In the potentially precedent-setting case, Elmer has admitted sending the data and therefore breaching bank security rules, but he denied blackmail and making a bomb threat against a bank chief.
According to the Reuters newswire, Elmer first came to public notice some three years ago when he passed on details of Swiss banking clients to WikiLeaks.
The newswire says that he passed on the data after Swiss authorities apparently "failed to act on data he said showed Baer, his former employer, helped clients dodge taxes."
"The ethics of business leadership on both sides of the Atlantic have disappointed me", Elmer is reported to have said in court yesterday, adding that he wanted to "expose illegal activity in the Cayman Islands."
The case has drawn interest from the IT security community, with Ed Macnair, the CEO of activity management specialist Overtis, noting that he and his team have seen a growing shift towards security that focuses on behaviour, so as to avoid situations like the Baer banking data leak case.
Overtis says that news of Elmer's trial follows closely on the US government's information assurance memorandum, which advises agencies to implement insider threat programmes in the wake of the WikiLeaks revelations.
The memorandum, says Macnair, includes the following questions:
- How does your agency ensure that procedures are in place to prevent classified information in removable media and other media (e.g. back-up tapes, etc.) is not removed from official premises without proper authorization?
- What, if anything, have you implemented to detect behavioural changes in cleared employees who do not have access to automated systems?
Macnair said that, whether you view him as a whistleblower or a renegade, from an information security perspective, Elmer's case is yet another example of a trusted employee storing customer information to removable media and passing it to a third party.
"There is a growing recognition that employees with privileged access to data may become less trustworthy over time and so security should be user-centric", he said.
"The only way to stay on top of your data governance is to put security in between your users and your data, so that policies are consistently enforced", he added.