The Last Thing They Expect
Patience is a virtue in business and in life
As I get closer to the end of my career, I’m finding it more and more important to break down some of the experiences I’ve had as a professional software engineer over almost 40 years — to share them, and to try to help the next generation of engineers deal with some of the problems I’ve had to deal with.
So here’s one. When you get into a situation where somebody tries to screw you over — or actually does screw you over — the last thing they expect is for you to patiently wait for the right opportunity to fix the situation, whatever that may be.
Let me give you an example from my own career.
A few years ago now, before the Pandemic, I accepted a relatively small consulting engagement with a very, very early-stage startup. They hadn’t built any product yet — not a single line of code. They needed somebody to come in and architect the system for them, and work with another engineer to build a prototype.
So I put a contract in place. A very important provision in any contract you sign as a professional engineer is the Acceptance Criteria: under what circumstances has the customer accepted the work you’ve done, and therefore owes you payment? A very common provision — one I always add — is that if the customer uses your software for any commercial purpose, they have accepted the software.
The situation was that I went to work for this very early-stage startup. It was about a $27,000 engagement over the course of, I’d say, six weeks or so, with three milestones, each carrying its own milestone payment. The company originally told me they only wanted to pay $18,000 for the engagement, but I sent them some estimates and said, well, I think it’s really going to take more like $27,000. That was the very first tell. Looking back, I realize it was the first sign there might be problems.
They wanted me to use my own computer, but even though I was a contractor, they insisted I come into their office every day. It was actually a WeWork in downtown San Francisco. And despite the fact that asking a consultant to show up at nine in the morning and work until five in the evening sort of automatically makes you not a consultant, I agreed to that as well, because I thought it was an interesting thing to work on.
So I went into the office and was introduced to the other engineer on the project. He was a front-end engineer, I was a back-end engineer, and we were going to be working together to build this prototype. I very quickly realized that this was literally his first job out of college. He had zero experience working in a professional environment. So in addition to building the back end of the system, I was immediately put in the position of having to mentor him, coach him, and help him with his work.
We trundled along through the first milestone. I submitted my invoice and got paid $9,000. Then we trundled along through the second milestone, and I submitted another invoice and got paid again. After a couple more weeks of work, I was getting ready to deliver the final milestone. We had a demoable system — one that showed potential investors what the product was ultimately going to be able to do, and what the value proposition of the company was.
But along the way, a couple of other red flags started to pop up.
I got into a very serious back-and-forth with the CEO about HIPAA compliance. This company was intending to launch a technology product in the healthcare space, and since we were going to be storing patient data, we had to be — in my view — HIPAA compliant. At that time we were running our system on Heroku, which is a very convenient platform to launch startup ideas on. But Heroku is not HIPAA compliant. You cannot launch a HIPAA-compliant product on Heroku.
So I made the CEO aware of this and put some options in front of him that would eventually lead to HIPAA compliance. And I got immediate pushback. It was too much cost, too much effort, way too many problems. At the same time, there was a conversation going on about launching a limited pilot with real patients.
That’s where my concern lay. It became clear to me that the CEO was not going to take HIPAA compliance seriously. In fact, I found out he met with a consultant at one point who told him that companies can self-certify for HIPAA compliance. I pointed out to the CEO that self-certification was for companies like Johnson & Johnson or Procter & Gamble — companies with big internal IT organizations that could actually check all the boxes for true HIPAA compliance.
So I ended up sending the CEO an email basically saying: I’ve done all this work, but I won’t put this system into production for you. I won’t be involved in making this system available to real patients in any capacity, because of the lack of HIPAA compliance.
And with that, I submitted my final invoice and went on vacation with my family.
We went to England. I was sitting in Wembley Stadium with my son and my wife, watching The Pretenders open for Fleetwood Mac — that was the concert we went to at Wembley — and I was thoroughly enjoying myself when my phone suddenly blew up.
Two things were happening at the exact same time. On one hand, the young engineer was texting me, because the CEO was getting ready to demo our product to a potential investor, and he had lots of questions about how to set up the back end and get everything working correctly. So I was helping him with that, sending him instructions for how to do it.
At the same time, I got a message from the CEO and his co-founder telling me they were not accepting the work I had done. They were not going to make the final milestone payment. And in fact, the system was so unacceptable, they said, that they were planning to sue me to get back the $18,000 they had already paid me.
It was at that point that all the red flags came together — and there were other red flags I don’t care to get into here. I realized that for these guys, $18,000 was all they ever had. That’s all they ever intended to pay me. They had essentially been stringing me along to get as much work out of me as possible.
So I sent them back a notice saying: listen, I know you’re about to do a demo for a potential investor. In my view, that constitutes a commercial use of the system I built. So you have accepted this product, and you do in fact owe me the last $9,000.
I can’t remember what they wrote back, because frankly, I was on vacation enjoying myself with my family. So I just filed it away and didn’t think much about it for several years.
The Pandemic happened, and we all got through that. I just waited patiently. Every once in a while I would check in with this company to see what was going on. They were in the telemedicine business, so like a lot of other companies during the Pandemic, they did extremely well. They got funding, they launched, they signed up a lot of patients, and by all accounts were doing extremely well.
Sometime toward the end of the Pandemic — or maybe after — I decided to check in with them again. One of the first things I did was check my laptop, because it turned out I still had a couple of artifacts on my machine from the work I’d done for them. I had the code, because there was no reason for me to delete it. And I also had some AWS keys that I had originally used to set up parts of the system.
Almost on a whim, I tried to access Amazon. I won’t say exactly which services I tried to access, but I just sort of probed. And I discovered that the Amazon keys I had issued to myself years earlier were still valid.
In other words, this company had not done even the most superficial, cursory security cleanup when they let me go — a consultant they had basically stiff-armed and never paid. They hadn’t changed those keys. I immediately shut down what I was doing and went no further, because at one point I was actually looking at patient data. And I was like, okay, this is not good.
So then I checked their website, found out the name of their venture capital firm, and found out the name of the partner who sat on their board. I sent that gentleman a very nicely worded, very helpful, but also very serious message. I laid out the whole thing for him. It was sort of a “did you know about this?” You have these security holes. You obviously don’t have a culture around security. I doubt you’re HIPAA compliant. And — can I please get paid for the work I did, so we can put this all behind us?
And lo and behold, I got paid within three or four days.
Remember, this was years after the initial fallout. I had waited patiently for this point, because that’s the best thing to do. At the point they actually owed me the money years ago, there was no use trying — I wouldn’t have gotten paid. But several years later, after they had raised quite a bit of money, the potential liability was a very serious issue for them. So I got paid right away.
In fact, they asked me to sign a mutual non-disparagement and non-disclosure agreement around these issues, which I did. In retrospect, I probably should have asked for more money to sign it. But I didn’t. I just put the whole thing behind me.
Several years after that, I came to find out that this company, after its initial success, basically imploded — because it turned out they were sending confidential patient data to a third party. I still don’t know what ultimately happened to their business, because at this point I don’t care.
But the point is this: in your professional career, you will run across all sorts of people. And unfortunately, what I’ve seen in my almost 40 years in this business is that the caliber and integrity of a lot of people in our industry has degraded significantly. This is not the only story I have about a startup founder who not only bent the rules but blatantly broke them — broke laws, even — in order to be successful, thinking the rules don’t apply to them. And they do.
So when you run into a situation like this in your career, be thoughtful and be patient. Wait for your opportunity to make things right.