The Cardinal Rule for The Connected Age
Although stealing signs has been commonplace in major league baseball for decades, the type of theft that occurred last year from the Houston Astros computer network appears to be unprecedented in professional sports. Many readers will likely have read the startling news that the Federal Bureau of Investigation is investigating allegations that a member of the St. Louis Cardinals organization hacked into a Houston Astros database containing a potentially wide range of sensitive information. The facts currently in the public domain point to a former Cardinals front office executive utilizing a former employee’s password to gain access to an Astros database called Ground Control that housed statistical information, scouting reports and medical records. After some sensitive information belonging to the Astros appeared on the Internet last summer, the F.B.I. in Houston began conducting an investigation. Using the standard cyber investigative technique of tracing an IP address back to the home of a Cardinals employee, the F.B.I. began unraveling a much larger scheme. Several critical questions remain unanswered for the general public. Was this the action of a single rogue employee or a concerted effort by the organization as retribution for the Astros hiring of a former Cardinals employee? Was the stolen information utilized to gain a strategic advantage?
As anyone who has been subjected to such an intrusion knows, the feeling isn’t pleasant. According to the New York Times, Jeff Luhnow, the victimized former Cardinals executive and current Astros executive said, “At the time when it happened a year ago, it was like coming home and seeing your house has been broken into,” he said. “You feel violated when someone does that without permission.” Exactly what transpired with Luhnow’s password(s) remains unclear at this point, but serves as a constant reminder to practice good password and network security.
A multitude of federal criminal statutes may be implicated by this type of illegal conduct. The most obvious violation involves a federal statue called the Computer Fraud and Abuse Act (the “CFAA” at 18 United States Code, Section 1030) addressing computer and network intrusions. Importantly, this law sets out what constitutes an unlawful intrusion or “hack.” The alleged conduct in the Astros hack – using a known password or guessing the next version of that password – would clearly be covered under the law. The law explicitly addresses unauthorized access to computer systems with the key word being unauthorized. So, if the Cardinals executive under investigation obtained an old password or guessed the next version of the password, using it to gain access to the Astros database would undoubtedly qualify as unauthorized.
Depending on the facts surrounding the manner and means of the computer intrusion, several other federal criminal statutes may also have been violated. The information stolen from the Astros database could be covered under the federal Economic Espionage Act prohibiting theft of trade secrets (located at 18. United States Code, Section 1831). Although a variety of factors must be met, the trade secret law will clearly be in play during the investigation and court case. Although it’s currently unknown if the conduct involved the unauthorized use of passwords to monitor email traffic, continuing access to a victim’s email account, such as through key-logging software or even setting up an auto-forward, a violation of the federal WireTap Act (located at 18 United States Code, Section 2511) may also have occurred. So if all of these potential allegations can be proven, what may be the result in court? Some of the answer to that question relates to the loss of economic value caused by the conduct and the background of the accused. That being said, it’s not unreasonable to surmise that a prison sentence may be on the horizon.
Another potential issue – and one that will likely only play out after a criminal case – is what kind of civil liability may the Cardinals face for this conduct. Potential causes of action exist under both federal and state law should the Astros organization choose that course of action. Are there indications that the Cardinals knew or should have known about the actions of a front office employee? Did anyone in the Cardinals organization question how this front office employee knew so much about the Astros? Did anyone hesitate when this front office employee requested and obtained the master password list of Cardinal’s employees which gave him a roadmap to obtaining a workable password for the Astros database? Only one thing is certain at this point, the attorneys and investigators are hard at work…so stay tuned. Oh, and the cardinal rule for the connected age – change your password.
Marc Miller serves as general counsel for McCann Investigations, a firm with primary offices in New York and Houston that specializes in private investigations, digital forensics, privacy intrusions and more. In addition to holding senior executive positions in the movie and video game industry, Mr. Miller served as a state & federal prosecutor for almost 15 years spending significant time in the United States Department of Justice’s Computer Crime Section.