Whistleblower Disclosures About Data Leakage Implicate Corporate Theft
Most people don’t think about what whistleblower laws may protect them until they need them. Many information security professionals may be surprised to learn that they are protected by the law although no law specifically protects “cybersecurity” whistleblowers. This is because issues involving information security are rarely only about information security.
The criminal case of People v. Aleynikov illustrates this point well. People v. Aleynikov, No. 1956, 2017 WL 327278 (N.Y. App. Div. Jan. 24, 2017). In Aleynikov, the defendant was a programmer at Goldman Sachs Group Inc. The government alleged that after his employment at Goldman Sachs ended, the defendant took proprietary software code without permission. A jury convicted the defendant, but the trial judge overturned the conviction on the basis that the defendant did not take any tangible property.
Today, a New York state appeals court reinstated the conviction. The court noted that Goldman Sachs had taken substantial security measures to protect its valuable data. The bank had physical security, legal agreements, and a dedicated information security group. This group discovered unusual activity from the defendant’s work computer when reviewing reports from its monitoring systems. The defendant put thousands of proprietary files into encrypted tarballs and uploaded them to an external site. Goldman Sachs’ security system was designed to block the type of external site used, but it failed in this instance. Nonetheless, the team was quickly able to identify the breach and suspected culprit despite the defendant’s alleged attempts to conceal his actions, thereby likely mitigating potential harm to the company.
The court based its holding on an examination of the statutory meaning of “tangible.” But for our purposes, Manhattan District Attorney Cyrus Vance summed up the case’s significance well. Vance reportedly stated that “the theft of intellectual property is indeed a crime…regardless of the physical means used to spirt the data away from its source.” (emphasis added). Despite the digital form of the stolen property and all the implicated cybersecurity issues, this was a case about corporate theft.
The term “data leakage” has a distinct significance within the information security field. But it always means more than that. Data leakage can be theft, it can indicate deficient internal controls, and it can evidence a breach of contract. Cybersecurity issues are ubiquitous because the digital world is ubiquitous. However, the presence of information security concerns does not deprive the conduct at issue from its significance in other contexts. It is for this reason that whistleblowers who disclose cybersecurity concerns are often protected despite the lack of a cybersecurity-specific statute.
Whistleblower Protections for Cybersecurity Whistleblowers
Under certain circumstances, all the following laws can protect cybersecurity whistleblowers:
False Claims Act
National Defense Authorization Act
Whistleblower Protection Act (federal employees)
Consumer Financial Protection Act
State wrongful discharge actions
This is only representative and by no means exhaustive. However, in most cases, an information security whistleblower needs to know that the cybersecurity issues they are reporting relate to these other issues. A good starting point is to consider why it is important that the data, network, etc. is protected, what could happen if a breach were to occur? If a breach has occurred, what obligations does the company have to its customers, business partners, and regulators? Could it cause substantial loss to the company or cause the company to violate its contractual agreements? Does the cybersecurity issue constitute a violation of law?