ABSTRACT
This abstract discusses a study about protecting whistleblowers in cybersecurity, showing how it helps make society more transparent and accountable. Whistleblowing means reporting illegal activities, corruption, or bad behavior. Even though whistleblowers might face risks like losing their job or suffering mentally, not reporting can be even worse. To protect whistleblowers and encourage reporting at work, it’s important to have rules that keep them safe. This stops organizations from doing bad things that could hurt them and the community. The study’s findings add to the conversation about making India more transparent, accountable, and well-governed. Hopefully, these findings will help policymakers, organizations, and others make changes to protect whistleblowers and encourage honesty.
KEYWORDS
Whistleblowers, Cyber Security, transparent, accountable, corruption
INTRODUCTION
The term “whistleblower” originally came from sports, where someone blew a whistle to stop games when they saw cheating.
It is German word “whistle,” meaning to reveal or expose wrongdoing. Whistleblowing includes actions by people who uncover illegal, unethical, or morally questionable behavior in private and public groups. Someone who speaks up about these actions is called a “whistle blower”.
The term “Whistle-blower” appeared in the Winters v. Houston Chronicle Pub. Co. case, mentioned by Doggett, J., from the United Kingdom. It comes from the tradition of English police constables using whistles to alert others when they saw a crime happening. Whistleblowing is always about making the public and authorities aware of illegal activities or crimes, with the goal of protecting everyone’s safety.
In the 1970s, Ralph Nader, a person who works for public causes in America, made the term more common. He wanted a better word than “snitch” or “informers,” which sound bad, to describe people who report bad behavior.
Individuals have the right to report different problems related to how companies are run that are wrong, illegal, or not right. These can include things like:
- Bad behavior
- When someone has a conflict of interest
- Poor management
- Not being fair or just
- Acting in ways that aren’t professional
- Problems at work
- Not following laws and rules
- Doing illegal things
- Acting in ways that aren’t honest or proper, especially with money.
People who reveal these kinds of problems often need to be brave and have strong beliefs. These people, whether they work for the company or not, tell the right authorities to stop these bad practices. We call them “whistle blowers,” and they’re really important for making sure companies are safe and follow ethical rules in different industries. To protect them, both bosses and government groups have made rules to help and keep whistle blowers safe from getting in trouble. But sometimes, whistle blowers might not be treated well by their coworkers or might get called names like “rat” or “snitch.”
Whistleblowing can be divided into two types:
- Internal whistleblowing
- External whistleblowing.
Internal whistleblowers are people who tell their bosses about wrongdoing or bad management within the company. External whistleblowers are those who report the same problems to the police or the media. Internal whistleblowing can help companies fix problems before they become public and embarrassing.
All organizations keep their information private, whistleblowers often get punished, like losing their job or even getting hurt. What usually happens to whistleblowers is they face harassment and other bad treatment, including threats and violence. That’s why we need a law to protect whistleblowers who take risks to protect the public interest.
Cyber whistleblowing means reporting when there are problems like security holes, breaches, bad behavior, or breaking rules in a company’s computer systems or with people’s information. This is important for showing when there’s corruption or bad management. It’s become more important as we put more of our information online and face more risks.
Whistleblowers in cybersecurity are really important for fighting against the problem. The public needs to know that the companies we trust with important jobs, like handling our money or keeping our private information safe, have someone inside making sure our data is secure. Also, in a world where technology is changing fast and the government is slow, it’s really important that government workers who deal with our national security and money are able to speak up if they see cybersecurity isn’t being taken seriously enough.
Whistleblowers don’t have a safe place to speak up about their concerns. They can either report the problems within the company they work for, but there’s a risk that their complaints might be ignored or they might face retaliation. Alternatively, they can report externally, but because there’s no central place for cybersecurity whistleblowers to go, they sometimes end up sharing sensitive information with the public, which can cause unintended harm.
This paper argues that cyber whistleblowing can actually help improve cybersecurity, but to do that, there need to be clearer rules and protections for whistleblowers. It will look at why people blow the whistle, how effective it is for cybersecurity, how to make a safer and more open environment for whistleblowers and companies, and how laws affect cyber whistleblowing.
RESEARCH METHODOLOGY
Research methodology is like a roadmap for solving a problem. It’s the study of how researchers do their work, including describing, explaining, and predicting things. There are two main types: Doctrinal and Non-doctrinal. In this study about “Legal Protection for Whistleblowers in Cyber Security,” the researcher used the Doctrinal method.
Research involves carefully studying a specific issue or problem using scientific methods. There are two main approaches: inductive and deductive. Inductive methods are used to analyze observed events, while deductive methods are used to test those observations. Inductive methods are linked to qualitative research, while deductive methods are more common in quantitative research.
For this study, the researcher used the Doctrinal method. They collected data from online sources and various websites’ reading materials. The review includes information about laws and case studies, which show how they relate to key issues and help readers understand the topic better.
REVIEW OF LITERATURE
In 2023, there were 3,205 instances of data compromises in the United States, affecting over 353 million people. These compromises include things like data breaches, leaks, and exposures. Even though they’re different events, they all have one thing in common: someone who shouldn’t have access to sensitive information gets it.
Some industries have more problems with private data being violated than others. This depends on the type and amount of personal information those industries store. In 2022, healthcare, financial services, and manufacturing had the most data breaches. The number of healthcare breaches has been going up over the past few years. In finance, the number of data compromises almost doubled between 2020 and 2022, and in manufacturing, it went up more than three times.
In 2020, an adult streaming website called CAM4 had a big leak of almost 11 billion records. This is the biggest reported data leak so far. What’s interesting about this case is that cybersecurity experts found the problem before criminals did. The second-biggest data breach was at Yahoo in 2013. At first, they said about one billion records were exposed, but later in 2017, they said it was actually three billion. In March 2018, the third-largest breach happened involving India’s national ID database Aadhaar, where over 1.1 billion records were exposed.
If a company hides these breaches, customers might become victims of identity theft or similar crimes without realizing it. Whistleblowers inform them if they need to take any security measures, but their impact doesn’t end there.
Whistleblowers make sure companies are held responsible when they try to hide cybersecurity problems. This helps enforce cybersecurity rules. If a company broke the law during a data breach, whistleblowers make sure they face the right consequences. Even in places without specific cybersecurity laws, when whistleblowers speak up, it encourages fairness from consumers.
When customers find out a company tried to cover up a data breach, they’re likely to stop doing business with them. They’ll prefer companies with strong security and more openness. If nobody knew about the breach, there wouldn’t be this push for better data safety.
Whistleblowers play a crucial role in cybersecurity, but they face risks when they expose a company’s wrongdoing. Even though whistleblowing helps improve security and protects customers, it can harm businesses that wanted to keep incidents secret. As a result, many companies might retaliate against whistleblowers, even firing them.
Some laws protect whistleblowers. For example, the False Claims Act, which deals with fraud against the government, offers rewards and protections to whistleblowers. However, not every case falls under this law, and there aren’t many other laws like it.
In some situations, courts have given whistleblowers money for what their employer did to them, like firing them. But not all whistleblowers get these rewards. Without more protections in place, there might not be many cybersecurity whistleblower cases.
LEGAL PROTECTION FOR WHISTLEBLOWERS
To combat the rising dangers online, government bodies and regulators are taking steps.
Agencies cannot tackle cybercrime single-handedly. Technology evolves rapidly, putting a strain on their resources. Consequently, there are still vulnerabilities that criminals can exploit. Organizations and agencies holding sensitive data must fortify their systems. Employees should remain vigilant and report any cyber threats they encounter. Unfortunately, those who report such issues often face repercussions, such as termination, which deters them from speaking out. To address this, employees need assurance that they will be safeguarded and possibly rewarded for reporting problems. Unlike some other sectors, there is no specific federal law protecting individuals who report cybersecurity issues. However, depending on the circumstances, certain federal and state laws might offer assistance.
1. Sarbanes-Oxley Act (SOX)
This legislation serves to safeguard employees within large corporations who witness fraudulent activities. Enacted in response to past corporate malfeasance, it provides protection to whistleblowers who report such misconduct to governmental authorities. Under its provisions, individuals disclosing suspicions of wrongdoing by their employers, aiding in investigations, or reporting violations of financial regulations are shielded from retaliation. Should whistleblowers face adverse actions such as termination, demotion, harassment, or unfair treatment for their disclosures, the law offers recourse. Within a timeframe of 180 days, aggrieved individuals may seek redress through the Occupational Safety and Health Administration (OSHA), which investigates claims and can rectify injustices, including reinstatement or compensation for lost wages.
2. Dodd-Frank Act
This legislation provides safeguards for individuals who report financial misconduct to the government, particularly to the Securities and Exchange Commission (SEC). Whistleblowers disclosing suspicions of monetary fraud within their companies are shielded by law. In the event of retaliatory actions such as termination, demotion, harassment, or unfair treatment, whistleblowers are legally protected. They have recourse to a specialized court within a six-year timeframe from the date of the adverse treatment, or within three years of becoming aware of it if not immediately apparent. However, there’s a statute of limitations of ten years from the occurrence of the misconduct to pursue legal action.
3. Financial Institutions Reform, Recovery, and Enforcement Act (FIRREA)
This legislation serves to ensure adherence to regulations within the banking sector and provides protection to employees who observe misconduct within banks. If an employee witnesses wrongdoing within a bank and reports it to the appropriate authorities, the law safeguards their interests. Should they face adverse treatment due to their disclosure, they are legally protected. In case of mistreatment following their report, individuals have recourse to institutions such as the Federal Reserve or the Office of the Comptroller of the Currency. If their concerns remain unresolved, they retain the option to seek redress through the legal system.
4. False Claims Act (FCA)
This legislation offers protection and incentives to individuals who uncover fraud against the government. It allows whistleblowers to report instances of government fraud, with the promise of receiving a share of any funds recovered by the government as a result. The law ensures protection for whistleblowers, shielding them from adverse repercussions such as termination, demotion, harassment, or unfair treatment for their disclosures. If an individual suspects government fraud, they are obligated to report it to a specialized court, prompting a government investigation. If the allegations are validated, the whistleblower is entitled to a monetary reward.
5. Energy Reorganization Act
This legislation serves to ensure safety and compliance with regulations within nuclear power plants, providing protection to employees who observe hazardous or improper activities. If an employee working in a nuclear power plant witnesses anything dangerous or amiss and reports it to the appropriate authorities, the law ensures their protection. Should they face adverse treatment due to their disclosure, such as termination, demotion, harassment, or unfair treatment, they are legally safeguarded. In cases where mistreatment follows their report, individuals have the option to file a complaint with the Occupational Safety and Health Administration (OSHA) within 180 days. If OSHA determines that the employee was indeed mistreated, they have the authority to rectify the situation.
6. Whistleblower Protection Act
This legislation provides protection for government employees who witness illegal or unethical activities within the government, ensuring adherence to regulations. If a government employee observes any illegal or wrongful behavior and reports it to the appropriate authorities, the law safeguards their interests. Should they face adverse treatment as a result of their disclosure, such as retaliation, discrimination, or unfair treatment, they are legally protected. In instances where mistreatment occurs following their report, individuals must seek assistance from the Merit Systems Protection Board within a 30-day period. If dissatisfied with the outcome, they retain the option to seek resolution through a specialized court.
7. National Defense Authorization Act for Fiscal Year 2013
This legislation aims to safeguard employees of government contractors who witness misconduct related to government contracts, ensuring the proper expenditure of government funds. If an employee of a government contractor observes any wrongdoing associated with a government contract and reports it to the appropriate authorities, the law guarantees their protection. Should they face adverse treatment due to their disclosure, such as termination, demotion, harassment, or unfair treatment, they are legally shielded. In cases where mistreatment follows their report, individuals are required to report the matter to the Inspector General within a three-year timeframe. The Inspector General will investigate the issue and take appropriate action based on their findings.
WHY DO WHISTLEBLOWERS NEED PROTECTION
Whistleblowers need protection because they risk facing retaliation from the people or organizations they expose. Informers are often seen as traitors by their former associates, which can lead to hostility, threats, and punishment, including social exclusion, physical harm, or even death threats.
Typically, protection for whistleblowers involves keeping them separate if they’re in prison or relocating them under a new identity if they’re not incarcerated. However, whistleblowers often struggle to expose scandals because they lack complete protection.
There’s a severe lack of protection for whistleblowers, and many have paid with their lives for speaking out. This lack of protection highlights the need for a strong Whistleblower Protection. Strong laws are crucial for effectively protecting whistleblowers because the legal environment influences their decision to report wrongdoing, considering the potential retaliation they may face.
Types of Protection
1. Keeping Secrets:
Keeping secrets is really important for protection. When someone tells about something wrong, their identity should be kept secret unless they agree to share it. This is different from being anonymous, where nobody knows who you are. Even if someone finds out who the whistleblower is, they should still be protected. Most places prefer keeping secrets over being anonymous because being anonymous can make people not trust the system. Some experts say that being anonymous makes powerful people not responsible.
2. Keeping Your Reputation Safe:
If someone’s reputation gets hurt because they told about something wrong, it’s important to make it right. They should be treated well in public and at work. If there are ways to fix the problem, they should be offered quickly so that people feel safe to tell about bad things.
3. Getting Paid Back:
If the person who tells about something wrong gets hurt in a way that can’t be fixed easily, they should get paid back for it. For example, if they lose their job because they told, they should get money to help them until they find a new one.
4. Making Sure the Law Protects:
People who try to hurt or punish whistleblowers should get in trouble with the law. This stops them from bothering whistleblowers. Whistleblowers are really important because they help fight against bad things like corruption and crime. They also help make the government and society better. Whistleblowers are like an alarm that goes off when something bad is happening. Since telling about bad things can be scary and cause problems, it’s really important to protect the people who do it. We should encourage a culture where being honest and open is valued. Laws that protect people who tell about crimes help make this culture.
SUGGESTIONS
- Ensure that every company has a clear and accessible mechanism for whistleblowers to report issues related to cybersecurity.
- Consider implementing independent platforms, such as corporate whistleblower initiatives, to encourage employees and other stakeholders to report cybersecurity concerns anonymously.
- Address concerns about potential abuse of anonymous reporting by specifying the types of issues that can be reported through the whistleblower mechanism, focusing on unfair and unethical practices.
- Clearly outline the information required in a whistleblower complaint to initiate an investigation, emphasizing the importance of focusing on the reported issue rather than the identity of the whistleblower.
- Recognize that individuals may be hesitant to report cybersecurity issues due to fear of reprisal or lack of incentive. Consider implementing monetary or non-monetary incentives to encourage whistleblowers to come forward.
- Explore the possibility of introducing an incentive scheme within the company to reward whistleblowers for reporting cybersecurity issues promptly and effectively.
- Foster a culture of transparency and accountability within the organization, emphasizing the importance of cybersecurity and the role of whistleblowers in safeguarding sensitive information.
- Provide training and education to employees on the whistleblower policy and the procedures for reporting cybersecurity concerns, ensuring that they understand their rights and protections.
- Regularly review and update the whistleblower policy to address any emerging challenges or changes in cybersecurity threats, ensuring its effectiveness in protecting whistleblowers and addressing cybersecurity issues.
CONCLUSION
In conclusion, protecting whistleblowers in cybersecurity is crucial for maintaining transparency and accountability in society. Whistleblowers play a vital role in exposing illegal activities, corruption, and unethical behavior, helping to prevent harm to individuals and organizations. However, whistleblowers often face risks such as job loss and harassment, making it essential to have robust legal protections in place.
To address these challenges, it is imperative to establish clear and accessible mechanisms for reporting cybersecurity issues, both within companies and through independent platforms. By specifying the types of issues that can be reported and outlining the information required for investigations, organizations can encourage whistleblowers to come forward without fear of retaliation.
Moreover, providing incentives, both monetary and non-monetary, can further motivate whistleblowers to report cybersecurity concerns promptly and effectively. By fostering a culture of transparency and accountability and ensuring that employees are aware of their rights and protections, organizations can create a safer environment for whistleblowers.
In summary, enhancing legal protections for whistleblowers in cybersecurity is essential for promoting honesty, integrity, and ethical behavior in the digital age. By implementing these suggestions, policymakers, organizations, and other stakeholders can work together to safeguard whistleblowers and encourage honesty, ultimately contributing to a more transparent and well-governed society.
Written by :- Akash Singh Yadav
College/University :- Dattopant Thengadi Law Institute, Veer Bahadur Singh Purvanchal University, Jaunpur Uttar Pradesh