Thursday, July 28, 2016

Legal Geek No. 81: The CFAA Strikes Again, in Baseball

Welcome back to Legal Geek. This week, we return to the Computer Fraud and Abuse Act (CFAA), which we took a deep dive into a couple of weeks ago, to look at an interesting recent application of the anti-hacking law in the context of professional baseball.

https://archive.org/details/LegalGeekEp81

Last week, the CFAA hit the news again because Chris Correa, a former scouting director of the St. Louis Cardinals, was convicted of hacking a competitor team's player personnel database, leading to a prison sentence of almost 4 years and over $275,000 in restitution for damages. This was no case of password sharing, however.

Instead, the FBI found the following facts. In 2013 and 2014, Correa gained unauthorized access to the Houston Astros' databases by using a password similar to one used by a former Cardinals employee, who had to turn over a company laptop and his password when he left to go work for the Astros in 2011. Ironically, the Astros' current general manager, Jeff Luhnow, is the only employee who would have had such access and also fits this profile, and he is the very person who informed reporters of the data breach in 2014.

From those facts, we can basically conclude that Luhnow used a similar or variant form of the same password for his Astros database access, and that this was predictable enough for Correa to guess it based on the information turned over to him with the laptop in 2011. There's an important lesson here for everyone who changes jobs, particularly those leaving for a competitor. Although hacking is a federal crime, re-using the same or similar passwords is absolutely, positively a terrible idea. It's just not worth the risk, so don't do it!

For example, despite the nearly $300,000 in restitution that will be paid by Correa, the Astros are estimated to have lost $1.7 million or more. A mistake of that magnitude could easily cost a guy like Luhnow his job, and it all comes down to not sufficiently changing passwords when you change jobs.

This case also implicates the discussion of broad vs. narrow interpretation of the catch-all provision of the CFAA, which guards any protected computer used in interstate commerce from unauthorized access. Certainly, protecting Major League Baseball team databases is within a broad view of this catch-all, but this is also clearly hacking to cause serious financial detriment. That activity falls directly within the scope of what the law is supposed to stop.

The Bottom Line is, there will continue to be concerns about how broadly the CFAA will be applied based on big cases like this baseball one, especially when there are other mechanisms available, like Major League Baseball rules in this case, to govern such bad conduct. However, unlike the Nosal case, this outcome is not quite so broad or troubling. Let's hope for well-reasoned applications of this law in the future.

Oh, and change your darn passwords already.

-----------------------------------

Thanks for reading. Please provide feedback and legal-themed questions as segment suggestions to me on Twitter @BuckeyeFitzy

------------------------------------
TEMPORARY CLOSER
If you will be at GenCon in Indianapolis in August, come check out my seminars on IP law and game design there, or message me on Twitter @BuckeyeFitzy and we can meet up for a drink or a game.
