Gonzalez has pled guilty to masterminding a cyberthief ring that stole data from TJX, BJ’s Wholesale Club, Boston Market and Sports Authority, among other major chains.
Much of this defense sentencing recommendation tries to argue down the dollar figure for the losses caused by Gonzalez' activities. Federal sentencing guidelines force judges to factor in how much damage the defendant's actions have caused and to use that figure to help calculate the length of the sentence.
It starts by suggesting that TJX weathered the cyberattack remarkably well. "The government has (produced) no evidence regarding the extent to which the stolen TJX data was ever used to an individual cardholder's detriment, as opposed to simply remaining on the server," wrote Gonzalez defense attorney Martin Weinberg. "And, as to TJX, a telling (indicator) of the degree of damage it suffered is found in the fact that during one of the most devastating economic periods in the country's history, TJX's stock value rose 30 percent."
But the core point of the recommendation is that Gonzalez shouldn't be punished because of what TJX did. He should only be punished for what he did. "Gonzalez' offense level, and concomitantly, his punishment, should not be inflated because TJX decided to spend millions of dollars on public relations or because it spent large sums of money replacing its computer system with a new and improved system rather than replacement costs to restore the old system." (Editor's Nitpick: It's a distinct possibility that making enough replacements to properly restore the old system might have cost TJX even more money than simply replacing it. More to the point, it's not clear that restoring the old system to a proper security level would have even been possible.)
The memo said various independent reports concluded that TJX had severe problems with data storage, encryption levels and monitoring. "Because TJX's pre-intrusion data security systems were seriously deficient in safeguarding the personal data of its customers, a form of multiple causation is at work here," the memo said, adding that "TJX was itself negligent in maintaining confidential customer data on a system that could be so easily penetrated" and that this "is relevant to whether the losses it declares should be" used for sentencing purposes.
"TJX's losses were in part the consequence of its own negligence" and "Gonzalez should not be held responsible for costs incurred by TJX in defending itself against governmental investigations into its carelessness" and "if TJX's data retention systems provided less than the required degree of protection, that is not the fault of Gonzalez."