This post examines a recent decision from a U.S. District Court Judge who sits in the U.S. District Court for the Middle District of Pennsylvania: U.S. v. Prugar, 2014
WL 4716382 (2014). She begins the
opinion by explaining that Dariusz Prugar pled guilty to
intentionally causing damage without
authorization to a protected computer, in violation of the Computer Fraud and Abuse Act (`CFAA'), 18 U.S. Code § 1030(a)(5)(A), based on an intrusion
into his former employer's protected computer system after he was terminated
from his position. Prior to sentencing, [Prugar] moved to withdraw his guilty
plea primarily on the basis that he did not knowingly and voluntarily enter the
plea because he was suffering from undiagnosed Bipolar II Disorder at the time
of the plea hearing.
U.S. v. Prugar, supra. He was originally indicted on two other
charges – “wire fraud, in violation of 18 U.S. Code § 1343; and Hobbs Act extortion, in violation of § 18 U.S. Code § 1951” – but he subsequently entered
into a plea agreement in which he pled guilty to the § 1030(a)(5)(A) charge
“and the government agreed to dismiss the charges of wire fraud and
extortion.” U.S. v. Prugar, supra.
As Rule 11(a)(1) of the Federal Rules of Criminal Procedure
explains, someone who has been charged with a federal crime can “plead not
guilty, guilty, or (with the court's consent) nolo contendere.” And Rule
11(d)(2) says a “defendant may withdraw a plea of guilty . . . after the court
accepts the plea, but before it imposes sentence if . . . the defendant can
show a fair and just reason for requesting the withdrawal.” So, Prugar moved to withdraw his plea
pursuant to this provision, which meant he had to “show a fair and just reason”
for withdrawing it.
At the plea hearing, the prosecutor “provided the essence of
the plea agreement, stating, in pertinent part, that `[Prugar] is going to face
a maximum punishment of 10 years incarceration, a maximum fine of $250,000, a
term of supervised release, as well as a $100.00 special assessment.’” U.S. v. Prugar, supra. Prugar “twice stated that he understood the
maximum penalty under the plea agreement.” U.S.
v. Prugar, supra.
At the plea hearing, the prosecutor also “reviewed the
factual basis” for the § 1030(a)(5)(A) charge, i.e., outlined the evidence the
government would present if Prugar were to go to trial on the charge:
The Defendant was employed as a
programmer for [a computer services business (`the Business’)], which is an
information technology business located in Enola, Pennsylvania.
[The Business] provides a number of
computer technology services, including managing an Internet service provider
[(`the Online Service’)]. . . .In late June of 2010, after a series of
personnel issues with [him], the Defendant was terminated from his position at
[the Business]. . . . In the days following his termination, [the Business]
noticed that their web service and other computer functions began to crash. For
approximately a week, their system was substantially inoperable. [The Business]
had to contract with outside contractors and other individuals to rebuild their
system.
As a result of [the] system being
compromised or being rendered inoperable, [the Online Service] customers as
well as other customers of [the Business] were unable to access their Internet
and e-mail services, and businesses which used these services for their
internal operations were unable to perform their various business functions
that they had contracted [the Business] and/or [the Online Service] to perform.
It was estimated [that] approximately
10,000 e-mail accounts and over 300 customers were unable to utilize their
services during the interruption period. Some of the customers were involved in
the transportation of hazardous materials as well as the online distribution of
pharmaceuticals.
During this interruption period, [the
Business'] employees contacted [Defendant] by telephone and sought his
assistance. [Defendant] had served as a programmer for the system [and] was the
keeper of many of the codes to the various components of the computer system.
The [Business'] employees contacted [Defendant] to seek his assistance to help
stem the systematic compromise which was going on.
In those calls, the Defendant acknowledged
that he had these codes and that he could assist the [Business'] programmers in
restructuring their system. However, he requested that certain scripts and/or
software programs which he believed he had a proprietary interest in as well as
computer materials be returned to him in exchange for his assistance.
They were unable to reach a resolution
between [the Business] and [Defendant]. Local authorities, and ultimately the
FBI, were called in. Agents conducted an investigation and interviewed [Defendant].
[He] confessed to the agents that he had entered the system through entry
points in attempts to gather some information which he believed belonged to
him, and while he was in the system, he had erased certain scripts or codes
from the system.
It was this unlawful entry that the
investigation revealed caused the network's damage. [The Business] lost
multiple customers as a result of this outage, and the damage was in excess of
$5,000.00.
U.S. v. Prugar, supra.
The judge who has the case then “inquired” of Prugar
“whether he agreed with the facts as recited.”
U.S. v. Prugar, supra. The opinion says they then had this exchange:
The Court: Were you employed by [the
Business] at some point in time?
Defendant: Yes, I was.
The Court: And you had access to
computer information of the [B]usiness ['] users?
Defendant: Yes, I did.
The Court: And you were eventually
terminated by this company?
Defendant: That's correct.
The Court: And through computer program
information, code[,] and command, you were able to access the [B]usiness[']
computer network?
Defendant: That's also correct.
The Court: And you were able to alter
computer programs or scripts?
Defendant: Alterations never occurred,
but file deletions of certain log files, yes.
The Court: And do you agree that these
protected customers had damage caused to their systems?
Defense Counsel: Your honor, if I may?
What we agree is that the [Business'] server had damage that was caused. At
issue in this matter, Your Honor, is the extent of the damage, what damage was
particularly caused by [Defendant], the number of folks that were damaged, and
whether or not they would qualify as critical infrastructure.
So to the extent that [Defendant] has
said, yes, absolutely he had entered it, he had no business to do so, it was a
protected computer, he acknowledges that damage was caused through his actions.
Is that correct, [Defendant], that you would stipulate those are true and
correct facts?
Defendant: That is true and correct.
Court: Does he understand that these
computers, the use of these computers does involve interstate commerce?
Defense Counsel: He does, Your Honor.
The Court: And there's also an
allegation that the [B]usiness['] computer network had damage in excess of
$5,000.00.
Defense Counsel: He would-he has no
objection it was likely in excess of $5,000.00. It is how much larger that is
at issue.
The Court: Is there likely a need for a
hearing on damage?
Prosecutor: There may be a hearing on
damage as well as other sentencing factors.
The Court: Okay. Otherwise, do you
substantially agree with the facts as set forth by [the Government] in this
matter?
Defendant: Yes, I do.
U.S. v. Prugar, supra.
The judge then accepted his plea of guilty. U.S. v. Prugar, supra.
As part of the sentencing process, on July 31, 2013, “a
United States Probation Officer prepared a presentence investigation report, in
which he found, inter alia: a loss amount between $200,000 and
$400,000; over 50 victims; use of sophisticated means; and damage to critical
infrastructure.” U.S. v. Prugar,
supra. The Probation Officer then
calculated Prugar’s potential sentence under the U.S. Sentencing Guidelines and
arrived at a “sentencing guideline range of 87 to
108 months” in prison. U.S. v. Prugar, supra.
On June 16, 2014,
Prugar filed a motion with the court to withdraw his guilty plea and a
brief in support. . . .The motion
is primarily based on a claim that he did not knowingly and voluntarily plead
guilty, and, further, that he is innocent of the charge. In his brief, [Prugar]
explains that, prior to his arrest, he was being treated for a variety of
mental health issues and had been diagnosed with obsessive compulsive disorder
(`OCD’), panic disorder, and ADHD. . . . As a result of these diagnoses, [he] was
prescribed Ativan, Adderall, and Ambien. . . .However, subsequent to
changing his plea to guilty, Defendant was diagnosed with Bipolar II Disorder,
for which he was prescribed Lamictal. . . . After diagnosis and treatment,
Defendant claims that he began to exhibit marked improvement in functioning. .
. .
U.S. v. Prugar, supra. He also attached records from his
psychiatrist which showed he “was, in fact, diagnosed with Bipolar II Disorder
after he pled guilty and that . . . reported significant improvement after
being prescribed Lamictal.” U.S. v.
Prugar, supra.
The prosecution then filed a response to Prugar’s filings,
in which it argued that the
plea proceeding demonstrated [Prugar{ entered
his plea knowingly and voluntarily, and . . . pled guilty to all of the elements
of the charged offense. . . . As to his mental health diagnosis, the Government
contends that Dr. Verma's records `reflect a functioning, employed individual
who is capable of making significant decisions in life.’ . . . For example, on
June 17, 2012, Dr. Verma observed [Prugar’s] `attitude/behavior was neutral”
and his “mood was congruent with the issues and circumstances of the
evaluation.’ . . . On July 23, 2012, Dr. Verma noted [Prugar] had traveled to
Austin, Texas for several weeks for work . . . and, on September 19, 2012, [he]
reported that the combination of therapy and medication was extremely helpful.
. . . Two months after [Prugar[ entered his guilty plea, Dr. Verma noted that [he]
`ha[d] been doing extremely well.’ . . .
The Government argues that, while the
medical records indicate [Prugar] was diagnosed with Bipolar II Disorder on
October 3, 2013 -- nearly six months after his guilty plea -- and that he began
to experience improvement following the diagnosis, there is no indication that
he was suffering from the condition at the time of his plea nor that it had any
impact on the entry of his plea.
U.S. v. Prugar, supra.
The prosecution also responded to Prugar’s claim of “actual
innocence” by arguing that
[he] has admitted his guilt to all of
the elements of the crime. Specifically, [Prugar] admitted to `remotely
accessing a protected computer without authority and erasing scripts,’ and does
not contest that he caused damage, i.e., `the erasing of
scripts.’ . . . While [Prugar] and his counsel noted during the change of plea
proceedings that they were contesting the amount of loss and the status of the
computers as part of critical infrastructure, D[he] conceded the loss involved
was in excess of $5,000 for purposes of a felony offense under 18 U.S.
Code § 1030(a)(5)(A). . . .Further, the Government submits that, as a computer
programmer and designer of the Business' network, [Prugar] had more than sufficient
information to make `an informed decision that there was harm caused by his
actions and he was guilty.’
The Government attached numerous
exhibits to their brief, including two statements [Prugar] gave to the FBI. In
his July 8, 2010 statement, [he] acknowledged that he understood at the time of
his termination that he was no longer authorized to access any of the Business'
computer systems. . . . However, after being terminated, he decided to retrieve
the `scripts,’ or software code, that he had written and stored on the
Business' servers because he `would hate to have to redo them’ at his next job.
[Prugar] then recounted in detail the
commands he issued to the Business' servers in order to retrieve those scripts
and to delete the record of the commands he had just executed on the system.
For example, after locating and copying the scripts from the server to his
computer, he ran the commands `rm .history_bash’ and `rm history.c’ to delete
the record. He also explained that, in order to `cover his “tracks,”’ he
installed a `web based notepad’ and created a `CRON job script’ to delete all
log files every minute.
He further stated that, `every action
he took was meant with “good intentions”. . . .He had no reason to delete the
files, he just “wanted to erase all tracks.”’ Upon being notified by employees
of the Business that it was experiencing network issues, he told them that he
had nothing to do with it. However, when they asked him to provide certain
network passwords that only he knew, he refused to divulge them because he
wanted `leverage’ to retrieve what he considered his personal property.
U.S. v. Prugar, supra.
The judge then outlined the applicable standard for
withdrawing a guilty plea, noting that whether the defendant has a “fair and
just reason” for doing so depends on three factors:
“`(1) whether the defendant asserts his
innocence; (2) the strength of the defendant's reasons for withdrawing the
plea; and (3) whether the government would be prejudiced by the withdrawal.’” U.S. v. Prugar, supra (quoting U.S. v. Jones,
336 F.3d 245 (U.S Court of Appeals for the 3rd Circuit 2003)).
After analyzing the
facts presented at the evidentiary hearing on Prugar’s motion, the charges and
the factors outlined above, the judge found that Program had not “shown a fair and just reason to withdraw his guilty plea.” U.S.
v. Prugar, supra. With regard to the
first factor, she explained that
`[b]ald assertions of innocence . . . are
insufficient to permit a defendant to withdraw [his] guilty plea.’ U.S. v. Brown, 250 F.3d 811 (U.S. Court
of Appeals for the 3rd Circuit 2001). Rather, `”[a]ssertions of
innocence must be buttressed by facts in the record that support a claimed
defense.”’ Id. . . . [T]he defendant
must `give sufficient reasons to explain why contradictory positions were taken
before the district court and why permission should be given to withdraw the
guilty plea.’ U.S. v. Jones, supra. . . .
[Prugar] admits he knowingly entered
commands into a protected computer, thus satisfying the first clause of the
section. [He] disputes . . . that his admissions to the Government are
sufficient to establish that he intentionally caused damage to the computer.
Pursuant to the statutory definition, it is clear they do. Section
1030(e)(8) defines `damage’ . . . as `any impairment to
the integrity or availability of data, a program, a system, or information.’ 18
U.S. Code § 1030(e)(8) (emphasis added). Although the statute itself does not
define `intentionally,’ the Third Circuit has defined it . . . `as performing
an act deliberately and not by accident.’ U.S. v. Carlson, 209 F.
App'x 181 (U.S. Court of Appeals for the 3d Circuit 2006). . . .
In his first statement to the FBI, [Prugar]
admitted that, following the termination of his employment, he accessed
numerous servers of the Business to retrieve and copy scripts that he had
written and stored on the servers. . . . After locating and copying the scripts
from the server to his computer, he ran the commands `rm .history_bash’ and `rm
history.c’ to delete the record of the commands he had just executed on the
system. . . . He also installed a web based notepad and created a `CRON
job script’ to continuously delete all log files. . . . In his handwritten
statement, [Prugar] admitted that he `gained unauthorized access to many of the
company servers and issued commands to the servers to stop logging functions
and delete log files . . . to cover up the fact that [he] gained unauthorized
access. . . .’ At the change of plea hearing, [he] agreed with the offense
conduct as set forth therein by the Government, including that he had erased
scripts or codes from the system, and that, upon learning of the Business'
system outage, he refused to disclose certain codes that would assist the
Business in restoring the system until . . . the Business returned certain
scripts and/or software programs which he believed belonged to him. . . . [He]
admitted to accessing the Business' computer network and to `delet[ing] certain
log files. . . .’
[Prugar’s] admissions are sufficient to
establish the requisite intent to cause damage necessary for the charge. The servers
[he] accessed were designed to permit the Business to retrace any entry into
its system. [He] deliberately entered the `rm . history_bash’ and `rm
history.c’ commands and created the CRON job script to destroy any record of
his having accessed the servers, thus impairing the availability of the data.
That his deliberate deletion of this history was done with the purpose of
concealing his access rather than causing the system to malfunction or
pecuniary harm is not dispositive to whether [he] intended to cause damage as
defined be the statute and case law. Clearly, he admitted that he deleted
information owned by the Business, thereby compromising the integrity of the
server and the availability of data stored therein. Accordingly, the court
concludes that Defendant has failed to adequately assert his innocence. This
factor weighs against permitting him to withdraw his plea.
U.S. v. Prugar, supra.
As to the second factor, the judge found that Prugar had
failed to present evidence supporting his claim that “he was incompetent to
plead guilty” because of his “Bipolar II”. U.S.
v. Prugar, supra. She noted, among
other things, that “there is no evidence indicating [he] did not knowingly,
voluntarily, or competently plead guilty on February 17, 2013”, which meant he
had “failed to show a fair and just reason for withdrawing his plea.” U.S. v. Prugar, supra.
And as to the third factor – prejudice to the government – the
judge explained that if
[Prugar] had succeeded in establishing
a fair and just reason for withdrawing his guilty plea, the burden would shift
to the government to show that it would be prejudiced by the withdrawal.
However, the [U.S. Court of Appeals for the 3rd Circuit] has made
clear that the government is not required to show prejudice when a defendant
has failed to provide sufficient grounds for permitting withdrawal of the
plea. . . . Accordingly, the court will decline to consider the
third factor.
U.S. v. Prugar, supra.
She therefore denied his motion to withdraw his guilty plea.
U.S. v. Prugar, supra.
No comments:
Post a Comment