from the uh-oh dept
After the revelation that the St. Louis Cardinals are being investigated by the FBI for hacking into the Houston Astros' networks and grabbing a whole bunch of proprietary statistical and scouting data, much of the speculation centered around one or two rogue employees, who may have used old passwords to get into the Astros' systems. Those systems had been set up by the Astros' new GM, who was a former Cardinals employee and who presumably just reused his passwords. With that speculation in mind, the focus then turned to how the feds might look to use the CFAA to go after those employees for having committed a federal crime. All of that would be serious enough in and of itself, except some of the details coming out of the investigation and some of the expert opinions on which laws may be brought to bear are making all of this look much more serious than even most people's first take.
Much of the speculation that only an employee or two will face punishment under the CFAA has taken the form of something like this, from Alexander Southwell, a cybersecurity expert for law firm Gibson Dunn.
Southwell said the most likely charge would involve violation of the federal Computer Fraud and Abuse Act. The Cardinals would be unlikely to face criminal charges unless it could be proven that the team, and not an employee or group of employees, was behind the act, Southwell said.
But not everyone agrees with that. Much in the way that Sarbanes-Oxley was constructed to keep high-level executives from shirking their responsibility for the actions of the businesses they oversee, there are laws on the books that could be used to go after the Cardinals' leadership not only if they had direct knowledge of this alleged hack, but also if they should have known about it but didn't. Serious negligence would have to be proven on the part of the higher-ups still, but the bar is lower. Here's the take from Nathaniel Grow, an Assistant Professor of Legal Studies at the University of Georgia.
“The entity can’t be held responsible for the acts of rogue employees,” he said.
The alleged hacking may have also violated the Economic Espionage Act of 1996, which criminalizes the theft or misappropriation of trade secrets. The data allegedly accessed by the Cardinals would appear to satisfy the legal definition of a trade secret, which covers any information that provides a business with a competitive advantage over its competitors and is not generally known by the public (for example, the recipe for Coca-Cola). The Astros’ proprietary statistical analysis and internal scouting reports would almost certainly qualify as trade secrets under this definition. . . Under the EEA, anyone who steals, copies, or downloads someone else’s trade secret information without permission faces a monetary fine and possible jail sentence of up to 10 years in prison per offense.
Complicating all of this further is Major League Baseball's antitrust status, which in part hinges on the notion that MLB acts as an umbrella organization under which the franchises operate. One of the questions that's been raised is whether or not the EEA could be invoked in this situation due to that organizational architecture. After all, two different people might own McDonald's franchises, but it would hardly make sense if one sued the other for stealing "trade secrets" when they're both McDonald's. Are the two teams competitors or are they different entities within the same organization?
Perhaps more significantly, however, the EEA would also potentially allow the government to charge the entire Cardinals organization with criminal activity. As Section (b) of the law provides, “Any organization that commits any offense described in subsection (a) shall be fined not more than $5,000,000.” In order to charge the entire organization with criminal activity, however, prosecutors would likely have to show that high-level Cardinals executives were aware of the hacking, or at least should have known that it was going on. If that is the case, then the entire team could face criminal prosecution. But if the hacking were simply carried out by a few lower-level team officials, without the knowledge of any higher-ups, then any organization-wide criminal case would be unlikely.
Either way, the more that comes out, the more it's becoming clear that the FBI has someone or some people in the Cardinals organization dead to rights. The question is going to end up being how many are punished and under what laws they are prosecuted.