Skip to main content

Breaking down Chris Correa’s prison sentence for hacking Astros

Understanding Chris Correa’s 46-month sentence for hacking the Astros and looking at whether the Cardinals may be punished by MLB
You are reading your 3 Of 4 free premium articles

Your teams. Your favorite writers. Wherever you want them. Personalize SI with our new App. Install on iOS or Android.

U.S. District Court Judge Lynn Hughes on Monday sentenced former St. Louis Cardinals director of scouting Christopher Correa to 46 months in prison for unlawfully hacking the Houston Astros’ scouting records. Correa, who earlier this year pleaded guilty to five counts, also must pay $279,038 in restitution.

Correa’s criminal activity took place between 2013 and '14, during which he repeatedly viewed confidential information found on the Astros’ online scouting databases. For example, he studied the team’s weekly digest page, which identified draft prospects and how Houston's scouts had evaluated those players. Correa also observed how the Astros’ analytics staff ranked hitters and pitchers. In addition, he unlawfully accessed the Astros’ email system in order to enter “Ground Control,” the team’s private online database. In his plea agreement with prosecutors, Correa acknowledged that he employed “sophisticated means” to mask his identity and location. Astros general manager Jeff Luhnow, who previously worked for the Cardinals, is thought to be a key link in Correa’s crimes; it is believed that Correa accessed credentials that Luhnow had used when he was St. Louis' vice president of scouting and player development.

Understanding Correa’s sentence

Correa’s 46-month sentence might seem harsh, especially in comparison to sentences for other persons in recent high-profile cases. Take the sentencing of former Stanford University swimmer Brock Turner, who received a six-month sentence for assaulting and sexually penetrating an unconscious 22-year-old woman. Although Turner’s sentence was consistent with the sentencing recommendation of a probation officer, the idea that Turner could receive six months for his gruesome crimes and Correa could receive 46 months for impermissibly viewing another team’s scouting reports is sure to strike many as incomprehensible.

The best way to address the seeming imbalance is to focus not on what might instinctively make sense but rather on the specific laws at play. Turner’s sentence, controversial as it was, was permissible under the laws as written in California. Correa’s sentence is also permissible for the five counts to which he pleaded guilty. Unfortunately for Correa, he broke a federal law that carries steep sanctions: the Computer Fraud and Abuse Act, better known as the CFAA. The CFAA prohibits unauthorized access into another business’s computer with the intent to steal data from that computer. The CFAA is a serious and worrisome law for those who are charged with violating it: First-time offenders can be sentenced to up to five years in prison, with the possibility of even higher prison penalties depending on the severity of the breach and the frequency of hacking. The CFAA attracted controversy in 2013, when 26-year-old Internet activist Aaron Swartz, who allegedly downloaded academic articles without permission, committed suicide. At the time, Swartz faced 11 charges for violating the CFAA and decades in prison.

Which veterans in their twilight have the best shot at Cooperstown?

Correa’s sentence of 46 months is also a much shorter sentence than he could have received. Each of the five counts to which he pleaded guilty carries maximum sentences of five years, meaning a total of 25 years. As a first-time offender of the law who accepted responsibility for his acts, however, Correa would never receive the maximum sentence. Further, prison time for each count would be expected to run concurrently rather than consecutively. Still, Correa receiving a sentence of 46 months is a substantial improvement over a potential sentence of 60 months if the five counts were run concurrently.

Forty-six months is also consistent with non-binding federal sentencing guidelines. Given that Correa caused $1.7 million in damages to the Astros, the guidelines indicated a sentence within the range of 36 to 48 months. Correa might also be able to serve less than 46 months. Should he behave well while in prison, he can earn “good time credit” and be eligible for release after serving 85% of his sentence. As a result, Correa may be able to leave prison after serving about 39 months.

Why Tom Brady walked away from Deflategate, and what might be next

Do no expect any appeal by Correa. By pleading guilty and admitting to guilt of unlawfully accessing the Astros’ computers, Correa relinquishes the possibility of waging an effective appeal. Further, as explained above, his 46-month sentence is consistent with the law and with his plea deal. This means Correa cannot successfully appeal on grounds the punishment is unlawfully excessive.

Next step: MLB’s potential punishment of the Cardinals

MLB commissioner Rob Manfred has not punished the Cardinals for the data breach. He has also not indicated if the team will face any punishment. With Correa’s case resolved, however, expect a resolution one way or the other.

Under baseball’s constitution, which is an agreement between teams and the commissioner’s office, Manfred has broad legal authority to investigate the data breach and assign penalties. The specific language is from Article II, Section 2, which dictates the “functions” of the commissioner and the commissioner’s sweeping “best interests” power. Key functions include:

• To investigate, either upon complaint or upon the Commissioner’s own initiative, any act, transaction or practice charged, alleged or suspected to be not in the best interests of the national game of Baseball, with authority to summon persons and to order the production of documents, and, in case of refusal to appear or produce, to impose such penalties as are hereinafter provided.

• To determine, after investigation, what preventive, remedial or punitive action is appropriate in the premises, and to take such action either against Major League Clubs or individuals, as the case may be.

Possible penalties for the Cardinals include loss of draft picks, suspensions of team officials and fines assigned to the team and its officials. The severity of any punishment would depend on several factors.

Who should be buying or selling in the AL at the trade deadline?

One key factor is whether the Cardinals should have detected Correa’s misconduct. Even if Correa was acting alone as a rogue employee and even if his unlawful conduct occurred away from the team’s facilities, Manfred might reason that the Cardinals should have more closely trained and monitored employees who could engage in the kinds of data theft perpetrated by Correa. From that lens, the Cardinals could be viewed as deserving some degree of blame.

In addition, Correa was a relatively high-ranking official with the Cardinals, serving as the team’s director of baseball development. In that capacity, he helped to direct St. Louis’ analytical operations and provided analytical support for the team. Manfred might reason that it is worse for the Cardinals that it was a relatively high-ranking employee, rather than a more junior employee or intern, who perpetuated the crimes. Manfred might also be troubled by the frequency in which Correa hacked into the Astros—reportedly 60 times in 35 days—and regard it as grounds to impose a tougher penalty. On the other hand, Manfred might question why the Astros didn’t detect the hacking sooner.

As a second factor, Manfred might conclude that he ought to make an example of the Cardinals in order to “send a message” across the league. More than any professional sports league, MLB is especially sensitive to the security of analytics. Baseball teams utilize analytics as critical aspects of their player evaluation process. Teams develop their own formulas for analysis and are always worried when one employee leaves the organization with this knowledge for another team. Manfred would like to deter other teams from hacking and encourage teams to make sure their employees are properly trained so they do not hack.

Third, Manfred will consider the precedent of baseball punishments. While MLB has been around for more than a century, it is relatively rare for a team to be punished. Consider that the league declined to punish the Cincinnati Reds even though their manager, Pete Rose, was betting on baseball games. MLB similarly declined to punish the Reds even though their owner, Marge Schott, made a series of racist comments during her time in charge of the franchise. Baseball has also declined to punish teams for players using PEDs despite evidence indicating that team trainers and coaches may have facilitated that usage. Likewise, MLB declined to punish teams during the mid 1980s, when cocaine use by players became problematic.

The 30: Underrated players get their due in this week's power rankings

The record of team punishments is fairly barren. In 1999, then-commissioner Bud Selig fined the Los Angeles Dodgers $50,000 for signing Adrian Beltre prior to the third baseman turning 16 years old as required by the collective bargaining agreement. A year later, Selig fined the Atlanta Braves $100,000 for the same type of offense involving the signing of Wilson Betemit. More recently, MLB punished the Boston Red Sox for international signing violations. In general, though, there isn’t much precedent for Manfred to consider.

In addition to punishing the Cardinals, Manfred may find it desirable to hire a special investigator to study the data breach and make recommendations to prevent a future occurrence. In 1989, then-commissioner Bart Giamatti hired attorney John Dowd to investigate Pete Rose over gambling allegations. The investigation led to the Dowd Report and Rose’s subsequent lifetime ban from baseball. In 2006, then-commissioner Selig hired former U.S. Senator George Mitchell to investigate the use of steroids and other performance enhancing drugs by baseball players. A year later, the Mitchell Report was released, naming 89 players as having used prohibited PEDs. These investigations are thought to have helped to “clean up” the sport. If MLB is concerned about Correa not being the only hacker, a closer examination may be warranted.

Michael McCann is a legal analyst and writer for Sports Illustrated. He is also a Massachusetts attorney and the founding director of the Sports and Entertainment Law Institute at the University of New Hampshire School of Law. McCann also created and teaches the Deflategate undergraduate course at UNH. He serves on the Board of Advisors to the Harvard Law School Systemic Justice Project and is the distinguished visiting Hall of Fame Professor of Law at Mississippi College School of Law. He is also on the faculty of the Oregon Law Summer Sports Institute.