There is a long and storied tradition of American professional sports teams surreptitiously trying to steal information from opponents, from sign-stealing in baseball to the infamous “Spygate” scandal involving the NFL’s New England Patriots videotaping other teams’ coaches and analyzing hand signals.
When caught engaging in such chicanery, those involved typically face suspensions and fines. Tuesday’s revelation that St. Louis Cardinals employees may have hacked into a Houston Astros network to access scouting reports and internal trade deliberations, however, is a much more serious matter, according to legal experts. If Cardinals employees accessed the Astros’ system without permission, as investigators believe, they broke federal law, and could face prison time.
What elevated this alleged scheme from competitive cheating to criminal corporate espionage is the use of a computer. The Computer Fraud and Abuse Act is a 1986 law that made it a federal crime to obtain information from a computer without authorization. The law applies both to sophisticated hacking attempts and simpler breaches, such as the password-testing methods Cardinals employees allegedly deployed to crack into their former colleague Jeffrey Luhnow’s system in Houston, according to the New York Times.
“This is classic corporate espionage … If true, it clearly violates the law,” said Alexander H. Southwell, a former federal prosecutor and co-chair of the privacy, cybersecurity and consumer protection practice at the Gibson Dunn & Crutcher law firm.
In the eyes of the law, it doesn’t make a difference if you’re a Chinese national trying to steal design schematics from American aerospace companies, or a Cardinals employee wanting to find out what Astros scouts think of their team’s young prospects and whom they’d be willing to trade.
“There’s healthy competition between teams,” former federal prosecutor Michael Wildes said. “When someone physically extracts proprietary intelligence that’s not transparently available to the public, that’s a crime.”
Penalties under the Computer Fraud and Abuse Act range from hefty fines to prison sentences of up to 20 years. Based on the allegations outlined Tuesday, Southwell guessed Cardinals employees involved with the scheme could be threatened with prison sentences of up to five years.
The key factors that will determine possible sentence length are the value of the information stolen, and what Cardinals employees did with it, Southwell said.
“It’s too early to tell whether they took information that was helpful in games, or whether they destroyed information in an attempt at sabotage, or if they just accessed it for some prurient interests,” Southwell said. “If they haven’t actually done anything with the data, it’s just a breach of security. Those typically don’t have long prison sentences.”
In an analogous case last year, Ariel Friedler — the former CEO of Symplicity Corporation, a Virginia higher education technology firm — was sentenced to two months in federal prison and one year of probation after admitting to hacking into competitors’ computer systems.