In March, Assistant U.S. Attorney Stephen Heymann noted in court papers filed in the Boston case that Gonzalez was recorded on a phone call from prison telling an associate to destroy a paper copy of a contacts list but keep the electronic version of it.
"The potential risk of misuse of the electronic discovery materials by the defendant is demonstrably high, and the potential cost to individuals and corporations that the defendant has already victimized is equally high," Heymann said in court papers.
Gonzalez's lawyers complained that the restrictions would hurt their client's ability to defend himself, but they ultimately agreed to several concessions, including keeping track of the material Gonzalez had viewed.
Gonzalez's lawyer Weinberg, in an interview with The National Law Journal before the plea deal was announced, said the Gonzalez case "is a window into our future."
"This case stands at the dawn of the criminal justice system's response to the unique demands generated by computers and the Internet," he said, noting that Congress has not created statutory protections for stolen credit card data as it has for child pornography and classified intelligence.
Former prosecutors say they aren't surprised by the government's posture regarding evidence in this case.
"The government is going to push for maximum restrictions. Given the scope of the allegations it would certainly call for unusual measures," said Eugene, Ore., defense lawyer Joseph Metcalfe, a former prosecutor in the Justice Department's Computer Crime and Intellectual Property Section.
And it wasn't just prosecutors who were trying to control Gonzalez's access to information. Lawyers for TJX told a judge that allowing Gonzalez access to its trade secrets could expose the company to further computer attacks.
TJX's lawyer, Ropes & Gray partner Samuel Buffone, said in court papers that the intrusion had an "extremely serious" impact on the company through "litigation, claims, and investigations, as well as damage to its reputation and customers' concerns about shopping at its stores." TJX cooperated in the investigation and prosecution of Gonzalez.
In December 2007, TJX and its Cincinnati-based merchant bank, Fifth Third Bancorp, finalized a $41 million out-of-court agreement, settling claims brought by financial institutions for the expenses they incurred replacing the cards. TJX announced in June that it settled for $9.75 million with 41 states to resolve allegations that the company failed to take sufficient steps to protect customer information.
One of the companies at the center of the New Jersey prosecution is currently fighting civil suits over the data breach.
Heartland Payment Systems, whose payment processing system was allegedly hacked by Gonzalez in December 2007, is facing consolidated class actions from individual consumers and banks, among other plaintiffs, in the U.S. District Court for the Southern District of Texas.
"If the numbers pan out, this will certainly be the largest data breach in the history of the universe -- to date," said Richard Coffmann, a solo practitioner in Beaumont, Texas, who is co-lead counsel for a group of banks suing Heartland.
First reported in The BLT: The Blog of Legal Times.