NY Appeals Court Decision Signals that Cybersecurity Whistleblowing Implicates Corporate Theft

Whistleblower Disclosures About Data Leakage Implicate Corporate Theft

Most people don’t think about what whistleblower laws may protect them until they need them.  Many information security professionals may be surprised to learn that they are protected by the law although no law specifically protects “cybersecurity” whistleblowers.  This is because issues involving information security are rarely only about information security.

The criminal case of People v. Aleynikov illustrates this point well.  People v. Aleynikov, No. 1956, 2017 WL 327278 (N.Y. App. Div. Jan. 24, 2017).  In Aleynikov, the defendant was a programmer at Goldman Sachs Group Inc.  The government alleged that after his employment at Goldman Sachs ended, the defendant took proprietary software code without permission.  A jury convicted the defendant, but the trial judge overturned the conviction on the basis that the defendant did not take any tangible property.

Today, a New York state appeals court reinstated the conviction.  The court noted that Goldman Sachs had taken substantial security measures to protect its valuable data.  The bank had physical security, legal agreements, and a dedicated information security group.  This group discovered unusual activity from the defendant’s work computer when reviewing reports from its monitoring systems.  The defendant put thousands of proprietary files into encrypted tarballs and uploaded them to an external site.  Goldman Sachs’ security system was designed to block the type of external site used, but it failed in this instance.  Nonetheless, the team was quickly able to identify the breach and suspected culprit despite the defendant’s alleged attempts to conceal his actions, thereby likely mitigating potential harm to the company.

The court based its holding on an examination of the statutory meaning of “tangible.”  But for our purposes, Manhattan District Attorney Cyrus Vance summed up the case’s significance well.  Vance reportedly stated that “the theft of intellectual property is indeed a crime…regardless of the physical means used to spirit the data away from its source.” (emphasis added).  Despite the digital form of the stolen property and all the implicated cybersecurity issues, this was a case about corporate theft.

The term “data leakage” has a distinct significance within the information security field.  But it always means more than that.  Data leakage can be theft, it can indicate deficient internal controls, and it can evidence a breach of contract.  Cybersecurity issues are ubiquitous because the digital world is ubiquitous.  However, the presence of information security concerns does not deprive the conduct at issue of its significance in other contexts.  It is for this reason that whistleblowers who disclose cybersecurity concerns are often protected despite the lack of a cybersecurity-specific statute.

Whistleblower Protections for Cybersecurity Whistleblowers

Under certain circumstances, all the following laws can protect cybersecurity whistleblowers:

This is only representative and by no means exhaustive.  However, in most cases, an information security whistleblower needs to know that the cybersecurity issues they are reporting relate to these other issues.  A good starting point is to consider why it is important that the data, network, etc. is protected.  What could happen if a breach were to occur?  If a breach has occurred, what obligations does the company have to its customers, business partners, and regulators?  Could it cause substantial loss to the company or cause the company to violate its contractual agreements?  Does the cybersecurity issue constitute a violation of law?  I have written in more detail about how cybersecurity issues can be covered by existing anti-retaliation laws here and here.

Of course, information security professionals who are contemplating blowing the whistle or believe they have suffered retaliation for doing so should consult with an experienced whistleblower attorney to determine what protections may apply to their particular case.

Download our Practitioner’s Guide to Cybersecurity Whistleblowing.

Cybersecurity Whistleblower Lawyers

Leading whistleblower law firm Zuckerman Law represents cybersecurity whistleblowers in whistleblower retaliation and whistleblower rewards claims, including in Sarbanes-Oxley whistleblower actions.  Dallas Hammer has written extensively about protections for cybersecurity whistleblowers, including the following publications:

Recently, Corporate Crime Reporter interviewed Mr. Hammer about cybersecurity whistleblowing.  A summary of the interview is available online at Dallas Hammer on the Rise of Cybersecurity Whistleblowing.  And CSO quoted Mr. Hammer in an article titled Cybersecurity whistleblowers: Get ready for more.

Dallas Hammer represents employees in whistleblower, discrimination, and other employment-related litigation, including representing corporate whistleblowers in claims under the whistleblower protection provisions of the Sarbanes-Oxley Act and Dodd-Frank Act; representing federal employees in adverse action appeals at the Merit Systems Protection Board and claims under the Whistleblower Protection Act, including individual right of action appeals; negotiating severance, separation, and employment agreements; and representing employees in discrimination and retaliation actions, including sexual harassment claims under Title VII of the Civil Rights Act and disability discrimination claims under the Americans with Disabilities Act Amendments Act of 2008.