Computer Fraud and Abuse Act protects independent security contractor

In the case of U.S. v. Millot, the Eighth Circuit has upheld the conviction of a former systems analyst under the federal Computer Fraud and Abuse Act, 18 U.S.C. §1030 et seq. (“CFAA”). The appellate court affirmed the lower court’s determination that the independent contractor that was hired to fix a security problem caused by the defendant’s conduct was a “victim” as provided for under the CFAA.

When defendant Millot worked for a large pharmaceutical company, he was responsible for disabling remote access to the company’s servers once employees left the company. When Millot himself left the company, he devised a way to maintain remote access to the servers. Using this unauthorized means of access, Millot deleted the account of a high-ranking IT employee.

After Millot left the company, but before he deleted the accounts, the company outsourced all network security responsibilities to IBM. It was therefore up to IBM to restore the account and perform a security audit. IBM employees spent in excess of 400 hours un-doing the damage that Millot had done, and it billed out its employees’ time at $50 per hour, for a total cost of $20,000.

Millot was charged under the CFAA, and the matter proceeded to trial. In its instructions to the jury, the lower court classified IBM as a “victim” under the CFAA. The jury found that the costs incurred in fixing the security problem resulted in damages in excess of $5,000, thus satisfying the $5,000 minimum required for a conviction under the CFAA.

Millot challenged the jury instructions, arguing that the costs incurred by IBM should not have been considered, because the computer system was owned by the company, not IBM. The court rejected this argument:

Although the damage was done to the [company's] computer system, the [CFAA] does not restrict consideration of losses to only the person who owns the computer system, and the district court properly instructed the jury to consider losses sustained by IBM in determining whether the statutory minimum was met.

The court further held that the evidence put forth to show the costs incurred by IBM was sufficient to support the amount of damages which exceeded the statutory minimum.

U.S. v. Millot, 2006 U.S. App. LEXIS 430 (8th Cir., January 9, 2006).

Technorati: