Whistleblower Clause does not Require Employees to Contact Regulators

As those who have attended the CTK Training Workshops and Webinars already know, certain regulations require a “whistleblower” clause.

For instance, organizational policies must advise employees on how to respond internally to, and report, potential data security breaches (such as unsecured disposal). The policy must also reassure those same employees that there will be no negative repercussions or persecution for notifying upper management or regulatory authorities of a potential data risk.

This raised a question in a recent CTK Training Webinar: Does the policy have to provide information to employees on HOW to inform the proper regulatory authority of a potential data breach? The answer, according to Kirk Nahra, perhaps the country’s preeminent privacy attorney, is “no.” There is no requirement for any organization to include in its data protection policy instructions for employees to contact regulatory authorities—including which regulatory authority that would be—if the organization is unresponsive to potential data breaches.

This answer is good news not only for customers but for secure destruction companies, which are also legally bound by “whistleblower” provisions.