The Legal Implications of the Cardinals’ Alleged Hacking

The New York Times dropped a bombshell of a story Tuesday morning, reporting that the FBI is investigating whether front-office officials from the St. Louis Cardinals may have illegally hacked into the Houston Astros’ proprietary computer network. According to the Times, government officials believe that unnamed Cardinals employees may have accessed the Astros’ computers in order to retrieve the team’s internal trade discussions, proprietary statistics and scouting reports. The FBI has apparently traced the source of the hacking to a house shared by some Cardinals employees.

While some are understandably comparing Tuesday’s news to the NFL’s recent “SpyGate” scandal – in which the New England Patriots were accused of impermissibly videotaping the New York Jets coaches’ hand signals during a 2007 game – if true, the Cardinals’ alleged hacking would, of course, be much more serious. Beyond just league-imposed penalties, the hacking allegations carry the possibility of criminal prosecution, not just for the Cardinals employees involved in the breach, but potentially for the organization as a whole.

The primary law implicated by the Cardinals’ alleged hacking would appear to be the Computer Fraud and Abuse Act. The CFAA was originally passed back in 1984 to protect both the government and the financial industry from electronic espionage. The law was later expanded in 1996, however, to cover any unauthorized, remote access of another’s computer.

Under Section (a)(4) of the CFAA, anyone who “knowingly … accesses a protected computer without authorization” in order to “obtain[] anything of value” is subject to potential criminal liability for the hacking. Similarly, Section (a)(5)(B) of the law prohibits “intentionally access[ing] a protected computer without authorization,” should it result in any damage being inflicted on the computer’s owner.

These provisions would appear to apply to the Cardinals’ alleged hacking. As the Times reported:

Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

So any Cardinals employees involved in the alleged hacking could potentially face criminal prosecution under the CFAA. Assuming that whichever employees are responsible for the breach have not been previously convicted for an earlier hacking offense, they would face a potential jail sentence of up to five years imprisonment, along with monetary fines potentially reaching into the hundreds of thousands of dollars.

Notably, however, this maximum sentence would apply per offense, meaning that if the hackers were shown to have illegally accessed the Astros’ computers on more than one occasion, each separate intrusion would constitute a separate offense, each carrying a potential five-year jail sentence and monetary fine.

In addition to the CFAA, the alleged hacking may have also violated the Economic Espionage Act of 1996, which criminalizes the theft or misappropriation of trade secrets. The data allegedly accessed by the Cardinals would appear to satisfy the legal definition of a trade secret, which covers any information that provides a business with a competitive advantage over its competitors and is not generally known by the public (for example, the recipe for Coca-Cola). The Astros’ proprietary statistical analysis and internal scouting reports would almost certainly qualify as trade secrets under this definition.

As a result, the government could potentially choose to charge the perpetrators with criminal violations of the EEA as well. Under the EEA, anyone who steals, copies, or downloads someone else’s trade secret information without permission faces a monetary fine and possible jail sentence of up to 10 years in prison per offense.

Perhaps more significantly, however, the EEA would also potentially allow the government to charge the entire Cardinals organization with criminal activity. As Section (b) of the law provides, “Any organization that commits any offense described in subsection (a) shall be fined not more than $5,000,000.

In order to charge the entire organization with criminal activity, however, prosecutors would likely have to show that high-level Cardinals executives were aware of the hacking, or at least should have known that it was going on. If that is the case, then the entire team could face criminal prosecution. But if the hacking were simply carried out by a few lower-level team officials, without the knowledge of any higher-ups, then any organization-wide criminal case would be unlikely.

In addition to the potential criminal liability, the hacking could also of course result in potential civil liability as well. Under the CFAA, the victim of unauthorized hacking has a right to sue the perpetrator(s) for any financial damage that the unauthorized access may have caused. Meanwhile, the Uniform Trade Secrets Act authorizes the victims of trade secret theft to sue civilly as well.

That having been said, it is probably unlikely that the Astros would choose to file a civil lawsuit over the matter. Not only would it be difficult for the Astros to prove exactly how much the team had been harmed by the unauthorized access in monetary terms, but any lower-level Cardinals officials involved in the incident may very well lack the financial means to pay a sizeable damages award. Instead, the team will almost certainly defer to MLB to impose any sanctions on the Cardinals.

Nevertheless, MLB’s latest scandal is sure to keep plenty of attorneys busy for the foreseeable future.

 

 





Nathaniel Grow is an Associate Professor of Business Law and Ethics at Indiana University's Kelley School of Business. He is the author of Baseball on Trial: The Origin of Baseball's Antitrust Exemption, as well as a number of sports-related law review articles. You can follow him on Twitter @NathanielGrow. The views expressed are solely those of the author and do not express the views or opinions of Indiana University.

newest oldest most voted
Hutch
Member
Hutch

Best Fans in Baseball©

Compton
Guest
Compton

But what do their fans have to do with this?

Paul
Guest
Paul

Nothing, but it’s still fun to joke about. All of the hyperbole about the classiest, best-run organization with the best fans makes for good fodder in times like this.

McNulty
Guest
McNulty

The media sure loves to build something up just to tear it down later

BDJ
Guest
BDJ

Hutch, you’re an idiot. This had nothing to do with fans.

Sgt. Hulka
Guest
Sgt. Hulka

Lighten up, Francis.

captain obvious
Guest
captain obvious

WE DON’T KNOW THAT YET

The next step may well be federal charges against the Cardinal fanbase, according to my speculation.

Oh please oh please

Freese_AEC
Guest
Freese_AEC

Yeah, like any fan would be crazy enough to carry out criminal hacking…

It’s a FELONY FRAUD.

Neil
Guest
Neil

Probability is high that the employees who hacked into the Astros network are fans of the Cardinals.

But in all seriousness...
Guest
But in all seriousness...

Best Hackers in Baseball

Neil
Guest
Neil

Not really they got caught, and did it from their home.