Many legal blogs writing about computer misconduct in the workplace typically warn employers what wayward employees might do after the original employment relationship ends and competition with that individual begins. Just last week, our own blog featured this topic here. But have you thought about the issues your company’s tech-savy employees’ might raise during the employment relationship?
A good lesson to answer this question comes from a case involving a former St. Louis Cardinals’ employee, Christopher Correa. Correa was the Cardinals director of scouting, and yesterday he was sentenced to 46 months in prison and ordered to pay nearly $280,000 in restitution after he pleaded guilty to multiple counts under the Computer Fraud and Abuse Act. Regular readers of this blog will recall that the CFAA prohibits individuals from engaging in the following activity:
Intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains . . . information from any protected computer[.]
Correa’s misconduct leading to this sentence all occurred in the scope of his employment for the Cardinals. Perhaps more surprising is that Correa did not use any highly sophisticated coding skills to obtain his unauthorized access – he just happened to guess the right user name and password.
Correa’s wrongdoing started with the departure of a Cardinals employee, Jeff Luhnow, for the Houston Astros. When Luhnow left the Cardinals, he turned in his laptop and disclosed the user name and password for the device. Luhnow apparently enjoyed that user name and password so much he regularly used it for access to other systems.
This became relevant to the Astros player database, called Ground Control. A news story on Ground Control made its existence widely known. After Luhnow left the Cardinals for the Astros, Correa used Luhnow’s user name and password to access Luhnow’s e-mail where Luhnow received the Astro’s password for Ground Control. Correa then accessed Ground Control, via Luhnow’s credentials, at several key times during the season to obtain the Astros’ internal information on players in the draft and trade considerations. Earlier this year, Correa pleaded guilty to all counts filed against him for his behavior.
Employers should take heed of several warnings that come from Correa’s story. First, annual employee training should address computer fraud. Today’s workplace is highly competitive and employees need to know the potential criminal of trying to use a former employee’s login credentials, like Correa. Something as simple as guessing a password to a system you do not have authority to access can have serious consequences. Further, although the Cardinals have not faced civil liability to date, it is not difficult to see how an employer could be legally implicated by the employee’s conduct. For example, a competitor will likely look for any courtroom avenue possible if such unauthorized access leads to the loss of significant sales money. If a lower-ranking employee is acting on the instructions of a higher-ranking supervisor, the employer could be directly implicated. Additionally, not all employees may appreciate how their favorite user name and password they enjoy for access to anything requiring one can be a major security risk. Passwords should be regularly changed and employees should know why it is important to rely on something unique whenever possible.