The Cardinals Way and the Computer Fraud and Abuse Act

The big baseball news relates to the St. Louis Cardinals' hacking of the Astros' scouting database and not the latest deal for a high-priced middle reliever.  As a data breach attorney and baseball fan, I rarely see two of my main interests collide.  I must confess to feeling some schadenfreude since I am a long-suffering Brewers fan.

The New York Times has been all over this, reporting that the Cardinals had an acrimonious breakup with former GM Jeff Luhnow.  The hack was initiated by current Cardinals employees with an apparent ax to grind with Luhnow.  The motivation appears to have been to embarrass Luhnow by exposing his private conversations about talent.

Luhnow is regarded as a brilliant GM.  He ran a state-of-the-art operation in St. Louis based upon the application of statistical analysis.  His technological baby was a database called “Redbird”.  In Houston, he constructed a proprietary database called “Ground Control”.  The hackers infiltrated “Ground Control” by using old passwords Luhnow maintained while with the Cardinals.  The attack was not sophisticated: evidence led the FBI to a house in St. Louis where the employees lived.  In other words, they were not even savvy enough to cover up their digital trail through the use of a proxy server or spoofed modem, which are common low-level hacker tactics.

There are a few lessons to be drawn from the new “Cardinal way”.  One is that data breaches are pervasive and have legal consequences.  Hacking is not only criminally illegal but also leads to civil liability.  The industry or information does not matter: if you access a password-protected account online or on a network, you have violated the Computer Fraud and Abuse Act.  No, the Houston Astros' scouting records are not exactly military secrets; however, their relative lack of importance does not matter.

The Act makes it illegal for someone to access a computer database without authorization.  Court cases have greatly expanded the definition of unauthorized access under the Act.  In plain English, this usually means hacking.  Hacking can take many forms.  In the Cardinals case, it was simply plugging in Luhnow’s old passwords to access “Ground Control”.  This is a common tactic used by low-level password hackers and aggregators.  Such techniques are not sophisticated and, in this case, probably could have been combated if Luhnow had simply used a little password creativity when he moved to the Astros.

What can happen to the Cardinals employees or the organization?  First, many have been previously prosecuted using this statute.  Famous cases include United States v. Nosal and the tragic Aaron Swartz case.  The Cardinals hackers could do hard jail time, up to twenty years.  Realistically, that won’t happen; however, prosecutors have been routinely criticized for overreaching in charging people under the Act.

Civilly, if the Astros sustained a minimum of $5,000 in damages to remediate the hack, they could have standing to file a civil lawsuit under the Act.  In this case, it is unlikely such a suit would be worth anything unless a jury awarded punitive damages due to the willful nature of the conduct.  If the information has independent economic value, then a trade secrets claim could also be viable.  If, for instance, a trade for a high-priced player fell through as a result of secret information the Cardinals obtained, one could foresee a multimillion-dollar award.

The biggest mystery thus far is whether or not the higher-ups in the Cardinals organization sanctioned or even had knowledge of the conduct.  Regardless, it underscores the necessity for companies to educate their employees on proper cyber conduct.  Companies could be held liable if their employees commit cyber-crimes within the scope of employment.  In this case, the so-called best organization in baseball has certainly been tainted in a manner akin to the NFL’s Patriots.