Two recent court rulings have made it difficult to prosecute anyone for stealing internally focused software. IT should be working with Legal and the C-suite to mitigate the risks.
Let's say an employee with legitimate access to corporate intellectual property -- perhaps an extremely valuable and closely held program for internal operations that gives your business most of its competitive edge -- uploads that program's source code to the cloud. Then our hypothetical employee turns in his resignation, and from home pulls down the source code and loads it on a USB stick for transport to his new employer -- soon to become your fiercest competitor.
There's a law against that, right?
Actually there are three federal laws that employers have commonly wielded in cases like this. As IEEE Spectrum describes it, one of them was eviscerated on April 9 by the Ninth Circuit Court of Appeals in California and the other two were shredded two days later by the Second Circuit Court of Appeals in New York.
The scenario above describes exactly what programmer Sergey Aleynikov did beginning on his last day in the employ of Goldman Sachs, in June 2009. The software in question was Goldman's "secret sauce" for high-frequency trading. Aleynikov was arrested, tried, convicted (in December 2010), and sent to jail for 8 years. Upon appeal to the Second Circuit, he was freed two months later and his conviction under the National Stolen Property Act (NSPA) and the Economic Espionage Act (EEA) was thrown out.
The court ruled that what Aleynikov stole was not tangible "property" as defined under the NSPA. And since Goldman had developed its software strictly for internal use, and never intended to sell it across state lines, the EEA could not be applied to the case.
In the opinion the court released in April, Chief Judge Dennis Jacobs wrote: "We decline to stretch or update statutory words of plain and ordinary meaning in order to better accommodate the digital age."
The California case decided in the Ninth Circuit in that same week in April was about the theft of customer and prospect contact information, not software. But the court's ruling kicked the legs from under the third law, the Computer Fraud and Abuse Act (CFAA), as it had been used in the past to go after insiders who stole intellectual property.
The court ruled that the CFAA only applies in cases of break-in or hacking by an unauthorized party, and that it is an inappropriate legal tool to apply to a case of insider theft. (The New York trial court had come to the same conclusion in the Aleynikov case, and threw out a charge brought under the CFAA.)
What is a CIO to do with this information? Follow the advice of Bart Perkins, writing in CIO.com:
The last point embodies the long-term solution. No-one believes that Congress ever intended to let software thieves walk through loopholes in laws that have not kept pace with technology.