Chris OKeefe was, in a former life, an IT manager in charge of customer relationship management implementations at TIAA-CREF, a prestigious financial institution that handles some of the nations largest academic retirement funds.
But he said he was fired for telling the truth: that TIAA-CREFs IT test environment was unencrypted and that Sonia Radencovich, a felon who helped her lover swindle more than $200 million from insurance firms, had access to the data.
OKeefe has filed a Sarbanes-Oxley whistleblower complaint with the Department of Labor, stating that he should have been protected for information revealed during the Radencovich investigation. His story is a cautionary tale for anyone in IT—particularly anyone who handles sensitive customer data.
Radencovich was scheduled for sentencing to federal prison several months into her job at TIAA-CREF. But before Radencovichs true identity had been discovered—she had applied for the job using the alias Sonia Howe—she had unfettered access to customer data for months.
She brought her own laptop and a few USB devices to work, which she used to download an undetermined amount of customer information. Radencovich needed to test things associated with call center projects, said OKeefe in Charlotte, N.C., who was her supervisor. “It wasnt her access [that was in question]; it was that this data was unscrambled—all of it.”
OKeefe was asked to help investigators determine the amount of information to which she had access. He told them that Radencovich had access to a lot more information than TIAA-CREF wanted to let out.
“TIAA-CREF said [Radencovich] had access to very little information—only 100 participants. The fact is, she walked away with a lot more data than that,” OKeefe said. OKeefe estimates that Radencovich had access to a good portion, or even all, of TIAA-CREFs 3.2 million customer records.
OKeefe was fired in February 2005 for, he said, telling the truth. Shortly after he was terminated—for violating policies in his supervision of Radencovich, sharing passwords and allowing Radencovich to use her laptop at work—OKeefe filed the whistleblower complaint. In June 2005, OKeefes initial complaint was dismissed on a technicality: that he worked for TIAA and not TIAA-CREF. OKeefes trial will be heard Aug. 14-18 by an administrative law judge.
The task at hand is a tough one for OKeefe. The Sarbanes-Oxley Act prohibits employers with publicly traded stock from retaliating against employees who engage in protected activities—such as providing information in relation to alleged accounting improprieties. But early statistics show that most employers prevail in whistleblower cases, according to a report published by Alston & Bird attorneys Robert Riordan and Lisa Durham Taylor.
Between July 2002 and December 2003, the Occupational Safety and Health Administration (the division of the Department of Labor that oversees SarbOx) recorded 169 charges alleging retaliation. OSHA found for the employer in 77 out of 79 cases in which it completed an investigation. OKeefes attorney, Darryll Bolduc, principal of The Bolduc Law Firm, is seeking to prove two points: He seeks to prove there is a commingling of management between TIAA and CREF, as there is one IT organization and one financial organization that spans both entities, and that OKeefe was engaged in a protected activity when he reported the testing environment issues.
“TIAA-CREF made a mistake by not getting a proper background check” on Radencovich, said Bolduc in Charlotte, N.C.
At least a year before the data theft, OKeefe said he and several colleagues tried to bring test environment issues to light at TIAA-CREF, to no avail. After Radencovich was fired in November 2004, a lot changed, according to OKeefe. “Every new policy and procedure known to man came out as a result of this security breach,” said OKeefe. “So, today, employee data is scrambled. But customer data is not.”
The threat for customers is still there, according to OKeefe, given that the stolen customer data hasnt been recovered. Radencovich could serve her time and sell it when she gets out. At $5 to $10 per customer name, said Bolduc, “thats not a bad get-out-of-jail-free card.”
The courts will decide if OKeefe is protected under the law.