IT whistleblowers gagged and bound

IT managers and professionals are finding it nearly impossible to stay on the right side of the law and keep their jobs.

At least that's the verdict following an overwhelming reader response to last week's Computerworld expose, Technologists face ethical bind, July 27 page 1, about the ethical dilemmas facing IT managers.

The article, which pointed to the problem of employers putting pressure on IT departments to destroy data that could be used as formal court evidence, prompted a flood of confidential and anonymous complaints, horror stories and tips.

Out of almost 20 responses to the story, IT executives across the public and private sectors said fear of retribution from their own organizations stopped them from speaking out about unethical or illegal conduct.

All cited the threat of financially crippling legal action and loss of career as the main reasons why they kept quiet in the face of unconscionable action from their superiors.

In one example given to Computerworld, an IT team was recruited for a "special project" at a financial services company. They were all forced to sign non-disclosure agreements - only to discover they were working on customer data which had clearly been stolen from a competing organization.

"When the issue was raised we were told in no uncertain terms the company would sue us into the ground. It never got off the ground because people just resigned because it was both illegal and badly managed," one reader wrote.

Another reader says he found himself "scapegoated" out of his company after warning his CIO's actions were likely to come unstuck in front of regulators. He said he received no management support.

On the IT security side, readers in banks said "auditors" are routinely "parachuted in to play the grim reaper" to remove staff by finding breaches of computer usage policy.

"They are not the sort of people you would ever trust or want to employ on a team. But you can't get rid of them. They're in with management," said one bank source.

On the vendor side, a number of readers said it was common to be offered "career inducements" to swing deals, not least the promise of lucrative work elsewhere.

The example cited in last week's article was Pan Pharmaceuticals IT manager Karl Brooks who gave evidence in a Sydney court that he was ordered to wipe incriminating data from a hard drive to prevent auditors from discovering irregularities.

Corporate solicitor at Gadens Lawyers, Stephen Ross, says IT staff need to think very carefully about their legal exposure before speaking out because of what he calls "quite limited protections" for whistleblowers.

Pointing to specific whistleblower provisions in the Corporations Act (Part 9.4AAA), Ross says legal protection is afforded only for "quite specific people informing on quite specific people". Those not covered can face defamation proceedings, especially if whistleblowing information is conveyed in writing.

Specifically to be protected by the Corporations Act, the person disclosing the information must be either: an officer of the company; an employee of the company; a person contracted to provide goods or services to the company; or an employee of the latter.

However, such people can only disclose the information to: the Australian Securities and Investments Commission; the company's auditor or a member of an audit team; a company director, company secretary or a senior manager; or a person authorized by the company to receive such information.

As if that's not enough, the person disclosing the information must have "reasonable grounds" to believe a contravention of the Corporations Act has occurred and act in good faith.