By nellwal

I was extremely disappointed to see that an employee of TJX (CrYpTiC_MauleR) had been tracked down and fired for posting some comments about TJX’s data security flaws (TJX of HUGE SECURITY BREACH fame). As an information technology whistleblower who just finished three years of whistleblower litigation against my former employer over data security problems, I thought it would be useful to post, for the IT community, how one goes about blowing the whistle in a way that gives you some chance of a successful outcome.

First off, this is not a path I would recommend to anyone unless you have a completely ethical reason for doing so, a backbone of steel, and a very thick skin (don’t think you will make a million $$, in other words). In my case, the security problems were rampant, auditors were not told the truth, and I was directly in line to be blamed if there was a data breach (I was the company’s database administrator, responsible for managing security on the databases that held credit card numbers, Social Security numbers, etc.).

Secondly, something all IT people in the USA need to be aware of: we don’t have a lot of protection when it comes to whistleblowing. There are basically two routes if you work in private industry (federal and state-employed whistleblowers have different avenues): Sarbanes-Oxley (SOX) whistleblower protection for publicly traded companies (OSHA publishes a fact sheet on it), and state “public policy” or whistleblower laws for companies that aren’t publicly traded. State laws are usually weak, and SOX whistleblower protection is pretty much a joke, but there is a way to navigate them and possibly get a positive change, as LONG AS YOU FOLLOW THE RULES (FYI, these rules pretty much apply to all forms of whistleblowing):

  1. Know the law as it pertains to data security. Publicly traded companies are covered by SOX (internal controls rules CAN and SHOULD cover data security, given the company’s contractual obligations with VISA); financial institutions are covered by the Gramm-Leach-Bliley Act (GLBA) and other OCC rules and regulations. GLBA covers privacy data at the federal level. Nearly all states now have some sort of law on privacy and financial account protection, and nearly all of them are similar to California SB 1386. They can be looked up online.
  2. If you find something the company is doing that is not in line with these laws, document what you’ve found and tell your supervisor. IT IS CRITICAL TO STATE, AT THIS TIME, WHICH LAW YOU THINK IS BEING VIOLATED (THE EXACT LAW) AND TO DO IT IN WRITING. EMAIL IS FINE; KEEP A HARD COPY. Once you do this you have entered the protected-activity phase, which means the company has to tread carefully from that point on as far as disciplinary action, etc.
  3. If you have gone to your supervisor three times and nothing has happened, escalate to his boss and/or the Information Security department. I would generally recommend telling your supervisor that you intend to do this. Again, document everything and ALWAYS spell out which law is being broken.
  4. If you STILL see no change, find out whether the company has an Internal Audit department and (for publicly traded companies) how to contact the Audit Committee. At this point I would also consider going to Human Resources, just as a CYA. But remember, HR is NOT YOUR FRIEND: IT IS GUARANTEED THAT WHATEVER YOU TELL THEM, THEY ARE GOING TO TELL YOUR BOSS. Forward your concern to the head of Internal Audit and also to the company’s Audit Committee. For non-publicly traded companies you might not have this option. ALWAYS KEEP THE DOCUMENTATION ON ALL OF THIS, and IF YOUR STATE LAW ALLOWS ONE-PARTY CONSENT TO RECORD CONVERSATIONS, I WOULD START CARRYING A SMALL RECORDER AND USING IT, ESPECIALLY IN ANY DEALINGS WITH HUMAN RESOURCES. Cloak and dagger? Unethical? Against company policy? Will get you fired if they find out? Probably all of the above, but not doing it was one of my biggest regrets. If the judge and jury had heard the way I was treated, it would have made all the difference in the world.
  5. At this point the company is going to a) do nothing and hope you shut up and/or go away, b) start working to fix the problem, c) start a harassment campaign to get you to quit, or d) fire you. If you start experiencing any evidence of hostility, changes in schedule or job functions, changes in responsibilities, shunning, etc., DOCUMENT EVERYTHING. Look up the definition of “hostile work environment,” and if you start experiencing any of this, KEEP A JOURNAL. Remember, though, that journals are not admissible as evidence, but they can be used to refresh your memory. EMAILS are the main evidence these days, so document, document, document, and ALWAYS BE PROFESSIONAL.
  6. If things reach this point and you STILL want to try to get the problem(s) fixed, it’s time to consider going outside the company for a solution. Read the OSHA documentation for SOX whistleblowing mentioned above; if your company is not covered by SOX, contact your state attorney general’s office to find out what to do (that may get you nowhere; be prepared for that). You can try contacting the Federal Trade Commission for data security violations involving credit card numbers, but as they have a 1.8% enforcement rate (after data breaches occur) I’m not sure I would bother. VISA/MC have no method of contact to my knowledge, although they are the ones that enforce the PCI DSS. Also, now is the time to start getting together the documentation you need, including proof of wrongdoing, and putting it somewhere for safekeeping (unless your company is the firing type, in which case I’d start getting the docs out from the beginning). Be advised that this gets onto shaky ground because of non-disclosure agreements, but as long as you intend to use the documentation ONLY for the purposes of an outside investigation you should be OK. In other words, don’t hand it over to the press or post it online.
  7. At this point you can still continue to do things on your own, but I would recommend contacting an attorney who specializes in whistleblower law. A good resource is the Government Accountability Project.

Sounds like a lot of work and hassle? You bet it is. But I can say FROM EXPERIENCE that this is about the only way to effect a positive change through whistleblower actions. Hopefully everything can be solved in-house and you will never have to go outside the company to try to solve the problem.

FYI, I lost my SOX case because the federal judge said that, as a database administrator (rather than an accountant), I could not have had a “reasonable belief” that the company was breaking the law, although all the evidence that was produced showed that they were CLEARLY in violation of many state and federal laws. The judge’s decision was totally bogus, of course, and I think he regretted it after he saw all the evidence (the case had a lot of “moving parts”; the evidence came up in a jury trial on a state whistleblower claim). But if I had followed all the steps I outlined above, I would have had a better chance of winning.

Also, be prepared for the “deer in the headlights” look whenever you start talking about IT security to anyone who is not in IT. Learn how to speak in layman’s terms.

Nell Walton, CISA, CISSP

9 Responses to “Data Security – Whistleblowing 101 for IT Professionals”

  1. b0rkedTJX
    July 17, 2008 at 3:26 pm

    I have 2 words for you:
    “Movie Rights”.

  2. cy
    July 31, 2008 at 7:14 am

    This is very useful info. Hopefully, the people who need this information the most would have the forethought to look for this BEFOREHAND. As you have pointed out in your writing, “documentation” is very important, esp. in legal matters.

    Sorry to hear that your case did not go your way. That’s how things sometimes end up. But at least you’ve done the right thing.

  3. lynn
    September 6, 2008 at 8:25 am

    I’m trying to push PCI compliance. I learned the hard way about billing disputes; I’m pushing it to try and get $4000.00 back. If you file a billing dispute, MC will only go back 120 days (my bad charges go back 16 months); if you try to push fraud, MC says it has a policy to fight 2 charges, and mine come to 41. So I’m going to try PCI compliance: the company failed to protect my data, kept my card information on an index card with another company’s name, address, etc. Each time they would charge, I got billed. Theft or incompetence? Even though these were all pickup orders, much like you would do at Kmart or Walmart, there is no signature. Again, though, who do you complain to? I called MC and said I want to report PCI noncompliance; the agent said “what’s that?”
    They put a supervisor on; he said nothing. I called the company that sets the standards and asked them how to report PCI, and they said “good question.” Is it all for the press?

  4. ron
    May 10, 2009 at 8:07 am

    Just to emphasize your point about documentation: make sure it is ON PAPER, and OFF SITE! I read a story about a guy who sent emails about a problem. Then he was called into the office and given grief about complaining. So he went to print the email out for documentation. Surprise, surprise, the email had been deleted from his inbox and from the email server.

    To paraphrase an old saying “your documentation is only as good as the paper it is printed on.”

    (original phrase uses contract in place of documentation)

  5. December 15, 2010 at 2:25 am

    I’m curious about your lawsuit. It would be great if you posted or pointed to copies of the court filings (e.g. the initial complaint, etc.), much like I do with my case.

    Also, as a CISA and CISSP, I’m curious what you think about the settlement currently under consideration. It includes an audit component, to be performed by a CISA or CISSP. I’d love it if you took a look and commented, publicly or privately. My thoughts are on my blog; curious if you agree.

  6. December 14, 2012 at 8:26 pm

    I feel this is one of the most vital pieces of info for me.
    And I am glad reading your article. However, I want to remark on some general things: the site style is ideal, the articles
    are actually excellent :D. Just right job, cheers
