This article first appeared in Yahoo Finance.
As was first reported by the New York Times, the FBI and Justice Department are investigating whether St. Louis Cardinals employees illegally hacked into networks owned and operated by the Houston Astros. The information allegedly obtained by the Cardinals contained information about potential trades, player evaluations and statistics. At least one commentator on ESPN has suggested that if the information was not the “work of significant efforts by Astros officials . . . not available elsewhere” and “if the Cardinals’ activity was just a dirty trick or an attempt at getting even with a former colleague, the hacking might not qualify as a crime.” This understanding is just plain wrong with regard to computer hacking and, if the information was not publicly available, the government may be able to also charge theft of trade secrets.
The case, believed to be the first corporate espionage case involving two professional sports teams may create a legal nightmare for the Cardinals and those employees who were involved in it, especially if higher level Cardinal employees were involved or had knowledge of the activity. In particular, the Cardinals and their employees may be subject to criminal liability under the Computer Fraud and Abuse Act (CFAA) and the Economic Espionage Act (EEA). This case is different however from cases where a company steals trade secrets from another company and the victim company can also bring a civil suit for damages because Major League Baseball by-laws do not permit one team from suing another team civilly, although under federal criminal laws the Astros as the victim would be entitled to restitution from the Cardinals for the amount of damage caused by the Redbirds.
First, with regard to potential criminal liability under the CFAA, the most relevant section prohibits anyone from “intentionally” accessing “a protected computer without authorization or in excess of authorization” and, thereby “obtained information.” There is no requirement that the information be “proprietary, non-public information” information, or that it is “the work product of significant efforts by Astros officials . . . not available elsewhere.” It simply must be information and there is no requirement that they “knew the were committing a crime,” or that they didn’t just see this as a “dirty trick.” Further, the term “obtained information” includes merely viewing information online. Even if the Cardinals breach was an unsophisticated effort, the circumvention of password requirements likely violates the CFAA.
However, without more, this only establishes that the Cardinals’ employees committed a misdemeanor and it is commonly understood that federal prosecutors are reluctant to charge misdemeanors, although in this case, given the notoriety of the matter, they may make an exception. Further, where the crime is committed for “purposes of commercial advantage or private personal gain,” the offense becomes a felony. Here, it seems likely that the offense was committed in order to provide the Cardinals with a competitive edge on the field, which would certainly qualify as “commercial advantage” and would provide the basis to bring felony charges.
Reports have also suggested that the hack was precipitated by the Cardinals employees’ belief that Luhnow had taken with him proprietary information belonging to the Cardinals when he went to the Astros as the general manager. Unfortunately for the Cardinals employees, their motive is not relevant to whether they committed a crime. As a general matter, the law frowns on self-help measures and instead of taking measures into their own hands, the Cardinals should have referred the matter to law enforcement and/or Major League Baseball if supported by the facts.
In addition to the CFAA, the government may also charge the Cardinal employees with violating the Economic Espionage Act, which has been in the news lately in connection with the government charging six Chinese nationals in what the government contended was a decades-long scheme to steal microelectronics designs from U.S. companies on behalf of the Chinese government. While the EEA is most commonly used to prosecute thefts of trade secrets involving sophisticated technology, there is nothing that would prevent the government from using it to prosecute the Cardinal employees if the information allegedly obtained qualified a trade secret.
While many people may find it difficult to believe that baseball teams have trade secrets, the data allegedly accessed by the Cardinals would appear to satisfy the legal definition of a trade secret which covers any information that provides a business with a competitive advantage over its competitors, is not generally known to the public, and which the owner has taken reasonable measures to keep secret. The Astros’ proprietary statistical analysis and internal scouting reports would almost certainly qualify as a trade secret under this definition. The only possible question would be whether the Astros’ took reasonable measures to safeguard the information. However, this does not mean, that the extent of the Astros security measures had to be absolute, but they had to be “reasonable” under circumstances. In order to answer this question, the government, as part of its investigation, will be seeking information on whether the Astros, apart from requiring passwords to access the system, undertook other security measures. For example, did the Astros limit access to the information on a “need to know basis, were employees required to sign confidentiality agreements, were paper documents of the same information kept under lock and key, and were the documents marked “confidential” or contain some other legend indicating their non-public nature? Under the EEA, anyone who steals, copies, or downloads someone else’s trade secrets without permission faces a monetary fine and possible jail sentences of up to 10 years in prison.
The criminal penalties that the Cardinals’ employees could be facing would depend on a variety of factors and would be determined by a judge based on the application of the federal Sentencing Guidelines and not the statutory penalties, which simply set the maximum sentence that can be imposed. In general, the Sentencing Guidelines contain a base level and a variety of factors that are applied to a given crime and from which the sentence is calculated. For example, in the case of a bank robbery, the Guidelines would provide for an increase in the sentence if the robber used a gun or committed an act of violence. In the case of computer hacking and theft of trade secrets the single most important factor determining the sentence is the “amount of loss.” This can include the fair market value or replacement cost of the property. While determining the value of the Astros’ information may be very difficult to determine since there is no market for this type of information and determining the replacement cost may be somewhat speculative, a “reasonable estimate” is sufficient.
In this instance if it is assumed that the amount of loss caused by the hack was $500,000, the defendants could be facing a sentence of 33-41 months in prison, which is certainly not an insignificant sentence.
While it would be difficult to charge the Cardinals’ organization under the CFAA, the EEA would potentially allow the government to charge it with criminal activity. The EEA specifically provides that “Any organization that commits any offense … (a) shall be fined not more than $5,000,000.” In order to charge the entire organization with criminal activity, however, prosecutors would likely have to show that mid or high-level Cardinal executives were aware of the hacking, or at least should have known that it was going on. Conversely, if the hacking was committed by low-level employees, without the knowledge of their supervisors, than it is unlikely that the Cardinals would be charged by the government.
While federal criminal investigations often to extra innings and do not end as expected, it is almost certain that the Cardinals’ employees who were involved in the hack of the Astros’ computer system will face federal criminal charges. Whether the Cardinals as an organization will also be criminally indicted is more of an unknown, but remains a distinct possibility. The Justice Department has stated publicly, and by its actions has clearly indicated that it takes computer hacking and theft of trade secrets very seriously, and there is no reason that the government is not approaching this matter with the same determination.