Breaking News: Hacker’s Conviction Affirmed Despite Lower Court’s Error
This week, the United States Supreme Court upheld a conviction under the Computer Fraud and Abuse Act despite the Court’s acknowledgement that the jury had been wrongfully instructed on the elements of the crime charged. This is the second noteworthy decision relating to the Act to be issued recently.
Defendant Michael Musacchio had been the president of a logistics company, Exel Transportation Services (“ETS”) until his resignation in 2004. In 2005, Mr. Musacchio formed a rival company, and the former head of ETS’ IT department joined his new company. Working together with this other employee, Mr. Musascchio gained access to ETS’s password-protected computer system until early 2006.
Mr. Musacchio was indicted under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C). Under this provision, a person commits a crime when he or she “intentionally accesses a computer without authorization or exceeds authorized access” and in doing so “obtains . . . information from any protected computer.” (emphasis added). Thus, a person commits a crime under the Act either when he or she obtains access without authorization or obtains access with authorization but then exceeds that authorization.
Diverging from the language in the indictment and the proposed jury instruction, the district court instructed the jury that § 1030(a)(2)(C) “makes it a crime for a person to intentionally access a computer without authorization and exceed authorized access,” thus adding an element to the crime that is not found in the statute. Despite the flaw in this instruction, the jury found Mr. Musacchio guilty, and the district court sentenced him to 60 months’ imprisonment.
On appeal, Mr. Musacchio argued that there was insufficient evidence to support the jury’s verdict because the government could not prove both prongs of the charge. One of the main issues on the appeal was whether sufficiency of the evidence should be measured against the crime charged or against the heightened and erroneous standard used in the lower court’s jury instructions. Resolving a Circuit split on this issue, the Supreme Court reasoned that a sufficiency challenge should be assessed against the elements of the crime charged. Key to the Court’s holding was the limited nature of a court’s review when tasked with assessing the sufficiency of the evidence on appeal.
The Supreme Court’s decision is yet another example of how crimes under the Computer Fraud and Abuse Act continue to provide fodder for appeals. Just last month, the Second Circuit opined on the same statutory provision, 18 U.S.C. § 1030, and held that it is not a crime under the Act to access information for an impermissible purpose so long as the individual otherwise had the authority to access the information.