United States v. John

Raj PagariyaCase Summary

Interpretation of "exceeding authorised access" in CFAA

United States v. Dimetriace Eva-Lavon John
597 F.3d 263
In the United States Court of Appeals for the Fifth Circuit
Case Number 08-10459
Before Circuit Judge Smith, Circuit Judge Owen, and Circuit Judge Haynes
Decided on February 09, 2010

Relevancy of the Case: Interpretation of “exceeding authorised access” in CFAA

Statutes and Provisions Involved

  • 18 U.S.C. § 371
  • 18 U.S.C. § 1029
  • 18 U.S.C. §1030

Relevant Facts of the Case

  • The defendant worked as an account manager at Citigroup for approximately three years. She had access to Citigroup’s internal computer system and customer account information.
  • She accessed and printed information about at least 76 corporate customer accounts and provided it to Riley, her half-brother.
  • During the trial, the jury found her guilty on all counts of a seven-count indictment arising from her involvement in this scheme.
  • A Presentence Report (PSR) determined that she intended to obtain account holders’ personal information and added two additional sentencing levels above the applicable guidelines. She had no criminal history, and the resulting range, as per the Sentencing Guidelines, was 97-121 months. The District Court ultimately sentenced her to 108 months.

Prominent Arguments by the Counsels

  • The defendant’s counsel argued that the prosecution did not present sufficient evidence to support her conviction on Counts 6 and 7 under Section 1030(a)(2) for exceeding authorised access to Citigroup computers. As an employee of Citigroup, she had the necessary authorisation to view and print information regarding accounts in the course of her official duties. CFAA does not prohibit unlawful use of material that she could access through authorised computer use. The statute only prohibits using authorised access to obtain information that she was not entitled to.
  • The defendant’s counsel also argued extensively on the issue of loss estimation by the District Court and subsequent conviction.

Opinion of the Bench

  • The statute prohibits both accessing a computer without authorisation and exceeding authorised access to obtain specified information. The law does not define authorised or authorisation. As held by the court in United States v. Phillips, the intended-use analysis test is a potential way to understand authorisation and authorised use. John’s use of Citigroup’s computer system to perpetuate fraud was not an intended use of the system.
  • The court agreed with the First Circuit’s interpretation of exceeding authorised access in the case of EF Cultural Travel BV v. Explorica, Inc. Exceeding authorised access may include exceeding the purposes for which access is authorised.

Final Decision

  • The court affirmed her convictions on all seven counts; however, vacated her sentence and remanded the case for further proceedings.