Chris OKeefe was, in a former life, an IT manager in charge of customer relationship management implementations at TIAA-CREF, a prestigious financial institution that handles some of the nations largest academic retirement funds.
OKeefes story is a cautionary tale for anyone in IT—particularly anyone that handles sensitive customer data.
Well into his 13th year on the job at TIAA-CREF, one of OKeefes subordinates, a contractor named Sonia Radencovich, was recognized by a colleague as a felon who had helped her lover swindle more than $200 million from insurance firms.
She was scheduled for sentencing to federal prison several months into her job at TIAA-CREF.
But before Radencovichs true identity had been discovered—she had applied for the job at TIAA-CREF using the alias Sonia Howe—shed had unfettered access to customer data for a couple of months.
And she brought her own laptop and a couple USB devices to work, which she used to download customer information (its not clear how much information she downloaded).
“Sonia Howe had access that she needed to perform her job function—projects that had to do with the call center, systems our agents used when they answered the phone to identify customers when they call in,” said OKeefe, who was Radencovichs supervisor.
“By their nature she needed to test those things. It wasnt her access [in question]; it was that this data was unscrambled—all if it.”
As the technical lead on two key ongoing initiatives at TIAA-CREF, Open Plan Solutions and Advice that Radencovich also worked on, OKeefe was asked to help investigators determine how much information Radencovich had access to.
He did, and was fired in February 2005 for, he said, telling the truth: TIAA-CREFs IT test environment was unencrypted and Radencovich had access to a whole lot of data.
“I told [TIAA-CREF] she had access to a lot more information than they wanted to let out,” said OKeefe.
“TIAA-CREF said [Radencovich] had access to very little information—only 100 participants. The fact is, she walked away with a lot more data than that.”
OKeefe estimates that Radencovich had access to a good portion of, or even all of TIAA-CREFs 3.2 million customer records.
Shortly after he was terminated—for violating policies in his supervision of Radencovich, sharing passwords and allowing Radencovich to use her laptop at work—OKeefe filed a Sarbanes-Oxley Whistleblower complaint with the Department of Labor, stating that he should have been protected for information revealed during the Radencovich investigation.
Last June, OKeefes initial complaint was dismissed on a technicality; the DOL determined he worked for TIAA and not TIAA-CREF.
“The whistleblower provisions of Sarbanes-Oxley did not cover TIAA because it is neither a company with a class of securities registered under Section 12 of the Securities Exchange Act of 1934 nor one that is required to file reports under Section 15(d) of the Exchange Act,” according to a statement from TIAA-CREF. “The former employee is appealing this finding.”
OKeefes appeal will be heard Aug. 14-18 by an Administrative Law judge, who will determine if OKeefe is in fact an employee of TIAA-CREF, and whether he is protected under the SarbOx Whistleblower regulations.
The task at hand is an onerous one for OKeefe.
The Sarbanes-Oxley Act prohibits employers with publicly traded stock from retaliating against employees who engage in protected activities—like providing information in relation to alleged accounting improprieties or participating in a proceeding related to alleged securities law violations.
Next Page: Most employers prevail.
Most Employers Prevail
However, early statistics show that most employers prevail in whistleblower cases, according to a report published by Alston, Bird LLP attorneys Robert Roirdan and Lisa Durham Taylor.
Between July 2002, when the act passed, and December 2003 OSHA (a division of the Department of Labor that oversees Sarbanes-Oxley) recorded 169 charges alleging retaliation.
OSHA found for the employer 77 of 79 cases in which it completed an investigation.
Of those 45, were appealed to an Administrative Law judge, and OSHAs determinations have been reversed only three times.
Later statistics were not available from the Department of Labor at press time.
OKeefes attorney, Darryll Bolduc, principal of the Bolduc Law Firm, is seeking to prove two points: that there is a co-mingling of management between TIAA-CREF by showing that there is one IT organization and one financial organization that spans both entities; and that OKeefe was engaged in a protected activity when he reported the issues with TIAA-CREFs testing environment.
“I am claiming that my client was terminated because of a cover up,” said Bolduc, in Charlotte, N.C.
“He was a great employee, he won the Chairmans Award. TIAA-CREF made a mistake by not getting a proper background check,” on Radencovich.
But OKeefes story doesnt end and begin with the arrest of Radencovich.
At least a year before the data theft, OKeefe said he and several colleagues tried to bring the test environment issues to light at TIAA-CREF, to no avail.
“Many people brought this up, and I was one of then,” said OKeefe, who pointed the finger to the top of the IT org chart—the CTO—as the person who should set policy regarding test environments, “not a guy in charge of writing code.”
After Radencovich was fired in November 2004, a lot changed, according to OKeefe.
“Every new policy and procedure known to man came out as a result of this security breach,” said OKeefe. “So today employee data is scrambled. But customer data is not.”
And the data that Radencovich downloaded to her laptop and, ostensibly, the USB devices? Its still out there, according to Bolduc.
TIAA-CREF filed a lawsuit to get access to Radencovichs laptop, but was never able to actually get its hands on the hard drive. The USB devices are nowhere to be found.
The threat, for customers, is still there, according to OKeefe.
He pointed out the fact that customers Social Security numbers and birth dates—information that Radencovich had access to—doesnt change.
She could, in all likelihood, serve her time in prison and sell the customer data when she gets out.
At $5 to $10 per customer name, according to Bolduc, “thats not a bad get out of jail free card.”
But the bigger issue for IT managers is who is responsible in the case of employee malfeasance and identity theft. And are employees actually covered under the Sarbanes-Oxley Whistle Blower Act?
OKeefe said he doesnt believe he should be held responsible for the actions of a contractor.
He said he did his job in hiring a qualified candidate (and that most consultants bring their own laptops to work).
“The resume Sonia Howe gave me, [the felony counts against her] wasnt on there. It had all this great technical skills on there,” said OKeefe.
“You stereotype what a criminal should look like—that didnt look like Sonia Howe. She looked normal. Shes a mother with small kids. And she has great technical skills. I was actually thinking about hiring her permanently.”
The courts will decide if OKeefe is covered under the law.
Check out eWEEK.coms for the latest news, reviews and analysis on IT management from CIOInsight.com.