Ethics - Moral law vs. Criminal law

#42
Sorry! You can't slide in the back door to spot a burglar gobbling food out of your refrigerator and discipline him for not washing his hands.

Everything I have written about protecting yourself by seeing an attorney holds true in each of these cases you cite.

If you suspect an actual criminal violation, you ought not to "decriminalize" it by reducing it to some trivial violation of an ISO Standard. Get real! If a manufacturer is going so far as to perform any of these violations of law, do you think the responsible person is going to mend his ways because you issue a non-conforming report?

If your conscience bothers you that much for the apparent violation, go the rest of the way! Otherwise . . .
 
S

Stephen Rubino

#43
Thank you Dave and Wes.

Dave, your answer was more in line with what I was looking for...

Wes, short of getting on my own moral high-horse, I would at least like to outline a couple of things relating to your answer:

If I were to contact and attorney, the attorney would be bound by his/her duties as such to be the whistle blower once a violation of law became apparent. In the case of a company that is buying goods from Cuba - where there is no apparent harm caused other than a violation of some political trade embargo - my own inclination would be to let it slide, save for a possible observation, as I personnally disagree with most politically motivated embargos based on awarenes that innocents suffer the consequences of such actions the most.

In terms of a case where I discover a major corporation illegally concealing information so as to protect profits - where there is a know potential for harm - I personnally would consider it my oblligation to be the whistle blower.

Please realize that both scenarios are fictitious and were created to engender discussion. Perhaps I should have selected better examples...
 
#44
Stephen Rubino said:
Thank you Dave and Wes.

Dave, your answer was more in line with what I was looking for...

Wes, short of getting on my own moral high-horse, I would at least like to outline a couple of things relating to your answer:

If I were to contact and attorney, the attorney would be bound by his/her duties as such to be the whistle blower once a violation of law became apparent. In the case of a company that is buying goods from Cuba - where there is no apparent harm caused other than a violation of some political trade embargo - my own inclination would be to let it slide, save for a possible observation, as I personnally disagree with most politically motivated embargos based on awarenes that innocents suffer the consequences of such actions the most.

In terms of a case where I discover a major corporation illegally concealing information so as to protect profits - where there is a know potential for harm - I personnally would consider it my oblligation to be the whistle blower.

Please realize that both scenarios are fictitious and were created to engender discussion. Perhaps I should have selected better examples...
If the attorney feels duty bound to report it, he is also duty bound (even higher duty) to protect you, his client.

It occurs to me that if an attorney feels duty bound to report a wrong-doing, he is probably more in tune with reality than someone who makes a personal decision which laws are "OK to break" - similar to the actual lawbreaker.

Some scenarios:
1) Aide to high ranking public official decides someone has injured his boss's political future by making public statements. Aide "decides" it is OK to retaliate against that person by making "off-the-record" statements that will injure the career of the wife of the person. Police decide the retaliation may be criminal - aide has decided he better disown the retaliation attempt and lies to police to cover up.
(I have a hunch the aide did not consult an attorney BEFORE lying to police.)

2) You are an employer. You hire undocumented workers at below-market wages and pay them off the books because you can save money on social security payments. Undocumented workers get about same net pay as documented worker because no social security or income tax is deducted from wage. You, the employer, say, "I do this to give the undocumented worker a chance. I don't think our immigration and work laws are fair."

What do you then say to the IRS and INS if someone with different ethical slant blows the whistle? What do you say to the documented workers who don't get a job? Do you complain that your own social security payments are in jeopardy because of "government mismanagement?"

Do you complain when your own personal income taxes climb because so many folks work "off the books?"

Do you complain that your competitors are undercutting your prices because they choose to outsource employment to 3rd world countries at wages much lower than what you pay for undocumented workers? Do you then declare bankruptcy and settle with suppliers and employees for 5 or 10 cents on the dollar? Do you then "reorganize" and start all over?

We should value ethics and morals because they help grease the wheels of society and commerce much more than under-the-table and back alley deals.

If you don't agree with laws and rules, it seems much more amenable to society if you either protest out loud or avoid doing anything that involves such laws or rules. The worst choice is to clandestinely flout those laws and rules you disagree with and hold yourself out to be an ethical law abiding person when you really aren't.

A weak analogy is the driver who buys a giant gas guzzler vehicle, then speeds (wasting more fuel), endangers the lives of people driving small, fuel efficient cars, then complains that some mysterious "they" are gouging him for the gas he buys.

Bottom line:
A crime is a crime. Condoning the crime and helping the perpetrator avoid the law is called "aiding and abetting" - it carries a pretty stiff penalty. If you know about the crime beforehand and do nothing, it is subject to being called "conspiracy," often an even heavier penalty than aiding and abetting. If you know enough about the crime to question it, but then do not seek adequate counsel (to determine if the crime exists or whether you are mistaken), you could become embroiled in the investigation if someone else blows the whistle first.
 
Last edited:

Jim Wynne

Super Moderator
#45
Wes Bucey said:
If you know about the crime beforehand and do nothing, it is subject to being called "conspiracy," often an even heavier penalty than aiding and abetting.
Perhaps a bit :topic:, but...

I think it was O. W. Holmes who described conspiracy statues this way:
If a boy goes into a candy store and steals a piece of candy, that's petty theft and it's a misdemeanor. If two boys outside stand outside the store and talk about stealing candy but don't do it, that's conspiracy, and it's a felony.
 
#46
JSW05 said:
Perhaps a bit :topic:, but...

I think it was O. W. Holmes who described conspiracy statutes this way:
If a boy goes into a candy store and steals a piece of candy, that's petty theft and it's a misdemeanor. If two boys outside stand outside the store and talk about stealing candy but don't do it, that's conspiracy, and it's a felony.
Pretty close to the actual concept - one additional thing needs to be in place (in America) according to conspiracy statutes [laws]:
one of the conspirators (even without the knowledge or aid of the other) has to perform an "overt act" toward accomplishing the goal of the conspiracy. In the case cited, one boy leaves the scene, the remaining boy merely enters the store, but is apprehended for some other reason before completing the crime discussed in the conspiracy, he might buy some leniency on his other, previous crimes by roping in his "conspirator" even though neither conspirator had actually touched the candy, let alone stolen it from the store.
 

Al Rosen

Staff member
Super Moderator
#47
Wes Bucey said:
If you know about the crime beforehand and do nothing, it is subject to being called "conspiracy," often an even heavier penalty than aiding and abetting.
:2cents:Just knowing about the crime before hand is not conspiracy. There has to be an agreement between two or more people to commit a crime for it to be a conspiricy, not just the knowledge beforehand
 
#48
Al Rosen said:
:2cents:Just knowing about the crime before hand is not conspiracy. There has to be an agreement between two or more people to commit a crime for it to be a conspiricy, not just the knowledge beforehand
That used to be the interpretation when I was in school 40 years ago. Since then, prosecutors and courts have pushed the envelope to indict and in some cases get convictions for folks who were merely present at the planning of a crime, but did no overt act to disassociate themselves from the conspiracy even if they did not contribute to the plans. This is especially true in narcotics and murder cases, but we are seeing some of this in previously sacrosanct white collar crime, too.

Suffice to say, if you are around when a conspiracy is hatched and folks involved in the conspiracy get arrested, you will have a good chance of being indicted and put on trial. Many folks in such positions do get declared not guilty by judges and juries IF they have good attorneys and IF the crime never happens and IF there is a lot of lag time between hatching the conspiracy and the first overt act toward carrying out the plan, so the defendant can claim he "thought everyone gave up on the idea" if he never had further conversations about it.

In practical terms, prosecutors indict (technically, a prosecutor convinces a grand jury to "hand up" an indictment to a judge who issues a warrant) to induce non participating conspirators to give evidence against the overt criminals to get lighter sentences for themselves. This is much more prevalent in federal cases (big time white collar crime) and in narcotics and capital crimes.
 
#49
It's been awhile since we visited this thread. The information is as valid today as it was then, perhaps more so, as rights of whistleblowers get whittled away more and more.

The advice to get a good lawyer in your corner BEFORE doing any whistleblowing is more important than ever.

Here is a recent case where the whistleblower is getting whipsawed by the employer AND the courts. Would you like to discuss how this might pertain in our roles as Quality practitioners?
Former IT Manager Seeks Redress with SarbOx Whistleblower Lawsuit
By Renee Boucher Ferguson
May 30, 2006

Chris O'Keefe was, in a former life, an IT manager in charge of customer relationship management implementations at TIAA-CREF, a prestigious financial institution that handles some of the nation's largest academic retirement funds.

OKeefe's story is a cautionary tale for anyone in IT—particularly anyone that handles sensitive customer data.

Well into his 13th year on the job at TIAA-CREF, one of O'Keefe's subordinates, a contractor named Sonia Radencovich, was recognized by a colleague as a felon who had helped her lover swindle more than $200 million from insurance firms.

She was scheduled for sentencing to federal prison several months into her job at TIAA-CREF.

But before Radencovich's true identity had been discovered—she had applied for the job at TIAA-CREF using the alias Sonia Howe—she'd had unfettered access to customer data for a couple of months.

And she brought her own laptop and a couple USB devices to work, which she used to download customer information (it's not clear how much information she downloaded).

"Sonia Howe had access that she needed to perform her job function—projects that had to do with the call center, systems our agents used when they answered the phone to identify customers when they call in," said O'Keefe, who was Radencovich's supervisor.

"By their nature she needed to test those things. It wasn't her access [in question]; it was that this data was unscrambled—all if it."

As the technical lead on two key ongoing initiatives at TIAA-CREF, Open Plan Solutions and Advice that Radencovich also worked on, O'Keefe was asked to help investigators determine how much information Radencovich had access to.

He did, and was fired in February 2005 for, he said, telling the truth: TIAA-CREF's IT test environment was unencrypted and Radencovich had access to a whole lot of data.

"I told [TIAA-CREF] she had access to a lot more information than they wanted to let out," said O'Keefe.

"TIAA-CREF said [Radencovich] had access to very little information—only 100 participants. The fact is, she walked away with a lot more data than that."

O'Keefe estimates that Radencovich had access to a good portion of, or even all of TIAA-CREF's 3.2 million customer records.

Shortly after he was terminated—for violating policies in his supervision of Radencovich, sharing passwords and allowing Radencovich to use her laptop at work—O'Keefe filed a Sarbanes-Oxley Whistleblower complaint with the Department of Labor, stating that he should have been protected for information revealed during the Radencovich investigation.

Last June, O'Keefe's initial complaint was dismissed on a technicality; the DOL determined he worked for TIAA and not TIAA-CREF.

"The whistleblower provisions of Sarbanes-Oxley did not cover TIAA because it is neither a company with a class of securities registered under Section 12 of the Securities Exchange Act of 1934 nor one that is required to file reports under Section 15(d) of the Exchange Act," according to a statement from TIAA-CREF. "The former employee is appealing this finding."

O'Keefe's appeal will be heard Aug. 14-18 by an Administrative Law judge, who will determine if O'Keefe is in fact an employee of TIAA-CREF, and whether he is protected under the SarbOx Whistleblower regulations.
The task at hand is an onerous one for O'Keefe.

The Sarbanes-Oxley Act prohibits employers with publicly traded stock from retaliating against employees who engage in protected activities—like providing information in relation to alleged accounting improprieties or participating in a proceeding related to alleged securities law violations.
However, early statistics show that most employers prevail in whistleblower cases, according to a report published by Alston, Bird LLP attorneys Robert Roirdan and Lisa Durham Taylor.

Between July 2002, when the act passed, and December 2003 OSHA (a division of the Department of Labor that oversees Sarbanes-Oxley) recorded 169 charges alleging retaliation.

OSHA found for the employer 77 of 79 cases in which it completed an investigation.

Of those 45, were appealed to an Administrative Law judge, and OSHA's determinations have been reversed only three times.

Later statistics were not available from the Department of Labor at press time.

O'Keefe's attorney, Darryll Bolduc, principal of the Bolduc Law Firm, is seeking to prove two points: that there is a co-mingling of management between TIAA-CREF by showing that there is one IT organization and one financial organization that spans both entities; and that O'Keefe was engaged in a protected activity when he reported the issues with TIAA-CREF's testing environment.

"I am claiming that my client was terminated because of a cover up," said Bolduc, in Charlotte, N.C.

"He was a great employee, he won the Chairman's Award. TIAA-CREF made a mistake by not getting a proper background check," on Radencovich.

But O'Keefe's story doesn't end and begin with the arrest of Radencovich.
At least a year before the data theft, O'Keefe said he and several colleagues tried to bring the test environment issues to light at TIAA-CREF, to no avail.

"Many people brought this up, and I was one of then," said O'Keefe, who pointed the finger to the top of the IT org chart—the CTO—as the person who should set policy regarding test environments, "not a guy in charge of writing code."

After Radencovich was fired in November 2004, a lot changed, according to O'Keefe.

"Every new policy and procedure known to man came out as a result of this security breach," said O'Keefe. "So today employee data is scrambled. But customer data is not."

And the data that Radencovich downloaded to her laptop and, ostensibly, the USB devices? It's still out there, according to Bolduc.

TIAA-CREF filed a lawsuit to get access to Radencovich's laptop, but was never able to actually get its hands on the hard drive. The USB devices are nowhere to be found.

The threat, for customers, is still there, according to O'Keefe.

He pointed out the fact that customers' Social Security numbers and birth dates—information that Radencovich had access to—doesn't change.
She could, in all likelihood, serve her time in prison and sell the customer data when she gets out.

At $5 to $10 per customer name, according to Bolduc, "that's not a bad get out of jail free card."

But the bigger issue for IT managers is who is responsible in the case of employee malfeasance and identity theft. And are employees actually covered under the Sarbanes-Oxley Whistle Blower Act?

O'Keefe said he doesn't believe he should be held responsible for the actions of a contractor.

He said he did his job in hiring a qualified candidate (and that most consultants bring their own laptops to work).

"The resume Sonia Howe gave me, [the felony counts against her] wasn't on there. It had all this great technical skills on there," said O'Keefe.

"You stereotype what a criminal should look like—that didn't look like Sonia Howe. She looked normal. She's a mother with small kids. And she has great technical skills. I was actually thinking about hiring her permanently."
The courts will decide if O'Keefe is covered under the law.
  1. In light of this, if you were the Quality Director at the Veteran's Administration where an employee took home personal data on millions of vets in unencrypted form and subsequently had them stolen, how would you proceed on root cause, risk analysis, etc. to assure this "NC" did not recur?
  2. If you were a fellow employee and had knowledge of someone who was regularly taking home data to "work on," (despite company policy to the contrary) how would you proceed?
  3. Have you, personally, ever violated company policy in a similar manner because you thought the "exception" would make no material difference and you might get personal benefit from getting your work done at home without "pesky distractions" from bosses and coworkers? What actually happened? What is the worst case that COULD have happened? In hindsight, was the risk worth the benefit?
 

Jim Wynne

Super Moderator
#50
Wes Bucey said:
Here is a recent case where the whistleblower is getting whipsawed by the employer AND the courts.
Given the information at hand, it's hard to say whether the guy is even really an actual whistleblower, let alone a whistleblower being "whipsawed." It seems that there was all kinds of sloppy management going on, and he might have contributed materially to the sloppiness. He appears to be a scapegoat, but that doesn't mean he wasn't complicit in the untidiness.

Wes Bucey said:
In light of this, if you were the Quality Director at the Veteran's Administration where an employee took home personal data on millions of vets in unencrypted form and subsequently had them stolen, how would you proceed on root cause, risk analysis, etc. to assure this "NC" did not recur?
Because the VA thing involves a government agency and a lot of publicity, it's inevitable that some kneejerking is going to happen. The fact is that people need to have access to encrypted data (and the ability to decrypt it) or no one would be able to use it. With the advent of flash drives that are both huge in terms of storage capacity and tiny in terms of portability, there probably is no way to completely guard against stupid or malicious people. Limit access as much as possible, make sure everyone is aware of the implications and consequences of removing data from the premises, and hope for the best.

One more interesting possibility with regard to a possible defect in the system is the idea that the person who felt the need to work at home with the data (if that was the case) was doing so because of understaffing, and not enough hours in the day to get his work done at work.

Wes Bucey said:
If you were a fellow employee and had knowledge of someone who was regularly taking home data to "work on," (despite company policy to the contrary) how would you proceed?
Assuming that it wasn't common knowledge (i.e., the employee was removing data surreptitiously), the first move would be to discuss it with the employee directly. Just the fact that someone else knows what's going on could be enough to stop it from happening. Anything after that would depend on the sensitivity of the data, and the possible consequences of the data being lost or falling into the hands of someone outside the company. It can get sticky, because if something bad happens and you can be implicated as having knowledge of the removal and not reporting it... It's a judgement call at the point of occurrence.

Wes Bucey said:
Have you, personally, ever violated company policy in a similar manner because you thought the "exception" would make no material difference and you might get personal benefit from getting your work done at home without "pesky distractions" from bosses and coworkers? What actually happened? What is the worst case that COULD have happened? In hindsight, was the risk worth the benefit?
I would urge everyone not to answer this question in a public forum. I can say that I know someone who lost his job because he revealed a serious security flaw in a company network, and the revelation embarrassed several managers. This was long before whistleblower laws, and the person who became the scapegoat thought it best to just move along and not make waves. We all need to be cognizant of the fact that violating any company policy, whether it pertains to removing data from the premises or spitting on the sidewalk, can have undesireable consequences.
 


Top Bottom