United States v. Michael Thomas, 877 F.3d 591

Background

Michael Thomas, ClickMotive's IT Operations Manager, had full administrative access and routine authority to modify, delete, and take systems offline for maintenance.
Over a weekend after a coworker’s firing, Thomas intentionally deleted backups and wiki pages, disabled backup VMs, falsified pager/contact info, forwarded executives’ email to an external account, and planted a VPN “time bomb” to break remote access after his departure.
ClickMotive incurred over $130,000 in remediation costs; Thomas later fled to Brazil and was arrested years after returning to the U.S.
A jury convicted Thomas under 18 U.S.C. § 1030(a)(5)(A) for knowingly transmitting commands and intentionally causing damage to a protected computer “without authorization.”
Thomas appealed, arguing that because his job authorized some system-impairing actions, the statute did not reach his conduct; he also raised a vagueness/rule of lenity challenge.

Issues

Issue	Plaintiff's Argument	Defendant's Argument	Held
Scope of “without authorization” in § 1030(a)(5)(A)	Thomas: "Without authorization" should exclude insiders who have any job-related authority to impair systems; his duties authorized similar acts.	Government: Means "without permission" to commit the particular damaging act; insiders can be liable when an act falls outside permitted use.	Court: "Without authorization" means without permission for that specific damaging act; §1030(a)(5)(A) covers malicious insiders.
Applicability of access-cases to damage provision	Thomas: Cases narrowing "without authorization" in access statutes (e.g., Brekka) should limit the damage clause similarly.	Government: Access provisions and damage provision differ structurally and functionally; importing that limitation is inappropriate.	Court: Rejected importation; context controls meaning and damage provision is meant to reach both outsiders and malicious insiders.
Sufficiency of evidence that acts were unauthorized	Thomas: His routine job duties included deleting files and taking systems offline, so jury lacked sufficient evidence he acted without authorization.	Government: Nature, timing, concealment, and motive showed acts were not bona fide maintenance and lacked permission.	Court: Evidence overwhelmingly supported lack of authorization and conviction.
Vagueness / Rule of Lenity	Thomas: Statute is vague as applied to employees with some authority; rule of lenity compels narrower reading.	Government: Statute’s ordinary meaning and legislative history resolve ambiguity; defendant’s conduct plainly criminal.	Court: No grievous ambiguity; lenity inapplicable; conduct falls squarely within §1030(a)(5)(A).

Key Cases Cited

LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir.) (distinguishing access without authorization from exceeds authorized access)
United States v. Valle, 807 F.3d 508 (2d Cir.) (defining authorization as permission; distinguishing insider/external access issues)
United States v. Nosal, 676 F.3d 854 (9th Cir.) (en banc) (limits on use of access provisions for insiders)
United States v. Phillips, 477 F.3d 215 (5th Cir.) (use expected norms of intended use to assess authorization)
United States v. Castleman, 134 S. Ct. 1405 (Supreme Court) (explaining rule of lenity applies only when grievous ambiguity remains)
Allen v. United States, 164 U.S. 492 (Supreme Court) (flight as probative evidence of guilt)
Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Am., 648 F.3d 295 (6th Cir.) (relied on Brekka in access-authorization context)
WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir.) (defining “without authorization” as without approval)
United States v. Westbrooks, 858 F.3d 317 (5th Cir.) (vagueness challenge threshold: clearly prohibited conduct cannot press the challenge)
United States v. Winkler, 639 F.3d 692 (5th Cir.) (standard for appellate review of jury credibility and sufficiency)