Question of the Week — Should Whistleblowers Receive Rewards for Exposing Data Breaches?
Hardly a week goes by without more news of an actual or attempted data breach threatening consumer privacy or government security. In just this past month, Uber, Anthem and Facebook all made headlines for massive data breaches affecting millions of users and customers. In late September, Facebook notified its users of a data breach that exposed over 50 million people to hackers who could have taken over the users’ Facebook profiles. The very same week, Uber agreed to pay $148 million to settle a multi-state investigation arising from a 2016 data breach that exposed the drivers’ license data of 600,000 drivers and other personal data from as many as 57 million customers. And just this past Monday, Anthem settled potential violations of the HIPAA Privacy and Security Rules with the U.S. Department of Health and Human Services for $16 million. According to HHS, the Anthem settlement follows “a series of cyberattacks [which] led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.”
Considering how often these breaches occur and the sensitive nature of the information exposed, it may come as a surprise that the U.S. does not have a specific mechanism for encouraging data breach whistleblowers through monetary awards. While these whistleblowers may be eligible for rewards in certain contexts (for example, if they bring a False Claims Act case or make a submission to the SEC whistleblower program), there’s no overarching program that rewards whistleblowers for disclosing information that uncovers a data breach.
What do you think? Vote below.