NY Appeals Court Decision Signals Cybersecurity Whistleblowing Implicates Corporate Theft

legal_justice

Most people don?t think about what whistleblower laws may protect them until they need them. Many information security professionals may be surprised to learn that they are protected by the law although no law specifically protects ?cybersecurity? whistleblowers. This is because issues involving information security are rarely only about information security.

The criminal case of People v. Aleynikov illustrates this point well. People v. Aleynikov, No. 1956, 2017 WL 327278 (N.Y. App. Div. Jan. 24, 2017). In Aleynikov, the defendant was a programmer at Goldman Sachs Group Inc. The government alleged that after his employment at Goldman Sachs ended, the defendant took proprietary software code without permission. A jury convicted the defendant, but the trial judge overturned the conviction on the basis that the defendant did not take any tangible property.

In Late January, a New York state appeals court reinstated the conviction. The court noted that Goldman Sachs had taken substantial security measures to protect its valuable data. The bank had physical security, legal agreements, and a dedicated information security group. This group discovered unusual activity from the defendant?s work computer when reviewing reports from its monitoring systems. The defendant put thousands of proprietary files into encrypted tarballs and uploaded them to an external site. Goldman Sachs? security system was designed to block the type of external site used, but it failed in this instance. Nonetheless, the team was quickly able to identify the breach and suspected culprit despite the defendant?s alleged attempts to conceal his actions, thereby likely mitigating potential harm to the company.

The court based its holding on an examination of the statutory meaning of ?tangible.? But for our purposes, Manhattan District Attorney Cyrus Vance summed up the case?s significance well. Vance reportedly stated that ?the theft of intellectual property is indeed a crime?regardless of the physical means used to spirt the data away from its source.? (emphasis added). Despite the digital form of the stolen property and all the implicated cybersecurity issues, this was a case about corporate theft.

The term ?data leakage? has a distinct significance within the information security field. But it always means more than that. Data leakage can be theft, it can indicate deficient internal controls, and it can evidence a breach of contract. Cybersecurity issues are ubiquitous because the digital world is ubiquitous. However, the presence of information security concerns does not deprive the conduct at issue from its significance in other contexts. It is for this reason that whistleblowers who disclose cybersecurity concerns are often protected despite the lack of a cybersecurity-specific statute.
Whistleblower Protections for Cybersecurity Whistleblowers

Under certain circumstances, all the following laws can protect cybersecurity whistleblowers:

  • Sarbanes-Oxley Act
  • Dodd-Frank Act
  • False Claims Act
  • National Defense Authorization Act
  • Whistleblower Protection Act (federal employees)
  • Consumer Financial Protection Act
  • State wrongful discharge actions

About this Author
Dallas Hammer, Zuckerman Law, Whistleblower Attorney, Labor Lawyer, Discrimination Attorney
Dallas Hammer represents employees in whistleblower, discrimination, and other employment-related litigation.

Source: natlawreview.com
0 Comments