The Sarbanes-Oxley Act, which caused Boeing so much grief a decade ago with auditors, courts, and their own employees, was only aggravated further by misunderstandings between the auditors and the regulatory board. Boeing did a poor job handling the whole situation in my opinion because they continued to carry on in violation of the law with their day-to-day activities without making fixing the issue a priority. From the top down, they justified this to themselves by arguing that their external consultants were disagreeing and that they kept trying to hit a moving target, but they never seemed to address the root cause of the problem. Although, as the Seattle P-I article claims, “experts did not agree on who was at fault; they blamed too-vague federal rules, too-picky auditors, too-complacent Boeing and every possible combination of each,” there seems to me to be a simple solution to the issues they were having at Boeing. Starting in 2002, begin an assessment of what you need to be in compliance with in 2004 and where you are falling short. Once you find out what you are not in compliance with, fix it by hiring who you might need to hire. Rather than scrambling in 2004 to get the right reports out and putting all sorts of confusing, misdirected stress on your IT employees, Boeing should have explored the causes of the problems, and hired to meet those needs. This, as is evident in the readings, may have been easier said than done. But let’s step back for a minute. Boeing is a big, rich company. Rather than hiring a bunch of consultants and paying absurd overtime to double, triple, and quadruple check their numbers every year, they could have just as easily hired computer security experts to work with their existing IT teams for 3 years to patch and shore up their systems and practices, and in doing so paid a small overhead compared to the potential losses which SOx was making evident to them.
Boeing put their employees under all of this stress, and gave them too much information by sharing with them the audit findings, which is a liability, rather than working with experts to address the causes of the problem and implement a long-term, eventually money-saving solution.

Unfortunately, the employees who were fired for speaking with the media did not understand their protections under the law, and shared the wrong information with the wrong people. I believe that they were within their rights to share their concerns about the security of their system with people other than their superiors because their superiors seemed to be playing deaf. However, cracking passwords and stealing documents as a proof of concept, then trusting yourself to keep these documents under tight wraps, and holding them up as trophies to the media, is not the right way to go about it. Because of the potential financial harm they caused the company and because of this lack of protection under the laws, their firing was rightful and warranted. Had they shared the information with the appropriate authorities rather than the press, we would have only been talking about this if those authorities had not done anything about it and forced the employees’ hands further. I don’t believe that whistleblowing laws need to be extended beyond where they are now, as these employees had a course of action which protected them from retaliation, but they chose another route and paid the consequences for it. We cannot see the whistleblowers as always being the victim, because the fate of the company, and perhaps their co-workers’ jobs and family incomes, are at stake in these situations. Extending the law so that any employee can go public with any minor concern will create a volatile stock market in which no company is trusted and the media is in a frenzy covering and exaggerating every minor report, all while an employee might just be doing it to get his/her 15 minutes of fame under legal protection. At the same time, companies need to get out of the rut of instant gratification and corner-cutting, because in the long run it costs them more.
A company that realizes this will take whistleblowers seriously, but will likely hear their concerns in a team meeting and address them before that employee feels the need to go public with the concerns.