I was extremely disappointed to see at http://ha.ckers.org/blog/20080522/tjx-whistle-blower/ that an employee of TJX (CrYpTiC_MauleR) had been tracked down and fired for posting some comments about TJX’s data security flaws (TJX of HUGE SECURITY BREACH fame). As an information technology whistleblower that just finished with three years of whistleblower litigation against my former employer for data security problems, I thought it would be useful to post to the IT community how one goes about blowing the whistle in a way that gives you some chance of a successful outcome.
First off, this is not a path I would recommend to anyone unless you have a completely ethical reason for doing so, have a backbone of steel, and a very thick skin (don’t think you will make a million $$ in other words). In my case, the security problems were rampant, auditors were not told the truth, and I was in the direct path to be blamed if there was a data breach (I was the company’s database administrator in managing security for their databases with CC#s, SS#s etc)
Secondly – something all IT people in the USA need to be aware of; we don’t have a lot of protections when it comes to whistle blowing. There are basically two routes if you work in private industry (federal and state-employed whistleblowers have different avenues): Sarbanes-Oxley (SOX) whistleblower protection for publicly traded companies (see fact sheet at http://www.osha.gov/Publications/osha-factsheet-sox-act.pdf) and state “public policy” or whistleblower laws, for companies that aren’t publicly traded. State laws are usually weak, and SOX whistleblower protection is pretty much a joke, but there is a way to negotiate them and possibly get a positive change as LONG AS YOU FOLLOW THE RULES (fyi – these rules pretty much apply to all forms of whistle blowing):
- Know the law as it pertains to data security. Publicly traded companies are covered by SOX (internal controls rules CAN and SHOULD cover data security under the contractual obligations with VISA), financial institutions are covered by the Gramm-Leach-Blilely Act, and other OCC rules and regs. GLBA covers privacy data at a federal level. Nearly all states have some sort of laws for privacy and financial account protection these days and nearly all of them are similar to California SB 1386. They can be looked up online – good resources are www.privacyrights.org and www.consumersunion.org.
- If you find something that the company is doing that is not in line with these laws, document what you’ve found and tell your supervisor. IT IS CRITICAL TO STATE WHICH LAW YOU THINK IS BEING VIOLATED AT THIS TIME – THE EXACT LAW AND DO IT IN WRITING – EMAIL IS FINE. KEEP A HARD COPY. Once you do this, you have entered the protected activity phase, which means that the company has to tread carefully from that point on as far as disciplinary action etc.
- If you have gone to your supervisor 3 times and nothing has happened, escalate to his boss and/or the Information Security Department. I generally would recommend telling your supervisor that you intend to do this. Again – document everything and ALWAYS spell out which law is being broken.
- If you STILL see no change I would see if the company has an Internal Audit department and I would find out how to contact the Audit Committee (for publicly traded companies). At this point I would also consider going to Human Resources just as a CYA. But remember, HR is NOT YOUR FRIEND. IT IS GUARANTEED THAT WHATEVER YOU TELL THEM, THEY ARE GOING TO TELL YOUR BOSS. Forward your concern to the head of Internal Audit, and also the company’s Audit Committee. For non-publicly traded companies you might not have this option. ALWAYS KEEP THE DOCUMENTATION ON ALL THIS – and IF YOUR STATE LAW ALLOWS ONE-SIDED APPROVAL TO RECORD CONVERSATIONS I WOULD START CARRYING A SMALL RECORDER AND USING IT – ESPECIALLY WITH ANY DEALINGS WITH HUMAN RESOURCES. Cloak and dagger? Unethical? Against company policy? Will get you fired if they find out? Probably all of the above - but this was one of my biggest regrets – not doing it. If the judge and jury had heard the way that I was treated, I would have made all the difference in the world.
- At this point, the company is a) going to do nothing and hope you shut up and/or go away, b) start working to fix the problem, c) start a harassment campaign to get you to quit or d) fire you. If you start experiencing any evidence of hostility, change in schedules or job functions, changes in responsibilities, shunning etc DOCUMENT EVERYTHING. Look up the definition of hostile work environment and if you start experiencing any of this – KEEP A JOURNAL. But, remember, journals are not admissible as evidence, but can be used to refresh your memory. EMAILS are the main evidence these days, so document, document, document and ALWAYS BE PROFESSIONAL.
- If things reach this point and you STILL want to try to get the problem(s) fixed it’s time to consider going outside the company for a solution. Read the OSHA documentation for SOX whistleblowing listed above, if your company is not covered by SOX contact your attorney general’s office in your state to find out what to do (that may get you nowhere – be prepared for that). You can try contacting the Federal Trade Commission for data security violations in regard to credit card numbers, but as they have a 1.8% enforcement rate (after data breaches occur) I’m not sure I would bother. VISA/MC have no method of contact to my knowledge – although they are the ones that do enforcement of the PCI DSS. Also – now is the time to start getting the documentation you need together, including proof of wrongdoing and putting it somewhere for safekeeping (unless your company is the firing type – then I’d start getting the docs out from the beginning). Please be advised that this gets on shaky ground because of non-disclosure agreements, but as long as you intend to use the documentation ONLY for purposes of an outside investigation you should be OK. Don’t hand it over to the press in other words, or post it online.
- At this point you can still continue to do things on your own, but I would recommend contacting an attorney who specializes in whistleblower law – a good resource can be found at the Government Accountability Project, www.whistleblower.org
Sounds like a lot of work and hassle – you bet it is. But, I can say FROM EXPERIENCE that this is the about the only way to effect a positive change from whistle blower actions. Hopefully, everything can be solved in-house and you will never have to go outside the company to try to solve the problem.
FYI – I lost my SOX case because the federal judge said that as a database administrator (rather than an accountant) I could not have had a “reasonable belief” that the company was breaking the law, although all the evidence that was produced showed that they were CLEARLY in violation of many state and federal laws. The judge’s decision was totally bogus of course, and I think he regretted it after he saw all the evidence (case had a lot of “moving parts”, evidence came up in a jury trial on a state whistleblower claim). But, if I had followed all the steps I had outlined above, I would have had a better chance of winning.
Also be prepared for the “deer in the headlights” look whenever you start talking about IT security to anyone who is not in IT. Learn how to speak in layman’s terms.
Nell Walton, CISA, CISSP
