Would your cybersecurity stand up to a whistleblower?


Why is this question relevant? This one example shows the risk businesses are taking by not meeting requirements to protect data.

In this case, the Department of Justice Civil Cyber-Fraud Initiative was used by a former IT staffer of a manufacturer that was subject to data security requirements in its government contracts. The DOJ intends to use the False Claims Act (FCA) to hold government contractors accountable for putting U.S. information and systems at risk by knowingly: (1) providing deficient cybersecurity products or services; (2) misrepresenting cybersecurity practices or protocols; or (3) failing to monitor and report cybersecurity incidents and breaches. The claim was that the company had lied about its adherence to compliance requirements, and the suit sought damages in excess of $19 billion, three times the sum of every invoice the company had been paid.

Although no breach occurred, the U.S. District Court rejected the company's argument that the government did not suffer any damages. Less than 24 hours after the jury was selected, the company agreed to a $9 million settlement, plus attorney's fees.

The False Claims Act includes a financial incentive for company insiders/whistleblowers to uncover and report fraud. If their disclosure results in the recovery of funds by the United States, the whistleblower will be entitled to 15-30% of the funds recovered.

The impact for organizations that are subject to requirements to protect the government's data is pretty clear. What about your business? If you are not taking your responsibility to protect the data of your staff, customers, members, or other stakeholders seriously, could a whistleblower put your business at risk by informing a regulatory agency, an attorney, or even your biggest client that you are putting their data at risk?
