United States v. Thomas Millot ( 2006 )

                     United States Court of Appeals
FOR THE EIGHTH CIRCUIT
___________
No. 04-3962
___________
United States of America,                *
*
Appellee,                  *
* Appeal From the United States
v.                                 * District Court for the
* Western District of Missouri.
Thomas S. Millot,                        *
*
Appellant.                  *
___________
Submitted: November 15, 2005
Filed: January 9, 2006
___________
Before SMITH, HEANEY, and BENTON, Circuit Judges.
___________
HEANEY, Circuit Judge.
On June 15, 2004, a jury found Thomas S. Millot guilty of unauthorized
computer intrusion, in violation of the Computer Fraud and Abuse Act (CFAA), 18
U.S.C. § 1030(a)(5)(A)(ii), (a)(5)(B)(i), and (c)(4)(B). The district court1 sentenced
Millot to three months of imprisonment, three months of home detention, three years
of supervised release, a $5,000 fine, and restitution in the amount of $20,350. Millot
appeals his conviction, sentence, and restitution order, alleging several errors by the
district court. We affirm.
1
The Honorable Howard F. Sachs, United States District Judge for the Western
District of Missouri.
BACKGROUND
In 2000, Millot worked as a systems analyst in the Information Access
Management Group for Aventis Pharmaceuticals. The Information Access
Management Group managed the day-to-day computer security duties at Aventis’s
Kansas City, Missouri facility. Millot was responsible for administration of the
SecureID cards and accounts. A SecureID card is an active device that generates a
number that, in combination with a user name and personal identification number,
allows Aventis employees to remotely access the Aventis computer system in order
to check email and perform other job-related functions. An employee’s remote access
level depends on the individual’s responsibilities for the company. As a systems
analyst, Millot’s access level was the highest available.
Millot had the lead responsibility for disabling remote access accounts when
individuals left employment and collecting and tracking returned SecureID cards. On
or around August 2000, Millot reassigned the access account of former employee
Gernot Fromm to one of the inventoried SecureID cards, and increased the account
access level to the highest level available.
In October of 2000, Aventis Pharmaceuticals outsourced its security functions
to International Business Machines (IBM). Although several members of the
Information Access Group were subsequently hired by IBM, Millot was not offered
a job with IBM, and left employment with Aventis in September 2000. When he left
employment, he kept the SecureID card he assigned to the Fromm account. To keep
the card active he periodically accessed the network. Millot used the Fromm account
to access the Aventis computer network nine times between August 26 and
December 16, 2000. On December 16, 2000, he used the SecureID card and the
Fromm account to log onto the Aventis system and delete Jeff Jernigan’s account.
Jernigan was the manager of Technical Services for Aventis, and his ability to
remotely access and monitor the network was essential to his job. December 16,
-2-
2000, was a Saturday, and Jernigan unsuccessfully attempted to access the Aventis
system from his home. Although Geoffery Bridges was able to rebuild Jernigan’s
account within a matter of hours, Jernigan continued to experience problems with his
account for the following three weeks.
Bridges and Lori Meyer, former Aventis employees then working for IBM,
performed the bulk of the activities in response to Millot’s intrusion into the Aventis
computer system. Bridges rebuilt the Jernigan account and investigated the intrusion
while Meyer performed a security audit to verify that all existing access accounts
belonged to current employees, and that each account’s access level was appropriate.
Bridges spent 31 hours restoring Jernigan’s account and investigating the computer
intrusion, and Meyers spent 376 hours on the audit for a total of 407 hours. IBM
billed its staff’s services at fifty dollars per hour, for a total cost of $20,350.
Investigators traced the unauthorized remote access back to Millot’s personal
internet access account. On March 3, 2003, Millot confessed that he had taken over
the Fromm account, repeatedly contacted the Aventis computer system, and deleted
the Jernigan account. The grand jury issued an indictment alleging that “it cost more
than Five Thousand Dollars ($5,000) [to at least one or more persons] to conduct a
damage assessment of, verify the security of, and restore the integrity of the Aventis
network computer system.” (R. at 13.)
Millot admitted the underlying conduct, but challenged the government’s
allegation that the loss caused by his conduct amounted to the $5,000 minimum
required for a conviction under the CFAA. Following a two-day trial, the jury found
the loss exceeded $5,000 and found Millot guilty of the charged offense. His base
offense level was 6, with a four-level enhancement for loss more than $10,000 but less
than $30,000, a two-level enhancement for abuse of position of trust, and a two-level
adjustment for acceptance of responsibility. Accordingly, his adjusted offense level
was 10 with a criminal history category of I, resulting in a sentencing range of 6 to 12
3
months. On November 10, 2004, the district court sentenced Millot to a split
sentence, at the bottom of the range, of three months of imprisonment,2 three months
of home detention, and three years supervised release. The district court also ordered
Millot to pay a $5,000 fine and $20,350 in restitution for the time spent by Bridges
and Meyers. This appeal followed.
ANALYSIS
Millot alleges the government failed to prove damage of at least $5,000 because
the district court erred in finding IBM a “victim” under the CFAA. He also alleges
that the district court erred in sentencing him under the pre-Booker3 mandatory
sentencing guidelines, and that the restitution order also violated Booker.
I. Millot’s Conviction Under the CFAA4
To determine whether we should overturn Millot’s conviction, we must
determine whether the district court properly classified IBM as a potential victim
under the CFAA, and if so, whether the government’s evidence was sufficient for a
jury to find that the loss exceeded $5,000.
2
At the time of this writing, Millot has completed the three months of
imprisonment and three months of home detention.
3
United States v. Booker, 

(2005).
4
Millot alleges several corollary errors based on the assertion that IBM was not
a victim and therefore should not have been named in the jury instructions. Since we
find that the district court correctly included IBM as a potential victim under the
CFAA and the evidence was sufficient to show that IBM suffered harm as a result of
Millot’s actions, we do not address the remaining related issues.
4
We review the district court’s interpretation of a statute de novo, see United
States v. Moore, 

, 979 (8th Cir. 1994), and in reviewing a jury verdict, we
“view the evidence in the light most favorable to the jury’s verdict, overturning it only
if no reasonable jury could conclude that the government has proven all the elements
beyond a reasonable doubt,” United States v. Cole, 

, 425 (8th Cir. 2004).
Millot argues that any costs incurred by IBM should not have been considered
in determining whether the loss amounted to the statutory minimum because the
system was owned by Aventis and IBM was a “volunteer” fixing the system. This
argument lacks merit. The CFAA provides for a fine and imprisonment up to five
years for an individual who “intentionally accesses a protected computer without
authorization, and as a result of such conduct, recklessly causes damage” and that
conduct causes “loss to 1 or more persons during any 1-year period . . . aggregating
at least $5,000 in value.” 18 U.S.C. §§ 1030(c)(4)(B), (a)(5)(A)(ii), (a)(5)(B)(i)
(emphasis added). Although the damage was done to the Aventis computer system,
the statute does not restrict consideration of losses to only the person who owns the
computer system, and the district court properly instructed the jury to consider losses
sustained by IBM in determining whether the statutory minimum was met.
Next we address the sufficiency of the evidence. Millot contends that the
government’s evidence was insufficient to establish that the actual loss exceeded the
$5,000 minimum, because there was no evidence that IBM specifically billed Aventis
the amount alleged. The Ninth Circuit addressed a similar challenge in United States
v. Middleton, 

, 1213-14 (9th Cir. 2000). There, the defendant argued
that since salaried employees fixed the damage caused by the defendant’s conduct, the
government could not prove that the defendant had caused damage in excess of the
$5,000 minimum. 

Circuit disagreed, stating “whether the amount of
time spent by the employees and their imputed hourly rates were reasonable for the
repair tasks that they performed are questions to be answered by the trier of fact.” 

1214. There, the value of the loss was calculated by multiplying the number of
hours spent repairing the damage by an estimated hourly rate based on the employees’
annual salary. 

The Ninth Circuit stated that “[t]here is no basis to believe
that Congress intended the element of ‘damage’ to depend on a victim’s choice
whether to use hourly employees, outside contractors, or salaried employees to repair
the same level of harm to a protected computer.” 

At Millot’s trial, the government presented undisputed evidence regarding the
hours spent by Bridges and Meyers in response to the unauthorized intrusion, and that
the time spent was valued at fifty dollars per hour. IBM undoubtedly paid Meyers and
Bridges for their time, and the work was done on behalf of Aventis to remedy damage
to Aventis’s computer system that Millot admits he caused. Millot’s own expert
agreed that the work done by Meyers and Bridges was a reasonable response to the
discovery of a breach in the security of the computer system. Millot argues that the
cost of the work performed was absorbed by IBM under its existing contract with
Aventis. This argument neglects the fact that the hours spent by Bridges and Meyers
addressing the issues caused by Millot’s unauthorized intrusion could have been spent
on other duties under the contract. See United States v. Sablan, 

, 870 (9th
Cir. 1996) (holding it proper to base the estimated cost of repairs on the standard
hourly rate for the employees who fixed the problem, because their time would have
otherwise been devoted to assisting bank customers).
Accordingly, we find that the evidence presented was sufficient to support the
conviction.
II. Sentencing
Millot was sentenced, on November 10, 2004, before the Supreme Court issued
Booker. The district court imposed a four-level enhancement for loss more than
$10,000 but less than $30,000, and a two-level enhancement for abuse of a position
6
of trust. The district court based its enhancements on its own findings that the amount
of loss was $20,350, an amount that was not found by the jury, and that Millot used
his position as a systems analyst to perpetrate the crime.
Millot preserved his objection to the guidelines sentence by raising Blakely v.
Washington, 

(2004). United States v. Haidley, 

, 644 (8th
Cir. 2005). Therefore, we review the sentence for harmless error–whether the error
affected Millot’s substantial rights. United States v. Sutherlin, 

, 728 (8th
Cir. 2005) (per curiam); Fed. R. Crim. P. 52(a). Because the enhancements had the
effect of increasing Millot’s guidelines range, the government must show that the
Booker error was harmless beyond a reasonable doubt. Haidley, 

, 645
(8th Cir. 2005).
Millot’s guidelines sentencing range was 6 to12 months. Since this was a Zone
B sentence, the district court could have ordered a probationary sentence, substituting
home confinement for some or all of the actual jail time. USSG § 5C1.1(c)(3).
Instead, the district court ordered three months of imprisonment, noting that “a short
period of imprisonment [was] probably appropriate” for the purpose of deterring
others. (Sent. Tr. at 16.) This court has held that mandatory, rather than advisory,
application of the guidelines is harmless error where the district court had the
discretion to impose a lesser sentence but instead sentenced the defendant in the
middle of the sentencing range. See 

(citing United States
v. Perez-Ramirez, 

, 878 (8th Cir. 2005)). Here, the court’s refusal to
grant a probationary sentence, although it had the discretion to do so, convince us that
the district court’s apparent mandatory, rather than advisory, application of the
sentencing guidelines was harmless. Therefore, we affirm the sentence imposed by
the district court.
7
III. Restitution
Millot next argues that the district court violated his Sixth Amendment rights,
under Blakely, by ordering restitution in an amount exceeding that found by the jury.
“Booker does not affect restitution orders since they are not subject to any prescribed
statutory maximum and they are not in the nature of a criminal penalty.” United
States v. Carruth, 

, 904 (8th Cir. 2005). Millot further claims that the
restitution order was not supported by the evidence. We review this matter for clear
error. 

restitution amount was based on evidence presented at trial
regarding the number of hours spent fixing the problem, and the billing rate for that
work. Accordingly, the district court did not err in ordering restitution in the amount
of $20,350.
CONCLUSION
For the above-stated reasons we affirm the district court.
______________________________
8