How can your breach turn into a securities law violation? The answer may be “via whistleblower.” More and more, corporate employees are reporting cybersecurity vulnerabilities to the U.S. Securities and Exchange Commission after not receiving satisfactory responses from managers about issues they raise. Companies with a strong internal reporting protocol may believe that they need not worry about missing a valid internal report. But organizations should not be so sure. Cyber whistleblowers may present themselves in ways that are virtually unrecognizable from a traditional whistleblower perspective. Recognizing a potential cyber whistleblower may require companies to appreciate nuances previously unanticipated by most internal reporting schemes.
Consider the following scenario. An IT employee approaches his manager. He expresses concern that his co-workers are not following appropriate cybersecurity practices. Specifically, he is aware that employees share passwords for certain systems. The employee knows that his co-workers do this for convenience, but he is concerned that doing so presents a risk to company information. Many managers would not recognize this as a potential whistleblower situation. However, this simple complaint may indeed form the basis for a whistleblower report. If the employee believes that the vulnerability is serious and puts consumer or company information in jeopardy, the employee may take this information to the SEC.
