(Photo: ESB Professional/Shutterstock.com) (Photo: ESB Professional/Shutterstock.com)

The Securities and Exchange Commission's announcement of insider trading charges against a former information technology administrator for cybersecurity company Palo Alto Networks Inc. raises questions about what, if anything, in-house leaders can do to prevent similar incidents. 

In the Palo Alto Networks case, the IT staffer in question, Janardhan Nellore, allegedly accessed "highly confidential" financial records with his employee credentials, then shared the insider information with four friends. Nellore pleaded guilty Wednesday to conspiracy to commit securities fraud before a federal judge in San Jose in a related criminal case.

Nellore and his pals, who used the code word "baby" in texts and emails to refer to Palo Alto Networks' stock, made more than $7 million through the insider trading scheme before they were caught, according to a federal complaint filed Tuesday in California. 

Nellore was arrested in May at the airport as he and his family tried to board a one-way flight to India. He was fired earlier this year. 

"There will always be people at a company with administrative access to email, etc., unless you have a totally closed system, which is pretty unrealistic and impractical," Ed Ryan, former general counsel of Marriott International Inc., wrote Wednesday in an email.  

Companies need to ensure that sensitive data is shared on a need-to-know basis and that "anyone who potentially has access, authorized or not—and this would include IT—be aware that it's a terminable offense to access it (and they know that bread crumbs are always out there) and a criminal offense to use it," Ryan added. 

Corporate legal department adviser Jason Winmill, a managing partner at Agropoint in Boston, echoed Ryan in noting that in-house leaders typically have an advisory role when it comes to determining which documents are confidential but do not generally act as gatekeepers. 

"In my experience, the general counsel would be responsible for communicating to the other stakeholders what their legal obligations are to keep things confidential. And then perhaps doing follow-up spot checking to make sure the legal obligations are being met," he said.  

Mark Smolik, general counsel and chief compliance officer for DHL Supply Chain Americas, noted that many large companies, especially those with a global presence, have data protection officers, who sometimes work in the legal department but are more often found in the IT department. 

Smolik added that "more and more of this function [oversight of confidential records] is landing under the umbrella of the IT teams. Legal departments are there to support the IT departments and data protection officers and interpret the laws and rules and regulations that apply." 

Of course, most companies that are worried about the misuse of their confidential data have employees sign nondisclosure and noncompete agreements. But Susan Hackett, CEO of law practice management consulting firm Legal Executive Leadership, said corporate counsel are increasingly questioning the benefit of such agreements.

"Quite honestly, you don't give yourself any further protections at law for having put those documents in place. If you violate a nondisclosure agreement, you're going to get prosecuted if we catch you. But the fact that you have a nondisclosure agreement doesn't mean I have any greater or fewer opportunities to sue your or stop you," she added.  

The agreements serve a purpose by putting employees on notice, Hackett said, but "in terms of compliance responsibilities, I'm not sure that you can prevent someone who has criminal intent from exercising that criminal intent." 

She added, "If there was any kind of best practice, it would be to help employees who may be ignorant of these issues realize what they should or shouldn't talk about." 

Read More: 

Insider Trading Policies and Cybersecurity

Civil Penalties for Insider Trading