Whistleblowing in IT does exist, but we rarely hear about it. Why is that, and why should we expect an increase in such cases?
In the past, when an employee reported an employer for failing to meet compliance requirements or to follow cybersecurity best practices, the employee was often fired. The resulting wrongful-termination lawsuits were typically settled out of court, and no one was the wiser.
So what’s different now? In the wake of so many breaches exposing the personal information of millions of individuals, cybersecurity has become a key enforcement priority for the Securities and Exchange Commission (SEC), meaning that whistleblower tips related to cybersecurity are more likely to be taken very seriously.
In fact, for public companies and other entities regulated by the SEC, mismanagement of their cybersecurity could violate securities laws. The SEC is taking a closer look at companies’ cybersecurity measures and disclosures, and directing company CEOs to reference the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a guideline for best practices.
There are still grey areas, however. For now, it is assumed that because the Dodd-Frank Act, which established the SEC whistleblower program, does not specifically exclude cybersecurity, reports about companies that are lax in this area could fall within the program. But when no specific compliance regulation applies, there is still room for interpretation about what counts as an “acceptable level of risk”. While no organization can completely eliminate risk, it seems more prudent than ever to take any report of a potential vulnerability seriously and address it proactively where possible. Don’t let a failure to act be the reason an employee blows the whistle.