United States: The Law Behind The Astros And Cardinals Hacking Scandal

The New York Times originally broke the story that the FBI is investigating the St. Louis Cardinals for hacking into the Houston Astros' computer networks to steal the Astros' internal baseball operation intelligence.

The Astros' GM responsible for the resurgence of the team used to work for the Cardinals. The two used to compete in the National League Central before the Astros moved to the American League West where the Astros are now in first place.

According to the NYT article:

When Luhnow left St. Louis, he helped the Astros build their "Ground Control" database which mirrored a similar effort he helped lead when with the Cardinals. This is all part of the sabermetrics / big data craze in professional sports.

Some leaked information was already published in an embarrassing article on Deadspin which included some trade prospects and player evaluations.

The FBI claims the Cardinals used a master password list compiled by Lunhow and associates when they were with the Cardinals to guess their passwords on the Astros' systems. The FBI was able to determine the hack had been done from a computer at a home that some Cardinals officials had lived in.

According to New York Magazine, the Cardinals fired their scouting director Chris Correa for accessing the Astros database without authorization. Correa claims he did not take anything and the Cardinals' internal action is independent from anything the FBI is doing. Major League Baseball announced they would wait on the FBI to finish their investigation before taking any action.

So what are the legal issues?

We often advise clients who have been hacked to contact law enforcement authorities. When it is on a smaller scale or not as high profile, it is hard to get them to take action. It is almost always better if you can get law enforcement to investigate and do the heavy lifting.

On the criminal side, you are looking at fines and up to five years in prison based on the statutes discussed below. But, you can still resort to the civil courthouse.

The Computer Fraud and Abuse Act

The CFAA (18 U.S.C. § 1030) makes it illegal to access a data base without proper authority or to exceed one's authority impairing the computer system or data accessed and was passed to address hacking. Liability is premised on there being at least $5,000 in losses in any one-year period. The CFAA is primarily a criminal statute.

A plaintiff could make a civil claim under the CFAA to recover actual damages, injunctions or other equitable relief. A criminal conviction can result in fines and imprisonment. On the civil side, plaintiffs sometimes struggle establishing the required $5,000 in a statutorily-defined "loss" to pursue a CFAA claim.

The CFAA defines "loss" as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." 18 U.S.C. § 1030(e)(11).

Lost opportunities (like trades, or the value of the actual information) often do not qualify as the type of loss covered by the statute. The loss usually results from costs of investigation and the expense to shut down the computer network.

ECPA and the SCA

The Electronic Communications Privacy Act (18 U.S.C. § 2510) and the Stored Communications Act (18 U.S.C. §§ 2701-12) are equally important sister statutes. Generally speaking, the ECPA applies to electronic communications in transit and the SCA applies to communications stored on servers. By gaining access to a database on the Astros' servers, the perpetrators may be liable under the Stored Communications Act.

A plaintiff under the ECPA can recover a minimum award of $10,000 or $100 per day of violation — whichever is greater, or, actual damages, plus punitive damages, attorneys' fees and costs. Criminal violations can result in up to five years and fines up to $250,000 for individuals and $500,000 for organizations.

The SCA meanwhile, which is technically part of the ECPA, makes it illegal for anyone to "intentionally access[] without authorization a facility through which an electronic communication service is provided or . . . intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorize access to a wire or electronic communication while it is in electronic storage in such system."

The Economic Espionage Act

If the stolen information includes "trade secrets," the perpetrator could be convicted under the federal Economic Espionage Act. It defines "trade secrets" as it is enumerated in the civil Uniform Trade Secrets Act as "all forms and types of financial, business, scientific, technical, economic or engineering information" that the owner has taken "reasonable measures" to keep secret and that "derives independent economic value, actual or potential, from not being generally known to ... the public."

Under the Economic Espionage Act, organizations could be fined up to $5 million. An offense for an individual is felony with a penalty of up to ten years in prison.

In addition to these statutes, there could be additional claims like RICO, breaches of contracts, wire fraud, trespassing and a myriad of state law claims.

Most of the parties involved have been quiet about the investigation, but it would not be surprising for the FBI to use this high profile case as an example of how serious it intends to prosecute hacking in the future.

Of course, the best revenge for the Astros would be to meet in the Fall Classic this year, which based on records to date, is not as implausible as it would have been at the beginning of the season.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.