In a developing story, The New York Times is reporting that the FBI is investigating the St. Louis Cardinals for hacking into the Houston Astros’ computer networks to steal the Astros’ internal baseball operations intelligence, which is apparently working.
Quick aside: click here to see highlights of last night’s win and the emergence of some of the Astros’ young stars.
The Astros’ GM responsible for the resurgence of the team used to work for the Cardinals. The two teams used to compete in the National League Central before the Astros moved to the American League West (I’m still getting used to that).
According to the NYT article:
Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager who had been a successful and polarizing executive with the Cardinals until 2011.
When Luhnow left St. Louis, he helped the Astros build their “Ground Control” database which mirrored a similar effort he helped lead when with the Cardinals. This is all part of the sabermetrics / big data craze in professional sports. It’s the reason that at the game I attended earlier this month, it seemed like the shift was employed on defense almost half the time.
Some leaked information was already published in an embarrassing article on Deadspin, which included some trade prospects and player evaluations.
The FBI claims the Cardinals used a master password list, compiled by Luhnow and associates when they were with the Cardinals, to guess their passwords on the Astros’ systems. The FBI was able to determine the hack had been done from a computer at a home that some Cardinals officials had lived in.
Here’s more background and detail from The Washington Post.
So what are the legal issues?
We often advise clients who have been hacked to contact law enforcement authorities. When it is on a smaller scale or not as high profile, it is hard to get them to take action. It is almost always better if you can get law enforcement to investigate and do the heavy lifting.
On the criminal side, you are looking at fines and up to five years in prison based on the statutes discussed below.
But, you can still resort to the civil courthouse.
The Computer Fraud and Abuse Act
The CFAA (18 U.S.C. § 1030), which was passed to address hacking, makes it illegal to access a database without proper authority, or to exceed one’s authority, impairing the computer system or data accessed. Liability is premised on there being at least $5,000 in losses in any one-year period. The CFAA is primarily a criminal statute.
A plaintiff could make a civil claim under the CFAA to recover actual damages, injunctions or other equitable relief. A criminal conviction can result in fines and imprisonment. On the civil side, plaintiffs sometimes struggle to establish the required $5,000 in statutorily-defined “loss” to pursue a CFAA claim.
The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11).
Lost opportunities (like trades, or the value of the actual information) often do not qualify as the type of loss covered by the statute. The loss usually results from costs of investigation and the expense to shut down the computer network.
ECPA and the SCA
The Electronic Communications Privacy Act (18 U.S.C. § 2510) and the Stored Communications Act (18 U.S.C. §§ 2701-12) are equally important sister statutes. Generally speaking, the ECPA applies to electronic communications in transit and the SCA applies to communications stored on servers. By gaining access to a database on the Astros’ servers, the perpetrators may be liable under the Stored Communications Act.
A plaintiff under the ECPA can recover a minimum award of $10,000 or $100 per day of violation, whichever is greater, or actual damages, plus punitive damages, attorneys’ fees and costs. Criminal violations can result in up to five years and fines up to $250,000 for individuals and $500,000 for organizations.
The SCA, meanwhile, which is technically part of the ECPA, makes it illegal for anyone to “intentionally access without authorization a facility through which an electronic communication service is provided or . . . intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.”
In addition to these statutes, there could be additional claims like RICO, breaches of contracts, wire fraud, trespassing and a myriad of state law claims.
The best revenge would be to rectify this dark moment in Houston Astros history from the 2005 NLCS (although the Astros won Game 6 in St. Louis before being swept by the White Sox in their only World Series appearance).
Maybe Springer, Correa, Altuve, Tucker, McHugh and Velasquez can get their recompense out of the courtroom.