Organizations of all sizes around the globe are struggling to come to grips with the diverse and expansive cyber-threats they now face on a daily basis. They recognize that some of those threats can even challenge their existence. Companies and other groups now implement cybersecurity measures in order to meet their legal and regulatory obligations, and to mitigate the risk of catastrophic security breaches. Organizations fully recognize that cyberscurity breaches can result in penalties from the government and liability to customers and business partners. It is also becoming apparent that cybersecurity failures by organizations can lead to an additional form of liability on the part of employers, whistleblower claims by their employees.
Federal and state laws provide legal protection to employees who report improper conduct by their employers. More specifically, whistleblower laws protect employees who take action to stop or to report activities engaged in by their employers that are illegal or violate accepted public policies. Whistleblower laws prevent organizations from taking retaliatory action against employees who act to stop or to disclose illegal or inappropriate conduct by the employer. Retaliatory action by an employer could include termination of employment, reduction in pay or benefits, harassment or a range of other actions.
In order to raise a whistleblower claim successfully, both the employee and the employer involved must fall within the jurisdiction of an appropriate federal or state statute. The employee must actually engage in some type of whistleblower activity, and the employer must be aware of that activity. There must be some form of retaliatory action that takes place and that action must be motivated, at least in part, by the employee's whistleblower activity. The employee must demonstrate by a preponderance of evidence that he/she would not have been the target of the action by the employer if there had been no whistleblower activity.
Note that efforts to report and stop inappropriate employer conduct may, at times, include disclosure of the information by the employee to parties outside the organization. For instance, employees may inform appropriate government regulatory authorities, or state or federal law enforcement authorities as part of their effort to report and stop improper conduct by their employers. In some cases, whistleblowing employees may disclose their information to the media. Depending on the specific facts of a situation, these actions could constitute protected whistleblower activity.
Whistleblower conduct can arise in a variety of cybersecurity contexts. For example, consider a situation in which an employee becomes aware of a serious flaw in his organization's data security system. If that employee reports the apparent security threat up through his chain-of-command, and is subsequently reprimanded or somehow ostracized, there could be a whistleblower claim.
Alternatively, imagine a scenario in which computer system intrusion technology indicates that there has been massive unauthorized access to an organization's computer system and data archives, but there is no direct evidence of actual data theft or alteration. Employees who report this activity to their management could be entitled to whistleblower protection even though their organizations may not yet understand the full nature and scope of their data breach, and may thus be reluctant to disclose the breach.
Note that the scope of cybersecurity concerns extends far beyond data security breaches and malicious hacking by outside parties. For instance, employees who become aware of illegal or inappropriate use of an organization's computer system by the organization or by other employees could be entitled to whistleblower status if they try to stop or report that activity. For example, an employee of a telecommunications company or Internet service provider who learns that her employer is conducting inappropriate surveillance of the communications and online activities of the customers of the company and tries to stop or report that activity, could be considered a whistleblower under some circumstances.
Edward Snowden's disclosures regarding massive National Security Agency surveillance sparked global discussion and debate as to permissible levels of government spying. His actions also incited sharp debate as to the nature of whistleblower status in the digital environment. For some, Snowden is a whistleblower who took action to stop illegal government conduct, was penalized for that effort, and should be entitled to whistleblower legal protections. To others, Snowden is a traitor who disclosed national secrets, thus placing the United States at risk, and should be prosecuted for illegal disclosure of national secrets and potentially for treason.
Parallel debates arise in the context of digital whistleblowers in the commercial setting. The process of disclosing illegal or otherwise improper activities will almost always trigger employer claims of breach of contract, theft of trade secrets, misuse of intellectual property, and a variety of other standard commercial law arguments. Employees who attempt to block or report cybersecurity threats and failures routinely face allegations by their employers that their actions constitute some form of illegal or improper conduct by the employee. This tension between legal protections afforded to whistleblowers and legitimate legal rights of employers rests at the heart of all whistleblower cases.
There is good news with respect to cybersecurity whistleblowers. The best way for organizations to handle those whistleblowers is to listen to them and to take their claims seriously. If an organization has a properly structured, operated, and maintained set of cybersecurity policies, practices, and procedures, whistleblowers are allies to the organization, not threats. Potential whistleblower claims provide another significant reason for every organization to implement and diligently adhere to best available cybersecurity practices.
If an organization has adequate and effective cybersecurity policies, practices, and procedures in place, all employees will know what to do when they encounter or become aware of cybersecurity issues. When those employee reports and concerns are presented, the organization will act upon them, and the result will be improved security for the organization and satisfaction for the employee. In this setting, the organizations involved will be more secure against cyber-threats and far less likely to become embroiled in whistleblower claims associated with cybersecurity.
In effect, best cybersecurity practices generally try to create an environment in which every employee is a digital security whistleblower. In such a setting, each employee is conscious of the risks presented by cyber-threats, and feels empowered to identify and report such threats. This is the most effective way to promote the type of environment in which cyber-threats are identified as quickly as possible so that they can be promptly and successfully addressed.