When do you have an obligation to go public?
2008-05-29 21:13:01 in StillSecure, After All These Years

No, not IPO public, but public in the sense of disclosing employer secrets that could pose a risk to the public. My friend Martin McKeay has written an article about the recent firing of a TJX employee for disclosing, in a public forum, TJX's continued poor security practices. The same TJX, I might add, whose slipshod security practices caused hundreds of thousands, if not millions, of dollars in bank fraud.

Many have categorized CrYpTiC_MauleR, the employee who disclosed the information on hackers.org, as a "whistleblower". Whistleblower is a term of art, and in many circles it invokes special immunity for the person who disclosed the confidential information. Usually, however, the disclosure is made to a person or entity with the power, or at least the willingness, to take corrective action. In this case, I think that is the missing prerequisite. Just disclosing this information on a public message board does not meet the burden of defining this as whistleblowing. I think Martin is right on there. He says CrYpTiC (if I can call him that) was not a whistleblower in the strictest sense of the word and is not due any protection. He is just another person who violated his employment terms, and his termination by TJX was perfectly justified. Let me say that I don't disagree with Martin about TJX having the right to fire CrYpTiC. They certainly do.

I have a problem with Martin when he says that CrYpTiC should have done what he has done, that is, keep your mouth shut and move on to the next opportunity. I think that, depending on the level of wrongdoing, not only is that wrong, but willfully withholding certain information from the authorities could make you guilty as an accomplice! Think about it, Martin: if you knew your employer was committing a crime and you just quit your job rather than report that crime, you are an accomplice. When does the responsibility for the general good outweigh your obligation to your employer? Is sticking your head in the sand and moving on, while letting illegal or irresponsible behavior go on, the right posture? I say not.

I think CrYpTiC felt strongly enough that what TJX was doing was wrong that he posted it publicly. Though he did it anonymously and did not think it would be traced back to him, he felt strongly enough that what TJX was doing was wrong that he wanted the world to know. When he made that decision, he also made the decision that letting the world know the truth was more important than his job at TJX. I am sure the potential future victims of TJX fraud who will now be spared that loss would thank him for it.

Martin, there comes a time when keeping your mouth shut and moving along does not cut it. You have a duty to alert the proper authorities for the greater good of the public. The question is: when does your duty to disclose surpass your duty to keep your employer's information private? I think that is a personal question that each of us has to answer ourselves. Clearly, criminal activity should be disclosed; otherwise you risk criminal exposure. Beyond that it is a judgment call. But saying not to disclose and just move on is appeasement at its worst.

The real question is why the PCI Council or the government doesn't have a forum for people like CrYpTiC to go to in the future. That is what is needed!
