If you've spent any time reading or watching the news this year, you've heard about at least one major data breach. Not only do those headline-grabbing events damage the company's reputation, they also put clients and customers at risk, because their data can easily get into the hands of the public.
In the wake of these incidents, you would think companies would appreciate a heads-up before a cyber-security threat becomes a reality. However, that's not always the case. Internal whistleblowers often face retaliation from the company they were trying to protect. Many times employees aren't even aware of the legal protections offered to them if they become a whistleblower.
Debra Katz, a founding partner of Katz, Marshall & Banks has represented a number of clients who have faced direct retaliation from their own employer after bringing a cybersecurity issue to the forefront. "What we see often is that when employees write long memos or long emails where they detail the problems, they get told right at that juncture, to not be stupid and not write stuff down. So almost from the very beginning, employees in these roles can be hammered just for reporting the problem, and trying to document the issue to get it on the screen of the company so the company allocates the necessary resources." This is especially true for employees who work closely with cybersecurity; they often feel as though they are a walking target, with the business viewing them as a threat, rather than an ally.
"It is an environment where people who work in this sector really have a lot of legal protection, they also operate with a target on their back and companies have to be sensitive to this," says Katz.
Cybersecurity threats can also be associated with fraud, where a business might simply understate potential threats to business partners and clients. For example, an employee may find a number of vulnerabilities, but is denied the resources to bring the systems up to date.
But if a company ignores internal whistleblowers, it could lead to even more problems, especially if that employee takes their concerns to the SEC, which has a whistleblower program through the Dodd-Frank Wall Street Reform and Consumer Protection Act. Through this program, whistleblowers are incentivized to come forward by receiving 10 to 30 percent of the fines the SEC imposes on companies.
These acts also offer protection to whistleblowers who work for publicly traded companies, and in addition to the Dodd-Frank Act, there is the Sarbanes-Oxley Act, which both pertain to company fraud. In addition to these two acts, state statues protect employees when it comes to reporting fraudulent business practices and potential for sensitive data breaches. And for those working at private companies, if workers find their employer is misrepresenting themselves to a publicly traded company, they are also granted protections under the same acts.
Sign up for CIO Asia eNewsletters.