Just a few days after the Major League Baseball season opens next month, former St. Louis Cardinals scouting director Chris Correa will attend a sentencing hearing where he faces to up to five years in prison, a $250,000 fine, and payment of restitution to the Houston Astros. Correa pleaded guilty earlier this year to criminal charges brought against him under the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030. Trade secret lawyers, baseball fans, and "Moneyball" enthusiasts are familiar with the allegations. Correa used the password of a former Cardinals employee now working for the Astros to access the Astros' scouting database and obtain confidential player evaluation data.
Federal courts have continued to disagree on whether the Computer Fraud & Abuse Act ("CFAA") applies to employees who misuse confidential information or trade secrets obtained from an employer's computer system that the employee was authorized to access. In Florida, and particularly in the Middle District, the large majority of district courts to consider the issue have followed the "narrow" view that an employee who has been granted access to information does not "exceed authorized access" under the CFAA by virtue of the employee's subjective intent or by subsequently violating company policies on the use of the information. Does that mean that employers in those districts cannot, or should not, assert CFAA claims under the "broader" view -- that an employee who accesses confidential information for personal purposes inconsistent with the employer's interests has "exceeded authorized access" to the information?