Cybersecurity Whistleblowers
Privacy Plus+
Privacy, Technology and Perspective
Cybersecurity Whistleblowers. This week, let’s consider how to deal with cybersecurity whistleblower complaints.
Background: There has been a significant uptick in cybersecurity whistleblower cases where recent regulatory actions have encouraged such whistle-blowing. But concern about cybersecurity whistleblowers dates back to 2019, when Cisco paid $8.6 million to settle the first cybersecurity False Claims Act case. If you would like to read more about the Cisco case, you can review the following article from the New York Times:
https://www.nytimes.com/2019/07/31/technology/cisco-tech-flaw-sales.html
Recently closer to home, we’ve seen a prominent cybersecurity whistleblower reveal sensitive information about our school district…
DISD: In August 2021, the Dallas Independent School District (DISD) experienced a large data breach impacting the district’s electronic records of current and former students, alums, parents, and district employees. DISD delayed reporting the breach and failed to disclose the details fulsomely. In protest, the district’s chief information security officer (CISO) resigned and went public, stating he was "afraid the details of the breach will become public at some point, and Dallas ISD will lose credibility.” You can review that quote by clicking on the following link:
https://informationsecurityleadership.com/ciso-quits-over-data-breach/
Twitter: Additionally, a cybersecurity whistleblower surfaced in connection with Twitter. In September 2022, Twitter’s former CISO testified to a United States Senate panel that Twitter “lacked basic security measures.” During his testimony, he also revealed sensitive information about Twitter’s allegedly deficient cybersecurity and privacy practices, highlighting Twitter’s lack of access controls and lack of understanding of its data and data flows, among other things. If you would like to read more about his testimony, you can review the following article from CNBC:
Our thoughts: Cybersecurity whistleblower complaints are unique because they implicate unique stakeholders, and potentially regulatory scrutiny if not handled correctly. Accordingly, they must be handled differently than “ordinary” corporate-misconduct complaints.
At the outset, companies should recognize that IT-related complaints are common, so they (and their workforce) must be able to tell whistleblower issues from routine complaints. This likely means that companies should revisit their whistleblower policies and/or codes of conduct to ensure that they recognize and appropriately route and address cyber complaints. They should also educate their workforce on whistleblower policies, including how cybersecurity-specific complaints are routed and otherwise handled.
How cybersecurity whistleblower complaints are routed is an issue that each organization must consider for itself in light of its organizational structure. But particularly in organizations where a depth of resources is available, perhaps a CISO (from within whose department often “the whistle is being blown”) should not bear primary responsibility for managing an investigation or response to a whistleblower complaint. Instead, a Chief Legal Officer or Ethics Officer might supervise, perhaps together with the CISO, or outside counsel, as needed.
Regardless, internal and external reporting channels, like whistleblower hotlines, should be updated to include a new category for cybersecurity whistleblower complaints. And as with any investigation, issues of privilege will need to be considered, and resolutions appropriately documented.
A good article on the subject is available at the following link:
https://www.corporatecomplianceinsights.com/emerging-cyber-whistleblower/
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.