Siber Güvenlik İhbarcılarının Korunması Açısından ABD ve AB Yaklaşımlarının Karşılaştırılması

Öz

Bu çalışma, siber güvenlik ihbarcılarını işverenlerin misilleme eylemlerine karşı koruyan Amerika Birleşik Devletleri ve Avrupa Birliği yasalarını karşılaştırmaktadır. Yasalar, kapsam, "misilleme"nin tanımı ve yasal korumaya hak kazanmak için gereken raporlama prosedürleri açısından benzerlikler ve farklılıklar göstermektedir. ABD’de hiçbir misilleme karşıtı federal yasa doğrudan siber güvenlik ihbarcılığını ele almamaktadır, ancak ihbarcılar mevcut yasalarla korunan faaliyet kapsamına giren siber güvenlikle ilgili yasa ihlallerini ifşa ettiklerinde yine de korunabilirler. AB'de, ihbarcı misillemelerine karşı yasal koruma daha az belirsizdir çünkü 2019/1937 sayılı Direktif (AB), gizlilik ve kişisel verilerin korunması ile ağ ve bilgi sistemlerinin güvenliği gibi AB yasaları kapsamında olan ihlalleri bildiren çalışanları doğrudan korumaktadır. Bu iki yaklaşım, bildirimde bulunan kişinin kimliğinin gizliliği konusunda da farklılık göstermektedir. Bu çalışma, ABD ve AB'nin genel olarak ihbarcılara ve özellikle siber güvenlik ihbarcılarına misillemeye karşı yasal koruma sağlama konusunda nasıl farklılıklar gösterdiğini ortaya koymayı hedeflemektedir.

Anahtar Kelimeler

• İhbar (bilgi uçurma)
• siber güvenlik
• misilleme
• 2019/1937 sayılı Direktif (AB)
• çalışanların korunması

Cybersecurity Whistleblower Protection: A Comparison of the US and the EU Approaches

Öz

This study compares the laws in the United States and the European Union protecting cybersecurity whistleblowers from employer retaliation. Similarities and differences exist regarding the scope of laws, the definition of “retaliation,” and required reporting procedures to be eligible for legal protection. In the US, no anti-retaliation federal statute directly addresses cybersecurity whistleblowing, but whistleblowers may still be protected when they disclose cybersecurity-related violations of laws falling within the scope of protected activity under the current laws. In the EU, the Directive (EU) 2019/1937 directly protects employees who report breaches falling within the scope of the EU acts, including the protection of privacy and personal data and the security of network and information systems. The two approaches also differ concerning the confidentiality of the reporting person’s identity. This study provides a brief foundation for understanding how the US and EU’s approaches differ in providing legal protection against retaliation for whistleblowers.

Anahtar Kelimeler

• Whistleblowing
• cybersecurity
• retaliation
• Directive (EU) 2019/1937
• whistleblower protection

Kaynakça

1. Bishara N. D., Callahan E. S., & Dworkin T. M. (2013). The mouth of truth. New York University Journal of Law & Business, 10, 37-43.
2. Directive (EU) 2016/680. On the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. URL:https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L0680.
3. Directive (EU) 2019/1937. On the protection of persons who report breaches of Union law. URL:https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019L1937&from=en.
4. Eisenstadt, L. F. and Pacella, J. M. (2018). Whistleblowers need not apply. American Business Law Journal, 55(4), 665-719.
5. European Data Protection Supervisor. (2016, July 18). Guidelines on Processing Personal Information within a Whistleblowing Procedure. URL:https://edps.europa.eu/sites/default/files/publication/16-07-18_whistleblowing_guidelines_en.pdf, (Retrieval: 15.01.2023).
6. Exmeyer, P. C., & Jeon, S. H. (2022). Trends in state whistleblowing laws following the Whistleblower Protection Enhancement Act of 2012. Review of Public Personnel Administration, 42(2), 287-311.
7. Hammer, D. and Bundschuh, E. (29 December 2016). “The Rise of Cybersecurity Whistleblowing”, Compliance & Enforcement. URL: https://wp.nyu.edu/compliance_enforcement/2016/12/29/the-rise-of-cybersecurity-whistleblowing/. (Retrieval: 13.01.2023).
8. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (1996). URL:https://www.govinfo.gov/app/details/PLAW-104publ191.

9. Internal Revenue Service. (2022-a, October 13). Whistleblower Reforms Under the Taxpayer First Act. URL:https://www.irs.gov/compliance/whistleblower-reforms-under-the-taxpayer-first-act, (Retrieval: 20.01.2023).
10. Internal Revenue Service. (2022-b, July 21). The IRS Whistleblower Office. URL:https://www.irs.gov/about-irs/the-irs-whistleblower-office#:~:text=Protecting%20Whistleblower%20and%20Taxpayer%20Information&text=We%20protect%20against%20the%20disclosure,a%20law%20passed%20in%202019, (Retrieval: 15.01.2023).
11. Kaufmann, J., Häferer, K., & Grimhardt, K. (2020). The new EU whistleblowing directive: Considerations from a German employment and data protection law perspective. Computer Law Review International, 21(1), 14-17.
12. Kohn, S. M. (2017). The New Whistleblower's Handbook: A Step-By-Step Guide to Doing What's Right and Protecting Yourself, 3.rd. Ed., United States of America: Lyons Press.
13. Leifer, S. C. (2014). Protecting Whistleblower protections in the Dodd–Frank Act. Michigan Law Review, 113(1), 121-149.
14. Marcum, T. M. and Young, J. A. (2020). Defining the whistleblower: The Digital Realty case and proposed legislation. Richmond Journal of Law & Technology, 26(3), 1-23.
15. Marcum, T. M., Young, J., & Kirner, E. T. (2019). Blowing the whistle in the digital age: Are you really anonymous? The Perils and pitfalls of anonymity in whistleblowing law. DePaul Business & Commercial Law Journal, 17(1), 1-38.
16. National Institute of Standards and Technology. (2018, April 16). Framework for Improving Critical Infrastructure Cybersecurity. (Version 1.1). URL: https://nvlpubs.nist.gov/nistpubs/cswp/nist.cswp.04162018.pdf, (Retrieval: 20.01.2023).
17. Office of Inspector General for the Board of Governors of the Federal Reserve System and the Consumer Financial Protection Bureau. (n.d). Inspector General Act. URL:https://oig.federalreserve.gov/inspector-general-act.htm, (Retrieval: 04.02.2023).
18. Office of the Whistleblower Ombuds. (2022, March). Whistleblower protection act. URL:https://whistleblower.house.gov/sites/whistleblower.house.gov/files/Whistleblower_Protection_Act_Fact_Sheet.pdf, (Retrieval: 04.02.2023).
19. Overhuls, C. H. (2012). Unfinished Business: Dodd-Frank's Whistleblower Anti-Retaliation Protections Fall Short for Private Companies and Their Employees. The Journal of Business, Entrepreneurship & the Law, 6(1), 1-22.
20. Pacella, J. M. (2016). The cybersecurity threat: Compliance and the role of whistleblowers. Brooklyn Journal of Corporate, Financial & Commercial Law, 11, 38-70.
21. Pender, K., Cherasova, S., & Yamaoka-Enkerlin, A. (2021). Compliance and whistleblowing: How technology will replace, empower and change whistleblowers. In J. Madir (Ed.), FinTech (pp. 365-394). UK: Edward Elgar Publishing.
22. Regulation (EU) 2016/679. On the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). URL:https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679.
23. Regulation (EU) 2018/1725. On the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC. URL:https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1725&from=EN.
24. Ronicker, A. and LaGarde, M. (March 2019). “Cybersecurity Whistleblower Protections: An Overview of the Protections and Rewards Available to Cybersecurity Whistleblowers Under Federal and State Law”. URL:https://katzbanks.com/sites/default/files/cybersecurity-whistleblower-protection-guide.pdf. (Retrieval: 20.01.2023).
25. Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204 (2002). URL:https://www.govinfo.gov/app/details/PLAW-107publ204.
26. Taxpayer First Act, Pub. L. No. 116-25 (2019). URL:https://www.govinfo.gov/app/details/PLAW-116publ25.
27. Teichmann, F.M. and Wittmann, C. (2022). Whistleblowing: Procedural and dogmatic problems in the implementation of directive (EU) 2019/1937. Journal of Financial Regulation and Compliance, 30(5), 553-566.
28. US Department of Health and Human Services Office for Civil Rights. (2013, July 13). Breach Notification Rule. URL:https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html, (Retrieval: 01.02.2023).
29. US Department of Health and Human Services Office for Civil Rights. (2013, March 26). HIPAA Administrative Simplification Regulation Text 45 CFR Parts 160, 162, and 164. URL:https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf, (Retrieval: 01.02.2023).
30. US Department of Health and Human Services Office for Civil Rights. (2022, October 20). The Security Rule. URL:https://www.hhs.gov/hipaa/for-professionals/security/index.html, (Retrieval: 01.02.2023).
31. US Merit Systems Protection Board. (n.d.). Prohibited Personnel Practice 8: Whistleblower Protection. URL:https://www.mspb.gov/ppp/8ppp.htm, (Retrieval: 18.01.2023).
32. US Nuclear Regulatory Commission (NRC). (2017, August). Reporting Safety Concerns to the NRC (NUREG/BR-0240, Revision 8) [Brochure]. URL:https://www.nrc.gov/docs/ML1720/ML17208A272.pdf, (Retrieval: 08.02.2023).
33. US Office of Inspector General. (n.d.). OIG Whistleblower Protection Coordinator. URL:https://www.oig.dol.gov/whistleblower-coordinator.htm#:~:text=Whistleblower%20retaliation%20is%20an%20adverse,which%20adversely%20affects%20the%20whistleblower, (Retrieval: 26.01.2023).
34. US Securities and Exchange Commission (2018). Commission Statement and Guidance on Public Company Cybersecurity Disclosures. URL:https://www.sec.gov/rules/interp/2018/33-10459.pdf, (Retrieval: 16.01.2023).
35. US Securities and Exchange Commission. (2023, February 3). Office of the Whistleblower: Whistleblower Protections. URL:https://www.sec.gov/whistleblower/retaliation, (Retrieval: 15.01.2023).
36. Whistleblower Protection Act of 1989, Pub. L. No. 101-12 (1989). URL:https://www.govinfo.gov/content/pkg/STATUTE-103/pdf/STATUTE-103-Pg16.pdf.
37. Whistleblower Protection Enhancement Act of 2012, Pub. L. No. 112-199 (2012). URL: https://www.govinfo.gov/app/details/PLAW-112publ199.
38. 10 C.F.R. § 73 (2022). URL:https://www.govinfo.gov/app/details/CFR-2022-title10-vol2/CFR-2022-title10-vol2-part73.
39. 15 U.S.C. § 78u-6 (2021). URL:https://www.govinfo.gov/app/details/USCODE-2021-title15/USCODE-2021-title15-chap2B-sec78u-6.
40. 17 C.F.R. § 240.21F-7 (2022). URL:https://www.govinfo.gov/app/details/CFR-2022-title17-vol4/CFR-2022-title17-vol4-sec240-21F-7.
41. 17 C.F.R. § 248.201 (2020). URL:https://www.govinfo.gov/app/details/CFR-2020-title17-vol4/CFR-2020-title17-vol4-sec248-201.
42. 17 C.F.R. § 248.30 (2013). URL:https://www.govinfo.gov/app/details/CFR-2013-title17-vol3/CFR-2013-title17-vol3-sec248-30.
43. 18 U.S.C. § 1514A (2021). URL:https://www.govinfo.gov/app/details/USCODE-2021-title18/USCODE-2021-title18-partI-chap73-sec1514A.
44. 31 U.S.C. § 3729 (2021). URL:https://www.govinfo.gov/app/details/USCODE-2021-title31/USCODE-2021-title31-subtitleIII-chap37-subchapIII-sec3729.
45. 48 C.F.R. § 3.9 (2021). URL:https://www.govinfo.gov/app/details/CFR-2021-title48-vol1/CFR-2021-title48-vol1-part3-subpart3-9.
46. 48 C.F.R. § 39.101 (2021). URL:https://www.govinfo.gov/app/details/CFR-2021-title48-vol1/CFR-2021-title48-vol1-sec39-101.
47. 5 U.S.C. § 7 (2011). URL:https://www.govinfo.gov/app/details/USCODE-2011-title5/USCODE-2011-title5-app-inspector-sec7.
48. 5 U.S.C. § 2302 (2021). URL:https://www.govinfo.gov/app/details/USCODE-2021-title5/USCODE-2021-title5-partIII-subpartA-chap23-sec2302.