Cybersecurity Whistleblowers

Cyberattacks pose an extraordinary risk not only to the privacy and financial well-being of consumers, but also to the country’s national security. Data breaches and other risks posed by cyberattacks have risen precipitously over the past two decades, as more and more parts of the economy rely on the internet and as hacking becomes easier to conduct and ubiquitous.

Cybersecurity whistleblowers are critical to defending against this growing threat. The public needs to know that the private companies we entrust with critical tasks – like managing and investing our retirement funds, or storing and transmitting our private information – have someone “on the inside” ensuring the security of our data. Likewise, in a world where technology is developing at rapid rates and the slow-moving government bureaucracy has difficulty keeping up, it is critical that public employees working for agencies responsible for securing our national defense and spending taxpayer money are empowered to be vigilant against lax cybersecurity standards. While cybersecurity whistleblower protection is still developing, Katz, Marshall & Banks attorneys have been leading advocates for strengthened protections.

 What Protections Exist for Cybersecurity Whistleblowers?

Although there are a number of holes in the protections currently afforded cybersecurity whistleblowers – and there are no statutes that explicitly provide protections against retaliation to employees who make such reports – there are a handful of statutes and other laws on which a cybersecurity whistleblower may rely to create an actionable claim for whistleblower retaliation

Employees of publicly traded companies:

The Sarbanes-Oxley Act of 2002 (SOX) provides that no publicly traded company may take an adverse employment action against an employee because the employee complained about activities he or she reasonably believed constituted fraud or a violation of securities laws. The Dodd-Frank Act of 2010 (“Dodd-Frank”) offers enhanced protections to many of the same whistleblowers protected under SOX.

There are two main theories under which a cybersecurity whistleblower at a publicly traded company may reap the protections of SOX or Dodd-Frank. First, complaints alleging fraud on the part of the employer – for instance, intentional misrepresentation of cybersecurity vulnerabilities – should constitute protected activity. See Dietz v. Cypress Semiconductor Corp., ARB Case No. 15-017 (Mar. 30, 2016). Second, various rules of the U.S. Securities and Exchange Commission (SEC) relate to cybersecurity:

(1)Rule 30(a) of Regulation S-P (the “Safeguards Rule”) requires companies to adopt written policies and procedures reasonably designed to protect customer records and information. 17 C.F.R. § 248.30(a).

(2)A company may be failing to meet SEC disclosure requirements with respect to its compliance with cybersecurity norms and standards. 

(3)A company’s failure to disclose cybersecurity risks may represent a failure to disclose material weaknesses in its internal controls. See 15 U.S.C. § 7241; 15 U.S.C. § 7213.

A whistleblower who reports a company for failing to adhere to any of these cybersecurity rules has likely engaged in protected activity under SOX and Dodd-Frank. However, the question of whether Dodd-Frank’s protections extend to internal disclosures, or only disclosures that are made directly to the SEC, is still being debated by federal courts.

Federal government employees:

The Whistleblower Protection Act (WPA) protects public employees from adverse employment actions that occur because they disclosed information relating to unlawful activities or “gross mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety.” Were a federal employee to suffer retaliation because she complained about her agency’s failure to adhere to applicable cybersecurity standards, that action could constitute a WPA violation. Data security standards for the federal government may be found in the Federal Information Security Management Act, 44 U.S.C. § 3541, et seq. (as amended), Office of Management and Budget policies, and National Institute of Standards and Technology (NIST) standards and guidelines as expressed in Federal Information Processing Standards and Special Publications (SP). NIST’s Cybersecurity Framework may also impose requirements on certain federal agencies under Executive Order 13,636.

Other employees:

Employees who are not employed by either the federal government or a publicly traded company may still find protection under state wrongful discharge laws. Most states prohibit to some extent an employer from terminating an employee for reasons that violate “public policy.” Courts typically turn to existing statutory or constitutional law to discern public policy that has already been approved and affirmed by the legislature.

Almost every state that permits a so-called “wrongful discharge in violation of public policy” claim allows such a claim to be based on state law; many states, but far from all, allow such a claim to be based on federal law. Depending on the state, a cybersecurity whistleblower may be able to rely on the following federal laws to form the basis for a claim of wrongful discharge in violation of public policy:

(1)The Health Insurance Portability and Accountability Act (HIPAA). 42 U.S.C. §§ 1320d et seq.  HIPAA includes a section known as the HIPAA Security Rule, which “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.” Cybersecurity whistleblowers reporting their employers’ failure to adequately protect electronic personal health information may have a claim of wrongful discharge in violation of public policy under state law.

(2)The Gramm-Leach-Bliley Act (GLBA). 15 U.S.C. §§ 6801 et seq.  Under the GLBA’s Safeguards Rule, financial institutions are required to “take steps to ensure the security and confidentiality of” consumer data, including “names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers.” Although the GLBA provides no private right of action for retaliation, cybersecurity whistleblowers working at a financial institution who make complaints about their company’s failure to adequately protect customer information, either internally or to an appropriate government agency, may nevertheless have a wrongful discharge claim under state law. 

(3)The Communications Act of 1934. 47 U.S.C. §§ 151 et seq. Three sections of the Communications Act have been interpreted by the Federal Communications Commission (FCC) to require telecommunications companies to meet adequate data security standards: 47 U.S.C. § 201(b); 47 U.S.C. § 222(a); and 47 U.S.C. § 222(c)(1). These provisions impose certain requirements on telecommunications carriers to protect customer information and restrict access to identifiable customer information. A worker in that industry who was retaliated against after reporting her company’s failure to adhere to those standards may have a viable claim for wrongful discharge in violation of public policy.

(4)The Federal Trade Commission Act of 1914 (FTCA). 15 U.S.C. §§ 41 et seq. The FTCA confers authority on the Federal Trade Commission (FTC) to pursue companies for “unfair or deceptive acts or practices in or affecting commerce[.]” 15 U.S.C. § 45(a)(1). The FTCA defines “unfair” practices as those that “cause or [are] likely to cause substantial injury to consumers, which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). The FTC has on multiple occasions exercised this authority against companies who fail to adhere to adequate standards in protecting consumer data, both under the “unfairness prong” and the “deception prong.” Workers who suffer retaliation because they opposed their employers’ misrepresentations about their own data security standards may have grounds to allege that the employers’ actions violated public policy.

Many states have also passed their own cybersecurity laws. For instance, Virginia enacted S.B. 1121 on March 17, 2015, which rendered the directors of state executive agencies responsible for securing their department’s electronic data and required that they comply with Virginia’s “Information Technology Security and Risk Management Program” requirements. California also passed meaningful cybersecurity legislation in 2015 with A.B. 670, which requires the state Office of Information Security to create cybersecurity assessment standards and subject state entities to those assessments on a yearly basis. Whistleblowers who experience retaliation after reporting violations of state cybersecurity or privacy statutes may have a viable claim for wrongful discharge in violation of public policy.

What Should a Cybersecurity Whistleblower Do After Experiencing Retaliation?

Due to the patchwork nature of the law in this area, it is critical that cybersecurity whistleblowers retain experienced counsel to evaluate their claims and assist them in achieving a fair result. Drawing on years of experience in employment negotiation and litigation, Katz, Marshall & Banks strives for resolutions of our clients’ retaliation claims that bring closure to a stressful ordeal and allow for positive movement forward in their careers. If you are a cybersecurity employee who is considering blowing the whistle, or have already done so and are experiencing retaliation, contact the experienced lawyers at Katz, Marshall & Banks, LLP. Your communications with us are confidential, and without charge or further obligation.