Saying that we have heard the word "whistleblower" far more often in recent years than before is an understatement. The dictionary definition of a whistleblower is someone who has and reports insider knowledge of misconduct occurring in an organization. The single word "whistleblower" is a recent arrival, having gradually evolved from "whistle blower" (two words) in the 19th century and "whistle-blower" (hyphenated) in the 20th. Historically, a whistleblower was someone who literally blew a whistle to draw attention, announce wrongdoing, or keep order. In sports, it was the referee who blew the whistle while administering the rules and rendering judgment. But if it is true that not all superheroes wear capes, it is also true that not all whistleblowers blow a whistle. The connotation of blowing a whistle to attract attention to wrongdoing has, in recent times, been extended into figurative use.
While "whistleblower" may not be a label most people would choose for themselves, it is far from synonymous with "snitch," especially in the hottest category of whistleblowing of recent times: cyber whistleblowing. Reporting any misconduct you are aware of is not just ethical but crucial; cyber whistleblowing, or cybersecurity-related whistleblowing, serves not only one's social responsibility but also the security of a much larger population. Cyber whistleblowing is the newest and one of the most significant areas of exposure for organizations. With rapid technological change and a growing likelihood of data breaches, lax enforcement of organizational cybersecurity can foster an atmosphere of data security non-compliance, which in turn creates opportunities for breaches. Without whistleblowers, such security non-compliance and data breaches would largely go unreported.
When consumers provide their sensitive data to a company, they trust that the company will make every effort to safeguard their privacy and the confidentiality of their data. The company, in this case, also must comply with the data protection protocols and rules and take necessary security measures to protect its consumer base. The consumer, though, has no way of validating that the company is doing this. Likewise, regulatory agencies cannot constantly assess what security measures are in place, leaving the protection of sensitive data on the shoulders of the companies’ Information Technology and Security teams. As the only stakeholders with “behind-the-scenes” information, they are often the only parties who can act as whistleblowers.
Because of the significant role cyber whistleblowers play, various laws protect their rights. In the UK, the Public Interest Disclosure Act 1998 (PIDA) protects whistleblowers, while in the US the Whistleblower Protection Act of 1989 is a federal law that protects federal whistleblowers. The whistleblower laws that OSHA enforces prohibit employers from retaliating against employees for engaging in activities protected under those laws. Additionally, in the fall of 2021, the US Department of Justice (DOJ) introduced the Civil Cyber-Fraud Initiative (CCFI). This initiative uses the False Claims Act (FCA) to pursue government contractors and grant recipients that misrepresent their compliance with cybersecurity standards related to Information Technology, cloud-based storage, and other related services.
The FCA covers any cybersecurity compliance misrepresentation, such as deliberately providing deficient cybersecurity products or services, knowingly misrepresenting cybersecurity practices and protocols, or violating obligations to monitor and report cybersecurity incidents and data breaches. The CCFI has secured more than $9 million so far in false claims settlements. This serves as a warning to companies that non-compliance with applicable cybersecurity standards and regulations will be dealt with seriously and can be expensive.
With high-profile cyber whistleblowing happening all around us every day, it seems like it is a whistleblower's world and we are all just living in it. It is, therefore, time for organizations to mitigate the repercussions of whistleblower actions by:
- Making sure that they have internal processes for reporting probable cybersecurity non-compliance.
- Acting on any employee complaints meaningfully to achieve compliance.
- Making every effort to secure confidential, sensitive, and personal data and to comply with the applicable cybersecurity regulations and protocols. This will ensure that organizations do not provide an environment that would breed internal cyber whistleblowers.
Fortanix helps enterprises secure their sensitive data and achieve privacy compliance with our comprehensive product suite that includes the Data Security Manager, which is a cloud-based integrated solution for Tokenization, Key Management, and Encryption. Fortanix Confidential Artificial Intelligence is a service for developing and deploying Artificial Intelligence & Machine Learning models on sensitive data using confidential computing.
Want to know more? Contact us.