Your company’s security controls are lacking, and a high-level employee in IT is naturally worried – he’s addressed his concerns several times. Employees are regularly transmitting unencrypted information, sharing passwords and using non-compliant cloud services to share data and sensitive client side IP. This doesn’t seem overly alarming, we’ve all made similar mistakes, so the comments are ignored and operations continue. A few months later however the employee becomes increasingly vocal so senior management decides to let him go. Problem solved. Or … the problem might just be beginning.

Companies that ignore (and retaliate against) employees who address cybersecurity vulnerabilities can face significantly increased liability resulting from a new breed of whistleblower claims – cyber whistleblowing. With cyber regulatory oversight increasing at a rapid rate, these claims are poised to increase as well. While no federal laws specifically protect cybersecurity whistleblowers, existing anti-retaliation provisions are often broad enough to cover employees who raise information security concerns.  Most notably, federal statutes prohibiting retaliation against corporate whistleblowers and employees who report misconduct in connection with federal funds, as well as state wrongful discharge actions, may apply to cybersecurity whistleblowers.

The Sarbanes-Oxley Act (“SOX”) protects employees of public corporations who report a wide range of misconduct, such as shareholder fraud or other violations of securities laws.  Cybersecurity issues often fall within this broad coverage.

[Click link to continue reading.]