Some Now Suggesting Cardinals Hack May Have Violated The Economic Espionage Act
from the uh-oh dept
After the revelation that the St. Louis Cardinals are being investigated by the FBI for hacking into the Houston Astros' networks and grabbing a whole bunch of proprietary statistical and scouting data, much of the speculation centered around one or two rogue employees, who may have used old passwords to get into the Astros' systems. Those systems had been set up by the Astros' new GM, who was a former Cardinals employee and who presumably just reused his passwords. With that speculation in mind, the focus then turned to how the feds might look to use the CFAA to go after those employees for having committed a federal crime. All of that would be serious enough in and of itself, except some of the details coming out of the investigation and some of the expert opinions on which laws may be brought to bear are making all of this look much more serious than even most people's first take.
Much of the speculation that only an employee or two will face punishment under the CFAA has taken the form of something like this, from Alexander Southwell, a cybersecurity expert for law firm Gibson Dunn.
Southwell said the most likely charge would involve violation of the federal Computer Fraud and Abuse Act. The Cardinals would be unlikely to face criminal charges unless it could be proven that the team, and not an employee or group of employees, was behind the act, Southwell said.
But not everyone agrees with that. Much in the way that Sarbanes-Oxley was constructed to keep high-level executives from shirking their responsibility for the actions of the businesses they oversee, there are laws on the books that could be used to go after the Cardinals' leadership not only if they had direct knowledge of this alleged hack, but also if they should have known about it but didn't. Serious negligence would have to be proven on the part of the higher-ups still, but the bar is lower. Here's the take from Nathaniel Grow, an Assistant Professor of Legal Studies at the University of Georgia.
“The entity can’t be held responsible for the acts of rogue employees,” he said.
The alleged hacking may have also violated the Economic Espionage Act of 1996, which criminalizes the theft or misappropriation of trade secrets. The data allegedly accessed by the Cardinals would appear to satisfy the legal definition of a trade secret, which covers any information that provides a business with a competitive advantage over its competitors and is not generally known by the public (for example, the recipe for Coca-Cola). The Astros’ proprietary statistical analysis and internal scouting reports would almost certainly qualify as trade secrets under this definition. . . Under the EEA, anyone who steals, copies, or downloads someone else’s trade secret information without permission faces a monetary fine and possible jail sentence of up to 10 years in prison per offense.
Complicating all of this further is the combination of Major League Baseball's antitrust status, which in part hinges on the notion that MLB acts as an umbrella organization under which the franchises operate. One of the questions that's been raised is whether or not the EEA could be invoked in this situation due to that organizational architecture. After all, two different people might own McDonald's franchises, but it would hardly make sense if one sued the other for stealing "trade secrets" when they're both McDonald's. Are the two teams competitors or are they different entities within the same organization?
Perhaps more significantly, however, the EEA would also potentially allow the government to charge the entire Cardinals organization with criminal activity. As Section (b) of the law provides, “Any organization that commits any offense described in subsection (a) shall be fined not more than $5,000,000.” In order to charge the entire organization with criminal activity, however, prosecutors would likely have to show that high-level Cardinals executives were aware of the hacking, or at least should have known that it was going on. If that is the case, then the entire team could face criminal prosecution. But if the hacking were simply carried out by a few lower-level team officials, without the knowledge of any higher-ups, then any organization-wide criminal case would be unlikely.
Either way, the more that comes out, the more it's becoming clear that the FBI has someone or some people in the Cardinals organization dead to rights. The question is going to end up being how many are punished and under what laws they are prosecuted.
Filed Under: astros, cardinals, cfaa, criminal, economic espionage, trade secrets
Companies: houston astros, major league baseball, st. louis cardinals
double standard?
I know the cynics will echo "duh! and... ?" and the one in me would agree, but it's still disheartening to see such an unabashed display of the dichotomy between government and private executives.
RICO?
But seriously, to be equivalent to other people who did much lesser hacks, some people should be looking at possible sentences measured in decades.
Re: RICO?
I can't see any need for the gov't to be involved at all. Don't these people sign NDAs? If not that, then isn't this plain old theft by someone who'd transferred from one org to another? Why're the feds even involved? Maybe they should instead go after the idiots who let the old login credentials stand after an employee left.
[ link to this | view in chronology ]
That would be a much less interesting question if they were both in the same league and thus literally competed with each other on a regular basis, but since they're not, this becomes a bit tricky. But who says they can't be both?