• knausk (7/28/2014)


    Have there been any clear legal decisions where the IT worker was held in error or legally responsible for failing to report security issues outside the company if the company refuses to fix problematic practices or if the worker fails to report it up the management hierarchy?

    Put another way, is there case law that says what your duties are, when and where you must report security issues?

    Legal decisions are made in the courts; the law applies long before then. In the example we looked at in the seminar I was at, the FBI agent agreed that if you found evidence of a crime involving computers, the information pertaining to that crime is now on your PC, and therefore you could be charged as an accessory, or you could be charged with covering up a crime. The minute you become aware of computer crime and do not report it you put yourself at risk.

    The question isn't whether anyone has been charged. The question is what options the individual had, and reporting it to the authorities is by far the best option when the corporation ignores you.

    Dave