© 2016 The Texas Lawbook.
By Marc Katz, Todd Mobley and Britney Prince of Andrews Kurth
(Aug. 31) – “Winning is more related to good defense than good offense,” according to former NBA coach and broadcaster Dr. Jack Ramsay. Some may question whether that still holds on today's fields and courts, but there can be no doubt that, when it comes to protecting these sports from cyberattacks, an increased focus on defense is the way to go.
Sports organizations today have a global reach and influence how hundreds of millions of people behave and how they spend billions of dollars worldwide. Additionally, these entities and the myriad stars involved with them create and control massive amounts of sensitive information. All of these factors make the industry a prime target for hackers – whether they are seeking financial gain, notoriety, commercial or competitive advantage, or simply to create chaos.
In recent years, sports teams and leagues have moved away from keeping stats and strategies on handwritten index cards. They have become more sophisticated in evaluating and utilizing athletes, and the amount of sensitive electronic information they possess continues to increase. Likewise, as brands become more valuable and competition over marketing engagement and social media strategies intensifies, so does the volume of confidential and proprietary business data. However, the cybersecurity efforts and sophistication of the teams and leagues have, in many instances, lagged behind those of the hackers who would target them.
Not surprisingly, professional sports have become an attractive target for cyberattacks, and the sources of and motivations for such attacks are as diverse as the array of sports themselves. For example:
- Anonymous (an international network of hacktivists) took down the official Formula One website in protest over a Grand Prix race being hosted by Bahrain, which had been accused of engaging in human rights violations.
- The Syrian Electronic Army (a group of pro-Bashar Al Assad Syrian hackers) hacked FC Barcelona’s official Twitter accounts, apparently in retaliation for the team’s sponsorship agreement with Qatar Airways.
- The website for the Rugby League team the Keighley Cougars was hacked to display a message in favor of ISIS and images of bloody people injured in fighting.
- A hacking collective named Peggle Crew hacked into the NFL’s Twitter account and tweeted that Commissioner Roger Goodell had died. Peggle Crew stated that they acquired the password for the NFL’s Twitter account by accessing an email of a social media staffer at the NFL that contained the credentials.
While these attacks were primarily disruptive in nature, others take a more intrusive approach. As noted above, sports teams and leagues maintain significant volumes of highly sensitive, confidential, and proprietary information. Salaries, contracts, statistical analyses, scouting reports, game strategies, predictive models, athlete information, fan information, marketing and sales data (the list literally goes on and on) provide a trove of information that rivals, competitors, and general thieves would love to obtain.
For example, the computer systems of Team Sky, a British professional cycling team, were hacked in 2014. According to Team Sky, the hackers accessed performance data for champion cyclist Chris Froome, allegedly in an attempt to uncover evidence that would discredit Froome and support doping accusations that had been made against him. More recently, in May 2016, a Milwaukee Bucks employee fell prey to an email phishing scam, leading to the disclosure of the W-2 forms of all 2015 employees and players. There, the hacker used a spoofed email address to impersonate the team’s president and request the W-2s. Unfortunately, the employee provided the information. The Bucks have announced that they are now providing additional privacy training and implementing additional preventative measures.
And then there was the Astros-Cardinals incident that recently resulted in the sentencing of the St. Louis Cardinals’ former director of baseball development, Christopher Correa. On July 18, 2016, a Houston federal judge sentenced Correa to nearly four years in prison, and ordered him to pay over $279,000 in restitution, after he admitted to hacking into the Houston Astros’ email and player-information databases. Federal prosecutors estimated that Correa’s intrusion resulted in a $1.7 million loss for the Astros.
According to federal prosecutors, Correa was able to access the Astros’ scouting information database, known as “Ground Control,” and other private team communications by using the old password of Jeff Luhnow, the Cardinals’ former vice president of scouting and player development. Luhnow left the Cardinals in 2011 to become the general manager of the Astros. Prior to leaving, however, Luhnow was required to return his Cardinals-owned laptop and disclose his password to Correa. Correa then tried variations of that same password until one of them opened the Astros’ database – a reminder that a password handed over to a former employer, or reused with minor changes, is no longer a secret.
During the period that Correa had access to the Astros’ system, he accessed the network nearly 60 times and viewed 118 pages of confidential information, such as trade discussions, player evaluations, potential bonus details, and an uncompleted 2014 team draft board. In 2013, Correa also downloaded a file of the Astros’ scouting information for every player eligible for the draft that year.
Although the U.S. Attorney’s Office recently announced that no one else from the Cardinals will be charged, the fallout may be far from over. Major League Baseball Commissioner Rob Manfred intends to complete an additional investigation into the matter and has reserved the right to discipline the Cardinals with a fine or reduce their number of draft picks.
This should serve as a cautionary tale for the entire industry. Modern data-centric protection is essential – robust cybersecurity programs should be implemented immediately, and they should be evaluated often.
The first step of any effective cybersecurity defense program is to evaluate and identify what data is going to be gathered, how that data is going to be stored and used, who will have access to that data, and what electronic devices those with access will be using. This analysis needs to be done with the input of both the technical personnel who will be tasked with establishing the safeguards and the business users who will be working with the information. The easiest way to make sensitive information more vulnerable is to deploy safeguards that business users cannot work with effectively, because they will then work around them.
To help ensure continuity between the technological and business aspects of cybersecurity, organizations should appoint a security officer who is ultimately responsible for ensuring open communication throughout the organization and strict ongoing compliance with the cyber-defense program. Essentially, organizations should have a single point person to make certain that nothing falls between the cracks.
Another major component of any cybersecurity program is education. Organizations should ensure that their personnel are provided with appropriate security-awareness training. For instance, personnel should know to avoid risky behavior such as using unencrypted email to send or receive sensitive information, working outside of the organization’s firewall or technology infrastructure, or using insecure file-sharing services or cloud-based storage accounts. Athletes, in particular, should be trained on how to secure their personal social media accounts and how to conduct their online activities safely.
Of course, education will only go so far. Organizations also have to provide their personnel with the necessary technological safeguards. Controls such as scanning, or even blocking, email attachments sent externally; appropriate encryption; strong passwords and login credentials (including, as the Correa case illustrates, a policy that employees may not reuse passwords, or minor variations of them, from a previous employer); access controls that limit who can reach the network or particular areas within it; and monitoring of electronic activity are a good start, but the technology must be continuously monitored for vulnerabilities.
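As an added illustration (not code from the article or from any team), the following password-change check shows how the policy above can be enforced mechanically: a candidate password is rejected if it is a trivial variant of the user's current password or of any password the organization has recorded as burned, for example at offboarding. The sample passwords, the rule that a departing employee's credentials are recorded as digests, and the thresholds are all assumptions made for the example.

```python
"""
Password-change check that rejects a candidate password if it is a trivial
variant of a password the organisation already treats as burned: the
employee's current password, or any password recorded at offboarding or
known from a previous employer. Added illustration, not code from the article.
"""
import hashlib
import unicodedata

_DIGITS = "0123456789"
_PUNCT = "!@#$%^&*()_-+=[]{};:'\",.<>/?`~ |\\"
# Substitutions people use to "rotate" a password without really changing it.
_LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                       "1": "l", "!": "i", "3": "e", "7": "t"})


def core(password: str) -> str:
    """Reduce a password to the part that actually carries its identity.

    Summer2014!, summer2015 and $ummer2016!! all reduce to 'summer', so a
    digest of the core matches every cheap variant of the original.
    """
    base = unicodedata.normalize("NFKC", password).casefold()
    stripped = base.rstrip(_DIGITS + _PUNCT)   # drop an appended year / symbol run
    stripped = stripped.translate(_LEET)        # undo leet-speak substitutions
    stripped = stripped.lstrip(_PUNCT)          # drop a decorative prefix
    return stripped or base                     # all-digit passwords keep the base form


def core_digest(password: str) -> str:
    """SHA-256 of the core; this is what gets stored, never the plaintext."""
    return hashlib.sha256(core(password).encode("utf-8")).hexdigest()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means the candidate is a near-copy."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(candidate: str, current: str, burned_digests: set[str],
                       min_length: int = 12, max_edits: int = 3) -> tuple[bool, str]:
    """Return (accepted, reason).

    `current` is the plaintext the user supplies to authorise the change;
    `burned_digests` holds core digests of passwords that must never come back
    (offboarding list, prior-employer list). Thresholds are illustrative.
    """
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    if core_digest(candidate) in burned_digests:
        return False, "variant of a password already known to be burned"
    if edit_distance(candidate.casefold(), current.casefold()) <= max_edits:
        return False, "too similar to the current password"
    return True, "ok"


# Constructed sample: what an offboarding process would have recorded for a
# departing employee's credentials (core digests only, no plaintext kept).
BURNED = {core_digest(p) for p in ("Summer2014!", "Scouting#1")}

if __name__ == "__main__":
    for cand in ("$ummer2016!!", "Scouting-2016", "Summer2014!x", "Tq8-vessel-orbit-Kite"):
        print(f"{cand:24} -> {check_new_password(cand, 'Summer2014!', BURNED)}")
```

Storing only the digest of the normalized core (rather than the plaintext) lets the offboarding list be kept indefinitely without itself becoming a trove worth stealing; the similarity test against the current password covers changes the normalization cannot see, such as a single substituted or appended character.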
In this regard, managing mobile devices and social media accounts is extremely important. Related policies should tell employees what is expected of their electronic conduct, how the organization will monitor that conduct, and what happens when their employment ends (for example, immediate revocation of network access and credentials, and confiscation or wiping of mobile devices).
For direction with respect to ensuring that appropriate technological safeguards have been implemented, organizations can reference the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as guidance provided by the Federal Trade Commission. It is also essential that organizations work with their legal counsel to develop clear and detailed security policies and incident response plans so that they can mobilize quickly and respond effectively in the event of a security breach.
In sum, sports teams, like all businesses and organizations that sit squarely within hackers’ crosshairs, should act now to ensure that they are prepared to defend against cyberattacks. Because, with respect to such attacks, it’s not a matter of if, it’s a matter of when.
Marc Katz is Chair of Andrews Kurth’s Labor & Employment practice, a member of the Firm’s Management Committee, and maintains a strong sports law and entertainment practice.
Todd Mobley is an associate in Andrews Kurth’s Labor & Employment Section, and he represents employers in connection with matters related to ERISA, the ACA, HIPAA, Title VII, the ADA, the FLSA, and the FMLA.
Britney Prince is an associate in Andrews Kurth’s Labor & Employment Section, and her practice includes involvement in federal and state investigations with agencies such as the EEOC, TWC, the DOL, and both federal and state court actions.