In the weeks since the story broke one Cardinals’ employee has already been terminated in connection with the investigation, although no charges have been filed. An article in the St. Louis Post-Dispatch reports that Cardinals director of amateur scouting, Chris Correa, was terminated on July 1st and has admitted to being at least partially responsible for the hack. In a prepared statement from his lawyer, Nicholas Williams, Correa shed some light on a possible motive:
“Mr. Correa denies any illegal conduct. The relevant inquiry should be what information did former St. Louis Cardinals employees steal from the St. Louis Cardinals organization prior to joining the Houston Astros, and who in the Houston Astros organization authorized, consented to, or benefitted from that roguish behavior?”
Correa’s comments seem to support the proposition that any alleged theft of proprietary information that may have occurred was in fact done to embarrass Jeff Luhnow and was not a calculated attempt by the Cardinals organization to obtain a competitive advantage. While that may be considered a mitigating factor when punishments are eventually handed down, the St. Louis Cardinals and any participating employees still face potential liability for arguably violating a number of federal computer hacking statutes.
1. The Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (CFAA) penalizes various conduct relating to remote access of another’s computer. Under the applicable provisions of the statute individuals guilty of violations could be issued a fine, sentenced up to 10 years in prison, or both. The statute would also allow the Houston Astros to sue individual hackers for economic damages in civil court if they suffered damage or loss exceeding $5,000.
Section (a)(4) imposes liability on anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization . . . and by means of such conduct furthers the intended fraud and obtains anything of value.” One issue that arises in this case is whether the information contained in the Astros database was actually something of “value.” The statute itself does not define “value” and the general consensus among Major League General Managers seems to be that the information’s shelf-life is too short to be valuable to other clubs. In an article published on SB Nation, Jeff Luhnow himself was quoted as saying “the idea that one team’s outdated intellectual property would have remained helpful to a rival even in the short term is illogical. If you were to take a snapshot of the database of one team, within a month it would not be useful anymore, because things change so quickly."
Section (a)(5)(C) of the CFAA could be another source of potential liability. This provision provides penalties for anyone who “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.” For the Houston Astros “damage and loss” means impairment to the integrity of the information and includes any reasonable cost including the cost of responding to an offense, conducting a damage assessment, and any revenue lost. Cardinals’ employees would likely take the position that there is no damage and loss because the information compromised during the breach is outdated intellectual property and the response to the breach has been handled exclusively by the FBI and Justice Department. The Astros on the other hand, can show damage and loss by demonstrating that they invested significant employee time in addressing the breach, or that the hack has negatively affected their relationship with other teams.
The Economic Espionage Act (EEA) governs criminal penalties for the theft and misappropriation of trade secrets. The EEA defines a trade secret as (1) information that the owner has taken reasonable measures to keep secret and (2) the information derives independent economic value from not being generally known and not being readily ascertainable through proper means by the public. Under the EEA an individual who steals or otherwise misappropriates a trade secret is subject to a fine and may be sentenced to up to ten years in prison.
A charge under the EEA could be forthcoming if investigators discover that information taken by the Cardinals was used in their internal baseball operations. If the information was used by high ranking executives with authority to make player personnel decisions it would be easier to prove that the information had intrinsic economic value and that the Cardinals used that information for their own economic benefit.
The issue with bringing charges under the EEA is whether the information housed in the Astros’ database actually qualifies as a trade secret. The statement issued by Chris Correa’s attorney suggests that information in the database was taken from the Cardinals’ organization when Jeff Luhnow and other executives left the team in 2011. If that statement is proven to be true that information would not be protected under the EEA. Additionally, if the information was accessed using a master list of passwords left by Jeff Luhnow in the St. Louis Cardinals front office it would be difficult to prove that reasonable steps were taken to protect the information.
3. Federal Wire Fraud (Communications Act)
Any use of a computer as part of a scheme to defraud another person generally falls within the scope of the federal wire fraud statute known as the Communications Act. An individual found guilty of federal wire fraud could face a fine or imprisonment of up to 20 years depending on the seriousness of the offense. To obtain a conviction for federal wire fraud the government must prove beyond a reasonable doubt that an individual: (1) used wire communication, (2) in the furtherance of a scheme to defraud, (3) involving a material deception, (4) with the intent to deprive another, (5) of property or honest services.
Federal wire fraud legislation is the broadest sweeping of the computer hacking statutes and a federal prosecutor could potentially prove each of the five elements in this situation. During the alleged hack the Cardinals’ officials used wire communication by remotely accessing the Houston database from a home computer. The use of wire communication appears to be in furtherance of a scheme to defraud because officials stole proprietary player information when they accessed the database. The hackers used a material deception by misrepresenting themselves as Houston Astros front office personnel. It was apparently the Hackers intent to steal proprietary information from the database and intangible intellectual property was actually taken during the breach.
In total, any Cardinals’ officials implicated in the breach will be exposed to potential civil and criminal liability on top of any discipline handed down by the St. Louis Cardinals. If proven to be in violation of one or more of the computer hacking statutes, each individual could be sued for damages in civil court by the Houston Astros and could potentially face a 20-year prison sentence if convicted by a federal prosecutor.
As for the St. Louis Cardinals organization, any discipline for their role in the breach is going to be handed down by Major League Baseball. While the organization could be vicariously liable to the Houston Astros for civil damages caused by their employees, Major League Baseball’s Constitution does not allow teams to sue one another and all disputes are handled internally. Rob Manfred and the Commissioner’s Office have decided to wait until the conclusion of the investigation before handing down any discipline, but when they do the St. Louis Cardinals could face a fine of up to $2,000,000 for not acting “in the best interest of baseball.”