O'Keefe's story is a cautionary tale for anyone in IT—particularly anyone who handles sensitive customer data.
Well into O'Keefe's 13th year on the job at TIAA-CREF, one of his subordinates, a contractor named Sonia Radencovich, was recognized by a colleague as a felon who had helped her lover swindle more than $200 million from insurance firms.
She was scheduled for sentencing to federal prison several months into her job at TIAA-CREF.
But before Radencovich's true identity had been discovered—she had applied for the job at TIAA-CREF using the alias Sonia Howe—she'd had unfettered access to customer data for a couple of months.
And she brought her own laptop and a couple of USB devices to work, which she used to download customer information (it's not clear how much information she downloaded).
"Sonia Howe had access that she needed to perform her job function—projects that had to do with the call center, systems our agents used when they answered the phone to identify customers when they call in," said O'Keefe, who was Radencovich's supervisor.
"By their nature she needed to test those things. It wasn't her access [in question]; it was that this data was unscrambled—all of it."
As the technical lead on two key ongoing initiatives at TIAA-CREF, Open Plan Solutions and Advice that Radencovich also worked on, O'Keefe was asked to help investigators determine how much information Radencovich had access to.
He did, and was fired in February 2005 for, he said, telling the truth: TIAA-CREF's IT test environment was unencrypted and Radencovich had access to a whole lot of data.
"I told [TIAA-CREF] she had access to a lot more information than they wanted to let out," said O'Keefe.
"TIAA-CREF said [Radencovich] had access to very little information—only 100 participants. The fact is, she walked away with a lot more data than that."
O'Keefe estimates that Radencovich had access to a good portion of, or even all of, TIAA-CREF's 3.2 million customer records.
Shortly after he was terminated—for violating policies in his supervision of Radencovich, sharing passwords and allowing Radencovich to use her laptop at work—O'Keefe filed a Sarbanes-Oxley Whistleblower complaint with the Department of Labor, stating that he should have been protected for information revealed during the Radencovich investigation.
Last June, O'Keefe's initial complaint was dismissed on a technicality; the DOL determined he worked for TIAA and not TIAA-CREF.
"The whistleblower provisions of Sarbanes-Oxley did not cover TIAA because it is neither a company with a class of securities registered under Section 12 of the Securities Exchange Act of 1934 nor one that is required to file reports under Section 15(d) of the Exchange Act," according to a statement from TIAA-CREF. "The former employee is appealing this finding."
O'Keefe's appeal will be heard Aug. 14-18 by an Administrative Law judge, who will determine if O'Keefe is in fact an employee of TIAA-CREF, and whether he is protected under the SarbOx Whistleblower regulations.
The task at hand is an onerous one for O'Keefe.
The Sarbanes-Oxley Act prohibits employers with publicly traded stock from retaliating against employees who engage in protected activities—like providing information in relation to alleged accounting improprieties or participating in a proceeding related to alleged securities law violations.