This article first appeared in Security Magazine on April 28, 2020
The COVID-19 pandemic has forced many companies to convert all or nearly all their employees to remote work in efforts to continue operating. While many companies had remote work capabilities in place before, few had the infrastructure to seamlessly host their entire workforce. Within days, companies had to create that ability. Compounding the challenge, this transition is occurring while many of those same companies are taking an enormous economic hit that has forced them to reduce staff to keep their businesses afloat.
Given these rapid adjustments, it is inevitable that major cybersecurity vulnerabilities will arise. The COVID-19 crisis, however, does not provide a blanket excuse for companies to ignore their legal obligations to comply with information security legal requirements, particularly companies in highly regulated industries, such as healthcare, finance and government contracting. Ignoring those obligations will only increase a company’s legal exposure in the future.
Encouraging employees to speak up about cybersecurity vulnerabilities and having a process that provides a place for them to do so is key to mitigating this danger. At the same time, it is imperative that an employee who is thinking about escalating data security concerns understand the scope of the legal protections available to them against retaliation for making such reports.
COVID-19 Related Cybersecurity Vulnerabilities
The list of cybersecurity issues that may arise because of the glut of employees now working remotely is long, but a few examples illustrate the potential severity of the issue. Already there are COVID-19 related phishing attempts, which can infect computers with malware or compromise login credentials. The temptation for remote employees to use their own personal computer systems to complete work tasks will greatly increase the number of “entry points” for malicious users and malware. Other tasks, like the handling of classified information, will become significantly more onerous and may tempt organizations to cut corners to maintain productivity. Even the technology that workers have increasingly turned to in order to facilitate remote work comes with its own data security concerns. Zoom Video Communications Inc. – a company whose business has increased dramatically as a result of the pandemic – has faced increased scrutiny about the security of its video conferences.
Experts warn that cyber criminals have already begun working to take advantage of the COVID-19 pandemic, and there is no reason to believe those efforts will relent over the coming months. Instead of ignoring their cybersecurity vulnerabilities, companies must make the necessary investments to secure sensitive information, which includes empowering their employees to raise concerns and report problems.
Retaliation Fears Can Chill Reports
While employees are the key to identifying cybersecurity vulnerabilities quickly, many companies have failed to create a welcoming environment for whistleblowers. A recent study by HR Acuity found that over a third of employees who identified inappropriate, illegal, or unethical behavior declined to report it. The top reasons those employees cited for not coming forward were that they “didn’t trust it would matter or be handled appropriately” and that they “were afraid of consequences or retaliation.”
In the midst of a pandemic, these fears are likely to be exacerbated. Employees with concerns about cybersecurity vulnerabilities are likely to reasonably fear that management will brush aside their concerns to handle matters that it views as more pressing. For those willing to report despite the fear of inaction, they may still fear retaliation against them if they do not drop the matter once they receive push back from higher ups. At a time when millions of Americans simultaneously face unemployment, even the most stalwart cybersecurity professionals may choose to stay quiet rather than jeopardize their jobs.
Legal Protections for Cybersecurity Whistleblowers
For workers in the information security space to feel empowered to report concerns they identify, they must understand the legal protections available to them. There is no federal statute designed to protect cybersecurity whistleblowers. Instead, there is a patchwork of federal and state laws that work together to protect whistleblowers from retaliation when their reports about data security concerns implicate certain industries or laws.
There are over half a dozen federal and state laws that provide protections to workers in the cybersecurity space—which are detailed in the authors’ Cybersecurity Whistleblower Protections Guide. Three of these avenues of relief, however, are the most commonly available to cybersecurity whistleblowers who face retaliation: the Sarbanes-Oxley Act (SOX), the False Claims Act (FCA), and state wrongful discharge laws.
Broadly speaking, SOX prohibits employers from retaliating against employees of publicly traded companies or their contractors who report fraud or violations of rules and regulations promulgated by the U.S. Securities and Exchange Commission (SEC). A company may commit fraud in the context of cybersecurity by, for instance, materially misrepresenting its cybersecurity capabilities or vulnerabilities to clients, customers, or regulators. With respect to SEC regulations, the Commission issued guidance documents in 2011 and 2018 clarifying the cybersecurity obligations of publicly traded companies under the securities laws. Among other obligations, public companies are required to disclose to investors material information about cybersecurity risks and cyber incidents.
Thus, companies not only must inform investors when they have experienced a cyberattack, but must also notify investors when a circumstance exists that exposes the company to a meaningful risk of such an attack. For example, if a publicly traded financial institution learns that its customers’ data has been hacked during the COVID-19 crisis because it was not able to maintain its data security standards due to remote working, it may need to disclose that to investors. In such a case, a whistleblower may engage in SOX-protected activity by reporting, either internally or to an appropriate governmental authority, that her employer was covering up or mischaracterizing the cyberattack.
The FCA protects employees from retaliation for investigating or opposing fraud against the government. Companies that contract with the U.S. government are subject to a number of cybersecurity standards set forth in a lengthy Federal Acquisition Regulation (FAR). Among these requirements, certain companies that contract with the U.S. government must comply with the standards set forth in National Institute of Standards and Technology (“NIST”) Special Publication 800-171, which includes a detailed set of data security guidelines.
Contractors for the U.S. Department of Defense are subject to even stricter guidelines. Under the FCA, employers are prohibited from retaliating against a cybersecurity whistleblower who attempted to stop a material violation of these guidelines. A hypothetical example of such a protected report could occur in the context of access control, i.e., the process of limiting system access to authorized users and devices, a cybersecurity requirement under NIST SP 800-171. If an employee were terminated for reporting her discovery that her company lacked any practicable method to ensure access control for remote workers and was refusing to address the cybersecurity deficiency, she would have a retaliation claim under the FCA.
For both SOX and the FCA, “materiality” is an important concept for whistleblowers to bear in mind. Courts are likely to find that single-employee violations of cybersecurity rules or policies are not sufficiently “material” – i.e., important – to constitute violations of the relevant statutes and regulations. As a result, a whistleblower who reports that her coworker emailed a file to his personal email address is unlikely to garner protections under the whistleblower laws. Rather, issues that are likely to be material to investors and regulators are those that are either systemic in nature or known to company leadership and highly impactful.
Lastly, state wrongful discharge laws provide a broad catch-all potential avenue for relief for cybersecurity whistleblowers. While state employment laws vary widely, courts in most states have created a cause of action for employees who are terminated for some reason that violates “public policy.” The breadth of what constitutes a “public policy” for the purposes of a wrongful discharge claim is inconsistent among the states. Courts in many states, however, have found that an employer has violated public policy when it terminates an employee because that employee reported a violation of the law. Such claims of wrongful termination in violation of public policy have the potential to extend what constitutes “protected activity” – i.e., activity for which an employee is protected from retaliation – to reports of violations of a wide array of federal and state statutes and regulations.
As just one example, the Health Insurance Portability and Accountability Act, best known as HIPAA, is a federal law that protects health information. The law does not provide a right of action for an employee who is terminated for reporting HIPAA violations to sue in court. Nevertheless, California law protects employees from retaliation for blowing the whistle on violations of both state and federal law. A California employee, therefore, may have a claim for wrongful termination in violation of public policy if she finds herself terminated for reporting that the remote workplace technologies her healthcare employer used failed to adequately safeguard protected health information.
How to Safely Blow the Whistle
Since there is no one law that provides blanket cybersecurity whistleblower protections, it is critical for a whistleblower to frame her reports of cybersecurity vulnerabilities in a way that implicates a legal violation. To do so, the whistleblower must articulate clearly that the issue she is reporting is not simply a cybersecurity vulnerability, but also involves actual or potential violations of law. In doing so, it benefits the whistleblower to be as specific as possible about the potential legal violation.
Since the substance of a cybersecurity whistleblower’s report is critical to garnering legal protections from retaliation, putting the report in writing can provide valuable proof of the protected activity. Employers frequently defend themselves against retaliation claims by arguing that the employee never reported legal violations, but rather simply reported a standard IT problem, complained about a business decision, or merely advocated for an alternative approach. They will not be able to do this if the report is in writing. The tone of the report should be professional, and the report should be made to someone who can address the problem, such as a supervisor or a compliance officer. Reports to coworkers will generally not be sufficient to provide a whistleblower with legal protection. It is also important to remember that under some laws, a whistleblower is protected only if she reports the problem externally to law enforcement or other appropriate government officials.
Finally, a whistleblower needs to be very careful about taking company documents or data, since doing so can backfire and jeopardize the whistleblower’s legal protections. A whistleblower can generally review documents to which she has access in the normal course of business, but if she searches through a document, computer server, or even a filing cabinet that she does not have a right to access, she may be giving the company a non-retaliatory basis for terminating her. A whistleblower may also be tempted to retain incriminating company documents if the company discharges the whistleblower after she has blown the whistle. The law governing such conduct is unsettled, so it is best for a whistleblower to consult with a whistleblower attorney about retaining such company documents.
Whistleblower Rewards Programs
Whistleblowers also should be aware that the SEC and the U.S. Department of Justice (DOJ) administer whistleblower programs that provide rewards to whistleblowers who provide information about violations of the securities laws and fraud against the government, respectively. The viability of these programs for cybersecurity whistleblowers has been reinforced in recent years, with the first cybersecurity whistleblower receiving an award under the FCA in 2019. More information on these programs can be found in the Guide linked above.
The Importance of Legal Representation
All of us are living through a frightening time. Thousands of people are dying, millions of jobs have been lost, and all our lives have been disrupted to varying degrees. During these periods of vulnerability, any cybersecurity professional who finds herself considering blowing the whistle, whether internally or externally, should seek experienced legal representation as soon as possible. If a whistleblower consults with a knowledgeable attorney prior to blowing the whistle, the attorney can advise the whistleblower on which, if any, whistleblower laws might protect her and what she must do to ensure she qualifies for protection.
Legal representation is even more critical if the whistleblower is terminated, and the whistleblower should not sign a severance agreement prior to discussing her case with a knowledgeable attorney. Such an agreement will almost surely release all claims the whistleblower has against her employer, and depending on the facts of the case, the whistleblower may have a strong claim for more compensation than the employer initially has offered.