Data Theft And What’s “Tangible”: New York Appellate Division Reinstates Conviction Of Former Goldman Sachs Programmer Sergey Aleynikov

by Constangy, Brooks, Smith & Prophete, LLP

The law often lags behind developments in the tech world. One problem for employers seeking to protect their data is that some anti-theft and trade secret protection laws drafted long ago refer to “goods” and “tangible” items. As a result, it is sometimes difficult for employers to get recourse against cyber thieves and others who misappropriate trade secrets and confidential information. The wrongdoers may not be criminally convicted because their misdeeds do not fit within the technical definitions in the relevant statutes.

But a recent decision from the New York State Appellate Division indicates that courts may be gravitating toward a more flexible approach that is consistent with our current understanding of what “property” really is. The case involves Sergey Aleynikov, a well-known figure who has been making his way through the criminal justice system since 2009, as a result of his uploading high-frequency trading code from his employer at the time, Goldman Sachs.

Background

The past 15 years of Sergey Aleynikov’s life make a fascinating story. A skilled programmer at an early age, Mr. Aleynikov emigrated from the Soviet Union to the United States in 1990. After working his way up the developer’s ladder, he landed a high-level job with Goldman Sachs working on its high-frequency trading platform – a $300 million-per-year profit mill for the multinational finance company. His experiences at Goldman ultimately inspired the New York Times bestseller Flash Boys, which details the rise of high-frequency trading in the U.S. security and commodity markets.

Fame does not come without a price, however, and Mr. Aleynikov is no exception. His now eight-year legal battle against various federal and state criminal charges related to his departure from Goldman has already cost him all of his money. And after the New York court’s decision, it is likely to cost him his liberty, too.

Mr. Aleynikov worked for Goldman as a vice president developer from approximately 2007 to 2009. His primary responsibilities were maintaining, updating, and testing the company’s high-frequency trading platform. He had full access to the platform’s source code.

In 2009, Mr. Aleynikov accepted a position with a startup competitor. The new employer did not have its own high-frequency trading platform. It therefore hired Mr. Aleynikov to the tune of $1.2 million a year to design and code one from scratch.

Mr. Aleynikov apparently wanted the opportunity to build from the established and stable Goldman source code. On his last day at Goldman, Mr. Aleynikov allegedly copied, encrypted, and uploaded portions of the code to a server in Germany (indisputably outside the control of the Goldman network). He also allegedly deleted logs and other digital footprints from his work computer to conceal his theft of the source code. Mr. Aleynikov apparently did not cover his digital tracks well enough, however, and he was arrested shortly after his departure from Goldman.  After his arrest, portions of the Goldman source code were found on his personal computers and flash drives.

It appears there was no direct proof that Mr. Aleynikov actually used the source code, so he was charged under the federal National Stolen Property Act and Economic Espionage Act with copying the code illegally. He claimed that he merely “borrowed” the code for his personal use and not for the benefit of his new employer. His new employer promptly terminated his employment.

Mr. Aleynikov was eventually convicted and spent 11 months in prison before the U.S. Court of Appeals for the Second Circuit overturned his conviction in February 2012.  The court determined, among other things, that Mr. Aleynikov could not be convicted under the Stolen Property Act because source code is “intangible property,” and therefore could not be a stolen “good” within the meaning of that statute. The court’s decision was harshly criticized, and prompted Congress and then-President Obama to enact the Theft of Trade Secrets Clarification Act of 2012, which closed several perceived loopholes in the Economic Espionage Act.

Unfortunately for Mr. Aleynikov, his legal troubles did not end with the Second Circuit’s acquittal.  Just months later, he was charged under the New York State Penal Law, and a jury convicted him of “unlawful use of secret scientific material.” However, the trial court overturned the jury’s verdict and dismissed the charges, largely based upon the Second Circuit’s reasoning in the federal appeal. The state then appealed.

Holding

Before the New York Appellate Division, Mr. Aleynikov essentially made the same arguments he made in the prior federal appeal: there was no evidence that he had made a “tangible” reproduction of the source code, and there was no evidence that he acted with the requisite intent. But the Appellate Division determined that the relevant inquiry under the New York statute was not whether the source code itself was tangible, but whether Mr. Aleynikov made a tangible reproduction of the code. Because Mr. Aleynikov copied the source code to a remote server and later downloaded it to his personal computers and flash drives, the court held that the reproduction was indeed “tangible” within the meaning of the New York statute.

In disposing of the “intent” issue, the court noted that the state was required to show that Mr. Aleynikov intended to permanently exercise control over the source code he had copied. Unconvinced by Mr. Aleynikov’s claim that he briefly “borrowed” the code, the court found that the jury’s finding of intent was supported by the evidence showing that Mr. Aleynikov (1) surreptitiously uploaded the code to an overseas server, (2) downloaded the code onto several personal computers and devices, (3) shared the code with his new employer, (4) took steps to hide his tracks, and (5) never once attempted to return or delete the code.

Ultimately, the court reinstated the jury’s conviction and remanded the case for sentencing. Mr. Aleynikov now faces up to four years in prison, although his attorney has said that he will appeal.

Employer Takeaways

The Appellate Division decision is one more indication that we may be entering a new era for employers seeking to protect their confidential data and trade secrets. The court’s decision references the expert testimony that saving data on a hard drive, flash drive, or other medium alters the physical properties of the storage medium and therefore that the reproduction of the data is “tangible.” Although Mr. Aleynikov is likely to argue that the court was straining to find “tangibility,” the court’s interpretation seems to be more consistent with evolving technology relating to storage of information. If a photocopy of a memorandum containing a trade secret would be “tangible,” then it is difficult to see why a server containing the same information in digital form would not be.

Although Goldman detected Mr. Aleynikov’s activity quickly and acted promptly, it surely would have preferred to prevent Mr. Aleynikov from uploading the code in the first place. But, no matter how robust, preventive measures are not foolproof. Internal threats are pervasive, and clever employees find clever ways around security protocols. Therefore, it is critical that companies have procedures that detect employee data theft reasonably quickly after it occurs and allow them to quickly limit any resulting damage. Here are a few suggestions:

  • Have a data security and integrity plan.  Depending upon the industry, your company may already be required to have one. Compliance issues notwithstanding, it is a good idea. A substantial employee theft of unguarded data will inevitably lead to some sort of shareholder lawsuit against the company’s executives for breach of fiduciary duty. Assemble a team responsible for creating, enforcing, and executing the plan, and make sure all team members’ performance reviews include an evaluation of their performance in this area. Again, no plan is foolproof, but your company should do enough to make theft difficult and detectable. Focus especially on employee exit procedures, and remember that smart employees usually copy data well before their last day on the job.
  • Limit access. Require unique user names and passwords for each authorized user of a network, and implement controls on users’ access to the network. Limit the number of people who have access to certain classes of data and software based upon the business need to use it. Additionally, if employees are allowed to work from home, require that they use the company’s remote access platform or at least a company laptop so that all company data remains within the company’s control.
  • Have a robust computer use policy and employee non-disclosure agreements. Expressly restrict employees from using, copying, or accessing any company data or software for any reason other than company business. Consider all scenarios because both the policy and the non-disclosure agreement will be evidence at a subsequent criminal or civil trial. Mandatory security training is also advised, but remember to retain the training materials and employee attendance records.
  • Report electronic theft to law enforcement. If your auditing procedures uncover employee theft, report it to law enforcement immediately. Although civil remedies can be effective, employers can often get faster relief through the criminal justice system, especially if the theft involved the use of overseas servers.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Constangy, Brooks, Smith & Prophete, LLP | Attorney Advertising
