What Are the Incentives for Cybersecurity Whistleblowers?

By Devin Partida, Editor-in-Chief, ReHack.com

Cybersecurity professionals deal with sensitive information on a regular basis, so it makes sense that they often go public when it is mishandled. Since their primary job is to maintain security, there are plenty of incentives for cybersecurity whistleblowers to come forward.

The Process of Whistleblowing

A whistleblower can leak documents or information to the public or go directly to official agencies. While they do not have to go to the government, they often feel motivated to do so.

An individual can sue on the government’s behalf using qui tam actions. Cybersecurity whistleblowers could bring a lawsuit against their former company and allege false claims of data protection. Their position representing the government during the suit gives them additional protection.

After they file a qui tam lawsuit, all subsequent similar suits cannot proceed in a court of law.

This action ensures they have control over the situation, making it more attractive. It also encourages whistleblowers to act quickly.

Since a subsequent qui tam suit cannot move forward once one is already happening, potential whistleblowers may move more urgently. Whatever they stand to gain is only possible if they begin the process.

Common Incentives for Cybersecurity Whistleblowers

There are many reasons why someone becomes a whistleblower. Most commonly, it happens in reaction to fraud, illegal activity, corruption or abuse. Individuals may have personal reasons to expose each instance, but they can also gain reputation or money.

Often, whistleblowers do it because they feel it’s necessary to report such activity. They deal with critical data, and its misuse significantly affects regular people. That data is connected to private medical and financial information. A company that doesn’t handle such things properly can put people’s livelihoods at risk.

Whistleblowers are incentivized to come forward because they stand to gain:

There are government programs that reward them financially. They are compensated with money when their claim is successful. When the cases are against large companies, they may receive enormous payouts.

They may feel like they personally gain by retaliating against an employer. While this is not often the case, some employees might come forward because they feel anger at their company. For example, a whistleblower could make a report after being denied a raise.

Moral obligations can strongly incentivize many. Fraud and criminal activity are two common reasons why many become whistleblowers. The mishandling of data leads to real-world consequences. Morality typically incentivizes them to make their knowledge of such things public.

Since they are legally protected, they may feel emboldened or want recognition. The government has taken many actions to protect whistleblowers, so most feel encouraged to go to them. They are more likely to do so when they feel safe.

Many receive significant monetary compensation for their accounts. For example, two individuals received $12 million collectively in March of 2023 after their cases succeeded. Such a large amount of money is an excellent motivator.

Beyond financial gain, some may choose to make things public because they feel it is in their best interest. While most go to the government, some simply leak their data to the public. Not only do they not stand to gain anything financially in that case, but they also put themselves at legal risk. When that is the case, it usually is because they feel obligated or wish to retaliate against their employer.

Cybersecurity professionals regularly deal with sensitive information. For example, they are responsible for patients’ confidential information in health care settings. Individuals are often whistleblowers because their employers mishandle or neglect such data, which has serious ramifications.

How the Government Incentivizes Whistleblowers

Whatever their incentive for reporting, cybersecurity whistleblowers are well protected by the government. Multiple agencies have created laws, regulations and programs to defend them. For example, the Securities and Exchange Commission (SEC) can take legal action against anyone who retaliates against whistleblowers — it is not limited to employers.

Over the years, legal protections have strengthened to encourage whistleblowing and safeguard those who make reports. They’re relatively legally untouchable as long as they follow proper procedures.

However, that is not always the case. In 2013, the well-known whistleblower Edward Snowden exposed a government agency for collecting information on citizens without their knowledge. Even though he thought it was his duty to reveal such a privacy violation to the public, he was actually breaking the law and faced legal consequences.

In reaction to similar situations, government agencies created more protections for anyone coming to them with sensitive information. The Department of Justice made a Civil Cyber-Fraud Initiative to enforce information and system security and protect whistleblowers who provide relevant information. People are more likely to give information directly to official bodies instead of the public.

Whistleblowing is often for the benefit of the general public, but the government prefers to know the information beforehand. It lets them anticipate reactions and control damage, which is why they want to incentivize people to report directly to them.

Why Cybersecurity Professionals Whistleblow

Personal reasons may motivate cybersecurity professionals to report, but they are typically morally obligated. Their work is all about securing information, systems and networks, so it is reasonable they would react to neglected security. Many go into the field because they are passionate about security. Ultimately, it is likely their main incentives are connected to their work.

Devin Partida is an industrial tech writer and the Editor-in-Chief of ReHack.com, a digital magazine for all things technology, big data, cryptocurrency, and more. To read more from Devin, please check out the site.


