Blowing the Whistle as a Cybersecurity Professional
Cybersecurity is a fact of business life, but employers are not always pleased when a cybersecurity professional reports a serious and expensive cyber deficiency. Often, instead of addressing the problem, they shoot the messenger and retaliate against the whistleblower.
Surprisingly, there are no specific laws that protect cybersecurity professionals who report their employer’s cyber vulnerabilities or breaches. Nevertheless, cybersecurity whistleblowers can defend against retaliation. They can take advantage of other laws that protect employees from retaliation, even though they were not initially designed with cybersecurity whistleblowers in mind. These include statutes regulating industries that employ cybersecurity professionals and catch-all state law prohibitions against wrongful termination in violation of public policy.
Since these anti-retaliation protections were not originally intended to protect cybersecurity whistleblowers, it is critical for cybersecurity whistleblowers to take certain steps to best position themselves for legal protection. Such steps include articulating the connection between the cybersecurity deficiency and potential legal violations, making the report in writing, and seeking the advice of an experienced whistleblower attorney.
Laws That Protect Cybersecurity Professionals
Sarbanes-Oxley Act and the Dodd-Frank Act: Arguably the broadest protections available for cybersecurity whistleblowers under federal law are provided by the Sarbanes-Oxley Act of 2002 (SOX) and the Dodd-Frank Act of 2010. SOX provides protections to cybersecurity whistleblowers who work for publicly traded companies and their subsidiaries, affiliates, contractors, and subcontractors. Dodd-Frank enhances SOX’s protections by providing those same whistleblowers with more generous remedies, a longer statute of limitations, and the ability to file directly in federal court. It also protects whistleblowers at private companies subject to SEC rules and regulations, such as registered investment firms and advisors.
SOX and Dodd-Frank do not protect employees from retaliation for reporting any kind of wrongdoing or illegality; rather, they cover only those employees who make complaints concerning fraud or securities violations. The connection between securities law and cybersecurity may not be obvious to most cybersecurity professionals, and it may not be present in every case. The U.S. Securities and Exchange Commission (SEC), however, issued guidance in 2011 informing companies of the importance of including disclosures about their exposure to cybersecurity risks in their required public filings. Additionally, the SEC recently announced that it is investigating Yahoo’s failure to disclose in a timely manner the two mega-breaches it announced in 2016.
The False Claims Act: The False Claims Act protects employees who attempt to stop fraud against the government from retaliation. A company’s cybersecurity deficiencies and vulnerabilities can result in fraud against the government if the company knowingly made false representations to the government about its cyber posture. Additionally, Federal Acquisition Regulations (FAR), which govern the federal acquisition process, include cybersecurity standards. Deficiencies or vulnerabilities that violate these standards could constitute fraud against the government.
FIRREA: The Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA) protects employees in the banking industry from retaliation for reporting a possible violation of any law or regulation, as well as any gross mismanagement, waste, abuse, or danger to public health or safety. To gain this protection, however, a whistleblower must make her disclosure to the federal government.
The Energy Reorganization Act: Cybersecurity whistleblowers in the nuclear industry may also be entitled to statutory protections against retaliation under the Energy Reorganization Act of 1978 (ERA). The ERA protects an employee from retaliation for opposing or notifying her employer of, among other things, violations of Nuclear Regulatory Commission regulations, which include specific cybersecurity requirements.
The Whistleblower Protection Act: Federal government employees who raise cybersecurity concerns are likely protected by the Whistleblower Protection Act, as amended by the Whistleblower Protection Enhancement Act. Those statutes prohibit adverse personnel actions against any federal government employee who discloses a reasonable belief about a violation of any law, rule or regulation; about gross mismanagement, a gross waste of funds or an abuse of authority; or about a substantial and specific danger to public health or safety. Lapses in the federal government’s cybersecurity could constitute “gross mismanagement” or a “substantial and specific danger to public health or safety.”
State Law Wrongful Discharge: Cybersecurity whistleblowers who fall outside the scope of federal retaliation protections may still be able to find protection under state laws prohibiting wrongful discharge in violation of public policy. Most states have laws prohibiting employers from firing employees for reasons that violate “public policy,” which, depending on the state, can be based on state or federal laws. There are several federal laws relating to cybersecurity that do not themselves provide protection against retaliation but could serve as a basis for public policy, including the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Communications Act of 1934, and the Federal Trade Commission Act of 1914. As for state laws, states have various data security laws that could provide a basis for public policy depending on the facts of the case.
How to Blow the Whistle
When blowing the whistle, the most critical step that a cybersecurity whistleblower can take to protect herself is to articulate the connection between the cybersecurity vulnerability she is reporting and a legal violation. This is because the law protects whistleblowers who report legal violations or who refuse to engage in unlawful conduct. The link between a cybersecurity vulnerability and a legal violation often is not self-evident. It is critical, therefore, for a cybersecurity whistleblower to articulate clearly that the issue she is reporting is not simply a cybersecurity vulnerability, but also involves actual or potential legal violations. The whistleblower should be as specific as possible about the potential legal violation. Provided the whistleblower has a reasonable belief that the conduct is unlawful, she should be protected even if she is wrong.
If possible, the whistleblower’s report should be in writing, so that there is no question as to the substance of the report. Employers frequently defend themselves against retaliation claims by arguing that the employee never reported legal violations, but rather simply reported an ordinary IT problem. The whistleblower should keep the report as focused as possible, not including complaints about other topics, such as personnel or personality conflicts. Additionally, since the report could become critical evidence if the employer retaliates, the tone should be professional and not insubordinate. The report should be made to someone who can address the problem, such as a supervisor or a compliance officer. That being said, under some laws, a whistleblower is protected only if she reports the problem externally to law enforcement or other appropriate officials.
A whistleblower should be careful about reviewing and taking an employer’s documents. A whistleblower can generally review documents to which she has access in the normal course of business, but if she searches through a document, computer server, or even a filing cabinet that she does not have a right to access, she may be giving the company a non-retaliatory basis for termination. Similarly, if her employer tells her to halt any further investigation or analysis of the matter, the whistleblower generally should comply. Arguments can be made to defend the whistleblower’s further investigation, but the whistleblower will be in the safest position if she fully complies with the employer’s order. If terminated, a whistleblower may be tempted to retain incriminating company documents, but the law governing such conduct is unsettled, so the whistleblower should consult with a whistleblower attorney before doing so.
Ideally a whistleblower will have consulted with an experienced whistleblower attorney prior to blowing the whistle. This helps the whistleblower frame the report in a manner that clearly connects the cyber deficiency with a legal violation. It also informs the whistleblower as to whether internal whistleblowing is protected in her case or whether she needs to report the violation to the government to be protected.
Most whistleblowers, however, do not have that luxury. If a whistleblower finds herself unexpectedly facing retaliation, it is imperative that the whistleblower seek representation immediately. Some laws, such as SOX, require the whistleblower to take legal action within 180 days of the retaliatory act. The whistleblower also should not sign a severance agreement prior to discussing her case with a knowledgeable attorney. Such an agreement will almost surely release all claims the whistleblower has against her employer, and depending on the facts of the case, the whistleblower may have a strong claim for more compensation than the employer initially has offered.