
I'm a developer working at a company that handles sensitive banking information and recently, I've had trouble organising my code and thus posted it in a private repository on GitHub, which only I can access in any way.

A week later, I got a notice from management to delete everything and a general aura of "you messed up" is hanging around me. The only information I'm getting at the moment is "check your contract" which says the following:

§ 8 Confidentiality

The Employee agrees to keep confidentially any business and trade secrets as well as operational matters of a confidential nature which are designated as such by the management in writing or orally or which are apparently recognisable as such, not to make them available to any third parties without the prior approval of the management, and to protect them against unauthorized access. This obligation shall continue even beyond the termination of the employment.

To the best of my knowledge, I have respected said clause since I have not made it available to anyone but me. I'm just an intern freshly out of school so I might not fully grasp the details of this.

Would uploading the code to GitHub count as making it available to a third party?

EDIT : With hindsight, I was totally in the wrong. The code itself was Python/SQL scripts for data analysis and collection but no credentials were stored. While it wasn't a security breach since even with those no data could be accessed, it was not acceptable to store "company owned" code on a 3rd party. We are using Git internally now, so all is well.

5
  • 1
    This conversation has been moved to chat.
    – Pat W.
    Commented Aug 10, 2022 at 15:17
  • 16
    Side-comment regarding git: If you just want to organise your code using git, you don't even need github. Just use git only locally on your machine and never use git push to anywhere :) Commented Aug 10, 2022 at 15:50
  • 9
    "a private repository on Github, which only I can access in any way" Unless GitHub has a data breach... Commented Aug 11, 2022 at 1:04
  • 4
    @JohnGordon And unless GitHub has employees. See the chat. Commented Aug 11, 2022 at 18:44
  • 1
    Not part of the question, but still relevant - by hoarding code in a private space to work on it in private can create additional problems. Since you are in Germany, the company might be held liable for a breach of labour laws if you work off hours. Also if your manager does not know about your problems, he cannot help you, and if you write code in your spare time and do not tell him, he will get a wrong idea of how long things take (which will get all of you in trouble later on). So this is not only legally wrong, but you create problems for the company, for you manager, and for yourself. Commented Aug 12, 2022 at 11:24
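The local-git suggestion in the comments above, carried one step further as an added example that is not from the original thread: a pre-push hook that refuses to send a repository to any host outside an internal allow-list, so an accidental push to a third-party host is stopped on the developer's machine. The internal hostname is an assumed placeholder.

```shell
#!/bin/sh
# Constructed example: install as .git/hooks/pre-push (chmod +x).
# Git invokes the hook with the remote name as $1 and its URL as $2.
ALLOWED_HOSTS="git.internal.example"   # assumed internal Git server(s), space-separated

# Extract the host from an https://, ssh:// or scp-style (git@host:path) remote URL.
# Local paths and unrecognised forms yield an empty string.
remote_host() {
    case "$1" in
        *://*) h=${1#*://}; h=${h%%/*}; h=${h##*@}; h=${h%%:*} ;;
        *@*:*) h=${1#*@}; h=${h%%:*} ;;
        *)     h="" ;;
    esac
    printf '%s\n' "$h"
}

# Succeed (0) only when the remote's host is on the allow-list.
remote_allowed() {
    host=$(remote_host "$1")
    [ -n "$host" ] || return 1
    for allowed in $ALLOWED_HOSTS; do
        [ "$host" = "$allowed" ] && return 0
    done
    return 1
}

# Hook entry point: block the push when the destination is not an internal host.
if [ "$#" -ge 2 ]; then
    if remote_allowed "$2"; then
        exit 0
    fi
    echo "pre-push: refusing to push to '$2' (host not on the internal allow-list)" >&2
    exit 1
fi
```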

5 Answers

48

Assuming none of these terms are defined elsewhere in the contract:

A third party is a party (a person or company) that is neither you nor the other party to the contract (here, presumably the company that hired you).

Since GitHub is neither you nor the company, it would therefore be a third party, and thus it would in fact violate that contract as written to upload the company's code there. Keep in mind that GitHub is not an autonomous system with no humans involved; it's run by a company of people, many of whom could theoretically access the code in private repositories.
That said, from a practical standpoint, most companies aren't going to fire someone for a mistake made in good faith, especially if actual disclosure to any humans is rather unlikely. However, do remember that we don't know the company's rules, what training you may have received, what exactly you uploaded, or what regulatory/contractual rules they must comply with.

Any of that could affect their decision-making, so you should take this as a general answer and use your own judgement when applying it to your situation.

9
  • 13
    Bearing in mind the OP said the company handles sensitive banking information, reference to complying with the regulatory rules (especially German financial / banking regs and GDPR) shouldn't be underestimated. +1.
    – user35069
    Commented Aug 9, 2022 at 11:28
  • 15
    @NuclearHoagie that depends on how the email is set up (it could be hosted by the business and/or encrypted in such a way that only the sender and recipient can read it, for example). That's also where the "without the prior approval of the management" clause comes in: if the business has authorized the use of their email for sending code, it's not a breach of the contract.
    – Ryan M
    Commented Aug 9, 2022 at 21:23
  • 1
    @armitage Email can be a secure method of transferring data, depending on how it's configured. It's entirely possible for email between employees of a company to be secure in this manner. It's also possible to configure two companies' email servers to securely transfer data between them.
    – Ryan M
    Commented Aug 10, 2022 at 17:02
  • 2
    @ohwilleke that's an interesting analogy, and one I hadn't thought of. My experience in the software industry is that a company with a mature security organization would prohibit exactly that. Putting unencrypted confidential data on a flash drive at all would likely be a breach of security protocols (due to the increased likelihood of portable media being lost/stolen). We are also trained not to upload confidential information to third-party cloud services. Assuming that the prevalence of similar customs in the industry could be established, would that affect the reading of the contract?
    – Ryan M
    Commented Aug 11, 2022 at 9:13
  • 1
    @RyanM "Assuming that the prevalence of similar customs in the industry could be established, would that affect the reading of the contract?" Yes. Testimony regarding industry customs and practices is a common type of evidence in contract interpretation lawsuits and the weight given to it in U.S. law is something that was fairly expressly borrowed from German contract law. The key point, however, is that you need this testimony since interpreting words in a contract does not just mean using a fixed literal meaning independent of context. Interpretation is more than the plain meaning of the words.
    – ohwilleke
    Commented Aug 11, 2022 at 9:20
16

As others have pointed out, you shared your code with a third party without getting the explicit okay from management. It doesn't matter what their stated policies are, you didn't give management the opportunity to review that policy first. Given that the company:

handles sensitive banking information

it's highly likely they would insist that their legal team vet any such policy along with discussions at the executive level before even okaying the use of an external repository.

Financial data is governed by very, very strict laws at the federal level and any risk to that data (including the unauthorized release of source code for platforms that manage it) is a reason for real concern. It affects trust relationships with clients as well as inviting extra scrutiny from the government up to and including an audit.

Depending on what the code does, there's risk of exposure of confidential information embodied in the code as algorithms and numeric data related to those algorithms. That may be owned by the company you work for or its clients depending on whether or not they do custom work for individual clients.

Consider yourself as very lucky your job has survived this to this point. That may change depending on the full evaluation of the risks associated with what happened.

In the future, I recommend you ask a more senior developer for advice on how to accomplish your goals in a way that fits company culture as well as your technical needs. That should be a very well understood part of their role - to provide mentoring to junior employees.

2
  • 1
    And in the future, don't post company code (i.e. any code you're working on as part of your job) on public websites without prior authorization from people with authority to give that authorization. It's almost never (realistically never) the right thing to do. This is a valuable lesson to learn while still an intern.
    – bob
    Commented Aug 11, 2022 at 13:14
  • The code I had uploaded was mostly Python/SQL scripts that were used for data collection/analysis, I had obviously removed all credentials so you could not access the database with it. Since I was just a starting rookie, I had not used any internal algorithms or functions so you would only have gotten the standardised layout for the underlying data -- Still in hindsight, it was not a good idea. I've convinced our team to use Git now so all is well.
    – ratouney
    Commented May 9, 2023 at 8:40
12

In addition to the discovery that GitHub IS A THIRD PARTY in your setup (detailed in the other answers), there are some additional considerations in this regard:

  • GitHub is not immune to breaches. It is not that anyone really is. In a case of breach, the third parties multiply by a great number.
  • Even if you delete the code from GitHub, chances are that it is also copied to backups, transaction logs and various other data handling mechanisms that could allow its retrieval at a later date. Law enforcement actions, backup restores, internal audits, software bugs, etc, etc... can expose whatever you deleted at any moment in the future.

how about

This obligation shall continue even beyond the termination of the employment.

p.s. These things are considered basic knowledge in any security-sensitive environment, including, but not limited to, finances, military or government institutions.

1
  • Hindsight really hit like a train and yes, I was totally wrong in doing so. The team is using Git internally now so all is well on that front. As to the "beyond termination" part, it was using my company email and everything related to it saved only on company devices (Auth on company phone/KeePass for creds), so I could turn in everything and only my superiors would have access to it.
    – ratouney
    Commented May 9, 2023 at 8:46
7

Your data is now on a website owned by a third party, stored on the servers of a third party. If I did that at my current or at my previous company, I’d actually expect my contract to be finished.

You claim that the data can only be accessed by you. That is unlikely to be true. GitHub can access your data, most likely. Police with a warrant can access it. Hackers may be able to access it. And it's you putting the data at risk.

There might be massive legal risks for your company. Allowing you to do what you did might actually be illegal. My previous company would have been in trouble if customers found out; the current one only wants its own secrets to stay secret.

All in all, what you did could easily and legally get you fired instantly.

5
  • 1
    legally get you fired instantly — even in Germany?
    – gerrit
    Commented Aug 11, 2022 at 8:13
  • 3
    @gerrit Criminal behaviour - even if it's something as little as stealing a pencil - is reason for immediate termination in Germany. As we don't know exactly what OP pushed to GitHub, we don't know if OP actually violated the law. "Grobe Verletzung der Treuepflicht" - gross breach of the employee's duty of good faith - is also a reason for immediate termination; again, we can't tell if a court would classify OP's behavior as such. Commented Aug 11, 2022 at 9:01
  • 3
    You can be told instantly that you will be fired at the earliest legal point in time.
    – gnasher729
    Commented Aug 11, 2022 at 15:19
  • @Gerrit As Guntram already mentioned it is possible to fire someone effective immediately in Germany. Violation of confidentiality rules or GDPR is certainly one of the things that can get you fired. The paperwork may drag on for months though (often results in a court-case). Because of that most companies will prefer to put someone on inactive status (garden leave) immediately and follow the normal termination procedure with the regular notice period. This is irrespective of whether or not criminal (or civil) charges will be made against the employee regarding his/her behavior.
    – Tonny
    Commented Aug 11, 2022 at 23:29
  • @GuntramBlohm It was mostly Python/SQL data collection and analysis, a basic data science field kit in a couple of notebooks. No credentials were stored in the git repository.
    – ratouney
    Commented May 9, 2023 at 8:47
2

The best option is to reach out to your mentors/senior developers and ask them what they do / what the policy is. At our org (healthcare - so PHI issues) we publish to an Azure-based git system (sorry this is not the right wording exactly - but we publish to an institution-wide git system basically). The major thing for us is - is patient information exposed, or trade secrets. In my case the answer is no, so I could publish externally if I wanted to, but I did the right thing and reached out to infosec and asked.
