Appeal from the United States District Court for the Northern District of Texas
USDC No. 3:10-CR-308-1
Before SMITH, BARKSDALE, and HAYNES, Circuit Judges. PER CURIAM:
Michael Musacchio appeals his conviction and sentence for conspiracy and substantive violations of the Computer Fraud and Abuse Act. We affirm.
Musacchio was the president of Exel Transportation Services ("ETS") until he resigned in 2004. ETS is a transportation brokerage company that arranges freight shipments for business clients; it relies on independent agents to sell its services. In 2005, Musacchio founded a competing company, Total Transportation Services ("TTS"), and two ETS employees, Roy Brown and Michael Kelly, followed him. Beginning in 2006, several agents moved from ETS to TTS.
At about the same time, the new ETS president, Jim Damman, undertook to sign new contracts with agents. He noticed, however, that some agents seemed aware of the new terms before they had been disclosed. One agent revealed Brown had shown him an undisclosed ETS contract addendum; Damman became suspicious and hired a forensic firm to investigate the leak. The firm discovered Musacchio and Brown had been accessing ETS's servers. ETS sued TTS, Musacchio, Brown, and others, and the parties settled for $10 million.
In 2010, the government indicted Musacchio, Brown, and Kelly. Count 1 charged all three with conspiracy to make unauthorized access and exceed authorized access to a protected computer. See 18 U.S.C. §§ 371, 1030(a)(2)(C), (c)(2)(B)(i), (iii). Counts 23 and 24 charged Musacchio with unauthorized access to a protected computer, with Count 23 indicating he accessed the "Exel Server" "[o]n or about" November 24, 2005. See id. § 1030(a)(2)(C), (c)(2)(B)(i), (iii). After Brown and Kelly had pleaded guilty, the government filed a superseding indictment against Musacchio in 2012. Count 1 no longer contained the "exceed authorized access" language in the section summarizing the offense, although it did mention exceeding authorized access in the "Object of the Conspiracy" and "Manner and Means" sections. Count 2 was similar to Count 23 of the original indictment but amended the allegations by specifying Musacchio accessed the "Exel email accounts of Exel President and Exel legal counsel" "[o]n or about" November 23-25, 2005. Count 3 was the same as Count 24 of the original indictment. In 2013, the government filed a second superseding indictment that made no relevant changes.
At trial, the government introduced evidence that, after Musacchio left ETS but before Brown did, Musacchio asked Brown to access other employees' email to collect information. Brown had previously worked in ETS's information-technology department and had the ability, though not the authority, to access other employees' email. Brown complied with Musacchio's requests. After resigning from ETS, Brown used another administrator account to access ETS's servers remotely, and when that stopped working, Kelly provided Musacchio and Brown with other administrator accounts. In addition, the government presented evidence that Kim Shipp, an ETS employee who had been Musacchio's assistant, shared the email of Steve Bowers, an ETS executive, with Musacchio at his request. As Bowers's assistant, Shipp had the authority to access Bowers's email but not to share it with Musacchio.
The government's proposed jury instructions for Count 1 stated the jury had to find Musacchio agreed to "intentionally access[ ] a protected computer(s) without authorization." It did not mention exceeding authorized access. The court revised the instructions, defining the underlying offense as "to intentionally access a protected computer without authorization and exceed authorized access." Neither the government nor Musacchio objected to the conjunctive instructions. The court instructed the jury that its "verdict must be unanimous on each count of the indictment." The jury found Musacchio guilty on all three counts.
The presentence investigation report ("PSR") calculated Musacchio's criminal history category as I and the offense level as 36. A significant component of the latter calculation was an estimate that the loss was $10 million, which increased the offense level by twenty compared to a loss of $5,000 or less. See U.S. SENTENCING GUIDELINES MANUAL ("U.S.S.G.") § 2B1.1(b)(1). Musacchio and the government objected to the loss calculation. Musacchio claimed the forensic firm's fees, $322,000, were a reasonable estimate of the total loss. The government suggested $160 million, which it said was the loss in business value and profits. Two of Musacchio's experts alleged the conspiracy had a negligible impact on agent departures and estimated the loss to be, at most, less than $200,000. Jim Shields, TTS's attorney during the settlement negotiations in the civil case, testified that approximately $135,000 of the $10 million settlement represented ETS's lost profit from agents' departures attributable to the conspiracy. He explained that about $1 million of the settlement represented ETS's total economic loss attributable to the conspiracy and that most of the settlement was driven by TTS's fear of punitive damages. The court found the settlement to be the best of the methodologies presented and calculated the loss as "a million dollars or less, as testified by Mr. Shields."
Musacchio also objected to the PSR's application of a two-level enhancement for sophisticated means. See id. § 2B1.1(b)(10)(C). The court rejected his contention, finding that the conspirators' efforts to conceal their access to ETS's servers constituted sophisticated means.
Based on these rulings, the court calculated Musacchio's total offense level as 26, resulting in a guideline range of 63 to 78 months. The court imposed concurrent 60-month sentences on Counts 1 and 2 and a consecutive three-month sentence on Count 3.
Musacchio challenges the sufficiency of the evidence on Count 1. The court incorrectly instructed the jury that it had to find that Musacchio had agreed to make unauthorized access and exceed authorized access. The statute requires only that he agreed to make unauthorized access or exceed authorized access. Musacchio urges that the erroneous instruction became the law of the case, obligating the government to prove he agreed to both elements. He believes the evidence was insufficient to prove he agreed to exceed authorized access. We review de novo a properly preserved challenge to the sufficiency of the evidence, United States v. Brown, 727 F.3d 329, 335 (5th Cir. 2013), and we "review the record to determine whether, considering the evidence and all reasonable inferences in the light most favorable to the prosecution, any rational trier of fact could have found the essential elements of the crime beyond a reasonable doubt," United States v. Vargas-Ocampo, 747 F.3d 299, 303 (5th Cir. 2014) (en banc).
In general, "[a]n instruction that increases the government's burden and to which the government does not object becomes the law of the case," United States v. Jokel, 969 F.2d 132, 136 (5th Cir. 1992), but that rule does not apply where (1) "the jury instruction . . . is patently erroneous and (2) the issue is not misstated in the indictment," United States v. Guevara, 408 F.3d 252, 258 (5th Cir. 2005). The Guevara exception applies here.
The court instructed the jury that "18 U.S.C. § 1030(a)(2)(C) makes it a crime for a person to intentionally access a protected computer without authorization and exceed authorized access . . . ." The statute, by contrast, applies to anyone who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer." 18 U.S.C. § 1030(a)(2)(C). The replacement of "or" with "and" was an obvious clerical error, not a possible alternative description of the offense.
Nor was the issue misstated in the indictment. The second superseding indictment summarized the offense in Count 1 as "Conspiracy To Make Unauthorized Access to Protected Computer," which correctly described the offense. Although portions of the "Object of the Conspiracy" and "Manner and Means" sections alleged Musacchio agreed to make unauthorized access and exceed authorized access, the government was entitled to make those accusations. It had to prove Musacchio agreed to make unauthorized access or exceed authorized access; these statements merely indicated it believed it could prove both.
Musacchio tacitly concedes this, noting he "was indicted in Count 1 of the second superseding indictment for conspiracy to make unauthorized access to a protected computer" and referring to the "two superseding indictments . . . which abandoned the 'exceeding authorized access' crime."
Therefore, Guevara controls, and the government was required to prove only that Musacchio agreed to make unauthorized access. Musacchio does not dispute the sufficiency of the evidence on that element, so he cannot prevail on his challenge to the sufficiency of the evidence on Count 1.
Musacchio attacks the jury instructions on Count 1 as plainly erroneous. In his view, the court should have told the jury it had to be unanimous as to one of the two possible elements—making unauthorized access or exceeding authorized access. His concern is that the jury could have been split, with some jurors finding he agreed to make unauthorized access and others finding he agreed to exceed authorized access, but with no unanimous finding on either element.
Apparently Musacchio is taking inconsistent positions on appeal and claiming the jury had to find only one of the two elements. No specific unanimity instruction would have been necessary had the government been required to prove both elements.
Where the claim is properly preserved, we review a failure to provide a requested jury instruction for abuse of discretion. United States v. Grant, 683 F.3d 639, 650 (5th Cir. 2012). Musacchio did not object to the instruction, so the standard of review is plain error. See United States v. Valdez, 726 F.3d 684, 691-92 (5th Cir. 2013). "A plain error is a forfeited error that is clear or obvious and affects the defendant's substantial rights." United States v. Cruz-Rodriguez, 625 F.3d 274, 276 (5th Cir. 2010) (per curiam).
"[A] general unanimity instruction is ordinarily sufficient," United States v. Mason, 736 F.3d 682, 684 (5th Cir. 2013) (per curiam), but a specific unanimity instruction is sometimes necessary "where there exists a 'genuine risk that the jury is confused or that a conviction may occur as the result of different jurors concluding that a defendant committed different acts,'" United States v. Holley, 942 F.2d 916, 926 (5th Cir. 1991) (quoting United States v. Duncan, 850 F.2d 1104, 1114 (6th Cir. 1988)). Typically, no specific unanimity instruction is necessary for a conspiracy charge because "the crux of a conspiracy charge . . . [is] [t]he defendant's voluntary agreement with another or others to commit an offense." United States v. Dillman, 15 F.3d 384, 391 (5th Cir. 1994). A unanimous finding that the defendant agreed to participate in the conspiracy is sufficient. See id. at 392.
Dillman forecloses Musacchio's challenge to the jury instructions on Count 1. No specific unanimity instruction was necessary, and the court properly declined to provide one. Further, there was no risk of jury confusion, because the jury found Musacchio guilty of two substantive counts of making unauthorized access. There was no plain error.
Musacchio claims his prosecution on Count 2 was barred by the statute of limitations. But a limitations defense is waived if, as here, it was not raised at trial. United States v. Arky, 938 F.2d 579, 582 (5th Cir. 1991) (per curiam). Musacchio urges that Arky does not apply, because the issue can be resolved based on the face of the indictment. That approach is inconsistent with Arky and finds no support in our caselaw.
Musacchio points to United States v. Shipley, 546 F. App'x 450 (5th Cir. 2013) (per curiam), cert. denied, 134 S. Ct. 2842 (2014), an unpublished opinion, as a case that evaluated a statute-of-limitations defense on the merits even though it was not raised at trial. That is a misreading: Shipley explicitly noted the defendant "did not raise [a limitations] argument in the district court," id. at 458, and it quoted Arky's rule that "the defendant must affirmatively assert a limitations defense at trial to preserve it for appeal," id. (alteration omitted) (quoting Arky, 938 F.2d at 582). It then found, "[i]f there was error, it was not plain." Id. Although the wording of that conclusion is unusual, Shipley did not discuss the merits at all, so the only basis on which it could have rejected the defendant's claim was waiver.
The other case Musacchio cites, Putman v. United States, 162 F.2d 903, 903 (5th Cir. 1947) (per curiam), was pre-Arky and therefore is not relevant. Moreover, we have previously found waiver based on Arky in precisely the situation here—where the issue can be resolved on the face of the indictment. See United States v. Barakett, 994 F.2d 1107, 1108-10 (5th Cir. 1993). Accordingly, Musacchio waived his limitations defense by failing to raise it at trial.
Musacchio contends the errors in his trial combined to render it unconstitutionally unfair. Under the cumulative-error doctrine, "an aggregation of non-reversible errors . . . can yield a denial of the constitutional right to a fair trial, which calls for reversal." United States v. Munoz, 150 F.3d 401, 418 (5th Cir. 1998). Reversal is appropriate only in rare cases where "constitutional errors so 'fatally infect the trial' that they violated the trial's 'fundamental fairness.'" United States v. Bell, 367 F.3d 452, 471 (5th Cir. 2004) (quoting Derden v. McNeel, 978 F.2d 1453, 1457 (5th Cir. 1992) (en banc)). The only error was instructing the jury that it had to find that Musacchio agreed to make unauthorized access and exceed authorized access. If that error affected the trial at all, it benefited Musacchio and does not justify reversal.
Musacchio urges that the court miscalculated the loss under the sentencing guidelines. First, he claims the court should have considered only the costs of investigating and remediating the computer intrusion, not business losses. Second, he alleges the court miscalculated the loss even under the government's interpretation of the guidelines.
We review de novo interpretations of the guidelines and the method of calculating the loss. United States v. Nelson, 732 F.3d 504, 520 (5th Cir. 2013), cert. denied, 134 S. Ct. 2682 (2014). We review factual findings, including the actual calculation of the loss, for clear error. See id. "A factual finding is not clearly erroneous as long as it is plausible in light of the record read as a whole." United States v. Krenning, 93 F.3d 1257, 1269 (5th Cir. 1996).
The guidelines provide for an offense-level increase based on the loss, defined as "the greater of actual loss or intended loss." U.S.S.G. § 2B1.1 cmt. n.3(A). Actual loss is "the reasonably foreseeable pecuniary harm that resulted from the offense," id. cmt. n.3(A)(i), while intended loss is "the pecuniary harm that was intended to result from the offense," id. cmt. n.3(A)(ii). The guidelines include an additional provision for cases involving computer crimes:
(v) Rules of Construction in Certain Cases.—In the cases described in subdivisions (I) through (III), reasonably foreseeable pecuniary harm shall be considered to include the pecuniary harm specified for those cases as follows:
. . . .
(III) Offenses Under 18 U.S.C. § 1030.—In the case of an offense under 18 U.S.C. § 1030, actual loss includes the following pecuniary harm, regardless of whether such pecuniary harm was reasonably foreseeable: any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data,
program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other damages incurred because of interruption of service.
Id. cmt. n.3(A)(v)(III) (emphasis omitted).
Musacchio's first contention, that only the costs described in the latter provision should have been included, is incorrect. To begin with, his approach is contrary to the guideline language. The use of the word "includes" in Note 3(A)(v)(III) indicates the loss described in that provision should be considered in addition to actual loss, as defined in Note 3(A)(i). Nothing in Note 3(A)(v)(III) suggests it replaces or limits the general process for calculating loss discussed in Note 3(A)(i)-(ii). The Sentencing Commission's report is consistent with this interpretation. According to the report, Note 3(A)(v)(III) was "designed to more fully account for specific factors relevant to computer offenses." The addition of Note 3(A)(v)(III) was necessary because the costs described in that provision otherwise would not have been included in the loss unless they were reasonably foreseeable.
See United States v. Baker, 742 F.3d 618, 622 (5th Cir. 2014) ("[U]se of the word 'including' . . . signals that the cited acts of distribution are illustrative rather than exhaustive." (omission in original) (quoting United States v. Reingold, 731 F.3d 204, 228-29 (2d Cir. 2013))); United States v. Ramos, 695 F.3d 1035, 1040 (10th Cir. 2012) ("The intent-related examples that the commentary sets forth . . . are preceded by the word, 'including,' suggesting that the list of outlawed conduct is non-exhaustive." (citations omitted)), cert. denied, 133 S. Ct. 912 (2013); BLACK'S LAW DICTIONARY 880 (10th ed. 2014) ("The participle including typically indicates a partial list.").
U.S. SENTENCING COMM'N, REPORT TO THE CONGRESS: INCREASED PENALTIES FOR CYBER SECURITY OFFENSES 1 (2003) (emphasis added).
Moreover, the caselaw is contrary to Musacchio's position. The out-of-circuit cases he cites concerning the guidelines, as distinguished from the Act's similarly worded civil provisions, provide little support. Musacchio concedes that United States v. Batti, 631 F.3d 371 (6th Cir. 2011), did not directly address how the loss should be calculated, greatly limiting its persuasive value. The decision in United States v. Schuster, 467 F.3d 614 (7th Cir. 2006), actually favors the government's position. Musacchio notes that Schuster found costs associated with assisting the government should not be considered under Note 3(A)(v)(III) because the Note does not explicitly list them. See id. at 619-20. That case did, however, analyze whether those costs should be considered as actual losses, see id. at 619, indicating Note 3(A)(v)(III) does not replace or limit the general process for calculating loss set out in Note 3(A)(i)-(ii). Schuster characterized the relationship between the two Notes as follows:
"Actual loss" under the sentencing guidelines, "means the reasonably foreseeable pecuniary harm that resulted from the offense." . . . Additionally, in cases involving fraud and related activity in connection with computers, the sentencing guidelines include in the calculation of actual loss [the costs described in Note 3(A)(v)(III)], regardless of whether such pecuniary harm was reasonably foreseeable . . . .
Id. at 619 (emphasis added) (quoting U.S.S.G. § 2B1.1 cmt. n.3(A)). Under Shuster, then, the loss includes both foreseeable harm and the costs listed in Note 3(A)(v)(III). Other cases have interpreted the guidelines similarly. In light of this caselaw and the guideline language, the court properly considered business losses.
See, e.g., United States v. Willis, 476 F.3d 1121, 1128-29 (10th Cir. 2007) (including value of information provided to co-conspirator in loss); United States v. Nosal, No. CR-08-0237 EMC, 2014 WL 121519, at *8 (N.D. Cal. Jan. 13, 2014) (including cost of developing stolen trade secrets in loss).
Musacchio's second claim, that the court miscalculated the loss even under the government's interpretation of the guidelines, is equally unavailing. Shields' testimony provided a basis for the finding that the loss was $1 million or less, showing it "is plausible in light of the record read as a whole." Krenning, 93 F.3d at 1269. Musacchio criticizes Shields' testimony as "pure speculation," but Shields had knowledge of the loss from the settlement negotiations, and the court was entitled to find his testimony credible and to reject other testimony. Contrary to Musacchio's suggestion, the court was not required to state a precise loss amount but instead needed only to make a reasonable estimate, which it did. As a result, there was no clear error.
See Anderson v. City of Bessemer City, N.C., 470 U.S. 564, 575 (1985) ("[W]hen a trial judge's finding is based on his decision to credit the testimony of one of two or more witnesses, each of whom has told a coherent and facially plausible story that is not contradicted by extrinsic evidence, that finding, if not internally inconsistent, can virtually never be clear error."); United States v. Klein, 543 F.3d 206, 214 (5th Cir. 2008) ("[T]he finding as to the amount of loss is a factual finding, and we cannot reassess the evidence but owe the finding deference.").
See United States v. Kennedy, 726 F.3d 968, 974-75 (7th Cir. 2013) (finding no error in determination that loss exceeded $1 million based on defendant's admission that he purchased counterfeit art for $500,000 and marked it up).
Musacchio criticizes the application of the sophisticated-means enhancement, claiming his conduct fell short of the sophistication required to trigger it. We review for clear error a determination that a defendant used sophisticated means. United States v. Roush, 466 F.3d 380, 387 (5th Cir. 2006). The guidelines provide for a two-level increase where "the offense . . . involved sophisticated means," U.S.S.G. § 2B1.1(b)(10)(C), which "means especially complex or especially intricate offense conduct pertaining to the execution or concealment of an offense," id. § 2B1.1 cmt. n.9(B).
Musacchio's efforts to conceal his activities meet this standard. He and his coconspirators used administrator accounts to read ETS employees' email, which concealed their identities. They forwarded the text of the email using webmail accounts in an attempt to avoid leaving records. Though many individuals familiar with computers likely could have developed a similar process, we previously have applied the enhancement "in cases involving some method that made it more difficult for the offense to be detected, even if that method was not by itself particularly sophisticated." Valdez, 726 F.3d at 695 (collecting cases). Musacchio's efforts to conceal his activities are similar in complexity to the activities at issue in some earlier cases. Thus, the court did not clearly err by applying the enhancement.
See, e.g., United States v. Wright, 496 F.3d 371, 377-79 (5th Cir. 2007) (in which defendant purchased cashier's checks in borrowers' names to defraud mortgage companies into thinking borrowers had provided funds); United States v. Clements, 73 F.3d 1330, 1340 (5th Cir. 1996) (in which defendant deposited cashier's checks into wife's account to conceal link between money and himself).
AFFIRMED. HAYNES, Circuit Judge, concurring:
I concur fully in the judgment of the court. I do not join in the reasoning of Section II of the opinion, however, because I would conclude that the Government sufficiently proved both prongs ("exceeds authorized use" and "unauthorized access") and, therefore would not reach the issue discussed in Section II. United States v. John, 597 F.3d 263, 270-73 (5th Cir. 2010).