from the United States District Court for the Eastern
District of Texas
WIENER, HIGGINSON, and COSTA, Circuit Judges.
COSTA, CIRCUIT JUDGE
Thomas worked as the Information Technology Operations
Manager for ClickMotive, LP, a software and webpage hosting
company. Upset that a coworker had been fired, Thomas
embarked on a weekend campaign of electronic sabotage. He
deleted over 600 files, disabled backup operations,
eliminated employees from a group email a client used to
contact the company, diverted executives' emails to his
personal account, and set a "time bomb" that would
result in employees being unable to remotely access the
company's network after Thomas submitted his resignation.
Once ClickMotive discovered what Thomas did, it incurred over
$130, 000 in costs to fix these problems.
found Thomas guilty of "knowingly caus[ing] the
transmission of a program, information, code, or command, and
as a result of such conduct, intentionally caus[ing] damage
without authorization, to a protected computer." 18
U.S.C. § 1030(a)(5)(A). Thomas challenges the
"without authorization" requirement of this
provision of the Computer Fraud and Abuse Act. He contends
that because his IT job gave him full access to the system
and required him to "damage" the system-for
example, at times his duties included deleting certain
files-his conduct did not lack authorization. In support of
his view that the statute does not reach those whose access
to a system includes the ability to impair it, Thomas invokes
the rule of lenity and principle that vague statutes cannot
be enforced. But we conclude that Thomas's conduct falls
squarely within the ordinary meaning of the statute and
affirm his conviction.
duties at ClickMotive included network administration;
maintaining production websites; installing, maintaining,
upgrading, and troubleshooting network servers; ensuring
system security and data integrity; and performing backups.
He was granted full access to the network operating system
and had the authority to access any data and change any
setting on the system. Thomas was expected to perform his
duties using his "best efforts and judgment to produce
maximum benefit" to ClickMotive.
was not happy when his friend in the IT department was fired.
It was not just a matter of loyalty to his former colleague;
a smaller IT staff meant more work for Thomas. So Thomas, to
use his word, "tinkered" with the company's
system. The tinkering, which started on a Friday evening and
continued through Monday morning, included the following:
• He deleted 625 files of backup history and deleted
automated commands set to perform future backups.
• He issued a command to destroy the virtual
machine that performed ClickMotive's backups
for one of its servers and then Thomas failed to activate its
redundant pair, ensuring that the backups would not occur.
• He tampered with ClickMotive's pager notification
system by entering false contact information for various
company employees, ensuring that they would not receive any
automatically-generated alerts indicating system problems.
• He triggered automatic forwarding of executives'
emails to an external personal email account he created
during the weekend.
• He deleted pages from ClickMotive's internal
"wiki, " an online system of internal policies and
procedures that employees routinely used for troubleshooting
• He manually changed the setting for an authentication
service that would eventually lead to the inability of
employees to work remotely through VPN. Changing the setting
of the VPN authentication service set a time bomb that would
cause the VPN to become inoperative when someone rebooted the
system, a common and foreseeable maintenance function.
• And he removed employees from e-mail distribution
groups created for the benefit of customers, leading to