stored communications Act

If you watched the first round of the NFL Draft, the big story was the sliding of Ole Miss offensive tackle Laremy Tunsil out of the top five to number 13. As the draft was unfolding, someone released a video of him smoking marijuana through a gas mask.  You can read the story here.  You can watch this interview right after he was picked.

To make matters worse, after he was picked, someone released text messages between Tunsil and one of the assistant coaches at Ole Miss where it looks like Ole Miss was paying Tunsil’s rent or his mother’s electric bill.  Read about it and see the texts here. Here is another interview where Tunsil admits the texts were his.

So, can Tunsil sue or is there a possible crime?

Yes and yes.

Assuming someone “hacked” his Twitter or Instagram account, even if Tunsil was somewhat lackadaisical about protecting it, and that this person did not have “authority” to access the account, then there is likely a violation of the Stored Communications Act.

The SCA makes it illegal for anyone to “intentionally access[] without authorization a facility through which an electronic communication service is provided or . . . intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorize access to a wire or electronic communication while it is in electronic storage in such system.” Accessing his Twitter or Instagram accounts without his permission would likely be a violation.

In addition to these statutes, there could be additional claims like RICO, breaches of contracts, fiduciary duty, wire fraud, trespassing, theft, extortion if there was money demanded in advance, and a number of other state law claims.

So, what are the criminal penalties?

Pursuant to 18 U.S.C. § 2701, “if the offense is committed for purposes of commercial advantage, malicious destruction or damage, or private commercial gain,” the criminal penalty for a first offense is a fine or imprisonment for not more than five years or both.

What about a civil lawsuit?

Tunsil could also sue the perpetrator.  Assuming he can establish there was no authority to access his accounts, the SCA provides that a plaintiff can recover:

damages in a civil action under this section the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000. If the violation is willful or intentional, the court may assess punitive damages. In the case of a successful action to enforce liability under this section, the court may assess the costs of the action, together with reasonable attorney fees determined by the court.

18 U.S.C. § 2707.

To prove damages, I would have a composite of the mock drafts immediately prior to the release of the video to determine where Tunsil would have likely been drafted had the video not come out. Then, you take the difference between the guaranteed money that pick would have received and the money the 13th pick receives as your actual damages. Those damages could easily exceed $10 million.

Assuming the defendant wanted to purposefully hurt Tunsil, punitive damages would also be available.

What about Tunsil’s conduct?

Yes, Tunsil is shown smoking marijuana.  Yes, it appears he took benefits from Ole Miss in violation of the NCAA rules. If you are making a negligence claim, the plaintiff’s own negligence comes into play.

But, under the Stored Communications Act, his alleged bad acts don’t really come into play as far as liability.  A jury might consider his actions when deciding the causation. What really caused his damages? Was it the hacking by the defendant or Tunsil’s own bad acts?

Causation is usually a fact question in a civil trial, but would anyone really be surprised that an NFL prospect smoked marijuana at some point in his life? Tunsil says the video is old and his pre-draft drug tests all came up clean.

The video came out 13 minutes before the draft started. The argument is the slide in the draft only happened when the video came out. After all, even after he did these things (although no one knew), he was still considered a top five pick.

If there was a civil case, there could be a huge verdict, but then there is always the matter of collecting.

In a developing story, The New York Times is reporting that the FBI is investigating the St. Louis Cardinals for hacking into the Houston Astros’ computer networks to steal the Astros’ internal baseball operation intelligence which is apparently working.

Quick aside:  click here to see highlights of last night’s win and the emergence of some of the Astros’ young stars.

The Astros’ GM responsible for the resurgence of the team used to work for the Cardinals. The two used to compete in the National League Central before the Astros moved to the American League West (I’m still getting used to that).

According to the NYT article:

Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager who had been a successful and polarizing executive with the Cardinals until 2011.

When Luhnow left St. Louis, he helped the Astros build their “Ground Control” database which mirrored a similar effort he helped lead when with the Cardinals.  This is all part of the sabermetrics / big data craze in professional sports.  It’s the reason that at the game I attended earlier this month, it seemed like the shift was employed on defense almost half the time.

Some leaked information was already published in an embarassing article on Deadspin which included some trade prospects and player evaluations.

The FBI claims the Cardinals used a master password list compiled by Lunhow and associates when they were with the Cardinals to guess their passwords on the Astros’ systems.  The FBI was able to determine the hack had been done from a computer at a home that some Cardinals officials had lived in.

Here’s more background and detail from The Washington Post.

So what are the legal issues?

We often advise clients who have been hacked to contact law enforcement authorities. When it is on a smaller scale or not as high profile, it is hard to get them to take action.  It is almost always better if you can get law enforcement to investigate and do the heavy lifting.

On the criminal side, you are looking at fines and up to five years in prison based on the statutes discussed below.

But, you can still resort to the civil courthouse.

The Computer Fraud and Abuse Act

The CFAA (18 U.S.C. § 1030) makes it illegal to access a data base without proper authority or to exceed one’s authority impairing the computer system or data accessed and was passed to address hacking.  Liability is premised on there being at least $5,000 in losses in any one-year period. The CFAA is primarily a criminal statute.

A plaintiff could make a civil claim under the CFAA to recover actual damages, injunctions or other equitable relief. A criminal conviction can result in fines and imprisonment.  On the civil side, plaintiffs sometimes struggle establishing the required $5,000 in a statutorily-defined “loss” to pursue a CFAA claim.

The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”  18 U.S.C. § 1030(e)(11).

Lost opportunities (like trades, or the value of the actual information) often do not qualify as the type of loss covered by the statute.  The loss usually results from costs of investigation and the expense to shut down the computer network.

ECPA and the SCA

The Electronic Communications Privacy Act (18 U.S.C. § 2510) and the Stored Communications Act (18 U.S.C. §§ 2701-12) are equally important sister statutes.  Generally speaking, the ECPA applies to electronic communications in transit and the SCA applies to communications stored on servers.  By gaining access to a database on the Astros’ servers, the perpetrators may be liable under the Stored Communications Act.

A plaintiff under the ECPA can recover a minimum award of $10,000 or $100 per day of violation — whichever is greater, or, actual damages, plus punitive damages, attorneys’ fees and costs.   Criminal violations can result in up to five years and fines up to $250,000 for individuals and $500,000 for organizations.

The SCA meanwhile, which is technically part of the ECPA, makes it illegal for anyone to “intentionally access[] without authorization a facility through which an electronic communication service is provided or . . . intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorize access to a wire or electronic communication while it is in electronic storage in such system.”

In addition to these statutes, there could be additional claims like RICO, breaches of contracts, wire fraud, trespassing and a myriad of state law claims.

The best revenge would be to rectify this dark moment in Houston Astros history from the 2005 NLCS (although the Astros won Game 6 in St. Louis before being swept by the White Sox in their only World Series appearance).

Maybe Springer, Correa, Altuve, Tucker, McHugh and Velasquez can get their recompense out of the courtroom.

Here’s my interview on Sports Radio 610 from this afternoon’s Triple Threat Show.