Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • IT Management

    Former IT Manager Seeks Redress with SarbOx Whistleblower Lawsuit

    By
    Renee Boucher Ferguson
    -
    May 30, 2006
    Share
    Facebook
    Twitter
    Linkedin

      Chris OKeefe was, in a former life, an IT manager in charge of customer relationship management implementations at TIAA-CREF, a prestigious financial institution that handles some of the nations largest academic retirement funds.

      OKeefes story is a cautionary tale for anyone in IT—particularly anyone that handles sensitive customer data.

      Well into his 13th year on the job at TIAA-CREF, one of OKeefes subordinates, a contractor named Sonia Radencovich, was recognized by a colleague as a felon who had helped her lover swindle more than $200 million from insurance firms.

      She was scheduled for sentencing to federal prison several months into her job at TIAA-CREF.

      But before Radencovichs true identity had been discovered—she had applied for the job at TIAA-CREF using the alias Sonia Howe—shed had unfettered access to customer data for a couple of months.

      And she brought her own laptop and a couple USB devices to work, which she used to download customer information (its not clear how much information she downloaded).

      “Sonia Howe had access that she needed to perform her job function—projects that had to do with the call center, systems our agents used when they answered the phone to identify customers when they call in,” said OKeefe, who was Radencovichs supervisor.

      “By their nature she needed to test those things. It wasnt her access [in question]; it was that this data was unscrambled—all if it.”

      As the technical lead on two key ongoing initiatives at TIAA-CREF, Open Plan Solutions and Advice that Radencovich also worked on, OKeefe was asked to help investigators determine how much information Radencovich had access to.

      He did, and was fired in February 2005 for, he said, telling the truth: TIAA-CREFs IT test environment was unencrypted and Radencovich had access to a whole lot of data.

      “I told [TIAA-CREF] she had access to a lot more information than they wanted to let out,” said OKeefe.

      “TIAA-CREF said [Radencovich] had access to very little information—only 100 participants. The fact is, she walked away with a lot more data than that.”

      OKeefe estimates that Radencovich had access to a good portion of, or even all of TIAA-CREFs 3.2 million customer records.

      Shortly after he was terminated—for violating policies in his supervision of Radencovich, sharing passwords and allowing Radencovich to use her laptop at work—OKeefe filed a Sarbanes-Oxley Whistleblower complaint with the Department of Labor, stating that he should have been protected for information revealed during the Radencovich investigation.

      Last June, OKeefes initial complaint was dismissed on a technicality; the DOL determined he worked for TIAA and not TIAA-CREF.

      /zimages/1/28571.gifClick here to read more about TIAA-CREFs IT woes.

      “The whistleblower provisions of Sarbanes-Oxley did not cover TIAA because it is neither a company with a class of securities registered under Section 12 of the Securities Exchange Act of 1934 nor one that is required to file reports under Section 15(d) of the Exchange Act,” according to a statement from TIAA-CREF. “The former employee is appealing this finding.”

      OKeefes appeal will be heard Aug. 14-18 by an Administrative Law judge, who will determine if OKeefe is in fact an employee of TIAA-CREF, and whether he is protected under the SarbOx Whistleblower regulations.

      The task at hand is an onerous one for OKeefe.

      The Sarbanes-Oxley Act prohibits employers with publicly traded stock from retaliating against employees who engage in protected activities—like providing information in relation to alleged accounting improprieties or participating in a proceeding related to alleged securities law violations.

      Next Page: Most employers prevail.

      Most Employers Prevail

      However, early statistics show that most employers prevail in whistleblower cases, according to a report published by Alston, Bird LLP attorneys Robert Roirdan and Lisa Durham Taylor.

      Between July 2002, when the act passed, and December 2003 OSHA (a division of the Department of Labor that oversees Sarbanes-Oxley) recorded 169 charges alleging retaliation.

      OSHA found for the employer 77 of 79 cases in which it completed an investigation.

      Of those 45, were appealed to an Administrative Law judge, and OSHAs determinations have been reversed only three times.

      Later statistics were not available from the Department of Labor at press time.

      OKeefes attorney, Darryll Bolduc, principal of the Bolduc Law Firm, is seeking to prove two points: that there is a co-mingling of management between TIAA-CREF by showing that there is one IT organization and one financial organization that spans both entities; and that OKeefe was engaged in a protected activity when he reported the issues with TIAA-CREFs testing environment.

      “I am claiming that my client was terminated because of a cover up,” said Bolduc, in Charlotte, N.C.

      “He was a great employee, he won the Chairmans Award. TIAA-CREF made a mistake by not getting a proper background check,” on Radencovich.

      But OKeefes story doesnt end and begin with the arrest of Radencovich.

      At least a year before the data theft, OKeefe said he and several colleagues tried to bring the test environment issues to light at TIAA-CREF, to no avail.

      “Many people brought this up, and I was one of then,” said OKeefe, who pointed the finger to the top of the IT org chart—the CTO—as the person who should set policy regarding test environments, “not a guy in charge of writing code.”

      After Radencovich was fired in November 2004, a lot changed, according to OKeefe.

      “Every new policy and procedure known to man came out as a result of this security breach,” said OKeefe. “So today employee data is scrambled. But customer data is not.”

      And the data that Radencovich downloaded to her laptop and, ostensibly, the USB devices? Its still out there, according to Bolduc.

      TIAA-CREF filed a lawsuit to get access to Radencovichs laptop, but was never able to actually get its hands on the hard drive. The USB devices are nowhere to be found.

      The threat, for customers, is still there, according to OKeefe.

      He pointed out the fact that customers Social Security numbers and birth dates—information that Radencovich had access to—doesnt change.

      She could, in all likelihood, serve her time in prison and sell the customer data when she gets out.

      At $5 to $10 per customer name, according to Bolduc, “thats not a bad get out of jail free card.”

      But the bigger issue for IT managers is who is responsible in the case of employee malfeasance and identity theft. And are employees actually covered under the Sarbanes-Oxley Whistle Blower Act?

      OKeefe said he doesnt believe he should be held responsible for the actions of a contractor.

      He said he did his job in hiring a qualified candidate (and that most consultants bring their own laptops to work).

      “The resume Sonia Howe gave me, [the felony counts against her] wasnt on there. It had all this great technical skills on there,” said OKeefe.

      “You stereotype what a criminal should look like—that didnt look like Sonia Howe. She looked normal. Shes a mother with small kids. And she has great technical skills. I was actually thinking about hiring her permanently.”

      The courts will decide if OKeefe is covered under the law.

      Check out eWEEK.coms for the latest news, reviews and analysis on IT management from CIOInsight.com.

      Renee Boucher Ferguson
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×