Evan Schuman's StorefrontBacktalk

The defense counsel also pointed to the government having “sought forfeiture of $1.65 million in proceeds, which presumably reflects the government’s best estimate of the proceeds derived from the offense and which Gonzalez agreed to forfeit under the plea agreement.”

Counsel further drilled into the particulars of the loss claims reported by other retailers, pointing out that the vast majority of dollars cited have little to do with its client’s conduct. From a description of Heartland as victim: “Gonzalez’s offense level, and concomitantly, his punishment, should not be inflated because Heartland decided to spend large sums of money on public relations or on implementing changes in its computer systems to make them more secure.”

In a filing from Heartland, the victim claimed $111.3 million in losses, broken down into four areas: “(1) paying assessments imposed by MasterCard and Visa, (2) paying settlements reached with Visa and American Express, (3) settlement offers to certain card brands to settle their claims against Heartland, and (4) settlements deemed likely to be reached in the future with other claimants. The information provided is entirely too broad and undifferentiated to provide a basis for a reasoned estimation of the loss. It also should not include costs incurred by Heartland in defending itself against governmental investigations into its systems and practices, especially an investigation into whether Heartland officers and employees are guilty of insider trading.”

In addition, the defense counsel challenged the government on its claims surrounding “intended loss,” which is defined as “the loss the defendant reasonable expected to occur at the time he perpetrated” the breach. “By no stretch of the imagination,” Weinberg wrote, “did Gonzalez expect that losses remotely approaching $400 million would result from his offenses.”

The government also tried to add more dollars to the damages it’s claiming for the breaches, suggesting that a stock slide of TJX was also a breach damage. “In the ten weeks following TJX’s initial announcement of the intrusion and data theft, however, as investors adjusted to the news, TJX shareholders lost over a billion dollars in equity while the S&P 500 as a whole had fallen less than one percent,” said the U.S. Attorney’s Office in its sentence recommendation.

That argument was knocked down, but not by the defense counsel. TJX felt obliged to make a filing Wednesday (March 24) disagreeing with the government. Although “TJX’s stock price did experience small movement in the months after TJX first announced the intrusion, there is no basis to conclude that such movement was caused by the intrusion or the absorption by the market of knowledge about the intrusion,” said a TJX filing.

That’s quite true. None of the major retailers have reported any revenue losses or negative consumer reaction at all to their breaches.

Attorneys in the case argued about differing psychiatric assessments, too, questioning whether drug use and computer addiction were factors the judge should consider when determining sentence. The government said the Gonzalez attacks were identity thefts, which the defense strongly disagrees with (they argue that Gonzalez had merely engaged in data theft, which seems more semantic than anything else; it doesn’t impact the sentencing guidelines).

“If imposed, the sentences would be the longest ever imposed in an identity theft case and among the longest imposed for a financial crime, which is appropriate because Gonzalez was at the center of the largest and most costly series of identity thefts in the nation’s history,” wrote Assistant U.S. Attorney Stephen Heymann. “He knowingly victimized a group of people whose population exceeded that of many major cities and some states–certainly millions upon millions, perhaps tens of millions. He did so at the cost of hundreds of millions of dollars to businesses ranging from small banks and credit unions to Fortune 500 companies.”

Defense filings urged the judges to differentiate between victims. Although Gonzalez was a central player in some attacks—such as against TJX—he had a much smaller role with others. “Gonzalez did not even know of the Heartland intrusion prior to its occurrence. His role in these offenses was limited to permitting ‘Hacker 1’ and ‘Hacker 2’ to have access to certain servers he controlled and, on one occasion, asking [another accused cyberthief] to modify malware which had been designed by ‘Hacker 1’ or ‘Hacker 2,'” Weinberg wrote. “He had no other involvement in either the Heartland or Hannaford intrusions and only minor and insignificant further involvement with the 7-Eleven intrusion. He did not own or have any control over the Gigenet server used by ‘Hacker 1’ and ‘Hacker 2’ in the 7-Eleven offense, nor did he write any of the malware they used.”