The law often lags behind developments in the tech world. One problem for employers seeking to protect their data is that some anti-theft and trade secret protection laws drafted long ago refer to “goods” and “tangible” items. As a result, it is sometimes difficult for employers to get recourse against cyber thieves and others who misappropriate trade secrets and confidential information. The wrongdoers may not be criminally convicted because their misdeeds do not fit within the technical definitions in the relevant statutes.
But a recent decision from the New York State Appellate Division indicates that courts may be gravitating toward a more flexible approach that is consistent with our current understanding of what “property” really is. The case involves Sergey Aleynikov, a well-known figure who has been making his way through the criminal justice system since 2009, as a result of his uploading high-frequency trading code from his employer at the time, Goldman Sachs.
The past 15 years of Sergey Aleynikov’s life make a fascinating story. A skilled programmer at an early age, Mr. Aleynikov emigrated from the Soviet Union to the United States in 1990. After working his way up the developer’s ladder, he landed a high-level job with Goldman Sachs working on its high-frequency trading platform – a $300 million-per-year profit mill for the multinational finance company. His experiences at Goldman ultimately inspired the New York Times bestseller Flash Boys, which details the rise of high-frequency trading in the U.S. security and commodity markets.
Fame does not come without a price, however, and Mr. Aleynikov is no exception. His now eight-year legal battle against various federal and state criminal charges related to his departure from Goldman has already cost all of his money. And after the New York court’s decision, it is likely to cost him his liberty, too.
Mr. Aleynikov worked for Goldman as a vice president developer from approximately 2007 to 2009. His primary responsibilities were maintaining, updating, and testing the company’s high-frequency trading platform. He had full access to the platform’s source code.
In 2009, Mr. Aleynikov accepted a position with a startup competitor. The new employer did not have its own high-frequency trading platform. It therefore hired Mr. Aleynikov to the tune of $1.2 million a year to design and code one from scratch.
Mr. Aleynikov apparently wanted the opportunity to build from the established and stable Goldman source code. On his last day at Goldman, Mr. Aleynikov allegedly copied, encrypted, and uploaded portions of the code to a server in Germany (indisputably outside the control of the Goldman network). He also allegedly deleted logs and other digital footprints from his work computer to conceal his theft of the source code. Mr. Aleynikov apparently did not cover his digital tracks well enough, however, and he was arrested shortly after his departure from Goldman. After his arrest, portions of the Goldman source code were found on his personal computers and flash drives.
It appears there was no direct proof that Mr. Aleynikov actually used the source code, so he was charged under the federal National Stolen Property Act and Economic Espionage Act with copying the code illegally. He claimed that he merely “borrowed” the code for his personal use and not for the benefit of his new employer. His new employer promptly terminated his employment.
Mr. Aleynikov was eventually convicted and spent 11 months in prison before the U.S. Court of Appeals for the Second Circuit overturned his conviction in February 2012. The court determined, among other things, that Mr. Aleynikov could not be convicted under the Stolen Property Act because source code is “intangible property,” and therefore could not be a stolen “good” within the meaning of that statute. The court’s decision was harshly criticized, and prompted Congress and then-President Obama to enact the Theft of Trade Secrets Clarification Act of 2012, which closed several perceived loopholes in the Economic Espionage Act.
Unfortunately for Mr. Aleynikov, his legal troubles did not end with the Second Circuit’s acquittal. Just months later, he was charged under the New York State Penal Law, and a jury convicted him of “unlawful use of secret scientific material.” However, the trial court overturned the jury’s verdict and dismissed the charges, largely based upon the Second Circuit’s reasoning in the federal appeal. The state then appealed.
Before the New York Appellate Division, Mr. Aleynikov essentially made the same arguments he made in the prior federal appeal: there was no evidence that he had made a “tangible” reproduction of the source code, and there was no evidence that he acted with the requisite intent. But the Appellate Division determined that the relevant inquiry under the New York statute was not whether the source code itself was tangible, but whether Mr. Aleynikov made a tangible reproduction of the code. Because Mr. Aleynikov copied the source code to a remote server and later downloaded it to his personal computers and flash drives, the court held that the reproduction was indeed “tangible” within the meaning of the New York statue.
In disposing of the “intent” issue, the court noted that the state was required to show that Mr. Aleynikov intended to permanently exercise control over the source code he had copied. Unconvinced by Mr. Aleynikov’s claim that he briefly “borrowed” the code, the court found that the jury’s finding of intent was supported by the evidence showing that Mr. Aleynikov (1) surreptitiously uploaded the code to an overseas server, (2) downloaded the code onto several personal computers and devices, (3) shared the code with his new employer, (4) took steps to hide his tracks, and (5) never once attempted to return or delete the code.
Ultimately, the court reinstated the jury’s conviction and remanded the case for sentencing. Mr. Aleynikov now faces up to four years in prison, although his attorney has said that he will appeal.
The Appellate Division decision is one more indication that we may be entering a new era for employers seeking to protect their confidential data and trade secrets. The court’s decision references the expert testimony that saving data on a hard drive, flash drive, or other medium alters the physical properties of the storage medium and therefore that the reproduction of the data is “tangible.” Although Mr. Aleynikov is likely to argue that the court was straining to find “tangibility,” the court’s interpretation seems to be more consistent with evolving technology relating to storage of information. If a photocopy of a memorandum containing a trade secret would be “tangible,” then it is difficult to see why a server containing the same information in digital form would not be.
Although Goldman detected Mr. Aleynikov’s activity quickly and acted promptly, it surely would have preferred to prevent Mr. Aleynikov from uploading the code in the first place. But, no matter how robust, preventive measures are not foolproof. Internal threats are pervasive, and clever employees find clever ways around security protocols. Therefore, it is critical that companies have procedures that detect employee data theft reasonably quickly after it occurs and allow them to quickly limit any resulting damage. Here are a few suggestions:
Have a data security and integrity plan. Depending upon the industry, your company may already be required to have one. Compliance issues notwithstanding, it is a good idea. A substantial employee theft of unguarded data will inevitably lead to some sort of shareholder lawsuit against the company’s executives for breach of fiduciary duty. Assemble a team responsible for creating, enforcing, and executing the plan, and make sure all team members’ performance reviews include an evaluation of their performance in this area. Again, no plan is foolproof, but your company should do enough to make theft difficult and detectable. Focus especially on employee exit procedures, and remember that smart employees usually copy data well before their last day on the job.
Limit access. Require unique user names and passwords for each authorized user of a network, and implement controls on users’ access to the network. Limit the number of people who have access to certain classes of data and software based upon the business need to use it. Additionally, if employees are allowed to work from home, require that they use the company’s remote access platform or at least a company laptop so that all company data remains within the company’s control.
Have a robust computer use policy and employee non-disclosure agreements. Expressly restrict employees from using, copying, or accessing any company data or software for any reason other than company business. Consider all scenarios because both the policy and the non-disclosure agreement will be evidence at a subsequent criminal or civil trial. Mandatory security training is also advised, but remember to retain the training materials and employee attendance records.
Report electronic theft to law enforcement. If your auditing procedures uncover employee theft, report it to law enforcement immediately. Although civil remedies can be effective, employers can often get faster relief through the criminal justice system, especially if the theft involved the use of overseas servers.