Cybersecurity whistleblowers: Get ready for more

It is not a comfortable topic – virtually all cases involving a cybersecurity whistleblower have ended with a confidential settlement. But experts, and lawyers, say that in an increasingly connected world, those cases are bound to increase.

It is not a public problem yet. But according to multiple experts, it will be.

“It” is the cybersecurity whistleblower – an employee who sees a flaw, or flaws, in his or her company’s network security, brings the problem to management but gets ignored or punished – marginalized, harassed, demoted or even fired.

And then the worker either goes public or files a complaint with a federal regulatory agency like the Securities and Exchange Commission (SEC).

Such a scenario is unlikely to end well – almost certainly for the company (if the complaint is credible) and perhaps even for the whistleblower, notwithstanding laws meant to protect them.

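The company could face fines and other regulatory sanctions. The employee, who in some cases might get rewarded (the SEC offers from 10% to 30 percent of settlements of more than $1 million to “eligible” whistleblowers), might also find it damaging to a career.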

“Think about it. If you were someone classified as a whistleblower, it would label you unemployable,” said one expert who declined to speak for attribution.

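Another expert, who also declined to speak for attribution, said that when he refused to certify that his former employer was meeting certain security standards, “I got warned and eventually resigned. It became a hostile work environment.”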

He has never spoken about it to regulators or other outside authorities either.

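Eddie Schwartz, international vice president of ISACA and president of WhiteOps, said he knows of a case in which a nation-state hack occurred and an employee reported it to his superiors.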

“He was told to mind his business and that the organization was dealing with it. It wasn’t, and when he reported it to authorities, he was essentially fired for it,” Schwartz said.

Eddie Schwartz, international vice president of ISACA and president of WhiteOps

So the predicted increase in cybersecurity whistleblower cases is somewhat speculative at the moment, in part due to secrecy. There are no public cases involving them on record so far, even though most businesses have had an online presence for two decades or even longer.

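They do exist, according to Debra Katz, founding partner at Katz, Marshall & Banks. She said her firm has represented about a dozen such whistleblowers, but the cases, “settle at the pre-litigation stage and contain strong confidentiality provisions.” In other words, they are not public.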

A second reason for a lack of clarity is that it remains a relatively new legal field. “All federal agencies – not just the SEC – are playing catch-up to align their policies with the seriousness of cybersecurity threats,” Katz said.

Debra Katz, founding partner, Katz, Marshall & Banks

That means there is not much legal history, precedent or even laws that specifically address cybersecurity whistleblowers.

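While nearly two dozen laws provide whistleblower protection in areas ranging from asbestos to drinking water, solid waste, railroads, motor vehicles, containers, pipelines, aviation, consumer products, hazardous waste, food, drugs and more, there is nothing on the books offering specific protection for those involving cybersecurity.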

Still, attorneys like Katz, who specialize in whistleblower cases, say top management in organizations may need to play catch-up as well, since such cases could lead to damaging breaches or an investigation by a regulatory agency – or both.

And while legal protections may not be explicit for cybersecurity whistleblowers, they exist by implication, experts say. Lance Hayden, managing director at the Berkeley Research Group and a CSO contributor, is one of several who have cited a settlement last September between the SEC and R.T. Jones Capital Equities Management over charges that the firm’s violation of the “safeguards rule” led to a breach that compromised the information of about 100,000 people.

While the firm did not have to admit to the charges, it agreed to a censure by the SEC and to pay a $75,000 fine.

There was no documented evidence of whistleblower involvement in the case, but Hayden wrote that it became “a catalyst,” for the SEC to focus on cybersecurity.

He quoted SEC Commissioner Kara Stein saying after the R.T. Jones settlement that the agency intends “...to play a much more active role in trying to help companies better protect themselves against an increasing number of cyber security issues …”

Dallas Hammer, an attorney with Zuckerman Law, writing in the National Law Review, said the R.T. Jones case indicates that, “cybersecurity issues have become a key enforcement priority for the SEC,” which means that, “in turn, whistleblower tips that touch on cybersecurity may receive additional scrutiny.”
