
    UNITED STATES of America, Appellee, v. Francis G. JANOSKO, Defendant, Appellant.
    No. 10-1046.
    United States Court of Appeals, First Circuit.
    Heard Jan. 6, 2011.
    Decided April 12, 2011.
    Syrie D. Fried, for the appellant.
    Cynthia A. Young, Assistant United States Attorney, with whom Carmen M. Ortiz, United States Attorney, was on brief, for the appellee.
    Before LIPEZ, Circuit Judge, SOUTER, Associate Justice, and SELYA, Circuit Judge.
    
      
       The Hon. David H. Souter, Associate Justice (Ret.) of the Supreme Court of the United States, sitting by designation.
    
   SOUTER, Associate Justice.

While the defendant, Francis G. Janosko, was incarcerated in Massachusetts at the Plymouth County Correctional Facility in late 2006 and early 2007, he was allowed to use a computer system provided to inmates for legal research. Although the equipment was set up to confine access solely to legal materials, Janosko managed to circumvent the limits and, among other havoc, gain entrance for himself and others into the Facility’s personnel files, which contained Social Security numbers of some 1,100 current and prior employees and other personal information about them. The ensuing indictment included charges of causing damage to a protected computer, 18 U.S.C. § 1030(a)(5)(A)(i), thereby causing loss to one or more persons, id. § 1030(a)(5)(B)(i), and damage affecting a computer system used in the administration of justice, id. § 1030(a)(5)(B)(v). Janosko pleaded guilty under an agreement that left any amount of restitution to be determined by the court, which awarded the county $4,309 for the cost of purchasing elements of the system needed to replace those damaged by Janosko and retained as evidence, and $6,600 for the cost of monitoring credit records of the individuals who suffered the privacy violations and consequent risk of identity theft.

Janosko objected to the order to reimburse for the credit enquiries, arguing that they did not proximately result from the acts of damaging the computer and computer system. Before us, the defendant adds the further objection that the government failed to show that the credit checks were made close enough in time to the destructive conduct to qualify for restitution. We find the objections meritless.

Janosko is entirely correct that the cost of the credit monitoring is not what the statute defining the crimes calls “damage to a protected computer,” § 1030(a)(5)(A)(i), or “damage affecting a computer system,” § 1030(a)(5)(B)(v). But Janosko pleaded guilty not only to causing such “damage” but also to causing “loss” by his damaging conduct, § 1030(a)(5)(B)(i). The near juxtaposition of “loss” to “damage” inflicted on items or systems of equipment indicates some broader concept of forbidden effect and consequent scope of restitution.

In fact, 18 U.S.C. § 1030(e)(ll) defines loss to include “any reasonable cost to any victim, including the cost of responding to an offense” in addition to the cost of damage assessment, restoration of the damaged system and consequential damage like lost revenue. By thus exemplifying “loss” as an element of one of the offenses charged against Janosko, a “reasonable cost ... of responding” goes hand in hand with the terms of the restitution statute. The Mandatory Victims Restitution Act mandates restitution to the victim (here, without dispute, at least the county) “in any case ... [for] expenses incurred during ... the investigation or prosecution of the offense.” 18 U.S.C. § 3663A(b)(4). While “expenses” qualifying for restitution are not unlimited, like the notion of response under § 1030(e)(ll), they will pass muster if they would not have been incurred in the absence of the offense, Hughey v. United States, 495 U.S. 411, 416-18, 110 S.Ct. 1979, 109 L.Ed.2d 408 (1990); United States v. Cutter, 313 F.3d 1, 7 (1st Cir.2002), were “not too attenuated” in fact or time from the crime, United States v. Vaknin, 112 F.3d 579, 590 (1st Cir.1997), abrogated on other grounds by United States v. Anonymous Defendant, 629 F.3d 68 (1st Cir.2010), and were reasonably foreseeable, United States v. Collins, 209 F.3d, 1, 3 — 4 (1st Cir.1999). The cost of the credit check qualified under these criteria as a reasonable expense, cost of response, and thus compensable loss.

It should go without saying that an employer whose personnel records have been exposed to potential identity thieves responds reasonably when it makes enquiry to see whether its employees have been defrauded. This act of responsibility is foreseeable to the same degree that indifference to employees’ potential victimization would be reproachable. It is true, of course, that once they were told of the security breach, the individual employees and former workers involved in this case could themselves have made credit enquiries to uncover any fraud, but this in no way diminishes the reasonableness of the Facility’s investigation prompted by the risk that its security failure created. And quite aside from decency to its workers, any employer would reasonably wish to know the full extent of criminality when reporting the facts to law enforcement authorities.

Nor do we see anything helpful to Janosko in his argument that the government failed to present evidence that the credit check was reasonably timely, as Vaknin held it must be. 112 F.3d at 589. It is quite true that the prosecution ignored this point when the court was considering restitution, but so did Janosko, who apparently never raised an issue of timeliness until filing the brief in this Court. While we will assume the government is correct that the standard of review should consequently be for plain error only, the standard of review almost certainly makes no difference here, for we think that any enquiry into the credit records prior to negotiation of the plea in this case would have been timely for at least one purpose. Regardless whether the employees were “victims” under the statute and thus entitled to mandatory restitution, see § 3663A(a)(2) (defining “victim” as “a person directly and proximately harmed”); United States v. Millot, 433 F.3d 1057, 1061 (8th Cir.2006) (§ 1030 “does not restrict consideration of losses to only the person who owns the computer system”), a plea agreement may provide for restitution to anyone harmed even if not technically a victim, § 3663A(a)(3). An employer-victim contemplating the resolution of a charge like the one here could be expected to press the prosecutor to demand any terms that would be necessary to make the members of the employer’s workforce whole, and a credit check even up to the moment of a plea agreement would therefore be timely.

Affirmed. 
      
      . We review orders of restitution for. abuse of discretion, but apply de novo review to legal questions associated with restitution orders. See United States v. Innarelli, 524 F.3d 286, 293 (1st Cir.2008).
     
      
      . The statute has been amended since the period of the offenses by the Identity Theft Enforcement and Restitution Act of 2008, Pub.L. No. 110-326, § 204, 122 Stat. 3560, 3561-62. References are to the text before the 2008 changes.
     
      
      . When the case was argued, neither lawyer knew when the county had made the credit check. Subsequently, counsel for the government provided the date in a letter to the Court. Being outside the record, the information is not considered here, though it does confirm the relevance of our reasoning to the case before us.
     