Legal and Cybersecurity issues in Whistleblowing
Benjamin Ang – Programme Chair, Internet Society Singapore
Senior Fellow, Cybersecurity, Centre of Excellence for National Security
Twitter @benjaminang @isocsingapore www.isoc.sg
Where we come from
CENS
Multinational team of
specialists in national
and homeland security
Research think tank
based at NTU’s RSIS,
working closely with
NSCS and CSA
ISOC.SG
Dedicated to ensuring
that the Internet stays
open, transparent and
defined by you.
Organizing events,
Providing education,
Engaging policy
Myself
Former Lawyer
Former CIO
Senior Research Fellow
in Cybersecurity Law and
Policy
Singapore Chapter
Internet Society Mission
To promote the open development,
evolution, and use of the Internet for
the benefit of all people throughout
the world.
Current Priorities
Internet Governance
Open Internet Standards
Cybersecurity
IPv6
Blockchain Technology
Domain Name System Security (DNSSEC)
Internet and Human Rights
Intellectual Property and Digital Content
Internet of Things
What we’ve done in Singapore
Workshops
Public Consultation on MDA new licensing regime, changes to Copyright Act
Charlie Hebdo seminar
Pre-Election Blogging seminar
Social Media and Elections seminar
Opinions / Commentaries
Lodged complaint against copyright owners of Dallas Buyers Club for threatening users
Civil Service Internet Isolation
Whistleblowing is important
How fraud is detected
Whistleblowing, 40%
Int Audit, 24%
Accident, 21%
Int Controls, 18%
Ext Audits, 11%
(2004 study by the Association of
Certified Fraud Examiners
(ACFE) of U.S. organizations)
But whistleblowing is dangerous
90% were fired or demoted
27% were sued
26% needed psychiatric or physical care
25% suffered alcohol abuse, 17% lost their homes
15% got divorced, 10% attempted suicide
8% were bankrupted.
How to protect Confidentiality
Training of staff, especially against social engineering
Restricting access on a need-to-know basis
Encrypting databases
Strong passwords and two-factor authentication (2FA)
How to protect Integrity
Hackers can plant false information into leaks - Bruce Schneier
Strong passwords and 2FA
Access control
Backups
I have
discovered
wrongdoing in
the company!
Who should
I tell?
The Management?
The Authorities?
The Media?
The Internet?
The Management?
Is there a way to report?
Some companies have whistleblowing lines
All government departments and agencies
All regulators
Many big companies e.g. SPH
You can report
Fraud, Corruption, Misuse of assets, Deception
Sexual harassment, Bullying, Malpractice
But not enough
40% say organisation discourages whistleblowing
24.1% say company did not have a whistleblowing policy in place
20% say policy is not adequately communicated to employees
Freshfields Bruckhaus Deringer survey of over 2,500 senior and middle managers internationally
Will the informer’s identity be protected?
You have been accused of corruption
Who accused me? I demand to know
???
Identity is protected in corruption cases
PREVENTION OF CORRUPTION ACT - Protection of informers
36.—(1) … no witness shall be obliged or permitted to disclose the name or address
of any informer...
BUT [If the judge believes] that the informer wilfully made [a false] complaint …
[then the judge may] require full disclosure concerning the informer.
(3) What about OTHER types of cases?
My company has been
evading taxes
As the company sec,
aren’t you responsible
for that?
Will the informer be protected from prosecution?
Protected from prosecution in Competition Cases
CCS’s Guidelines on Lenient Treatment for Undertakings Coming Forward with
Information on Cartel Activity Cases
What about OTHER types of cases?
We will be lenient
since you reported it
Computer Misuse and Cybersecurity Act
3.—(1) … any person who
knowingly … access without
authority to any program or
data
10.—(1) Any person who
abets the commission … or
does any act
I’m not supposed to see this
Find out more!
Personal Data Protection Act
13. An organisation shall
not... collect, use or disclose
personal data about an
individual unless — (a) the
individual gives … his
consent
1. An organisation may
collect personal data about
an individual without the
consent …or from a source
other than the individual
(h) collected by a news
organisation solely for its
news activity
Official Secrets Act
5.—(1) If any person having in his possession or control any secret official code
word, countersign or password, or any photograph, drawing, plan, model, article,
note, document or information which —
(d) has been entrusted in confidence to him by any person … under the
Government; or (e) he has obtained … owing to his position
(iv) fails to take reasonable care of, or … endanger the safety or secrecy of [it]
I’m going to give
this to the media
Official Secrets Act
(2) If any person receives any secret official … document or information
knowing [that it] is communicated to him in contravention of this Act, he shall be
guilty of an offence unless he proves [it was against his desire]
No, don’t give it to me
Look, here is the secret information
Defamation
You can be sued if the
information
1. Lowers the reputation of
the person
2. Identifies the person
3. Is told to at least one
other person
Defences
1. It is true
2. You have a duty to tell
Mr Tan has been
receiving bribes
Breach of Confidentiality
You can be sued if the
information
1. Is important
2. Was given to you
confidentially
3. Could cause damage
Defences
1. Public Interest
I have confidential
documents
showing Mr Tan
receiving bribes
Meet Edward.
He once had a good salary and a good
job in Hawaii.
He disclosed information about his
company to the media.
Now he can never go home, or he will
be arrested.