Cybersecurity Whistleblowers Turn Up the Heat on Microsoft and Guidehouse

Whistleblower watchdogs have proven to be essential in aiding the Government’s efforts to protect the public against cybersecurity breaches and vulnerabilities, as evidenced by two recent stories making news headlines. First, whistleblower Elevation 33, LLC, an entity owned by a former Guidehouse employee, helped DOJ secure an $11.5M settlement, one of the largest cybersecurity settlements under the False Claims Act, with Guidehouse and Nan McKay and Associates (NMA) for allegedly failing to conduct contractually required cybersecurity testing that would have detected and prevented a 2021 breach of PII in New York's Covid-era Emergency Rental Assistance Program.

Second, ProPublica's Renee Dudley reported on whistleblower Andrew Harris's tireless and ultimately futile campaign to alert Microsoft, his former employer, to critical cybersecurity flaws and get them fixed, years before the SolarWinds hack. Harris's four-year odyssey to report inside Microsoft is, sadly, an all-too-familiar cautionary tale for internal whistleblowers. Even though his findings were later corroborated by outside cybersecurity experts, Microsoft refused to heed Harris's countless warnings, choosing, as Dudley reports, to put its own business interests above those of its customers, including the U.S. government. Rather than plug its cybersecurity holes, a cost center, Microsoft reportedly opted to prioritize the profit center that was its then-new Azure product, out of concern that implementing Harris's fix would jeopardize its ability to secure a lucrative contract with the federal government.

Cybersecurity professionals, like Compliance Officers, are essential parts of their companies' risk management function. Rather than being rewarded for successfully doing their jobs and exposing a risk that threatens their business, they are frequently ignored or, worse, retaliated against for exposing an inconvenient truth. In this way, employees like Andrew Harris do not set out to be whistleblowers; instead, companies like Microsoft make them into whistleblowers by creating an environment where they are marginalized and ignored and have no option but to report externally to regulators or the media, thereby indelibly affixing them with the whistleblower moniker.

It does not have to be this way. Risk professionals should be heeded and rewarded for doing their jobs well. And as research from Professors Kyle Welch and Steve Stubben shows, protecting the business is good business, meaning it can be profitable too.

For more information about the role of whistleblowers in protecting the public against cybersecurity breaches, read about our attorneys' successful representation of a cybersecurity whistleblower with information about cybersecurity vulnerabilities at Cisco Systems.