Whistleblowing isn’t a new phenomenon, and has been recognized and protected under SOX, GLBA, Federal and State laws, as well as industry-specific regulatory frameworks. The Dodd-Frank Act has ensured additional protections for corporate officers who come forward with evidence of misconduct or wrongdoing, and created financial incentives for whistleblowers to report securities violations and fraud.
You may be aware of a recent decision by the Third Circuit Court of Appeals in FTC v. Wyndham Resorts, which affirmed FTC’s standing as a Federal cyber enforcer under the Court’s intentionally broad – and unanimous – interpretation of the “fair trade” doctrine. What this means is that the FTC will increase its scrutiny of cyber security issues which affect US commerce and involve US consumers, surely to add to its list of approximately 50 recent enforcement actions taken against a variety of firms thus far.
However, FTC can only act upon known issues. A breach affecting millions of consumers, such as the Wyndham case or the Target and Home Depot incidents, comes into FTC’s view only after the proverbial horse has left the barn. While FTC seeks to encourage responsible behavior through punitive action meant to act as a deterrent for the rest of the field, the retroactive nature of its action leaves much to be desired on the preventive side of the equation.
Despite a positive step in the right direction, the Commission’s post hoc enforcement scope creates a potential incentive for firms to conceal information security breaches at all costs in a bid to prevent additional scrutiny and likely punishment for failure to do adequately secure their information operations. In many cases, the firms are successful. As reported in the New York Times, a massive breach of a major industrial automation firm shortly after its $2-billion acquisition went unreported to the markets and regulators, remaining under wraps until a confidential customer memo was leaked to a well-known security blogger.
Wrapped in non-disclosure agreements and contract confidentiality clauses, manufacturers get to operate in secrecy, largely making the public disclosure of a breach a choice rather than an obligation (in cases not involving regulated consumer data such as credit cards and PII).
Transparency is difficult to come by in a field cloaked in what I call the “Three M’s” of cyber security: myth, mystique, and mystery. Confidentiality for confidentiality’s sake prevails throughout corporate organizations, stifling
CEO’s don’t want to hear about problems which they would be compelled to solve – if they actually heard about them. Integrity of internal controls, after all, is a serious matter well within the regulatory purview of the SEC. The logical answer, in the unscrupulous organizations at least, becomes rather obvious: keep the CEO and the Board from hearing about cyber issues they’d be forced to fix. With information security, that’s all too easy given the inherent complexity and difficulty in assessing the true state of cyber posture and maturity in global organizations.
This obfuscation doesn’t have to appear all that malicious, either. A simple omission, a confused statistic, an “honest mistake” in reporting threat or vulnerability data – all plausible enough to filter the information about known or suspected deficiencies in the enterprise security program.
How do we pierce this veil of corporate secrecy and obfuscation, designed to immunize and absolve the power structure while allowing cyber negligence to remain the accepted status quo? If internal reporting is suppressed, and those who speak out find themselves ostracized – or worse, – what channels are available for communicating internal issues tantamount to corporate misconduct and malfeasance?
The answer: Whistleblowing.
Encouraging and protecting those who come forward is essential to the functioning of markets and societies. Transparency, Integrity, and trust are non-negotiable. As our world continues to become “smarter”, more connected, more integrated, as our transactions become more distributed and rapid, as machine learning and automation become more mainstream by the day – it is fundamental we as consumers, and the regulators on our behalf, insist on total integrity and trustworthiness on the part of those who seek to populate our world with “smart” machines.
The manufacturers and suppliers competing for the lucrative space on our wrists, in our pockets, our kitchens, cars, and office buildings, must prove to us their technologies are safe, secure, and resilient before we allow them to take over our lives to the tune of 50 billion connected devices projected to surround us by the year 2020 (Gartner).
Whistleblowers are crucial in ensuring that no matter how complex an organization, how powerful or aloof the management, or how lucrative the business venture – consumers get to know the truth, and to make their choice in the marketplace based not only on the features of a product or service, but its maker’s trustworthiness and integrity.
Cyber whistleblowers have a pivotal role to play in the upcoming battle to connect our world. Let us encourage them and protect them.
In a recent article in CIO Magazine, the nation’s premier whistleblower attorney Debra S. Katz of Katz Marshall Banks provides an overview of the unique challenges faced by cyber whistleblowers, and the dangers for companies who retaliate against them:
View the original content and more from this author here: http://ift.tt/1GbQEEi
from cyber security caucus http://ift.tt/1MTRhdh
via IFTTT
No comments:
Post a Comment