This is the age of data in professional sports. Sabermetrics and other data science techniques are disrupting the makeup of front offices, the evaluation of talent and the way sports are played. Proprietary data and statistical tools developed to leverage data into wins and dollars — what we will refer to as a team’s “analytic property” — may soon rank among professional sports teams’ most important assets.
But as teams’ use of AP has increased dramatically, their management of the security and legal risks related to it appears to have lagged behind. The alleged breach of the Houston Astros’ computer database by individuals working for the St. Louis Cardinals has made clear that sports teams — and the consultants and vendors that service them — are no less vulnerable to cyber attacks and trade-secret espionage than Fortune 500 companies. Rogue employees, malicious third parties and human error all pose serious threats to teams’ AP. And the consequences of a breach can be dire, including exposure of medical records, scouting reports, statistical projections and other confidential or proprietary information. The good news: Organizations can take advantage of several legal and technical tools to protect themselves.
Protection begins with understanding the potential losses teams face if they suffer a breach.
■ When a team’s AP is stolen, disclosed, deleted or corrupted, that team risks losing any competitive advantage the information may have provided. This could mean the loss of millions of dollars of invested time and resources.
■ Teams risk a hit to their reputation and goodwill: The Astros-Cards breach not only surprised the public, it also (in the words of the Cardinals’ owner) “tainted” the Cardinals’ reputation. The breached company risks reputational harm as well if, for example, candid disclosed communications (like trade talk) offends players, fans or other organizations.
■ A breach resulting in disclosure of AP or private information also could lead to lawsuits, as (among other possibilities) sensitive personal information about athletes — such as health records, financial information, intelligence test scores and details about players’ families and sexual orientation — could cause embarrassment, reputational damage or even direct financial harm. Potential lawsuits could include allegations of emotional distress, lost career opportunities, or lost earnings, and could invoke legal theories like negligence, defamation and false light, as well as breaches of federal or state privacy laws.
■ A breach can result in an immediate impact to a team’s bottom line: Breached organizations are likely to incur significant expenses investigating the cause and extent of the breach. If private information like medical records or financial information is disclosed, a team may incur additional costs notifying affected individuals and, potentially, providing credit monitoring.
 |
Nondisclosure agreements, insurance can protect teams in the event of a data breach.
Photo by: GETTY IMAGES
|
To help avoid or to mitigate losses stemming from a breach, organizations should consider limiting access to AP and other confidential data to a core group of employees and protect access with complex passwords that are changed regularly. These points seem obvious but still are not universally adopted. (Initial reports stated that a Cardinals employee allegedly used the same password to access Houston’s system that was used by Houston’s general manager when he worked for the Cardinals). Teams also should hire skilled IT personnel and consultants to implement best practices and stop unwanted access, or at least to detect a breach as early as possible. Outside insurance counsel also can help, both to ensure proper insurance is in place and to properly notify insurers in the event of a breach.
Organizations also should leverage legal tools. These tools include the use of nondisclosure agreements designed to prevent employees from using confidential information for their own benefit or the benefit of third parties without a team’s permission. Teams should consider including nondisclosure agreements in contracts for all front-office employees, especially the team’s resident sabermetricians, and the agreement should expressly discuss AP and prohibit its unauthorized use or disclosure.
Teams should consider requiring employees without contracts to sign nondisclosure agreements as a prerequisite for new or continued employment and impose the same obligation on third-party consultants, vendors and independent contractors. In most states, teams also can protect their AP through properly drafted noncompetition agreements, which can temporarily prevent certain employees with unique, proprietary knowledge from working for competitors. Because proper nondisclosure and noncompetition agreements create contractual obligations, they may provide teams with a clearer path to seek damages and injunctive relief to mitigate losses.
At a minimum, sports organizations should ensure that confidentiality and care with sensitive data are themes communicated to employees throughout the organization. That message starts with executives, but the employee handbook can serve as an effective supplement. Teams should consider using handbooks to expressly identify protocols for handling AP and confidential data and requiring employees (particularly those not bound by nondisclosure agreements) to review these provisions on a regular basis.
Insurance and indemnity agreements also are critical tools to shift risk and loss to third parties. An organization’s general liability, property, and other common insurance policies may exclude data breaches and their resulting losses from coverage. Teams can, however, purchase cyber insurance to try to fill that gap. This insurance commonly covers (or helps defray) the cost of investigating a breach, responding to regulators, defending against lawsuits, notifying affected persons and restoring or recreating any lost data, among other expenses. Teams also should identify companies that could be involved with a data breach, such as vendors and consultants, and ensure that their contracts include demands for additional insured status under any applicable insurance policies, as well as guarantees of contractual defense and indemnity.
Overall, it is essential that sports organizations confront these issues now, and not wait for the moment their own breach appears in the headlines.
Noel Paul (npaul@reedsmith.com) and Stephen Winter (swinter@reedsmith.com) are insurance recovery lawyers at global law firm Reed Smith.
