Some Now Suggesting Cardinals Hack May Have Violated The Economic Espionage Act

from the uh-oh dept

After the revelation that the St. Louis Cardinals are being investigated by the FBI for hacking into the Houston Astros’ networks and grabbing a whole bunch of proprietary statistical and scouting data, much of the speculation centered around one or two rogue employees, who may have used old passwords to get into the Astros’ systems. Those systems had been set up by the Astros’ new GM, who was a former Cardinals employee and who presumably just reused his passwords. With that speculation in mind, the focus then turned to how the feds might look to use the CFAA to go after those employees for having committed a federal crime. All of that would be serious enough in and of itself, except some of the details coming out of the investigation and some of the expert opinions on which laws may be brought to bear are making all of this look much more serious than even most people’s first take.

Much of the speculation that only an employee or two will face punishment under the CFAA has taken the form of something like this, from Alexander Southwell, a cybersecurity expert for law firm Gibson Dunn.

Southwell said the most likely charge would involve violation of the federal Computer Fraud and Abuse Act. The Cardinals would be unlikely to face criminal charges unless it could be proven that the team, and not an employee or group of employees, was behind the act, Southwell said.

“The entity can’t be held responsible for the acts of rogue employees,” he said.

But not everyone agrees with that. Much in the way that Sarbanes-Oxley was constructed to keep high-level executives from shirking their responsibility for the actions of the businesses they oversee, there are laws on the books that could be used to go after the Cardinals’ leadership not only if they had direct knowledge of this alleged hack, but also if they should have known about it but didn’t. Serious negligence would have to be proven on the part of the higher-ups still, but the bar is lower. Here’s the take from Nathaniel Grow, an Assistant Professor of Legal Studies at the University of Georgia.

The alleged hacking may have also violated the Economic Espionage Act of 1996, which criminalizes the theft or misappropriation of trade secrets. The data allegedly accessed by the Cardinals would appear to satisfy the legal definition of a trade secret, which covers any information that provides a business with a competitive advantage over its competitors and is not generally known by the public (for example, the recipe for Coca-Cola). The Astros’ proprietary statistical analysis and internal scouting reports would almost certainly qualify as trade secrets under this definition. . . Under the EEA, anyone who steals, copies, or downloads someone else’s trade secret information without permission faces a monetary fine and possible jail sentence of up to 10 years in prison per offense.

Perhaps more significantly, however, the EEA would also potentially allow the government to charge the entire Cardinals organization with criminal activity. As Section (b) of the law provides, “Any organization that commits any offense described in subsection (a) shall be fined not more than $5,000,000.“ In order to charge the entire organization with criminal activity, however, prosecutors would likely have to show that high-level Cardinals executives were aware of the hacking, or at least should have known that it was going on. If that is the case, then the entire team could face criminal prosecution. But if the hacking were simply carried out by a few lower-level team officials, without the knowledge of any higher-ups, then any organization-wide criminal case would be unlikely.

Complicating all of this further is the combination of Major League Baseball’s antitrust status, which in part hinges on the notion that MLB acts as an umbrella organization under which the franchises operate. One of the questions that’s been raised is whether or not the EEA could be invoked in this situation due to that organizational architecture. After all, two different people might own McDonald’s franchises, but it would hardly make sense if one sued the other for stealing “trade secrets” when they’re both McDonald’s. Are the two teams competitors or are they different entities within the same organization?

Either way, the more that comes out, the more it’s becoming clear that the FBI has someone or some people in the Cardinals organization dead to rights. The question is going to end up being how many are punished and under what laws they are prosecuted.

Filed Under: , , , , ,
Companies: houston astros, major league baseball, st. louis cardinals

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Some Now Suggesting Cardinals Hack May Have Violated The Economic Espionage Act”

Subscribe: RSS Leave a comment
Daniel (profile) says:

double standard?

It seems strange to me that such a law would exist, one where the leaders of an organization are held responsible if they should have known about egregious acts, for the private sector, but nothing similar for the public sector. Consider the somewhat recent case of Brennan denying knowledge of the CIA hacking senate staffers’ computers. Any reasonable person would agree the director of an agency should reasonably have knowledge of such actions and you’d think, or hope rather, that knowledge or not, he would be held responsible for those actions.

I know the cynics will echo “duh! and… ?” and the one in me would agree, but it’s still disheartening to see such an unabashed display of the dichotomy between government and private executives.

tqk (profile) says:


How about using the RICO act against the Cardinals?

I can’t see any need for the gov’t to be involved at all. Don’t these people sign NDAs? If not that, then isn’t this plain old theft by someone who’d transferred from one org to another? Why’re the feds even involved? Maybe they should instead go after the idiots who let the old login credentials stand after an employee left.

Leave a Reply to VonFluffington Cancel reply

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...