How to Mitigate the ITAD Whistleblower Challenge

A series of recent Security and Exchange Commission (SEC) announcements point to the increasing risk of whistleblowers stemming from improper IT asset disposal (ITAD) practices.

First, over the past year, the SEC has issued a number of statements and proposals indicating its intentions to hold organizations (and boards) under its jurisdiction accountable for cybersecurity.

At the same time, the SEC has also recently announced the importance of whistleblowers to its enforcement efforts. Most see this announcement as a not-so-subtle attempt to encourage more of it.

This blog will describe how the SEC’s growing attention on cybersecurity and its encouragement of whistleblowers pose a new type of risk for IT asset disposal (ITAD) service providers and clients. It will also offer a strategy for mitigating that risk.

Calling All Whistleblowers

The SEC Office of the Whistleblower (Dodd-Frank Act of 2010) was created with the sole purpose of encouraging informants to report non-compliance. And, just last month, in an SEC press release announcing a $12 million whistleblower award, the Commission made no secret about the importance it places on the role of such informants.

“Whistleblowers play a critical role in helping the SEC detect and prosecute wrongdoing …,” said Creola Kelly, Chief of the SEC’s Office of the Whistleblower. Saying also that the award, “…demonstrates the importance of the whistleblower program to the SEC’s enforcement efforts.”

And, when it comes to these awards, we’re not talking chump change. The total awards to individual SEC whistleblowers in 2022 was a staggering $229 million (2^nd most ever), with more than $1.3 billion awarded since its inception 11 years ago.

It is also important to note that, as demonstrated by the recent $3 million Blackbaud settlement, the SEC is more than willing to apply its enforcement powers to non-financial matters and potentially risky practices.

Framing the Whistleblower Risk to ITAD

Consider these facts:

1. ITAD is a critical element of cybersecurity and the SEC knows it.
2. Cybersecurity will soon be subject to increasing SEC disclosures and enforcement, as well as Board-level accountability.
3. All organizations under the SEC’s jurisdiction retire IT assets, and most ITAD service providers have many clients that fall into that category.
4. From a regulatory standpoint, missing or unreconciled end-of-life IT assets must be investigated and could possibly trigger a breach notification.
5. Missing or unreconciled end-of-life IT assets, by definition, qualify as cybersecurity incidents that would have to be acknowledged in future SEC filings.
6. Failure to track, inventory, and reconcile end-of-life IT assets results in regulatory violations, insofar as it prevents organizations from investigating and/or reporting incidents, and, as was shown in the recent SEC-Blackbaud settlement, can lead to prosecution for the filing of fraudulent disclosures.
7. The possibility of life-changing, multi-million-dollar whistleblower awards is a formidable temptation to current and former employees, especially when one considers that an initial complaint requires only a few mouse-clicks.

These combined factors increase the risk of the whistleblower threat in ITAD by any former or current employee who is aware of them.

The Solution

There are three steps service providers and clients can take to mitigate the whistleblower risk.

1. Comply with regulations. The best way to avoid the threat of whistleblowers is to deny them a reason to blow the whistle in the first place. From the clients’ perspective, it means tracking assets in use and reconciling those assets when discarded. It means investigating and resolving missing IT assets. From the service providers perspective, it means reporting discrepancies in inventory assets to clients, and/or notifying clients of other potential data breaches.
2. Provide in-house reporting mechanisms. Employees should be provided with clear instructions and strong mechanisms to report non-compliance to management. Doing this disarms a potential whistleblower by providing them with a process to report non-compliance before resorting to regulators. It also gives an organization a way to respond to, and, if needed, rectify non-compliance. If a whistleblower goes straight to the SEC (or other regulatory body) without first reporting the matter to company per their training, the intent and veracity of the whistleblower’s claim is compromised. The regulator’s sentiment would be, “You mean you knew about this and you did nothing to report it to management?” Looking at it from the other direction, not providing employees with a methodology for reporting non-compliance reflects very poorly on any organization. “What else were they supposed to do,” would be the whistleblower’s and the Regulator’s outcry. So, don’t let that happen. Make sure employees know how and where to raise their compliance concerns in-house.
3. Use policies and procedures to separate past non-compliance from future compliance. It is not unreasonable to worry that changing business practices somehow shines a light on past non-compliance. Luckily, regulations provide a subtle (and compliant) solution. Every data protection regulation requires that data security policies and procedures be periodically reviewed and updated. The reason for this is that risks change, and periodic reviews and updates are the regulatory mechanisms by which those emerging risks are addressed. Frankly, the organization that fails to make procedural updates based on the changing conditions is at far more risk (on all fronts) than the organization that stays with the non-compliant status quo.