Defendant Thomas Millot worked for Aventis Pharmaceuticals as a systems analyst in the company’s information security department. Among other duties, Millot was responsible for the administration of computer user accounts at Aventis’s Kansas City, Missouri facility. This responsibility included oversight of the company’s SecureID card system—a two-factor authentication system which allows an employee to remotely access the company network when she inputs her secret personal identification number and the time-sensitive code generated by a small SecureID card in her possession.In October 2000, Aventis outsourced its security functions to IBM. Although several members of the information security department were subsequently hired by IBM, Millot was not offered a job with IBM, and he left Aventis in September 2000. Before he departed, Millot took a former employee’s SecureID card which he had upgraded to the highest possible remote access level. He then kept the card active by periodically accessing the network.
On December 16, 2000, Millot used the SecureID card and account to log onto the Aventis computer network and delete the account of Jeff Jernigan, the manager of technical services for Aventis. This temporarily prevented Jernigan from remotely accessing the Aventis system, which was essential to the performance of his job.
Two former Aventis employees then working for IBM spent considerable time responding to Millot’s intrusion. One employee spent 31 hours restoring Jernigan’s account and investigating the computer intrusion, and a second employee spent 376 hours performing a security audit to verify that all existing access accounts belonged to current employees and that each account’s access level was appropriate. IBM billed its staff’s services at $50 per hour, for a total cost of $20,350.
Investigators eventually traced the unauthorized access to Millot’s personal Internet account. On March 3, 2003, Millot confessed that he had taken over the former employee’s account, kept the account active by repeatedly accessing the Aventis computer system, and used the account to delete Jernigan’s account. Millot was then charged with violating 28 USC § 1030—commonly known as the Computer Fraud and Abuse Act (CFAA). Although Millot admitted the underlying conduct, he challenged the government’s allegation that the loss caused by his conduct reached the $5,000 minimum required for a conviction under the CFAA. After a two-day trial, the jury found that the loss exceeded $5,000 and found Millot guilty of the charged offense. On November 10, 2004, the District Court for the Western District of Missouri sentenced Millot to three months of imprisonment, three months of home detention, and three years of supervised release. The district court also ordered him to pay a $5,000 fine and $20,350 in restitution for the time spent by the two IBM employees.
On appeal, the Eighth Circuit addressed whether the district court properly classified IBM as a potential victim under the CFAA, and if so, whether the government’s evidence was sufficient for a jury to find that the loss exceeded $5,000. With regard to the first question, Millot argued that any costs incurred by IBM should not have been considered in determining whether the loss amounted to the statutory minimum because the system was owned by Aventis and IBM was merely a “volunteer” fixing the system. The CFAA provides for a fine and imprisonment up to five years for an individual who “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage” and that conduct causes “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value” (emphasis in opinion). In light of this provision, the Court held that although the damage was done to the Aventis computer system, “the statute does not restrict consideration of losses to only the person who owns the computer system.” Therefore, the Court concluded that the district court properly instructed the jury to consider losses sustained by IBM in determining whether the statutory minimum was met.
With regard to the amount of the damages, Millot argued that the government’s evidence was insufficient to establish that the actual loss exceeded the $5,000 minimum because there was no evidence that IBM specifically billed Aventis the amount alleged. In essence, Millot agued that the cost of the work performed was absorbed by IBM under its existing contract with Aventis. But the Court held that Millot’s argument on this point “neglects the fact that the hours spent by [the IBM employees] addressing the issues caused by Millot’s unauthorized intrusion could have been spent on other duties under the contract.” Therefore, the Court held that the evidence presented was sufficient to support Millot’s conviction, and also found proper IBM’s calculation of the hourly rate of its salaried employees.
For these reasons, the Court affirmed Millot’s conviction. In the remainder of the opinion, the Court also affirmed Millot’s split sentence and restitution order.