Should We Bring Back the Cat-o-Nine-Tails? NSPA & EEA Need Not Apply
April 19, 2012, 10:05 am EDT
By Chris Winter, Director of Product Management, Storage Security
Or perhaps we should restart deportation to Australia? Or cutting off hands? You are probably wondering why I am even asking these questions. It is really quite simple: there used to be significant punishments for people who stole things from other people. Rather barbaric punishments, but everybody understood what would happen to them if they were caught stealing.
As we got more civilized, the punishments became less barbaric, but there was still a clear understanding of theft: it is wrong to take things that do not belong to you. A simple, concise message that even a 4-year-old can understand. But that has all changed now.
On April 11th, 2012, the appellate court of the Second Circuit ruled that source code cannot be stolen! This was in the case of a programmer at Goldman Sachs who accessed 500,000 lines of proprietary source code the day he was leaving for another job and sent it encrypted to Germany. He then attempted to cover his tracks by deleting the program he used to encrypt the source code and all the logs. After he later recovered the code while working at another company (which had offered to triple his Goldman Sachs salary of $400K), he was arrested and charged under the National Stolen Property Act (NSPA) and the Economic Espionage Act (EEA).
He was originally convicted and sentenced to 97 months in prison in December 2010 with a $12.5K fine (!!). However, on appeal this year, the appellate court ruled that source code was not a “stolen good” within the meaning of the NSPA and ordered his immediate release. They said, “We decline to stretch or update statutory words of plain and ordinary meaning in order to better accommodate the digital age.”
Now if you are anything like me, you will be confused, perplexed, disappointed, and maybe depressed over this. But what you should be is deeply concerned over the security and protection of your corporate and private data and information. If they can do this to source code, then what next? Emails? Design documents? If you read the links throughout the post, you will see that if something is not tangible, not used to make something else, not used in something else, and not licensed for use, then the EEA does not apply. In other words, that thing cannot be stolen. Just imagine the scope and implications of that.
So what questions does that bring up? Here are some that spring to my mind:
- Who will ever hire this person in the future? What sort of character does he exhibit?
- What about trade secrets – are they protected? What about patents? Trade secrets?
- Why did he have access to 500,000 lines of “proprietary code”? He can’t have written all that himself in only the two years he worked for GS.
- What storage security protection does my company have in place? Does it compartmentalize data and information to prevent general, unauthorized access? Does it protect against malicious or rogue administrators? Does it segregate different users’ data to prevent accidental misuse? Is there an audit log that cannot be deleted?
- What will I tell my kids tonight? “It is wrong to take things that do not belong to you… unless it is source code, in which case you can do whatever you like – especially if you get paid $1.2M a year for doing it.”
The bottom line is that we can no longer rely on common sense, conventional deterrents or even the legal system to protect corporate and private information regardless of what we used to consider safeguards. There are no longer any moral or legal hindrances to prevent bad people from stealing corporate and private confidential information. We need to take data security into our own hands and ensure that data is secure, protected, and safe.
SafeNet StorageSecure and KeySecure are obvious solutions that could have prevented the loss of such a lot of proprietary and confidential source code.
Further Reading:
Cyber Intelligence Sharing and Protection Act (CISPA): http://www.geekosystem.com/cispa-primer/