Most Employers Prevail
However, early statistics show that most employers prevail in whistleblower cases, according to a report published by Alston, Bird LLP attorneys Robert Roirdan and Lisa Durham Taylor. Between July 2002, when the act passed, and December 2003 OSHA (a division of the Department of Labor that oversees Sarbanes-Oxley) recorded 169 charges alleging retaliation.OSHA found for the employer 77 of 79 cases in which it completed an investigation.Of those 45, were appealed to an Administrative Law judge, and OSHAs determinations have been reversed only three times. Later statistics were not available from the Department of Labor at press time. OKeefes attorney, Darryll Bolduc, principal of the Bolduc Law Firm, is seeking to prove two points: that there is a co-mingling of management between TIAA-CREF by showing that there is one IT organization and one financial organization that spans both entities; and that OKeefe was engaged in a protected activity when he reported the issues with TIAA-CREFs testing environment. "I am claiming that my client was terminated because of a cover up," said Bolduc, in Charlotte, N.C. "He was a great employee, he won the Chairmans Award. TIAA-CREF made a mistake by not getting a proper background check," on Radencovich. But OKeefes story doesnt end and begin with the arrest of Radencovich. At least a year before the data theft, OKeefe said he and several colleagues tried to bring the test environment issues to light at TIAA-CREF, to no avail. "Many people brought this up, and I was one of then," said OKeefe, who pointed the finger to the top of the IT org chartthe CTOas the person who should set policy regarding test environments, "not a guy in charge of writing code." After Radencovich was fired in November 2004, a lot changed, according to OKeefe. "Every new policy and procedure known to man came out as a result of this security breach," said OKeefe. "So today employee data is scrambled. But customer data is not." And the data that Radencovich downloaded to her laptop and, ostensibly, the USB devices? Its still out there, according to Bolduc. TIAA-CREF filed a lawsuit to get access to Radencovichs laptop, but was never able to actually get its hands on the hard drive. The USB devices are nowhere to be found. The threat, for customers, is still there, according to OKeefe. He pointed out the fact that customers Social Security numbers and birth datesinformation that Radencovich had access todoesnt change. She could, in all likelihood, serve her time in prison and sell the customer data when she gets out. At $5 to $10 per customer name, according to Bolduc, "thats not a bad get out of jail free card." But the bigger issue for IT managers is who is responsible in the case of employee malfeasance and identity theft. And are employees actually covered under the Sarbanes-Oxley Whistle Blower Act? OKeefe said he doesnt believe he should be held responsible for the actions of a contractor. He said he did his job in hiring a qualified candidate (and that most consultants bring their own laptops to work). "The resume Sonia Howe gave me, [the felony counts against her] wasnt on there. It had all this great technical skills on there," said OKeefe. "You stereotype what a criminal should look likethat didnt look like Sonia Howe. She looked normal. Shes a mother with small kids. And she has great technical skills. I was actually thinking about hiring her permanently." The courts will decide if OKeefe is covered under the law. Check out eWEEK.coms for the latest news, reviews and analysis on IT management from CIOInsight.com.