Chris Correa is the former scouting director for the St. Louis Cardinals. ESPN.Go reported that, according to the FBI and federal prosecutors, Correa gained access to the Houston Astros' scouting data by using a password similar to that of an ex-employee of the Cardinals who joined the Astros in 2011. The ex-employee “had to turn over his Cardinals-owned laptop to Correa along with the laptop's password” when he left. In 2013, Correa was accused of illegally downloading a file from the Astros' database: a scouting list of all players eligible for the draft in 2013. Correa also viewed notes concerning Astros prospects, including “potential bonus details, statistics and notes on recent performances and injuries by team prospects.” Correa accessed Houston's database 60 times on 35 different days. In June 2014, Houston General Manager Jeff Luhnow, who previously worked for the Cardinals, reported that someone had hacked into the computer servers and published months of internal trade talks online.
In January 2016, Correa pleaded guilty to five counts of unauthorized access to a protected computer, admitting that he hacked into the accounts of three different Astros employees. The information he was able to access was valued at $1.7 million by the prosecutor's office. On Monday, July 18, Correa was sentenced to 46 months in prison, followed by 24 months of supervised release, and ordered to pay restitution in the amount of $279,038. The Cardinals are now facing the possibility of being disciplined by MLB, including the possible loss of draft picks and/or a fine. MLB issued the following statement:
Now that the criminal process has been completed, Commissioner Manfred has asked the Department of Investigations to conduct a complete investigation of the facts in this matter, including requesting information from the appropriate law enforcement authorities… The Commissioner hopes that the investigation can be completed promptly to put him in a position to take appropriate action.
Practice pointers. This high-profile case provides numerous lessons for employers who have confidential information on computer databases. Among other things, employers need to consider the following:
- Properly identify confidential information or trade secrets.
- Educate employees as to what is confidential and/or a trade secret, and how to properly secure it.
- Do not provide passwords to others, whether co-employees, friends or anyone else.
- Passwords should be changed on a regular basis, and should not be similar to a prior password.
- If a key employee leaves, make sure that the person returns the company computer (and other property) as well as the password needed to gain access.
- Ensure that the IT department disables access to the computer system by the departing employee.
- IT can also check the system to see if there has been any unusual activity on the computer system before the employee left: multiple downloads, forwarding of information through emails, etc.
- The new employer should ensure that the password used by the new employee is completely different from what was used at the prior employer.
- Recognize that unauthorized access to a computer system is illegal and can lead to civil and criminal proceedings, which could result in significant jail time and monetary fines or judgments.
- Under the new federal Defend Trade Secrets Act, which I recently wrote about, a court may, under extraordinary circumstances and based on an ex parte request, seize computers and other property if necessary to prevent the propagation or dissemination of the trade secret.