St. Louis Cardinals hacking allegations raise ethical, encryption concerns, Stanford law expert says

Stanford law lecturer Joe "Chip" Pitts says allegation of hacking by the St. Louis Cardinals is yet another morality tale of the rewards – and risks – of data analytics in the new context of professional sports.

In this Feb. 25, 2013, file photo, Houston Astros general manager Jeff Luhnow, right, talks to St. Louis Cardinals center fielder Jon Jay, left, and second baseman Daniel Descalso before an exhibition spring training baseball game in Jupiter, Florida. (AP Photo/Julio Cortez)

The FBI investigation of the St. Louis Cardinals emphasizes the need for strong business ethics at a time when data is central to professional sports, according to a Stanford law expert.

This week it was disclosed that the Cardinals, one of the most successful teams in Major League Baseball, are the subject of a federal investigation for allegedly stealing information from the Houston Astros.

Joe W. "Chip" Pitts III, a lecturer at Stanford Law School, is the former chief legal officer of Nokia, Inc. and former chief executive officer of an artificial intelligence data analytics startup. He has expertise in corporate responsibility, business and human rights (including privacy and security), intellectual property and technology law.

Stanford News Service recently interviewed Pitts about the allegations against the Cardinals:

How does this case highlight the need for domestic corporate accountability?

It demonstrates the need for companies to not merely "talk the talk" but "walk the walk." Despite rhetorical commitment to values-based leadership through the so-called "Cardinal Way," which hearkens back to similar inspirational business ethics programs at many companies, the Cardinals' culture is thrown into doubt by these allegations of trade secret theft through hacking – even if the hackers might have been motivated in turn by fears that a former Cardinals employee [now the Astros general manager], Jeff Luhnow, had himself taken proprietary information from the Cardinals. Cardinals Chairman and CEO Bill DeWitt has pledged to hold accountable anyone involved [and the Cardinals' law firm conducting an internal investigation says that neither DeWitt nor the Cardinals' general manager were involved].

But if true, these are serious breaches of both law – such as the Computer Fraud and Abuse Act and trade secret theft laws – as well as ethics, raising issues not only of legal but social/reputational liability, which could seriously harm the franchise, its brand and bottom line. In addition to criminal prosecution of the Cardinals franchise, prison time is a real possibility for the perpetrators.

This is thus qualitatively different from, say, the NFL's spygate scandal involving the Patriots videotaping the New York Jets' hand signals or baseball's own hand-signal scandals. A more apt comparison is to Formula 1's own spygate a few years back. Although distinguishable on various grounds – it was in Europe and didn't turn on hacking – McLaren paid a $100 million fine to the World Motor Sport Council for stealing Ferrari's technical information. In addition to fines, the reputational and other costs of this scandal could also spiral: Stakeholders affected include not only business partners but also players, fans, young aspiring players and the sport itself.

Does this incident call for better encryption measures? What about individual privacy concerns?

Contrary to conventional wisdom that now emphasizes information sharing as the key to cybersecurity, this incident recalls the need for basic due diligence to protect corporate assets and the true security and privacy of the human beings who constitute the heart of any business enterprise. So yes – strong encryption as well as commonsense measures such as complex and regularly changed passwords, reliable firewalls, updated software and audit trails remain indispensable to protecting not only the intellectual property "crown jewels" of the enterprise but also the personal data of those involved, such as the players and employees whose information was compromised in this hacking.

Despite personal privacy being at the core of our nation's history and constitutional values, pervading as it does the U.S. Bill of Rights, nations in Europe and elsewhere have now raced far ahead of our country in data protection laws that recognize that privacy and genuine security are integrally related.

What does this allegation say about competitive sports in today's world?

Sports today amount to not just big, but huge, multibillion-dollar business – meaning that temptations to cut corners and compete on illegitimate grounds pose serious threats to the integrity and success of sports ventures. The new competitive frontier includes rigorous player, or "asset," management using the sabermetric data analytics that have revolutionized baseball. It is underappreciated thus far but notable that not just scouting and trading discussions but proprietary statistics à la Moneyball were stolen. When anyone at a team as successful as the Cardinals thinks they have to steal competing teams' plans in order to gain an edge, something's very wrong with the picture. It's an unmistakable signal to return to the basics of fair competition and good sportsmanship – values that, ironically, the Cardinals supposedly exemplify. Especially in the wake of the FIFA, Lance Armstrong cycling, FIA, NFL deflategate and domestic violence and other scandals – including baseball's own steroid scandals – the Cardinals and all sports teams – all businesses – must renew efforts to ensure that respect for law and ethical values pervades every corner of their enterprises.

How should Major League Baseball proceed?

MLB has said it will await the FBI investigation results, but the more prudent course would be to learn from prior sports scandals and proactively get ahead of these revelations by beginning its own investigation, even if the ultimate outcome is informed by the government's. Such industry groups have a shared interest in protecting the reputation of their sectors – here, American baseball, with all its unique cultural connotations. If properly handled – to isolate and punish the actual bad actors – an MLB investigation could both help contain the downside risk of the scandal, including to MLB's powerful brand itself, while seizing whatever upside advantage can be gleaned vis-à-vis competitive sectors, e.g., by determining whether this incident is indeed a one-off and thus positioning baseball positively versus scandal-ridden global soccer, cycling and American football.

Any other points?

This is yet another morality tale of the rewards – and risks – of data analytics, only now in the new context of professional sports. Let's just hope that the Cardinals are honest about this being an unauthorized, lower-level employee breach, since knowing theft arising from the top by this or other franchises would have even more serious negative ramifications for organizational as well as personal liability – and for the size of the MLB penalty and the reputation of American baseball generally.

Joe W. "Chip" Pitts III, Stanford Law School: (214) 906-9424

Clifton B. Parker, Stanford News Service: (650) 725-0224