Baseball Executive Caught Stealing, Pleads Guilty to Violation of Computer Fraud and Abuse Act
A scandal in America's Pastime has culminated with a baseball executive, Christopher Correa, pleading guilty on January 8, 2016 to violating the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030, et seq. The guilty plea brings some resolution to the news reports that broke in the summer of 2015 accusing the St. Louis Cardinals of hacking the Houston Astros' online scouting and personnel database. Correa, previously the Director of Baseball Development for the Cardinals, is scheduled for sentencing in April. The five counts each carry a maximum of five years in prison, and the plea deal calls for a recommendation of concurrent, rather than consecutive, sentencing.
While Correa's actions took place in the context of Major League Baseball, baseball fans are not the only ones who should take note: actions similar to Correa's can happen in any industry. The story starts in 2011 when a former employee of the Cardinals – identified in the plea agreement as Victim A – left the Cardinals and joined the Astros. In December 2011, as Victim A was preparing to leave the Cardinals, he was instructed to return his Cardinals-owned laptop to Correa, along with the laptop's password. When Victim A joined the Astros, he re-used a similar password for his Astros account, which allowed access to the Astros email system and to "Ground Control," the Astros' proprietary database of scouting information. Correa used his knowledge of Victim A's Cardinals password to access Victim A's email, Ground Control, and other Astros personnel email accounts. Through this subterfuge, Correa viewed extensive information the Astros had gathered on draft targets, free agents, player trade discussions, and player compensation.
Correa's case is a good example of the CFAA's very broad reach. First passed by Congress in 1984 as a criminal statute to protect classified information in government computer systems, the CFAA was amended in 1996 to cover so-called "protected" computers, or computers "which [are] used in interstate or foreign commerce or communications." The internet has made nearly all computer use – including the Astros' email and Ground Control system – interstate in nature and thereby subject to the CFAA. The plea agreement tabbed the Astros' losses at $1.7 million, far exceeding the CFAA's rather low jurisdictional damages threshold of $5,000.
At bottom, then, this is the tale of an executive who used knowledge of a former employee's passwords to gain access to a competitor's proprietary industry data. There are lessons here for any business. First, an employer that learns an employee is engaging in corporate espionage should investigate thoroughly and respond promptly. The Cardinals appear to have done exactly that: they retained outside counsel, conducted an internal investigation, and then acted decisively by firing Correa shortly after news of the hack broke. It is worth noting that, as of now, the U.S. Attorney's Office has alleged wrongdoing only by Correa, not the team.
Second, companies should implement robust cybersecurity measures, including measures to defend against relatively low-tech intrusions like Correa's. Of obvious merit is a policy requiring frequent changes to passwords, without re-using versions of old passwords. This simple step might have prevented Correa from accessing the Astros' systems.
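The failure mode described above is not exact reuse but a "similar" password: the same base word with a bumped year or a different trailing symbol. A password-change validator can catch that. The following is an added example written for this article, not code from the article or from either team; the class, function and threshold names (`PasswordHistory`, `check_change`, `MIN_EDIT_DISTANCE`, etc.) are assumptions, and the sample passwords are constructed. The similarity test runs against the current password, which the user types in at change time, while older passwords are kept only as salted hashes and can be checked for exact reuse.

```python
import hashlib
import hmac
import os
import re

# Policy knobs (assumed values for this example, not from the article).
HISTORY_DEPTH = 10        # number of previous password hashes to remember
MIN_EDIT_DISTANCE = 4     # new password must differ from the current one by this many edits
PBKDF2_ITERATIONS = 100_000


def normalize(password: str) -> str:
    """Canonical form for the similarity check: case-folded, with the leading
    and trailing digits/punctuation that people typically bump removed, so
    'Cardinals2011!' and 'cardinals!!2012' both become 'cardinals'."""
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.casefold())
    return stripped or password.casefold()  # all-digit passwords: keep as-is


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Per-user record of prior passwords, stored only as salted PBKDF2 hashes."""

    def __init__(self) -> None:
        self._entries: list[tuple[bytes, bytes]] = []  # (salt, hash) pairs

    def _seen(self, password: str) -> bool:
        # Exact-reuse check against the stored history; constant-time compare.
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password: str) -> None:
        """Call after a successful change so the password cannot come back later."""
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt)))
        del self._entries[:-HISTORY_DEPTH]  # keep only the most recent entries

    def check_change(self, current: str, new: str) -> tuple[bool, str]:
        """Return (accepted, reason) for a proposed change from `current` to `new`."""
        if new == current:
            return False, "new password equals current"
        if self._seen(new):
            return False, "password was used previously"
        n_cur, n_new = normalize(current), normalize(new)
        # Same base word with different decoration, or one contained in the other.
        if n_new == n_cur or n_new in n_cur or n_cur in n_new:
            return False, "trivial variation"
        if levenshtein(n_cur, n_new) < MIN_EDIT_DISTANCE:
            return False, "too similar"
        return True, "ok"


if __name__ == "__main__":
    history = PasswordHistory()
    history.record("Cardinals2011!")  # constructed sample, not a real credential
    for candidate in ("Cardinals2012!", "cardinals!!2011", "Astros-GroundControl-9"):
        print(candidate, history.check_change("Cardinals2011!", candidate))
```

Because only the current password is available in clear at change time, similarity can be judged against that one password; older entries are compared by hash, which catches exact reuse but not variations of them. That is an inherent limit of history checks, and a reason to pair them with a reset of every credential a departing employee knew.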
Third, companies that have been victims of an intrusion should explore the CFAA's civil remedies, as codified in Section 1030(g). Victims may obtain compensatory damages and injunctive or other equitable relief.
Baseball teaches that effective defense can keep you in the game. So it is with cybersecurity.