A big thank you goes to Major League Baseball today, for giving compliance officers a great example of why their jobs are important—both the big picture stuff about ethics and values, and the nitty-gritty stuff about internal controls. A gift like that doesn’t come along often.
The example is the $2 million fine and surrender of two draft picks that the St. Louis Cardinals must give to the Houston Astros. Why? Because in 2013, one of the Cardinals’ senior executives hacked his way into the computer systems of the Astros, where he had previously worked. Let’s review the play-by-play of this knuckle-headed caper.
The executive was Chris Correa, who worked for the Cardinals from 2009 to 2015. In 2013, the Cardinals promoted him to director of scouting. This is an important job. Translation: people at this level of management should know better.
Correa did not know better. Shortly after his promotion in 2013, Correa began hacking into the Astros’ database of prospective future players. He broke into the Astros’ database repeatedly in 2013 and 2014, spying on their reviews of new prospects, and the analytics the Astros used to rate various players. Correa also accessed the Astros’ private email system.
Correa did all this by using the credentials of a former Cardinals employee, who had left St. Louis to work for the Astros. Law enforcement never disclosed who that Astros employee was, but the Astros’ current general manager, Jeff Luhnow, previously held that position in St. Louis. Luhnow defected from St. Louis to the Astros in 2011.
According to court documents, when Luhnow left the Cardinals, he surrendered his company laptop to the team. Correa somehow peeked at the laptop and saw Luhnow’s password. Then he used commercially available hacking software and guessed his way into the Astros’ system, based on Luhnow’s previous password history.
All this unraveled in 2015. Correa was charged with violating the Computer Fraud and Abuse Act. In 2016 he was sentenced to four years in prison, plus a $280,000 fine.
MLB’s fine levied against the Cardinals on Monday was a separate sanction that the league imposed on the team. MLB commissioner Rob Manfred was to the point: “as a matter of MLB policy I am holding the Cardinals responsible for his conduct.”
Manfred also banned Correa from working in professional baseball ever again, in case Correa had any plans to resume his career in 2020.
Lesson One: Vicarious Liability
If compliance officers need any further arguments to tell the board and senior executives why ethics training is important, this is it: because the company can be held liable for employee misconduct.
In truth, that’s not news to ethics & compliance officers. We’ve seen other examples for years in enforcement actions government regulators have imposed on Corporate America. But citing an example from professional sports somehow makes the concept more sexy, especially if you have operational executives who are those college-jock types who don’t like to read. They do read Sports Illustrated and watch ESPN. This is something that will resonate with them.
As punishments go in Major League Baseball, this one is pretty severe—especially the loss of two draft picks, which over time will cost the Cardinals much more in lost future value than a measly $2 million fine. (It’s a shame we can’t see something similar in the Justice Department: get convicted of an FCPA violation, and you lose your R&D chief to your top competitor. That would get a board’s attention.)
Now, yes, Major League Baseball does have far more discretion to impose sanctions on its teams than what government regulators can usually do in the corporate realm. But still, ethics training matters if you want to avoid severe penalties. Remember that the U.S. Sentencing Guidelines do require training as part of an effective compliance program. It’s No. 4 on the Guidelines’ list of seven elements for an effective compliance program.
Lesson Two: Access Controls
We don’t want to blame the victim too much here, but let’s remember: Correa infiltrated the Astros’ computer systems because he could guess Luhnow’s password. So right away, if an IT auditor were examining the Astros’ computer systems, that auditor should take a close look at the Astros’ password policy.
This point isn’t easy to address. The plain truth is that passwords are a pain to remember, so most humans pick some basic word that’s easy to remember and then use variations of that word, as time passes and the IT system requires you to enter new passwords. So you use “password1” in January, “password2” in February, and so forth. That pattern makes it pretty easy to guess someone’s password for March.
Sure, the Astros could have imposed a requirement like, “Never use a password based on what you used at your previous company.” But how would the Astros know that you’re following that policy? How different would your new password need to be? Nobody has any good answers to questions like that yet. Hence password policies are the bane of employees’ existence, and we all scribble them down on Post-It notes next to the monitor.
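One partial answer to “how different would your new password need to be?” is a check run at password-change time, when the user has just typed the current password and the system legitimately holds it in clear. The example below is an added illustration, not code from the original post or from either team; it strips the suffix-and-capitalization decorations people rotate (“password1”, “Password2!”, “p@ssw0rd3”) and rejects a candidate whose core matches, or whose overall similarity to the old one is too high.

```python
import re
from difflib import SequenceMatcher

# Simple leetspeak reversal so "p@ssw0rd" and "password" compare as the same core.
_LEET = str.maketrans("@$013!", "asoiei")


def normalize(pw: str) -> str:
    """Reduce a password to its core: lower-case it, drop leading symbols and the
    trailing digits/symbols people increment each month, then undo common leetspeak."""
    core = re.sub(r"^[^a-z0-9]+|[^a-z]+$", "", pw.lower())
    return core.translate(_LEET)


def is_trivial_variant(new_pw: str, old_pw: str, threshold: float = 0.8) -> bool:
    """True if new_pw is the "same word, new suffix" rotation the post describes.
    Compares both the raw strings and their normalized cores."""
    new_core, old_core = normalize(new_pw), normalize(old_pw)
    if new_core and new_core == old_core:
        return True
    raw = SequenceMatcher(None, new_pw.lower(), old_pw.lower()).ratio()
    core = SequenceMatcher(None, new_core, old_core).ratio() if new_core and old_core else 0.0
    return max(raw, core) >= threshold


def check_new_password(new_pw: str, previous: list, threshold: float = 0.8):
    """Returns the index of the previous password the candidate is a variant of,
    or None if the candidate is acceptable. In a real system only the password
    just typed is available in clear; older history entries are hashes, so
    against those only exact reuse can be detected."""
    for i, old in enumerate(previous):
        if is_trivial_variant(new_pw, old, threshold):
            return i
    return None


if __name__ == "__main__":
    # Constructed example history for illustration; these are not real credentials.
    history = ["password1", "password2"]
    for candidate in ["password3", "P@ssw0rd4", "correct-horse-9"]:
        hit = check_new_password(candidate, history)
        verdict = f"rejected (variant of entry {hit})" if hit is not None else "accepted"
        print(f"{candidate!r}: {verdict}")
```

This is the same idea as the similarity checks in PAM password-quality modules: it cannot stop someone from bringing a password habit from a previous employer, but it does stop the predictable in-house rotation that makes the next password guessable from the last one.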
Plus, we do need to remember that the Astros are the victim here; it was incumbent on the Cardinals to ensure that Correa didn’t see Luhnow’s old laptop in the first place. Auditors know this concept as the Principle of Least Privilege: an employee can only see the information that he or she needs to see, and no more.
Companies are generally good at imposing POLP on lower-level employees. The trick is to apply POLP correctly with more senior executives, and to remember that “access” doesn’t only mean access to IT systems; it can mean access to physical equipment too, as was the case here.
Correa aside, an excellent example of “POLP risk” for senior executives is a career accounting employee who claws his or her way into the CFO’s chair. At large organizations, that CFO should have no business approving invoices, entering approved payees into the billing system, or doing three-way matches. That is the work of lower-level employees. A CFO should be in charge of more strategic tasks like budgeting and financial planning. If you also give him or her full power to process payments, you’re setting yourself up for the risk of management override of internal controls. If your CFO isn’t ethical (see Lesson 1, above), then heaps of trouble await.
As for the Astros—they finished third in the American League West last year, with a .519 winning percentage and no appearance in the playoffs. Let’s hope they put those two extra draft picks to good use.