
Let's say a US non-government employee comes in contact with very sensitive unprotected information on the web. The information was gathered using OSINT (Open Source Intelligence); there was no other occurrence of this information on the internet, in local libraries, etc. If the existence of the unprotected information was reported to the owner (a defense contractor), what protection does the person reporting the data vulnerability have against retribution by the embarrassed owner of the information? Would it be better to report the exposed information to the military law enforcement of the end user of the equipment or data?

Matthew

2 Answers

The personal downside of not reporting it is slim. The personal upside of not reporting it is you keep your job and maybe see an opportunity to fix it some day (or to cash out as a hacker later if you can avoid espionage charges).

The personal upside of reporting it is almost nil and it isn't likely to work.

The personal downside of reporting it is that there is a good chance you will be fired or suffer negative consequences that, even if there is theoretically whistleblower protection, are very hard to prove and almost never secure a full remedy even if you win.

Basically, you are in a bad situation with no good choices.

ohwilleke

There are a variety of whistleblower protections applicable. Because you're talking about military police, I assume you're thinking of defense-related information.

If that's the case, and you're talking about a discovery by an employee of the contractor, one source of protection would be Section 828 of the National Defense Authorization Act of 2013, which protects the employee from any discharge, demotion, or other discrimination for reporting a violation of a law, rule, or regulation related to the contract, which would presumably include the rules on protection and disclosure of classified information.

In the event of retaliation, the act allows the employee to seek reinstatement, collect damages for lost wages, etc., and recover attorneys' fees and court costs.

In many cases, a nonemployee whistleblower can bring a qui tam action under the False Claims Act or a state law equivalent. If that happens, retaliation against the witness could subject the wrongdoer to liability for criminal retaliation, witness tampering, etc.

If you're talking about an employee who has not filed a lawsuit, the protections are generally going to be limited to those available through generally applicable tort law: defamation, malicious prosecution, etc. Those may not be much comfort after the wrong has already been done, but they hopefully provide some disincentive to keep the company from retaliating.

In any of these scenarios, I recommend speaking with a lawyer who specializes in whistleblower law. Whistleblower laws are frequently far less helpful than they look, and an uninformed party can easily waive his rights. Lawyers in this field usually work on contingency, so you would likely be able to have an initial conversation at no cost to figure out what kind of protections are available and how to make the best use of them.

bdb484