A Computer Fraud and Abuse Act case involving the Houston Astros and St. Louis Cardinals provides some key lessons for employers and their lawyers about cybersecurity. While this case is getting press because it involves Major League Baseball, nothing in this matter is surprising and everything was avoidable.
The facts of the case are in the plea deal [.pdf] and are straightforward: Employee of Team A (let’s call him the “Player”) leaves for competitor Team B and, in the course of leaving, turns in his electronic devices and their passwords to another employee of A (let’s call him the “Director”). The Director, who now knows the Player’s password, is able to hack into Employer B’s proprietary information database using a variation on that password. Team B, eventually noticing that something is amiss, resets all passwords to the database and requires stronger passwords and notifies its employees by email. The Director having previously accessed all of Player’s passwords, is able to fairly quickly to enter Player’s email account and re-access the database.
MLB is determining whether and how to punish Team A.
So, the lessons learned?
- Use two-factor authentication to protect data that matters. Passwords are simply not enough. Human cognitive abilities — our capacity to remember things, especially long random things such as so-called ideal passwords — are just too limited to serve as the cornerstone of security.
- In the event of a suspected compromise, resetting passwords and other security measures through an emailed link assumes that email is not also compromised. An employer should assume email is compromised, too.
A look ahead
Employers should also know that the Supreme Court will (perhaps) be resolving a circuit split on whether an insider can be prosecuted for exceeding authorized access where the insider was otherwise permitted to access the database or information in question for any purpose. My “perhaps” is a result of the complex, unrelated facts of the case at hand. See Orin Kerr’s The CFAA reaches the Supreme Court, sort of. The case was argued in November and a decision is forthcoming. In the meantime, here is the transcript of oral argument.