Legal and Cybersecurity issues in Whistleblowing

Benjamin Ang – Programme Chair, Internet Society SingaporeSenior Fellow, Cybersecurity, Centre of Excellence for National SecurityTwitter @benjaminang @isocsingapore www.isoc.sg

Where we come from

CENS

Multinational team of

specialists in national

and homeland security

Research think tank

based at NTU’s RSIS,

working closely with

NSCS and CSA

ISOC.SG

Dedicated to ensuring

that the Internet stays

open, transparent and

defined by you.

Organizing events,

Providing education,

Engaging policy

Myself

Former Lawyer

Former CIO

Senior Research Fellow

in Cybersecurity Law and

Policy

3

Singapore Chapter

Internet Society Mission

To promote the open development,

evolution, and use of the Internet for

the benefit of all people throughout

the world.

4

Singapore Chapter

Current Priorities

Internet Governance

Open Internet Standards

Cybersecurity

IPv6

Blockchain Technology

Domain Name System Security (DNSSEC)

Internet and Human Rights

Intellectual Property and Digital Content

Internet of Things

5

Singapore Chapter

What we’ve done in Singapore

Workshops

Public Consultation on MDA new licensing regime, changes to Copyright Act

Charlie Hebdo seminar

Pre-Election Blogging seminar

Social Media and Elections seminar

Opinions / Commentaries

Lodged complaint against copyright owners of Dallas Buyers Club for threatening users

Civil Service Internet Isolation

Can the act of disclosing information about wrongdoing result in LEGAL TROUBLE for the informer?

Whistleblowing is important

How fraud is detected

Whistleblowing, 40%

Int Audit, 24%

Accident, 21%

Int Controls, 18%

Ext Audits, 11%

(2004 study by the Association of

Certified Fraud Examiners

(ACFE) of U.S. organizations)

But whistleblowing is dangerous

90% were fired or demoted

27% were sued

26% needed psychiatric or physical care

25% suffered alcohol abuse, 17% lost their homes

15% got divorced, 10% attempted suicide

8% were bankrupted.

Cybersecurity issues

Confidentiality

Integrity

Availability

How to protect Confidentiality

Training of staff esp against social engineering

Restricting access on need to know

Encrypting databases

Strong passwords and 2 Factor Authentication

How to protect Integrity

Hackers can plant false information into leaks - Bruce Schneier

Strong passwords and 2FA

Access control

Backups

I have

discovered

wrongdoing in

the company!

Who should

I tell?

The Management?

The Authorities?

The Media?

The Internet?

I have

discovered

wrongdoing in

the company!

Who should

I tell?

The Management?

Is there a way to report ?

Some companies have whistleblowing lines

All government departments and agencies

All regulators

Many big companies e.g. SPH

You can report

Fraud, Corruption, Misuse of assets, Deception

Sexual harassment, Bullying, Malpractice

But not enough

40%say organisation discourages whistleblowing

24.1%say company did not have a whistleblowing policy in place

20%say policy is not adequately communicated to employees

Freshfields Bruckhaus Deringer survey of over 2,500 senior and middle managers internationally

I have

discovered

wrongdoing in

the company!

Who should

I tell?

The Authorities?

Will the informer’s identity be protected?

You have been

accused of corruption Who accused me?

I demand to know

???

Identity is protected in corruption cases

PREVENTION OF CORRUPTION ACT - Protection of informers

36.—(1)… .no witness shall be obliged or permitted to disclose the name or address

of any informer...

BUT [If the judge believes] that the informer wilfully made [a false] complaint …

[then the judge may] require full disclosure concerning the informer.

(3) What about OTHER types of cases?

My company has been

evading taxes

As the company sec,

aren’t you responsible

for that?

Will the informer be protected from prosecution?

Protected from prosecution in Competition Cases

CCS’s Guidelines on Lenient Treatment for Undertakings Coming Forward with

Information on Cartel Activity Cases

What about OTHER types of cases?

We will be lenient

since you reported it

I have

discovered

wrongdoing in

the company!

Who should

I tell?

The Media?

The Internet?

Criminal Law

Prosecution by authorities – possible fine or prison

Computer Misuse and Cybersecurity Act

3.—(1) … any person who

knowingly … access without

authority to any program or

data

10.—(1) Any person who

abets the commission … or

does any act

I’m not

supposed to

see thisFind out more!

Personal Data Protection Act

13. An organisation shall

not... collect, use or disclose

personal data about an

individual unless — (a) the

individual gives … his

consent

1. An organisation may

collect personal data about

an individual without the

consent …or from a source

other than the individual

(h) collected by a news

organisation solely for its

news activity

Personal Data Protection Act

13. An organisation shall

not... collect, use or disclose

personal data about an

individual unless — (a) the

individual gives … his

consent

1. An organisation may

collect personal data about

an individual without the

consent …or from a source

other than the individual

(h) collected by a news

organisation solely for its

news activity

Official Secrets Act

5.—(1) If any person having in his possession or control any secret official code

word, countersign or password, or any photograph, drawing, plan, model, article,

note, document or information which —

(d) has been entrusted in confidence to him by any person … under the

Government; or (e) he has obtained … owing to his position

(iv) fails to take reasonable care of, or …. endanger the safety or secrecy of [it]

I’m going to give

this to the media

Official Secrets Act

(2) If any person receives any secret official … document or information

knowing [that it] is communicated to him in contravention of this Act, he shall be

guilty of an offence unless he proves [it was against his desire]

No, don’t give it to meLook, here is the

secret information

Civil Law

Lawsuit by company – have to pay damages if you lose

Defamation

You can be sued if the

information

1. Lowers the reputation of

the person

2. Identifies the person

3. Is told to at least one

other person

Defences

1. It is true

2. You have a duty to tell

Mr Tan has been

receiving bribes

Breach of Confidentiality

You can be sued if the

information

1. Is important

2. Was given to you

confidentially

3. Could cause damage

Defences

1. Public Interest

I have confidential

documents

showing Mr Tan

receiving bribes

Meet Edward.

He once had a good salary and a good

job in Hawaii.

He disclosed information about his

company to the media.

Now he can never go home, or he will

be arrested.

Disclosing information has consequences

Make sure that the information is accurate

Know your risks and your rights

@benjaminang @isocsingaporewww.isoc.sg