On Friday, January 8, 2016, former St. Louis Cardinals Director of Baseball Development, Christopher Correa, pleaded guilty to criminal charges for breaching the private database of the Houston Astros. Correa admitted using someone else’s password to gain access to email, and accessing the player database of the Astros. From March 2013 through at least March 2014, Correa’s gained access to the database to learn what players the Astros were considering for the MLB draft and also to view notes of the Astros’ trade discussions with other major league baseball teams.
Correa pleaded guilty to five counts of unauthorized access to a protected computer. Each conviction carries a maximum possible sentence of five years in federal prison and a possible $250,000 fine.
The case serves as a reminder of the serious consequences of engaging in computer related misconduct. Gaining unauthorized access to computer files, taking information of others, or even deleting another person’s computer files can lead to criminal prosecution and penalties in addition to significant civil damages.
Here are a few laws you should be aware of:
The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030 generally prohibits (1) the unauthorized accessing (2) of a “protected” computer (3) with the intent either (a) to obtain information, (b) to further a fraud, or (c) to damage the computer or its data. There are various criminal punishment guidelines under the CFAA. The amount of fines and imprisonment vary according to which provision of the CFAA is violated and whether it is a first offense.
The U.S. Economic Espionage Act of 1996 (“EEA”), 18 U.S.C. § 1831 makes theft or misappropriation of trade secrets a federal crime. Conviction of the theft of trade secrets under the EEA can result in a fine of up to $250,000 for an individual (up to $5 million for corporations), imprisonment up to ten years, or both. If the crime is committed for the benefit of any foreign government, instrumentality, or agent, the penalties increase to fines of $500,000 (up to $10 million for an organization), imprisonment up to 15 years, or both. There is pending legislation in Congress to amend the EEA to add a federal civil cause of action for trade secrets theft.
The Georgia Theft of Trade Secrets Statute, O.C.G.A. § 16-8-13, makes theft of a trade secret a crime and provides for punishment by imprisonment for not less than one nor more than five years, and by a fine of not more than $50,000 if the value of the stolen trade secrets exceeds $100.
Georgia has a companion civil statute, the Georgia Trade Secrets Act of 1990, (“GTSA”) § 10-1-760, that provides a variety of remedies. These remedies include injunctive relief, damages for misappropriation in addition to or in lieu of injunctive relief, exemplary damages if the misappropriation is determined to be willful and malicious, and the award of reasonable attorney’s fees.
The Georgia Computer Systems Protection Act, (“GCSPA”), O.C.G.A. § 16-9-90, provides that any person convicted of the crime of computer theft, computer trespass, computer invasion of privacy, or computer forgery shall be fined not more than $50,000.00 or imprisoned not more than 15 years, or both. Under the Act, a person convicted of computer password disclosure may be fined up to $5,000.00 or incarcerated for a period up to one year, or both.
As the Correa case and the above laws make clear, misappropriating trade secrets is a serious matter that can have significant criminal and civil consequences.