EU Whistleblower Act: Organizations Must Protect Whistleblowers

As of June 2023, the Act for Better Protection of Whistleblowers (HinSchG) is law in Germany, set a standard for the rest of the EU to follow. The whistleblower act impacts all organizations with at least 249 employees and expands in December to include all organizations with at least 49 employees.

The act describes specific requirements for enabling employees to report criminal activity and non-compliance. These requirements cover both internal reporting within the organization and external reporting to a government agency. In each case, employees must be able to use purpose-built channels that protect their confidentiality.

At the same time, organizations are prohibited from retaliating against employees who report violations. Organizations that retaliate may be forced to compensate the whistleblower for material damages and pay an additional fine of up to €50,000.

In some cases, employees are even allowed to make public disclosures of company violations. If a violation poses an immediate threat to public interest, employees can simply report these violations publicly and remain protected. The same rule applies to employees who attempt internal and external reports but fail to see the appropriate follow-up action taken.

The 249 employee limit of the June 2023 law makes whistleblower protection an active compliance goal for most mid-sized organizations. However, when the law expands to include all organizations with at least 49 employees, it becomes a pressing issue for many small businesses too.

This means that most organizations will need to quickly establish channels for employees to report internal grievances and charge an executive with the responsibility to address them. At the same time, those reports should only be accessible to the individuals authorized to process them.

These are a few examples of channels that organizations can implement for submitting whistleblowing reports:

• A special email inbox that accepts anonymous submissions
• A designated telephone number or post office box
• An on-site personal submission box
• Personal face-to-face meetings with decision-makers
• A technical whistleblowing system like Hintbox or Whistleblower Software

At the same time, employees responsible for processing reports should receive special training. They may need to communicate with whistleblowers and confirm the report was received, examine its validity and legal relevance, and escalate reports for investigation.

Virtually any kind of violation or criminal wrongdoing may be included in a report. Organizations must document the validity and legal relevance of reports, so not every report will automatically escalate and result in an investigation. However, many areas of corporate governance and administration are highly susceptible to these kinds of reports.

Some of the most common activities that whistleblowers report include:

• Fraud
• Abuse
• Corruption
• Tax code violations
• False healthcare and insurance claims
• Regulatory and compliance violations
• Cybersecurity policy violations

Many whistleblower cases include more than one type of violation. For example, a cybersecurity leader may neglect to disclose a data breach on time and then commit fraud while trying to cover it up. If the company is publicly traded, investor fraud and a wide range of compliance violations may be added on top. The executive responsible may even be criminally liable.

In November 2016, cybercriminals breached Uber’s database and accessed private customer data. They threatened to make the data public unless Uber paid a six-figure ransom. Uber’s security team consulted its executives and decided to pay the attackers through the company’s bug bounty program. Joseph Sullivan, the company’s chief security officer, then neglected to report the incident as required by law.

In October 2022, a jury found Sullivan guilty of obstructing an active FTC investigation and concealing a data breach. This is exactly the kind of scenario that the Whistleblower act is designed to avoid. If members of Uber’s security team felt comfortable reporting the first violation as it occurred, the subsequent cover up and fraud might never have happened.

New protections for whistleblowers help employees hold their employers to a higher standard. Organizations can no longer get by with wasteful, abusive, or inefficient systems – nor should they want to. By protecting employees who report on employer violations, the new law ensures a fairer and more balanced market for everyone.

However, it also means that security leaders will have to carefully review their policies and the technology that supports them. Any system or workflow that fails to protect user data and privacy may be the subject of a whistleblower report.

In the best-case scenario, whistleblowers will report security violations internally, giving the organization time to implement changes and close security gaps. However, whistleblowers may also choose to report directly to government agencies. This may lead to an expensive, time-consuming investigation that results in non-compliance fines and other damages.

One of the important caveats of the new law is that employers can’t dictate where employees file their reports. You can encourage employees to file internal reports by cultivating a workplace culture that values and rewards security. If employees feel safe and empowered when submitting internal reports, they are more likely to make that choice.

Waiting for employees to report violations is not a winning security strategy. To truly protect your company from potential risks, you’ll need to proactively address violations with robust security policies. The more secure your policies are, the better-equipped your organization will be to address uncertainty and risk.

Enforcing policies requires capable technology. Prevention-based security tools like BlackFog’s anti data exfiltration solution prevent unauthorized transfers of data outside of the network. This reduces data leak risks and improves perimeter security, making compliance violations less likely. Deploying anti data exfiltration solutions like BlackFog to prevent unauthorized access to critical assets helps keep your organization safe.

BlackFog provides anti data exfiltration technology that prevent cybercriminals from transferring data off protected networks and devices. Improve your organization’s security capabilities and address potential security violations before they result in unexpected damages.

Learn more about how BlackFog protects enterprises from the threats posed by data exfiltration.