A Game-Changer in Prosecuting Data Thieves

Financial institutions get the insider-threat verdict they've been waiting for

Good news for financial institutions. Based on strong evidence, a New York appeals court has reinstated the conviction of an investment-bank employee charged with stealing proprietary information in 2009. This development also underscores a pressing need for companies to amass intelligent evidence, as data-theft laws rapidly evolve in the digital age.

Eight years ago, Goldman Sachs employee Sergey Aleynikov was arrested on his way out the door. The programmer, who quit the financial giant for a $1.2 million job at tech-trading firm Teza Technologies, copied some of Goldman’s high-frequency trading code onto a flash drive.

Aleynikov was sent to jail in 2015 for his actions—which he claimed were for research purposes—before a U.S. appeals court threw out that conviction a year later. On January 24, the appeals court determined that the 1967 physical-evidence law which freed him was too out-of-date, and that today, digital data on a flash drive should count as physical evidence. (A lawyer for Aleynikov, who faces four years in prison, has vowed to counter-appeal.)

The initial defeat of Aleynikov’s conviction rocked the banking world. “No company wants to do business in a market where someone can steal its work product without consequences,” says Cyrus Vance Jr., the Manhattan District Attorney who brought the initial charges against the programmer.

The latest ruling is a clear victory for Vance, as well as for financial institutions looking to vigilantly protect their data—especially from insider threats, which are on the rise. “It might certainly suggest to prosecutors that if they’re in doubt in these areas where there isn’t a lot of case law and you have these statutes dealing with electronic crimes, that they certainly can test the waters,” notes Bennett Gershman, a former prosecutor for the Manhattan District Attorney’s Office.

While this comes as some solace to businesses, it also poses new challenges. Because the forensics process has proven slow and its evidence vague (after all, investigations won’t always procure a hard drive or flash drive), the onus is on companies to find cybersecurity that yields intelligence. Surfacing an employee’s shady behavior is only an accusation unless it’s accompanied by actionable data that empowers HR teams, executive leadership, and, of course, law enforcement.