
I'm a developer working at a company that handles sensitive banking information and recently I've had trouble organising my code, so I posted it in a private repository on GitHub, which only I can access in any way.

A week later, I got a notice from management to delete everything and a general aura of "you messed up" is hanging around me. The only information I'm getting at the moment is "check your contract" which says the following:

§ 8 Confidentiality

The Employee agrees to keep confidentially any business and trade secrets as well as operational matters of a confidential nature which are designated as such by the management in writing or orally or which are apparently recognisable as such, not to make them available to any third parties without the prior approval of the management, and to protect them against unauthorized access. This obligation shall continue even beyond the termination of the employment.

To the best of my knowledge, I have respected said clause since I have not made it available to anyone but me. I'm just an intern freshly out of school so I might not fully grasp the details of this.

Would uploading the code to GitHub count as making it available to a third party?

EDIT: With hindsight, I was totally in the wrong. The code itself was Python/SQL scripts for data analysis and collection, but no credentials were stored. While it wasn't a security breach, since even with those no data could be accessed, it was not acceptable to store "company owned" code with a third party. We are using Git internally now, so all is well.

ratouney

5 Answers


Assuming none of these terms are defined elsewhere in the contract:

A third party is a party (a person or company) that is neither you nor the other party to the contract (here, presumably the company that hired you).

Since GitHub is neither you nor the company, it would therefore be a third party, and thus it would in fact violate that contract as written to upload the company's code there. Keep in mind that GitHub is not an autonomous system with no humans involved; it's run by a company of people, many of whom could theoretically access the code in private repositories.

That said, from a practical standpoint, most companies aren't going to fire someone for a mistake made in good faith, especially if actual disclosure to any humans is rather unlikely. However, do remember that we don't know the company's rules, what training you may have received, what exactly you uploaded, or what regulatory/contractual rules they must comply with.

Any of that could affect their decision-making, so you should take this as a general answer and use your own judgement when applying it to your situation.

Ryan M

As others have pointed out, you shared your code with a third party without getting the explicit okay from management. It doesn't matter what their stated policies are; you didn't give management the opportunity to review that policy first. Given that the company:

handles sensitive banking information

it's highly likely they would insist that their legal team vet any such policy along with discussions at the executive level before even okaying the use of an external repository.

Financial data is governed by very, very strict laws at the federal level and any risk to that data (including the unauthorized release of source code for platforms that manage it) is a reason for real concern. It affects trust relationships with clients as well as inviting extra scrutiny from the government up to and including an audit.

Depending on what the code does, there's risk of exposure of confidential information embodied in the code as algorithms and numeric data related to those algorithms. That may be owned by the company you work for or its clients, depending on whether or not they do custom work for individual clients.

Consider yourself very lucky your job has survived this to this point. That may change depending on the full evaluation of the risks associated with what happened.

In the future, I recommend you ask a more senior developer for advice on how to accomplish your goals in a way that fits company culture as well as your technical needs. That should be a very well understood part of their role - to provide mentoring to junior employees.


In addition to the discovery that GitHub IS A THIRD PARTY in your setup (detailed in the other answers), there are some additional considerations in this regard:

  • GitHub is not immune to breaches. It is not that anyone really is. In a case of breach, the third parties multiply by a great number.
  • Even if you delete the code from GitHub, chances are that it is also copied to backups, transaction logs and various other data handling mechanisms that could allow its retrieval at a later date. Law enforcement actions, backup restores, internal audits, software bugs, etc, etc... can expose whatever you deleted at any moment in the future.

How about:

This obligation shall continue even beyond the termination of the employment.

p.s. These things are considered basic knowledge in any security-sensitive environment, including, but not limited to, finances, military or government institutions.

fraxinus

Your data is now on a website owned by a third party, stored on the servers of a third party. If I did that at my current or at my previous company, I’d actually expect my contract to be finished.

You claim that the data can only be accessed by you. That is unlikely to be true. GitHub can access your data, most likely. Police with a warrant can access it. Hackers may be able to access it. And it's you putting the data at risk.

There might be massive legal risks for your company. Allowing you to do what you did might actually be illegal. My previous company would have been in trouble if customers found out; the current one only wants its own secrets to stay secret.

All in all, what you did could easily and legally get you fired instantly.

gnasher729

The best option is to reach out to your mentors/senior developers and ask them what they do / what the policy is. At our org (healthcare, so PHI issues) we publish to an Azure-based git system (sorry, this is not the right wording exactly, but we publish to an institution-wide git system basically). The major thing for US is: is patient information exposed, or trade secrets? In my case the answer is no, so I could publish externally if I wanted to, but I did the right thing and reached out to infosec and asked.

Rob