Do we need whistle-blower laws in security?

I never thought I would have to write about this topic. I get that security is a practice built on a premise of secrecy, and that knowledge of security operations and structure is paramount to the safe and successful execution of any security program. But I am increasingly running smack into situations that are making me rethink my long-held belief that security is black & white. More and more it appears to be a spectrum between fixed points, and sometimes businesses need a little nudge to do the right thing.

Long-time readers of this blog will know that my politics are a bit to the right and leaning towards libertarian. I have always felt that government/industry intervention or regulation is something to be avoided. I have always believed that businesses will do the right thing given the opportunity; that the prevailing view of businesses being big and mean and only looking out for their bottom lines is, generally speaking, fiction. But over and over again I see businesses failing to do the right thing when it comes to data security, usually by just not doing anything in the first place. The result is that data, usually personally identifiable customer data, is allowed to walk out the door almost at will.

While there are numerous examples I can cite, I’m going to use my old fallback, TJX. TJX who, incidentally, has seen their stock value and sales increase since the huge data breach that was announced in January 2007. God forbid this company ever handles information security as a priority. Even after the largest breach in history, they apparently still are failing to address significant security vulnerabilities. This according to one of their own employees, Nick Benson (see Robert McMillan's article on

Needless to say, Benson was fired for revealing this information. From what I understand, he didn’t go into this trying to be a whistle-blower, and as a student at the University of Kansas he may not even have been familiar with the corporate policies in place at most organizations that restrict employees from speaking with the media or in public about exactly these types of topics. But if TJX isn’t appropriately addressing their security problems after last year’s fiasco, and they have not been hit with market backlash on their stock price or sales, maybe it’s time for regulators to jump in and give them a kick in the ass.

The problem really boils down to this: if people on the inside know there is a problem that can cause “substantial harm or inconvenience” to customers were their privacy to be breached, and the company refuses to do anything about it, isn’t it in the best interests of society to have someone jump in and force the issue? Maybe. Maybe not. I’m still not sure…and then I remember that some of my financial data is probably flying around on the servers at TJX. Is yours?

Copyright © 2008 IDG Communications, Inc.
