The recent sentencing of a former Boeing engineer for stealing trade secrets raised the question of whether a defense contractor has a duty to notify the Department of Defense (DoD) under the Safeguarding Covered Defense Information and Cyber Incident Reporting Regulation (DFARS 252.204-7012), when the contractor has knowledge that an employee may be stealing trade secrets.
1. The Sentencing of Mr. Justice for Economic Espionage and AECA and ITAR Violations.
Former Boeing Satellite Systems engineer and long-time employee Gregory Allen Justice was sentenced on Sept. 18, 2017 to five years in federal prison for selling military secrets to an undercover FBI agent he believed to be a Russian spy. Mr. Justice had previously pleaded guilty to attempted economic espionage and to violating the Arms Export Control Act (AECA) and the International Traffic in Arms Regulations (ITAR).
The Government’s sentencing memo stated that between February and July 2016, Mr. Justice met in person with an FBI undercover agent six times. After the first introductory meeting, Mr. Justice began downloading trade secrets pertaining to the Wideband Global SATCOM (WGS) program. The trade secrets related to technology for verifying encryption and decryption functionality, testing satellite operations, and sensitive anti-jamming capabilities. Mr. Justice told the undercover agent that the information could be used to intercept and substitute communications. In the final meeting, Mr. Justice offered to give the undercover agent a tour of his work facility, during which the undercover agent could wear camera glasses to photograph the facility, which was prohibited.
An industry expert testified that the cost to develop the trade secrets was almost $3.2 million. Mr. Justice downloaded the trade secrets onto thumb drives, which he in turn gave to the undercover agent. Mr. Justice received a total of $3,500 cash in exchange for the stolen trade secrets—$500 for his first delivery, and $1,000 for each of the three subsequent deliveries.
Mr. Justice told the undercover agent that he needed to sell the secrets to pay for his wife’s medical bills, but in reality he used much of the $3,500 to provide cash and gifts to a woman he had met online. That cash was only a portion of the more than $21,000 he mailed to his paramour. Mr. Justice’s attorney said her client struggled with depression and obsessive-compulsive tendencies at his job.
2. The Reporting Obligations Under the DoD Cybersecurity Regulations.
The Safeguarding Covered Defense Information and Cyber Incident Reporting clause requires that contractors rapidly report “cyber incidents” to the DoD within 72 hours of discovery. DFARS 252.204-7012. The clause defines a “cyber incident” as actions taken through the use of computer networks that result in a “compromise,” and “compromise” in turn includes a violation of the security policy of a system in which “the copying of information to unauthorized media may have occurred.” The information at issue here, ITAR-controlled technical data for a military satellite program, is covered defense information, and a thumb drive that company policy does not permit for that data is unauthorized media. So when Mr. Justice, a longtime, trusted engineer, downloaded the trade secrets onto a thumb drive, the contractor’s reporting obligation was triggered, with the 72-hour clock running from the point at which the contractor discovered the copying rather than from the copying itself. Before this regulation, contractors had no such explicit reporting obligation.
3. Insider Threat Programs.
Under the DoD National Industrial Security Program Operating Manual (“NISPOM”), Change 2 (issued May 18, 2016), cleared contractors must establish and implement insider threat programs consistent with Executive Order 13587 and the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs. An insider threat program should include alerts when an employee attempts to copy information onto a removable device or into a personal cloud application, activities that are often prohibited by the contractor’s own security policies and that, for covered defense information, are exactly the “copying to unauthorized media” that starts the DFARS reporting clock.
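As an added illustration of the alerting described above (this is example code, not anything from Boeing, the DoD or the cited regulations), the following Python detection rule runs over a few constructed endpoint-agent log lines, flags every copy of a CDI-labelled file to removable media or a personal cloud destination, groups the hits by user, and computes the 72-hour DFARS 252.204-7012 reporting deadline from the time the contractor discovered the activity. The pipe-delimited log format, the “CDI”/“PUBLIC” labels, the `USB:`/`CLOUD:`/`NETSHARE:` destination prefixes and the user names are all assumptions made for the example.

```python
"""Flag copies of covered defense information (CDI) to unauthorized media and
compute the DFARS 252.204-7012 72-hour reporting deadline.

Added example. The log format, labels and destination prefixes are assumptions
for illustration; real endpoint/DLP agents each have their own schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

REPORTING_WINDOW = timedelta(hours=72)  # "rapidly report ... within 72 hours of discovery"

# Destination prefixes treated as "unauthorized media" (assumption for the example).
UNAUTHORIZED_DEST_PREFIXES = ("USB:", "CLOUD:")

# Constructed sample log lines in a hypothetical pipe-delimited agent format:
# timestamp|user|action|path|destination|label
SAMPLE_LOG = """\
2016-03-01T09:12:04Z|gjustice|FILE_COPY|/proj/wgs/crypto_verify_test.pdf|USB:SanDisk_Cruzer|CDI
2016-03-01T09:12:41Z|gjustice|FILE_COPY|/proj/wgs/antijam_test_plan.docx|USB:SanDisk_Cruzer|CDI
2016-03-01T10:03:17Z|asmith|FILE_COPY|/proj/wgs/lunch_menu.txt|USB:Kingston_DT|PUBLIC
2016-03-01T11:44:09Z|gjustice|FILE_UPLOAD|/proj/wgs/sat_ops_test.xlsx|CLOUD:personal-drive|CDI
2016-03-01T12:00:00Z|asmith|FILE_COPY|/proj/wgs/status.pptx|NETSHARE:approved-share|CDI
2016-03-01T12:05:00Z|truncated line with too few fields
"""

# Constructed time at which the rule fired and the contractor became aware.
SAMPLE_DISCOVERED_AT = datetime(2016, 3, 1, 12, 30, tzinfo=timezone.utc)


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    path: str
    dest: str
    label: str


@dataclass
class Alert:
    user: str
    files: List[str]
    first_seen: datetime
    last_seen: datetime
    report_by: datetime  # discovery time plus 72 hours


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; malformed lines yield None instead of crashing the rule."""
    parts = line.strip().split("|")
    if len(parts) != 6:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return Event(ts, *parts[1:])


def is_unauthorized_destination(dest: str) -> bool:
    """Removable media and personal cloud sync are unauthorized; approved shares are not."""
    return dest.upper().startswith(UNAUTHORIZED_DEST_PREFIXES)


def find_compromises(log_text: str, discovered_at: datetime) -> List[Alert]:
    """Return one Alert per user who copied CDI-labelled files to unauthorized media.

    `discovered_at` is when the contractor learned of the activity (here, when the
    rule fired); the 72-hour clock runs from discovery, not from the copy itself.
    """
    by_user: Dict[str, List[Event]] = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.label != "CDI" or not is_unauthorized_destination(ev.dest):
            continue
        by_user.setdefault(ev.user, []).append(ev)

    alerts: List[Alert] = []
    for user, events in sorted(by_user.items()):
        events.sort(key=lambda e: e.ts)
        alerts.append(Alert(
            user=user,
            files=[e.path for e in events],
            first_seen=events[0].ts,
            last_seen=events[-1].ts,
            report_by=discovered_at + REPORTING_WINDOW,
        ))
    return alerts


if __name__ == "__main__":
    for a in find_compromises(SAMPLE_LOG, SAMPLE_DISCOVERED_AT):
        print(f"{a.user}: {len(a.files)} CDI file(s) to unauthorized media between "
              f"{a.first_seen:%Y-%m-%dT%H:%M}Z and {a.last_seen:%Y-%m-%dT%H:%M}Z; "
              f"report to DoD by {a.report_by:%Y-%m-%dT%H:%M}Z")
```

On the sample above only `gjustice` produces an alert (three files, two to a USB stick and one to a personal cloud drive); the PUBLIC file and the copy to the approved network share are ignored. The deadline is deliberately anchored to the discovery time passed in rather than to the event timestamps, because a program that only alerts days after the fact still has 72 hours from the alert, not from the copy, and a real program would also record who triaged the alert and when, since that record is what establishes the discovery time if the report is later questioned.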
Interestingly, in March 2016, SailPoint published a market survey finding that 1 in 5 employees would sell their passwords to an outsider. Of those who would sell their passwords, 44% would do so for less than $1,000, a figure in line with the $500 and $1,000 payments Mr. Justice accepted for each delivery.