Your company’s security controls are lacking, and a high-level employee in IT is naturally worried – he’s addressed his concerns a number of times. Employees are regularly transmitting unencrypted information, sharing passwords and using non-compliant cloud services to share data and sensitive client-side IP. This doesn’t seem overly alarming; we’ve all made similar mistakes, so the comments fall on deaf ears and operations continue. A few months later, however, the employee becomes increasingly vocal, so senior management decides to let him go. Problem solved. Or…the problem might just be beginning.
Companies that ignore (and retaliate against) employees who address cybersecurity vulnerabilities can face significantly increased liability resulting from a new breed of whistleblower claims – cyber whistleblowing. With cyber regulatory oversight increasing at a rapid rate, these claims are poised to increase as well. While no federal laws specifically protect cybersecurity whistleblowers, existing anti-retaliation provisions are often broad enough to cover employees who raise information security concerns. Most notably, federal statutes prohibiting retaliation against corporate whistleblowers and employees who report misconduct in connection with federal funds, as well as state wrongful discharge actions, may apply to cybersecurity whistleblowers.
Federal Statutes Prohibiting Retaliation as a Source of Cyber Whistleblower Protection
The Sarbanes-Oxley Act (“SOX”) protects employees of public corporations who report a wide range of misconduct, such as shareholder fraud or other violations of securities laws. Cybersecurity issues often fall within this broad coverage. For example, public corporations must maintain adequate internal controls to ensure the company knows the disposition of its assets (including intangible assets like proprietary or confidential business data). SOX requires public corporations to disclose whether those internal controls have any material weaknesses. Blowing the whistle on materially deficient internal controls is protected under SOX. Internal controls include policies and procedures pertaining to the prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could materially affect its financial statements. Cybersecurity policies and procedures specifically aim to prevent and detect the misuse and improper disposition of electronically stored information, so they could qualify as internal controls. In short, employees of public corporations who suffer retaliation for disclosing cybersecurity concerns may have a statutory cause of action under SOX.
The Dodd-Frank Act’s (“DFA”) whistleblower protections often overlap with the SOX anti-retaliation provision. However, the DFA may also protect employees of private firms if the disclosed cybersecurity concerns amount to a material misrepresentation in connection with the purchase or sale of securities or violations of other applicable securities laws.
Employees of companies doing business with the federal government enjoy even broader protections under the False Claims Act (“FCA”) and the National Defense Authorization Act (“NDAA”). The FCA prohibits an employer from retaliating against an employee who opposes false claims on the government. Virtually every federal contractor has cybersecurity obligations, regardless of whether the contract directly pertains to cybersecurity. For example, in May 2016 the U.S. Department of Defense, the General Services Administration, and NASA published a joint rule establishing basic information security requirements for many federal contracts, regardless of the particular work to be performed… The implied certification theory of liability holds that a company has violated the law if, when submitting a claim for payment, it falsely represents that it has complied with all material terms of the contract. This representation need not be explicit, but rather may be inferred. The violated terms need not deal specifically with the subject of the contract. In other words, if cybersecurity issues are a material term of the contract, it does not matter whether the contract is to provide IT services to the government or to produce bus seats. If considered material to the contract, breaching these obligations can cause a company to violate the FCA when it tries to get paid, even if it has performed the primary work. A cybersecurity whistleblower who has reported such a breach could be considered to have opposed false claims. Accordingly, retaliation against an employee who blows the whistle regarding cybersecurity issues on federal contracts could give rise to a statutory retaliation claim under the FCA.
The NDAA’s whistleblower protections go even further, prohibiting retaliation against an employee for disclosing any violation of law, rule, or regulation related to federal contracts or grants. The protections also extend to employees who report abuses of authority, gross mismanagement, or gross waste in relation to federal contracts or grants. Finally, the NDAA protects disclosures of substantial and specific dangers to public health or safety. Many federal rules and regulations potentially apply to federal contractors and grantees with regard to cybersecurity issues, such as the one discussed above. Therefore, a cybersecurity whistleblower could likely be protected under the NDAA if her employer receives federal funds.
State Wrongful Discharge Actions as a Source of Cyber Whistleblower Protection
For employers, state wrongful discharge actions may be the most vexing source of cyber whistleblower protections. State wrongful discharge actions vary considerably from jurisdiction to jurisdiction. Because “public policy” defines the scope of protected activity, it can be difficult to determine with certainty whether any particular disclosure is covered. Additionally, some state wrongful discharge actions permit punitive damages. Further, unlike the federal statutes discussed above, these actions can apply to all employers. While preventing and assessing potential exposure under these claims can be more difficult, it is a task that no company should ignore.
For example, a sole proprietorship receiving no federal funds in a state that has no specific cyber whistleblower law, like Maryland, may mistakenly believe it is in the clear. However, although Maryland has no specific cyber whistleblower law, it does have a common law wrongful discharge action. That action protects employees from retaliation for refusing to violate the law or for meeting a statutory obligation. The Maryland Personal Information Protection Act (“MPIPA”) requires covered businesses to notify consumers in the event of certain data breaches. A company understandably may be reluctant to make such a disclosure. However, if the company terminates an employee for refusing to conceal a data breach in violation of MPIPA or for notifying consumers in compliance with MPIPA, it may face a retaliation claim. Under certain circumstances, an employee can recover punitive damages for wrongful discharge in Maryland.
The Increase in Cyber Whistleblowing and Attendant Regulator Oversight
Cyber whistleblowing claims are relatively new, so many organizations are unaware of their existence, and the fact that many of these claims are pursued and resolved quietly leaves many corporations and their directors in the dark. In addition, many companies that have yet to experience a breach likely believe that their current cyber controls are sufficient, resulting in executives taking a somewhat passive-defiant stance against the ever-growing security requirements that, to them, may seem overbearing. Even when the risk is understood, the time, costs and resulting downtime required to implement stronger controls often act as a deterrent to implementation.
However, regulators have recognized the growing importance of cybersecurity and are steadily increasing cyber oversight. They are also more frequently looking to whistleblowers to augment their oversight and enforcement capabilities. When a company ignores its employees’ concerns about cyber risks, those employees can receive potentially huge awards for bringing their concerns to law enforcement officials.
In short, silencing cybersecurity concerns invites whistleblower retaliation claims, and ignoring them invites regulators’ scrutiny. There is good news, however. Following common sense and general best practices for dealing with employees’ concerns can often help avoid these claims. Such measures include formal mechanisms for receiving and following up on employee concerns, meaningful human resources and compliance programs, written policies, and management training.
Dallas Hammer is Of Counsel at Zuckerman Law and chairs the firm’s Whistleblower Rewards Practice Group. Evan Bundschuh is a partner and commercial lines head at GB&A, an independent insurance brokerage located in New York focused on insurance programs and risk management solutions for tech companies, financial and professional services, manufacturers and product-based businesses. This post is the first part of a two-part post by the authors.
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.