On April 11, our judiciary system failed the IT industry by limiting the ability of corporations to protect their internal software. Specifically, the U.S. Second Court of Appeals reversed the 2010 conviction of Sergey Aleynikow under the Economic Espionage Act (EEA). During his last day as a Goldman Sachs programmer, Aleynikov uploaded proprietary software that enhances Goldman's high-speed trading capabilities. Shortly thereafter, he joined a company that develops software tools for financial services firms. What a coincidence.
While the judges acknowledged that the code Aleynikov used was "highly valuable," they ruled that he had not violated the EEA, since Goldman had developed the code for internal use, not for sale. Further, he had not violated the National Stolen Property Act (NSPA), because he hadn't stolen a physical object. So it's against the law to steal office supplies, but it's OK to steal valuable software?
This ruling is disastrous if your company has developed software for internal use. You need to take the following precautions:
Alert executive management. IT leadership needs to make executives aware of potential exposure. Executives who read about the ruling may not fully appreciate how legal protection for company systems that provide competitive advantage has been compromised. Even if your risk is small, you don't want someone else -- an outside adviser, a board member or the CEO's golfing buddy -- to alert executives to the Aleynikov case.
Audit software safeguard practices. Most companies implemented safeguards -- including security measures to protect code, and employment contracts to preserve the company's rights -- years ago. But all safeguards must be periodically updated for relevance and tested for compliance to standards. This can be particularly difficult in decentralized or multinational corporations.
Collaborate with legal, HR and public relations. Help the legal department understand the implications of the case. The ruling makes it much more difficult to use either the EEA or the NSPA to protect the company's rights. In the event of a similar theft, legal action must depend on other laws or corporate employment contracts (in compliance with state labor laws). If a theft occurs, be proactive about press coverage; litigation can easily become a public relations nightmare, portraying the heartless corporation pitted against the little guy.
Demand clarity from Congress.Judge Guido Calabresi of the Second Circuit wrote a separate opinion saying that he found it difficult "to conclude that Congress, in this law, actually meant to exempt the kind of behavior in which Aleynikov engaged." He went on to ask Congress to clearly define criminal behavior under the EEA. Work with your lobbying organization to request congressional action. And make sure someone in your organization is responsible for monitoring legislative progress.
The EEA and the NSPA were probably adequate when written. But the needs of IT organizations have eclipsed the understanding of law-making bodies worldwide. Congress needs to update both acts to reflect current technological capabilities.
The Aleynikov ruling only encourages other thefts of valuable IT software. Fight back. Think creatively. (Potential thieves surely will.) What development processes, employment agreements, security procedures or other safeguards need to be established or updated in your corporation? Take action before it's too late.
Bart Perkins is managing partner at Louisville, Ky.-based Leverage Partners, which helps organizations invest well in IT. Contact him at BartPerkins@LeveragePartners.com.
Read more about applications in Computerworld's Applications Topic Center.