Millions of individuals and businesses are affected by cybercrime each year, and the number of incidents is on the rise. For companies and government agencies to effectively protect the confidential personal and business information they possess, their employees must alert them to lax cybersecurity standards and cyber vulnerabilities.
Unfortunately, retaliation against employees who blow the whistle on cybersecurity problems is all too common. However, there are state and federal laws that provide legal protections and financial incentives for cybersecurity whistleblowers. The Cybersecurity Whistleblower Protections guide provides a description of the major legal claims and federal whistleblower rewards programs that may be available to employees who report cybersecurity deficiencies. It also offers specific suggestions to help you blow the whistle in a manner that best protects you. Download a free copy of the Cybersecurity Whistleblower Protections manual to get the following information:
Current Protections for Cybersecurity Whistleblowers
A. Federal Statutes Providing Protections to Cybersecurity Whistleblowers
2. Protections for Employees of Banks and Other Depository Institutions
3. False Claims Act Protections
4. Protections for Nuclear Whistleblowers
5. Protections for Federal Government Employees
B. State Laws Prohibiting Wrongful Termination in Violation of Public Policy
1. Federal Law Bases for Public Policy
2. State Law Bases for Public Policy
Rewards for Cybersecurity Whistleblowers
A. SEC Whistleblower Program
B. CFTC Whistleblower Program
C. Qui Tam Lawsuits under the False Claims Act
Things to Think About Before You Blow the Whistle
A. Report a Violation of Law, Not Simply Cybersecurity Vulnerabilities
B. Report in Writing to Someone Who Can Address the Problem
C. Be Careful About Taking Documents
D. Seek Legal Representation
E. If Terminated, Diligently Look For New Work
Frequently Asked Questions
Are you protected against retaliation if you report cybersecurity vulnerabilities to your employer?
The short answer is: it depends. There are no federal statutes specifically designed to offer protections to cybersecurity whistleblowers. Instead, several federal statutes and state laws work together to form a patchwork of protections for whistleblowers who report cyber vulnerabilities in various industries and various contexts.
How can you prove retaliation by your employer?
In most contexts, establishing a claim of retaliation requires that an employee show three elements: (1) she engaged in “protected activity,” i.e., reported or opposed actions that she reasonably believed violated certain federal or state laws or regulations; (2) she suffered an “adverse employment action,” e.g., a termination, demotion, reduction in pay, or discipline; and (3) there was a causal connection between the protected activity and the adverse employment action.
What laws protect cybersecurity whistleblowers from retaliation by their employer?
While many laws may offer protections to cybersecurity whistleblowers in very specific contexts, the statutes most likely to provide cybersecurity whistleblowers with protections against retaliation are the Sarbanes-Oxley Act; the Dodd-Frank Act; the False Claims Act; the Whistleblower Protection Act; and the National Defense Authorization Act. Cybersecurity whistleblowers may also find protections against retaliatory terminations under state laws prohibiting employers from terminating employees for reasons that violate public policy.
Can cybersecurity whistleblowers receive a reward for reporting violations?
Yes. If the cybersecurity vulnerabilities constituted or led to violations of securities laws, the whistleblower could be entitled to rewards under the SEC Whistleblower Program. If the issues identified by the cybersecurity whistleblower concerned violations of the Commodity Exchange Act and related regulations, the whistleblower could earn a reward through the CFTC Whistleblower Program. Finally, if the cybersecurity issues implicated a contract the whistleblower’s company had with the federal government, and were sufficiently serious to constitute fraud against the government, the whistleblower could be entitled to an award under the qui tam provisions of the False Claims Act.
How long do you have to report a data breach [cybersecurity problem] to be entitled to a whistleblower reward?
The answer to this question depends on the whistleblower reward program at issue. The statute of limitations for violations that would form the basis of a submission to the SEC or CFTC Whistleblower Programs is generally five years. Claims under the False Claims Act must be brought within six years of the date the company committed the violation. In all cases, however, the whistleblower should not unreasonably delay reporting her concerns, as failing to promptly report the issues could negatively impact the size of the whistleblower’s award.
Can you be fired for reporting a cybersecurity incident?
There is no question that you can be fired. However, as set forth above, a number of statutes legally prohibit employers from terminating an employee for reporting cybersecurity concerns, meaning that if they do so, they could be subject to legal liability.
Can I be a whistleblower if I signed an NDA to protect intellectual property?
Yes. The SEC and CFTC have both issued regulations prohibiting employment agreements that would constrain a whistleblower’s ability to report violations of the laws underlying those programs to the government. Similarly, courts interpreting the False Claims Act have repeatedly held that employment agreements purporting to constrain an employee from using confidential information to evidence a violation of the False Claims Act are not enforceable.
What if I already reported violations and nothing was done?
If your employer is failing to address your reasonable concerns of cybersecurity vulnerabilities, you should consider contacting an attorney to evaluate whether those concerns could form the basis for a submission to a whistleblower reward program. If they cannot, but the concerns are serious, you should also discuss with your attorney whether you could report your concerns to an appropriate federal or state agency to notify a regulator of the cybersecurity issues.
If you believe you have information about cybersecurity violations – or you have provided such information and were retaliated against as a result – contact the nationally recognized whistleblower attorneys at Katz, Marshall & Banks, LLP. Your communications with us are confidential and without charge or further obligation.
To learn more about Cybersecurity Whistleblower Protections and Katz, Marshall & Banks, view the following:
- Cybersecurity Whistleblower Practice
- Can Cybersecurity Whistleblowers Receive Monetary Awards from the SEC?
- Study Finds Gap Between Executive Awareness and Cybersecurity Reality
Our Whistleblower blog also provides additional information and recent news.