That means there is little legal history, precedent or even statute that specifically addresses cybersecurity whistleblowers.
While there are nearly two dozen laws in various states that protect whistleblowers in areas ranging from asbestos to drinking water, solid waste, railroads, motor vehicles, shipping containers, pipelines, aviation, consumer products, hazardous waste, food, drugs and more, there is nothing on the books that provides specific protection for those who report on cybersecurity.
Still, attorneys like Katz, who specialize in whistleblower cases, say top management in organizations may need to play catch-up as well, since such cases could lead to damaging breaches, an investigation by a regulatory agency, or both.
And while legal protections may not be explicit for cybersecurity whistleblowers, they exist by implication, experts say. Lance Hayden, managing director at the Berkeley Research Group and a CSO contributor, is one of several who have cited a settlement last September between the SEC and R.T. Jones Capital Equities Management over charges that the firm’s violation of the “safeguards rule” led to a breach that compromised the information of about 100,000 people.
While the firm did not have to admit to the charges, it agreed to a censure by the SEC and to pay a $75,000 penalty.
There was no documented evidence of whistleblower involvement in the case, but Hayden wrote that it became “a sort of catalyst” for the SEC to focus on cybersecurity.
He quoted SEC Commissioner Kara Stein saying after the R.T. Jones settlement that the agency intends “...to play a much more active role in trying to help companies better protect themselves against an increasing number of cyber security issues …”
Dallas Hammer, an attorney with Zuckerman Law, writing for the National Law Review, said the R.T. Jones case indicates that, “cybersecurity issues have become a key enforcement priority for the SEC,” which means that, “in turn, whistleblower tips that touch on cybersecurity may receive additional scrutiny.”
And Katz wrote last fall that, “for public companies and other entities regulated by the Securities and Exchange Commission, mismanagement of their cybersecurity could violate securities laws.”
She noted that the Dodd-Frank Act established an SEC Whistleblower Program that, while it does not specifically address cybersecurity, could still lead to an enforcement action if a company has fallen out of compliance with its regulatory obligations.
But those implications come with qualifications – both Hammer and Katz tempered their conclusions with words like “may” and “could” rather than “will.”
Ariel Silverstone, a consulting chief security and privacy officer, doesn’t think the qualifications are necessary. Since the SEC’s whistleblower program language doesn’t exclude cybersecurity, it is therefore included, he said.
Still, all those involved say it is impossible to make blanket statements about the topic since it is not a simple, black-and-white issue.