A Perspective from the UK
Over the past few years there have been a number of high-profile cases in which whistleblowers have leaked information to the public, highlighting wrongdoing, corruption and malpractice at trusted institutions. Whilst some of these cases have clearly disclosed information that is in the public interest – for example the recent inquiry into the fatalities at Morecambe Bay Furness Hospital – other whistleblowers have disclosed sensitive corporate data, leading some to question whether the information is truly in the public interest or is in fact a data breach.
What is clear is that whistleblowing can have huge financial repercussions: the Pentagon has recently said that it may cost billions of dollars to overcome the damage to military security caused by Edward Snowden’s release of classified intelligence documents.
From a corporate perspective, unfounded whistleblowing is essentially another type of ‘insider threat’, and we know that this issue is climbing higher on the risk agenda for IT departments worldwide. Organisations must assess the threat that this form of data leakage poses to their business and put measures in place to protect themselves.
Firstly, businesses can use an array of solutions to protect corporate data on computers, laptops, wireless networks and in the workplace. For organisations seeking extra security, an Enterprise Management System, with a command centre from which device activity can be viewed anywhere in the world, provides a robust and highly secure solution. Data can be stored securely, and if an employee fails to return to work the device can be destroyed remotely.
There are, however, many other complex regulations to consider when it comes to whistleblowing.
Under the Enterprise and Regulatory Reform Act 2013, whistleblowers have to show that they “reasonably believe” that the disclosure they are making is in the “public interest”. Unfortunately, what amounts to “public interest” is not defined in the legislation, and it will be left to the courts and tribunals to establish its interpretation.
The law states that an individual is permitted to disclose information, i.e. to blow the whistle, if someone’s health and safety is in danger, if there is damage to the environment, if the employer is committing a criminal offence, if the company is failing to honour its legal obligations, or if the company is covering up a wrongdoing.
Many of these exceptions will pose no threat to the everyday corporation; the key threat is therefore the possibility of an ex-employee sharing sensitive information.
Although the Data Protection Act gives businesses additional protection when private data is at stake, there is still a concern that ex-employees will speak out about historic events, such as data breaches experienced during their employment.
A ‘Compromise Agreement’ is becoming a common solution to the problem of employee trust. Organisations are adding a clause to contracts to ensure that all confidential information remains confidential, so that employees are prevented from making defamatory comments or disclosing sensitive information, even after they have left the company.
This month, Sir Robert Francis QC announced a ban on the ‘Compromise Agreement’ for hospital staff. In the health sector, where lives are at stake, it is clear that the act of whistleblowing must be protected. Some incredibly shocking stories have been revealed, highlighting horrendously poor care and unacceptably high mortality rates. This has of course had a positive outcome and has forced trusts to introduce new regulations to improve patient care.
For the corporate world, however, whistleblowing poses quite a different risk, and the damage can cost organisations hundreds of thousands, or even millions, of pounds to repair. Businesses must reduce this risk by protecting their data, which lives both inside the building and outside it, on employee mobile devices and in the cloud. This way, they can put themselves one step ahead of the game.
Organisations need to ensure that permissions and privileged-access controls are in place to protect sensitive information and reduce the potential for it to be breached.
Businesses need to keep an inventory of, and recover, anything that has been issued to employees, such as mobile phones, tablets, laptops, proprietary software or data; failing to do so could have detrimental repercussions.
Ensuring that intellectual property and sensitive data remain secure is an ongoing challenge, and if businesses fail to protect this information, the threat from whistleblowers will endure.