Whistleblowers: Data theft or public service?

This is a contributed piece from Nick Banks, VP EMEA and APAC, IronKey by Imation

Whistleblowers are the subject of much controversy, with some viewing their actions as a positive act necessary to prevent any wrongdoing, whilst others suggest that whistleblowers are likely disgruntled employees who maliciously set out to damage an organisation.

Over the past few years there have been a number of high-profile cases where whistleblowers have leaked information to the public, highlighting corruption and malpractice amongst trusted institutions. Whilst some of these cases have clearly disclosed information that is in the public interest – for example the recent inquiry into the fatalities at Morecambe Bay Furness Hospital – other whistleblowers have disclosed sensitive corporate data, leading some to question whether the information is truly in the public interest, or is in fact a data breach.

What is clear is that whistleblowing can have huge financial repercussions – in fact, the Pentagon has recently said that it may cost billions of dollars to overcome the damage to military security caused by Edward Snowden’s release of classified intelligence documents.

From a corporate perspective, unfounded whistleblowing is essentially another type of ‘insider threat’, and we know that this issue is climbing higher on the risk agenda for IT departments worldwide. Organisations must assess the threat that this form of data leakage can pose to their business and put measures in place to protect themselves.


There are many complex regulations to consider when it comes to the issue of whistleblowing. Under the Enterprise and Regulatory Reform Act 2013, whistleblowers have to demonstrate that they “reasonably believe” that the disclosure they are making is in the “public interest”. Unfortunately, what amounts to “public interest” is not defined in the legislation and it will be left to the courts and tribunals to lead the way with their interpretation.

The law states that an individual is permitted to disclose information (to whistleblow) if someone’s health and safety is in danger, if there is damage to the environment, if the employer is committing a criminal offence, if the company is failing to honour legal obligations or if the company is covering up a wrongdoing.

Many of these exceptions will pose no threat to the everyday corporation; the key threat is therefore the possibility of an ex-employee sharing sensitive information.

Data Protection

Although the Data Protection Act gives businesses additional protection when private data is at stake, there is still a concern that ex-employees will speak out about historic events such as previous data breaches experienced whilst employed.

There are some practical steps that businesses can take to protect their intellectual property. They can use an array of solutions to protect corporate data on computers, laptops, wireless networks and in the workplace. For organisations seeking extra security, an Enterprise Management System, with a command centre whereby device activity can be viewed from all over the world, provides a robust and highly secure solution. Data can be securely stored and if an employee fails to return to work, a device can be destroyed remotely.

A ‘Compromise Agreement’ is becoming a common solution to the problem around employee trust. Organisations are adding a clause in contracts to ensure that all confidential information remains confidential, and employees are then prevented from making defamatory comments or disclosing sensitive information, even after they have left a company.


Organisations must consider the issue objectively, as it can result in negative consequences for the employees and the organisation in question. Businesses should develop formal policies for the effective management of whistleblowing. These should provide guidelines on how organisations should respond to the concerns of their employees, to protect those who wish to disclose matters of public interest.

Equally, businesses should be prepared to incorporate whistleblowing policies that allow for internal disclosure mechanisms for employees who wish to discuss their concerns. Organisations should also include a caveat noting that employees are discouraged from expressing concerns in an unethical manner outside of the corporation.

Organisations need to ensure that they have permissions and privileged access controls in place to protect sensitive information and to avoid the potential for a breach.

Whistleblowing policies offer the opportunity for internal resolution of sensitive issues and provide organisations with an opportunity to correct them behind closed doors. Whilst there is no panacea for protecting against whistleblowing, businesses that ensure they have the necessary policies and data protection solutions in place will go a long way towards avoiding costly and detrimental repercussions.

