In the context of economic and social developments, we are all immersed in a complex, uncertain and opaque universe: the protection of goods and people has become global (global enterprises, social networks, etc.), while, in most cases, the approaches remained incomplete and local.
The presence of whistleblowers, part of the so-called whistleblowing phenomenon, is a symptom of the deep crisis of the regime and civilization that we are going through. Their actions and possible protection, often security and ethics oriented, are considered an ill-defined problem because there are always new situations and unexpected challenges that we are faced with.
Indeed, this occurs each time we experience changes (technological, political, economic, social, etc.). Emerging new practices, habits, needs and usages are associated with their own relevant misuses, excesses or deviance we did not predict or imagine. Thus, ethical behavior is often the only alternative imposed on us by the situation, and it forces us to collectively rethink the causes of deviance and the notion of sustainability.
While whistleblowers have been making major headlines in recent years, many businesses are assessing their role in encouraging individuals to speak up against unethical behavior.
Social networks on the Internet are now an integral part of our daily lives (Digital, Social & Mobile 2016 report of the international agency “We Are Social”). The number of active users on the Internet has exceeded 3.4 billion, representing 46% of the world’s population. Their number continues to grow by 10% per year, via MID and mobile phones. On average, a social media user is active for 1–3 hours per day depending on the country, and uses platforms such as Facebook, Google and Twitter. On average, data traffic per user is 1.4 gigabytes per month by telephone.
Now, with the rise of the IoT (the Internet of Things), more than 30 billion sensors and features will be interconnected and the amount of data to be collected will be in the order of exabytes per year.
This is why, in Chapter 1 and in [MAS 17a], we introduced the notion of data-centered complex systems. False information and hazy theories, as well as viruses, can circulate easily and widely on social networks, sometimes with serious consequences, and this is a disturbing phenomenon of technological change that jeopardizes the sustainability of our planet.
The main problem is the so-called “data breach” problem, which we will describe here before developing the concept of business ethics addressing whistleblowing.
A data breach is an intentional or unintentional release of secure or private/confidential information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak and also data spill. Incidents range from concerted attacks by black hats associated with organized crime, political intentions, or national organizations to careless disposal of used computer equipment or data storage media.
DEFINITION.– “A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so” (according to Wikipedia). Most data breaches involve overexposed and vulnerable unstructured data – files, documents and sensitive information.
Most data breach incidents publicized in the media involve private information on individuals, i.e. social security numbers, health information, confidential media data, etc. Loss of corporate information such as trade secrets, sensitive corporate information, strategies, details of customer contracts, etc. or of government information is frequently unreported, as there is no compelling reason to do so in the absence of potential damage to private citizens, and the publicity around such an event may be more damaging than the loss of the data itself.
The “2016 Cost of Data Breach Study: Global Analysis”, by the Ponemon Institute and sponsored by IBM, is based on an evaluation involving 383 enterprises worldwide (12 different countries).
According to this research [PON 16], the average impact of a data breach can be summarized as follows:
The biggest financial consequence of organizations that experienced a data breach is loss of business. The customer churn rate may be higher than 6% when the number of records impacted is high. When we consider the activity sectors subject to data breach, Figure 5.3 shows that the main areas impacted are healthcare, finance and education.
It is a consolidated view (383 companies involved worldwide), and measured in USD.
Figure 5.4 shows the main root causes of a data breach.
Most data breaches are caused by malicious or criminal attacks. There are also glitches that include both IT and business process failures that lead to a sudden malfunction or irregularity.
Breaches also take the most time to detect and contain. As a result, they have the highest cost per record.
The probability of a data breach occurring over a period of 24 months is quite significant:
Many governments and public organizations try to fight this new cause of economic and social injury. Presently, the European Union (EU) has issued a General Data Protection Regulation (GDPR) directive. It is a regulation by which the Parliament, the Council of the EU and the European Commission intend to strengthen and unify data protection for all individuals.
The primary objectives of the GDPR are to return to citizens and residents control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The GDPR separates responsibilities and duties of data controllers and processors, obligating controllers to engage with only those processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet the GDPR’s requirements and protect data subjects’ rights. Processors must also take all measures required by Article 32, which delineates the GDPR’s “security of processing” standards.
Under Article 32, similarly to the Directive’s Article 17, controllers and processors are required to “implement appropriate technical and organizational measures”.
First, the GDPR requires businesses to implement technical and organizational measures to provide appropriate protection to the personal data they hold. Among the specific suggestions for what kinds of security actions might be considered “appropriate to the risk”, we can quote:
When determining such security measures, businesses must take into account the nature, scope, context and purposes of their use of personal data. So far nothing really new.
DSPs are providers of online marketplaces, online search engines or cloud computing services. These are all defined terms in the directive:
Hardware manufacturers and software developers are now specifically excluded in this scope.
This question depends on practices sometimes observed which consist of charging the victim with carelessness:
Currently, the mass of available data makes it possible to study the various phenomena of breaches, disinformation, misinformation [MOC 15], or non-consistency, either quantitatively (through business analytics) or qualitatively (tag cloud graphs, judgment-based technologies) [QUA 17].
Figure 5.6 shows how information (true or false), broadcast at a given place (as a ‘post’), is distributed online. The graph shows its propagation pathways. The nodes represent the users, and the lines represent the relationships between users, enabling sharing. The original post is in the center of the graph. The colors indicate the users’ interests, i.e. their preference for a type of content: yellow indicates the users who follow the conventional sources of information, green the political discussions, red the alternate sources, and blue the trolls (that is, people who post inflammatory messages on Internet forums to fuel controversy).
We can formulate several comments:
The problems related to the lack of security, biased information, stolen data, information misuse, rumors, etc. and corporate systems’ intrusion, hacking, fake news or information, etc., which developed thanks to globalization and social networking, are major ethical problems. These have to be addressed, as for bioethics, as the main challenge of the next generation since it will affect everyone.
DSPs are often blamed for not assuming their responsibility and must work in order to react and limit the propagation of such failures. But how?
This question is a complex one. Answers are often unknown, or not consensual. Thus, it is a business ethics problem that has to be solved.
This notion was developed, in France, in sociological works conducted by Francis Chateauraynaud [CHA 99]. A whistleblower is generally a person, or group of persons, who considers that they have discovered elements which are considered to be threatening to man, society, the enterprise, economy or the environment or who sees a danger emerging, and decides, not in their own interest, to bring them to the attention of official organizations, associations or the media, sometimes against the advice of their superiors. The whistleblower therefore sends a signal and, in doing so, triggers a process of regulation, controversy or collective mobilization.
Unlike an informer, the whistleblower is sincere and with good intent: they do not blame someone, but disclose what they consider a threat against the common good or general interest.
Often, the whistleblower takes a real risk on behalf of the cause they try to protect: they sometimes jeopardize their financial or physical health, the peace of their family, and their personal safety and image (in case of media coverage, name, face and life are no longer private).
The notion of whistleblower is different to the denouncer (who is sincere) and the informer (who is interested). The whistleblower is just linked to the denunciation of illegalities or injustices; their intent is to stop an illegal or irregular action.
In the field of networked activities, the warning system is also intended to highlight a danger or a risk and avoid it by questioning the decision makers in place and raising the awareness of citizens [MEY 16]. They can interact upstream or downstream, with all kinds of people or watchdogs sharing the same ideals. Despite this [LA 17], about 25% of employees, working in a large company, declared that they are able to denounce a non-ethical problem within their company and would not hesitate to denounce those responsible for such deviance. Also, almost 9 out of 10 employees report being “probably” or “definitely” ready to report a hazardous fact.
However, fewer than 6 employees out of 10 trust in their company to ensure their protection and anonymity if they become whistleblowers. They are regularly prosecuted: quite often the purpose of a judicial proceeding is to silence and censor or ruin a detractor. Recent events, including LuxLeaks, Edward Snowden’s revelations and other cases where whistleblowers, despite the justification of their actions, are sanctioned by justice, sent a negative signal to whistleblowers who might denounce an ethical problem within their enterprise. It is a sign of a “kind of mistrust” that emerges. In order to discuss ethical issues, employees would prefer a human resources representative (75%) or a company’s ethics manager (74%), before a colleague (65%) or their manager (64%). This shows the importance of a fast implementation of a status to protect whistleblowers and employees in the company, although this is planned and supposed to be provided by law.
A whistleblower (also written as whistle-blower or whistle blower) is a person who exposes any kind of information or activity that is deemed illegal, unethical or not correct within an organization that is either private or public:
“The information of alleged wrongdoing can be classified in many ways: violation of company policy/rules, law, regulation, morality, or threat to public interest/national security, as well as fraud, and corruption, etc.
Those who become whistleblowers can choose to bring information or allegations to surface either internally or externally. Internally, a whistleblower can bring his/her accusations to the attention of other people within the accused organization such as an immediate supervisor. Externally, a whistleblower can bring allegations to light by contacting a third party outside of an accused organization such as the media, government, law enforcement, or those who are concerned”.
Some characteristics of whistleblowing include:
Deeper questions and theories of whistleblowing and why people choose to do so can be studied through an ethical approach. Whistleblowing is a topic of ongoing ethical debate. Leading arguments in the ideological camp that whistleblowing is ethical maintain that whistleblowing is a form of civil disobedience, and aims to protect the public from government wrongdoing.
In the opposite camp, some see whistleblowing as unethical for breaching confidentiality, especially in industries that handle sensitive client or patient information. Legal protection can also be granted to protect whistleblowers, but that protection is subject to many stipulations. Hundreds of laws grant protection to whistleblowers, but stipulations can easily cloud that protection and leave whistleblowers vulnerable to retaliation and legal trouble.
It is relevant to distinguish between two levels of whistleblowing, namely internal whistleblowing and external whistleblowing. Most people who have a concern tend to raise this internally with their line manager or superior first, and very few whistleblowers “go public” (that is blow the whistle outside the organization) without passing through this preliminary stage.
However, in many whistleblowing cases, the organization’s response is often hostile. Criticism of current practices is unwelcome, and the “concerned employee” is now viewed at best as disloyal or at worst as an organizational pariah and hence deserves being victimized. This is why, when faced with this situation, many “internal whistleblowers” become external whistleblowers. They make a public disclosure to regulating bodies, the press or government bodies, and the problem is exposed in detail in the public domain.
Ethics governs a person’s or group’s behavior. The ethical implications of whistleblowing can be negative as well as positive. However, sometimes employees may blow the whistle as a ‘guerrilla’. “Rather than acting openly, guerrillas often choose to remain undercover, moving clandestinely behind the scenes, as a salmon swimming upstream against the current of power”.
Over the years, motivations driving guerrillas have been diverse. They range from altruism to the seemingly petty. Taken as a whole, whistleblowing can be interpreted as awe inspiring, as saving human lives. Nevertheless, of the more than 1,000 whistleblower complaints that are filed each year with the Pentagon’s Inspector General, about 97% are not substantiated.
The negative results of being a whistleblower could include being seen as a traitor, a hero, or just one of the majority (97%) of whistleblowers who are simply disgruntled with a perceived unfairness.
It is believed throughout the professional world that an individual is bound to secrecy within their work sector. Discussions of whistleblowing and employee loyalty usually assume that the concept of loyalty is irrelevant to the issue or, more commonly, that whistleblowing involves a moral choice that pits the loyalty that an employee owes an employer against the employee’s responsibility to serve the public interest.
At present, whistleblowing generally has a good public perception whereas perhaps 15 or even 10 years ago [HTT 17], it may have been seen as something sneaky, like “telling tales”. Perhaps this is because during that period, the world has witnessed some spectacular scandals and many of these only became apparent as a consequence of whistleblowers.
At the micro level, in SMEs however, organizations normally react in a very negative manner to whistleblowing, often bullying the employee and dismissing them, and whilst a “fortunate few” may be paid off when the organization tries to buy their silence with gagging orders, for many others there is an uphill struggle in getting any justice at all for the economic and personal loss they suffer.
Discussions on whistleblowing generally revolve around several topics: what precisely does whistleblowing mean? How and when is whistleblowing ethical? What are the methodologies to be implemented?
Concerning business ethics, hereafter we have a set of rules that we can easily apply.
According to Samiel Dyens [DYE 17], a lawyer, whistleblowing is an “internal warning mechanism, empowered to receive and deal with employee complaints relevant to fraud, misuses, or financial or accounting misconduct, which they may have known within the framework of their job” [BAI 10].
Such professional warnings or ethical alerts consist of literally “blowing the whistle” to alert and reveal facts or situations likely to be detrimental to an organization.
However, far from being merely an internal and simple control mechanism within an organization, whistleblowing, or ethical alerts, leads us to re-examine our relationship with the institution, with public confidence and with democracy.
There are lessons we can learn from our history. Even if denunciations, denigration and maliciousness are not uncommon in companies and administrations, the logic of institutionalization of the alert justifies a kind of rejection in our country: the dark hours of the occupation and collaboration during the Second World War have generated mistrust towards this approach.
This confusion between the obligation to denounce and the ethical alert is maintained by the legislator himself. Thinking about an ethical alert is all the more necessary today because we observe a massive and rapid dissemination of corporate warnings.
We are experiencing an unprecedented rise. There are no less than four texts which, in very different fields, provide a warning system and/or protection for the alert.
However, this promotes the mechanism of the ethics alert as being a preferred tool to fight against corruption. There are several reasons for that:
Here again emerges the need to distinguish between the obligation of denunciation as planned by rules (laws or internal rules of procedure) and issuing an ethical alert through personal initiative.
Good whistleblower policies and procedures are an essential part of ensuring good governance, in every sector of society whatever the level of governance (Gillian Moorse –Oxford) [MOO 14].
Indeed, the exposure of malpractices, fraud and corruption is a vital method of developing business ethics.
Several times, we have focused on the fact that good governance starts at the top but should then pervade every level of an organization, in the enterprise. Leaders and those involved in corporate governance need to demonstrate a 24-7 commitment to integrity, thereby encouraging workers’ own commitment to ethical conduct. In matters of ethics, leaders set the tone: their attitude is the “Alpha and Omega” for good corporate governance.
The main principles for good governance result from the whole organization culture embraced by everyone. If a blind eye is turned to malpractices, then this can allow an “Invirtuous Cycle” of corruption to become embedded into the organization’s culture which, as the following diagram from the Ethics Research Center demonstrates, becomes a vicious circle.
The consequence of this is an erosion of ethics throughout some organizations (as for the famous ENRON story) and the implicit tolerance of wrong behaviors in modern society generally (as due to greed). These are factors which may go on contributing to more fraud and corruption. To break the invirtuous circle, we need the ethical tone at the top to inspire employees to do the right thing. There also needs to be a means of effective reporting of malpractices as any chain is only as strong as its weakest link. Implementation of efficient whistleblower policies and procedures in organizations is one of the best means to do this.
“The National Business Ethics Survey 2013 indicated that in the USA one in three workers observing workplace misconduct chose not to report it. This was coupled with an estimated retaliation rate of over 21% towards workers who did report wrongdoing. In the UK legislation to protect whistleblowers has been largely ineffective whatever the good intentions of the lawmakers and in spite of the frequency of Government commissioned reports identifying the benefits of whistleblowing and praising whistleblowers for their courage in making a stand against malpractices” [NBE 13].
Avoiding dealing with malpractices can be construed as condoning the wrongdoing – so once the wrongdoing has been flagged up why not deal with it rather than risk it escalating to the extent of high profile negative publicity?
A reputation lost can be costly in terms of partners, customers and potential employees not wanting to be associated with a company conducting itself on dubious lines, without factoring in the obvious loss of profit. It is not a good strategy for business.
Usually, most customers and employees want to be associated with companies that demonstrate high ethical standards, organizations that value their workforce, comply with the law of the country they are operating in and promote a healthy relationship at all the levels of its hierarchy. Furthermore, if malpractice is going on in an organization, those at the top, especially those involved in governance, if they have any ethical values should really welcome these matters being brought to their attention.
How can whistleblower policies and procedures be harnessed positively to the benefit of everyone so that corporate governance can be strengthened and without any detriment to the person blowing the whistle?
Organizational hotlines can be a useful internal form of communication and potentially reduce the risk of external whistleblowing and increased exposure of malpractices in the public domain. It is also possible to implement improved communications between an organization and whistleblowers to provide more opportunities to resolve issues in their work.
Another advantage of having an anonymous whistleblowing hotline is that it may encourage the estimated third of workers who choose NOT to report wrongdoing to feel more comfortable about making a disclosure. Certainly, the silence of many of the so-called “Inactive Observers” (or silent alert launchers) is sometimes because they assume that no action will be taken; however, many may feel more comfortable anonymously divulging information that they may otherwise have withheld, and therefore anonymous whistleblowing hotlines may potentially result in more whistleblowing.
Finally, whistleblowing can strengthen corporate governance by bringing transparency to the fore. However, we should not be in the position of relying on whistleblowing as a means of policing organizations – it is a complementary and useful tool, but it should be the last line of defense when all others have failed, rather than the first or principal one.
Ethics Resource Center: www.ethics.org
KPMG [KPM 17] – Analysis of Global Patterns of Fraud: Who is the Typical Fraudster? Available at: https://www.kpmg.com/US/en/IssuesAndInsights/ArticlesPublications/Documents/who-is-the-typical-fraudster.pdf
Whistleblowing Commission Report (2013) sponsored by the charity Public Concern at Work available at: http://www.pcaw.org.uk/
Whitepaper: Beyond Compliance: Implementing Effective Whistleblower Hotline Reporting Systems available at: http://touroinstitute.com/Beyond_Compliance.pdf