The U.S. Court of Appeals for the 1st Circuit upheld a lower court’s order requiring a detainee convicted of hacking a prison computer system to pay for credit-monitoring services for prison employees.

In a unanimous panel ruling on April 12 in U.S. v. Janosko, the 1st Circuit affirmed District of Massachusetts Judge George O’Toole’s restitution order. Retired U.S. Supreme Court Associate Justice David Souter, sitting by designation, wrote the opinion. Judge Kermit Lipez and Senior Judge Bruce Selya joined the ruling.

The appeal concerned O’Toole’s order that Francis Janosko must pay the Plymouth County Sheriff’s Department’s $6,600 bill for credit monitoring. Court records show that Janosko hacked the Internet and employee and job applicant databases at the Plymouth County Correctional Facility in Plymouth, Mass. He was held at the prison from October 2006 through February 2007, first on a probation violation and then as a pretrial detainee.

The prison allowed Janosko and other inmates to use a computerized legal research program to work on their cases, but not the Internet or e-mail. Janosko pleaded guilty in September 2009 under the Computer Fraud and Abuse Act to intentionally causing damage to a protected computer. That December, he was sentenced to 18 months in prison. He was ordered to pay several forms of restitution that he did not appeal, including $10,500 for a jail lockdown, $2,300 to replace a server and $2,000 to buy software and licenses for a replacement server.

Souter called Janosko’s objections to the credit monitoring services restitution meritless. Janosko argued that the credit monitoring “did not proximately result from the acts of damaging the computer and computer system,” Souter noted. He also claimed the government didn’t make the credit checks quickly enough after the hacking to qualify for restitution.

Still, Janosko had pleaded guilty to causing “loss” by his damaging conduct, not just to causing damage, Souter wrote. And he noted that the relevant statute “defines loss to include ‘any reasonable cost to any victim, including the cost of responding to an offense,’ in addition to the cost of damage assessment, restoration of the damaged system and consequential damage like lost revenue.”

Souter conceded that individual current and former employees could have paid for their own credit monitoring when they learned of the hacking, “but this in no way diminishes the reasonableness of the Facility’s investigation prompted by the risk that its security failure created.”

Souter rejected Janosko’s timeliness argument. “An employer-victim contemplating the resolution of a charge like the one here could be expected to press the prosecutor to demand any terms that would be necessary to make the members of the employer’s workforce whole, and a credit check even up to the moment of a plea agreement would therefore be timely,” he wrote.

The Boston U.S. attorney’s office, which represented the government, and Janosko’s lawyer, Syrie Fried, an assistant in the Boston Federal Public Defender’s Office, did not respond to requests for comment.

Sheri Qualters can be contacted at squalters@alm.com.