The Legal Implications of the Cardinals’ Alleged Hacking

The New York Times dropped a bombshell of a story Tuesday morning, reporting that the FBI is investigating whether front-office officials from the St. Louis Cardinals may have illegally hacked into the Houston Astros’ proprietary computer network. According to the Times, government officials believe that unnamed Cardinals employees may have accessed the Astros’ computers in order to retrieve the team’s internal trade discussions, proprietary statistics and scouting reports. The FBI has apparently traced the source of the hacking to a house shared by some Cardinals employees.

While some are understandably comparing Tuesday’s news to the NFL’s recent “SpyGate” scandal – in which the New England Patriots were accused of impermissibly videotaping the New York Jets coaches’ hand signals during a 2007 game – if true, the Cardinals’ alleged hacking would, of course, be much more serious. Beyond just league-imposed penalties, the hacking allegations carry the possibility of criminal prosecution, not just for the Cardinals employees involved in the breach, but potentially for the organization as a whole.

The primary law implicated by the Cardinals’ alleged hacking would appear to be the Computer Fraud and Abuse Act. The CFAA was originally passed back in 1984 to protect both the government and the financial industry from electronic espionage. The law was later expanded in 1996, however, to cover any unauthorized, remote access of another’s computer.

Under Section (a)(4) of the CFAA, anyone who “knowingly … accesses a protected computer without authorization” in order to “obtain[] anything of value” is subject to potential criminal liability for the hacking. Similarly, Section (a)(5)(B) of the law prohibits “intentionally access[ing] a protected computer without authorization,” should it result in any damage being inflicted on the computer’s owner.

These provisions would appear to apply to the Cardinals’ alleged hacking. As the Times reported:

Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

So any Cardinals employees involved in the alleged hacking could potentially face criminal prosecution under the CFAA. Assuming that whichever employees are responsible for the breach have not been previously convicted for an earlier hacking offense, they would face a potential jail sentence of up to five years imprisonment, along with monetary fines potentially reaching into the hundreds of thousands of dollars.

Notably, however, this maximum sentence would apply per offense, meaning that if the hackers were shown to have illegally accessed the Astros’ computers on more than one occasion, each separate intrusion would constitute a separate offense, each carrying a potential five-year jail sentence and monetary fine.

In addition to the CFAA, the alleged hacking may have also violated the Economic Espionage Act of 1996, which criminalizes the theft or misappropriation of trade secrets. The data allegedly accessed by the Cardinals would appear to satisfy the legal definition of a trade secret, which covers any information that provides a business with a competitive advantage over its competitors and is not generally known by the public (for example, the recipe for Coca-Cola). The Astros’ proprietary statistical analysis and internal scouting reports would almost certainly qualify as trade secrets under this definition.

As a result, the government could potentially choose to charge the perpetrators with criminal violations of the EEA as well. Under the EEA, anyone who steals, copies, or downloads someone else’s trade secret information without permission faces a monetary fine and possible jail sentence of up to 10 years in prison per offense.

Perhaps more significantly, however, the EEA would also potentially allow the government to charge the entire Cardinals organization with criminal activity. As Section (b) of the law provides, “Any organization that commits any offense described in subsection (a) shall be fined not more than $5,000,000.“

In order to charge the entire organization with criminal activity, however, prosecutors would likely have to show that high-level Cardinals executives were aware of the hacking, or at least should have known that it was going on. If that is the case, then the entire team could face criminal prosecution. But if the hacking were simply carried out by a few lower-level team officials, without the knowledge of any higher-ups, then any organization-wide criminal case would be unlikely.

In addition to the potential criminal liability, the hacking could also of course result in potential civil liability as well. Under the CFAA, the victim of unauthorized hacking has a right to sue the perpetrator(s) for any financial damage that the unauthorized access may have caused. Meanwhile, the Uniform Trade Secrets Act authorizes the victims of trade secret theft to sue civilly as well.

That having been said, it is probably unlikely that the Astros would choose to file a civil lawsuit over the matter. Not only would it be difficult for the Astros to prove exactly how much the team had been harmed by the unauthorized access in monetary terms, but any lower-level Cardinals officials involved in the incident may very well lack the financial means to pay a sizeable damages award. Instead, the team will almost certainly defer to MLB to impose any sanctions on the Cardinals.

Nevertheless, MLB’s latest scandal is sure to keep plenty of attorneys busy for the foreseeable future.