New York’s highest court – the NY Court of Appeals – upheld the conviction of Sergey Aleynikov, a former computer programmer for Goldman Sachs & Co., who was charged in a state court in 2012 with illicitly copying Goldman’s proprietary computer code for a high-frequency trading system with the intent to use it for a new employer, Teza Technologies LLC. Mr. Aleynikov never used the computer code at Teza, however.

Mr. Aleynikov was initially charged by a federal grand jury in February 2010 with violating a federal law – the National Stolen Property Act – in connection with his alleged misappropriation, and was found guilty in December 2010. (The relevant law is at 18 U.S.C. § 2314.) However, the federal appeals court in New York overturned Mr. Aleynikov’s conviction in April 2012, concluding that source code was intangible property and not a good, and thus a theft of computer code could not involve the “taking of a physical thing” – a necessary requirement for a violation under the relevant law.

Mr. Aleynikov was subsequently criminally charged in September 2012 and convicted by a NY court jury of violating a provision of NY law that prohibits a person from making an unauthorized “tangible reproduction” of secret scientific material. (See NY Penal Law § 165.07.) However, the New York trial court set aside the jury’s verdict, claiming that source code is not tangible when it is only stored on a computer.

In January 2017, an intermediate appellate court in New York reversed the trial court’s order and remanded the case for sentencing. Acting on Mr. Aleynikov’s appeal, the NY Court of Appeals upheld the defendant’s conviction.

According to the NY Court of Appeals, Mr. Aleynikov, without Goldman’s permission, used his work computer to transfer his then-employer’s proprietary source code to an unauthorized computer server in Germany on June 5, 2009, his last day of employment at Goldman. This action was expressly prohibited by Goldman policy, which precluded employees from removing a copy of source code from the company’s network. Later, Mr. Aleynikov downloaded the source code to his home computer from the Germany-based server. Subsequently, he placed the source code in a Teza website repository for use by Teza.

The NY Court of Appeals said that a “rational jury” could have concluded that the copy of the source code made by Mr. Aleynikov “was tangible in the sense of ‘material’ or ‘having physical form’.” This is because the jury heard evidence that, since source code stored on a computer takes up space on a drive, it is physical in nature. As a result, the court upheld Mr. Aleynikov’s conviction.

Compliance Weeds: The long, tortuous prosecution of Mr. Aleynikov may now be headed to a sentencing phase, but it provides a reminder that companies’ cybersecurity procedures should address not only possible unauthorized penetration of systems by external sources and persons, but also internal theft. Indeed, it has been estimated that 60 percent of all cyber breaches are from internal sources. (See a September 19, 2016 article from the Harvard Business Review regarding this.)

Last month, the National Institute of Standards and Technology updated its Framework for Improving Critical Infrastructure Cybersecurity.

Generally, the Framework sets forth the industry-standard risk-based approach to managing cybersecurity vulnerability. The objective of the Framework is to provide all firms a common means to describe their current cybersecurity approach; describe their target state; identify and prioritize opportunities for improvement; assess progress towards achieving the target state; and communicate about cybersecurity risk to internal and external stakeholders.

Persons in charge of cybersecurity programs at financial services firms might use the opportunity of the revised NIST framework to review their firm’s own approach to assessing, managing and communicating about cybersecurity risk to ensure, among other things, it adequately identifies and mitigates against internal risks.

Correction: This article was corrected on May 9 to make clear that Mr. Aleynikov did not use the misappropriated Goldman source code at Teza.