United States v. Michael Thomas
877 F.3d 591 (2017)
Rule of Law:
Under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(5)(A), an employee acts 'without authorization' when they intentionally cause damage to a computer system for malicious purposes, even if their job duties otherwise permit them to perform some acts that impair the system.
Facts:
- Michael Thomas worked as the Information Technology Operations Manager for ClickMotive, LP, with full administrative access to the company's computer network.
- Upset that a coworker had been fired, Thomas decided to sabotage the company's systems.
- Over a weekend, Thomas deleted over 600 backup history files, disabled future backup operations, and destroyed a virtual machine responsible for backups.
- He tampered with the company's pager notification system to prevent alerts about system problems from being sent.
- Thomas redirected executives' emails to his personal account and deleted pages from the company's internal troubleshooting 'wiki'.
- He set a 'time bomb' on the VPN authentication service, which would later prevent employees from accessing the network remotely.
- After completing the sabotage, Thomas left a resignation letter at the office.
- ClickMotive incurred over $130,000 in costs to investigate and repair the damage Thomas caused.
Procedural Posture:
- A federal grand jury indicted Michael Thomas for violating the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(5)(A).
- Thomas fled to Brazil for nearly three years before surrendering to the FBI.
- Following a trial in the U.S. District Court, a jury returned a guilty verdict.
- The district court sentenced Thomas to time served, supervised release, and restitution.
- Thomas filed a motion for judgment of acquittal, arguing that the evidence was insufficient to prove his conduct was 'without authorization,' which the district court denied.
- Thomas, as appellant, appealed the district court's judgment to the U.S. Court of Appeals for the Fifth Circuit.
Issue:
Does an employee with authorized access to a computer system, whose duties sometimes include impairing the system for maintenance, act 'without authorization' under the Computer Fraud and Abuse Act when they intentionally cause malicious damage to that system for purposes outside the scope of their employment?
Opinions:
Majority - Gregg Costa, Circuit Judge
Yes, an employee with authorized access acts 'without authorization' under the Computer Fraud and Abuse Act when they intentionally cause malicious damage. The statute's prohibition on causing damage 'without authorization' applies to the specific damaging act, not to the employee's general level of access. The court rejected Thomas's argument that his authorization to perform some system-impairing tasks as part of his job created a blanket immunity for any damage he caused. The court distinguished the 'damage' provision in § 1030(a)(5)(A) from the CFAA's 'access' provisions, noting that caselaw narrowly interpreting 'authorization' in access cases does not apply here because the legislative history shows the damage provision was specifically intended to cover malicious insiders. The plain meaning of 'without authorization' is 'without permission,' and Thomas clearly did not have permission to sabotage the company's network, as his actions fell far outside the 'expected norms of intended use.'
Analysis:
This decision solidifies a critical distinction between the Computer Fraud and Abuse Act's 'access' provisions and its 'damage' provision, preventing the narrowing interpretations of authorization in access cases from undermining prosecutions against malicious insiders. The court clarifies that authorization is act-specific, meaning an employee's legitimate authority to alter a system does not shield them from liability when they intentionally cause damage for unauthorized, malicious purposes. This ruling provides a strong tool for prosecutors against disgruntled employees who abuse their technical privileges, ensuring that 'insider threat' cases can be effectively addressed under federal law.
