Cybersecurity Whistleblower Protections Explained
Cybersecurity professionals play a crucial role in protecting our national security and personal information from theft and misuse. Unfortunately, they can face retaliation when delivering unwelcome news to their companies or agencies. View the video below, featuring Katz, Marshall & Banks partners Alexis Ronickher and Debra Katz, to learn about the legal protections that are available to cybersecurity whistleblowers and what type of reward programs might apply.
To learn more about cybersecurity whistleblower protections and Katz, Marshall & Banks, view the following:
KMB Cybersecurity Whistleblower Practice
KMB Cybersecurity Whistleblower Protection Guide
Can Cybersecurity Whistleblowers Receive Monetary Awards from the SEC?
Study Finds Gap Between Executive Awareness and Cybersecurity Reality
Hi. I'm Debra Katz, a founding partner at Katz, Marshall and Banks, the D.C.-based civil rights firm that specializes in the representation of whistleblowers. Today I'm with my partner, Alexis Ronickher, who specializes in the representation of cybersecurity whistleblowers.
So we're going to be discussing today the rights that cybersecurity whistleblowers have from retaliation in the workplace.
Why is this such an important area of the law now?
Cyber crime and cybersecurity are crucial issues right now in our country. And even our national security is at issue, as we learned with the hacking of the OPM personnel information. And now with this new development with Russian hacking to try to get …
People have had their private medical information taken as well.
Exactly. So it's not just identities and social security numbers. But the size of the problem is so vast, and it's evolving constantly with cloud computing and mobile devices and the internet of things, that law enforcement and regulators aren't going to be able to keep up with it. So they prioritize what needs to be addressed. But that means that for the everyday type of hacking and theft, companies and organizations and the government are left protecting our most personal information that they hold. And for that to work, the employees on the front lines in these organizations are the ones who need to be there ringing the bell on lax cybersecurity and vulnerabilities that jeopardize everyone.
So what kinds of rights do these individuals have starting from people who come to us because they have not yet suffered termination, but they know it’s in the offing versus people who have actually been fired? What do you do to assist these people?
People find themselves in the position of being a whistleblower at different stages. And they come to us at different stages. Now, most Americans would be surprised to know that there aren't particular, specific laws that are designed to protect cybersecurity whistleblowers. There are laws that protect aviation and environmental and even nuclear whistleblowers. Banking whistleblowers. But not cybersecurity whistleblowers.
And so people come to us and they're afraid and they know that they're about to have to report something that's going to likely get them fired. Or they have reported something and they find themselves fired. And what we can do is find out the information they have in their specific circumstances and figure out which of the patchwork of laws we can use to find protections. And there are protections for these cybersecurity whistleblowers. It has to be done the right way. So when someone comes to us not yet having blown the whistle, we can make sure that the way they do it protects them in the best way possible. That if they work for a publicly traded company that we make it clear that it's not just an IT issue when they report, but that they're talking about fraud. Or they're talking about securities violations. If they're working for a government contractor, we make sure that they reference the right codes or the right regulations and standards that the government requires and say we're not meeting what our contract says.
So let's go back to people in publicly traded companies. Why is that different than people in the private sector who are raising cybersecurity issues?
There are protections for both. But for employees of a publicly traded company or its wholly-owned subsidiaries, affiliates and certain contractors, there's a law called Sarbanes-Oxley and another law called the Dodd-Frank Act that have created whistleblower protections for those employees who raise issues of fraud and securities violations.
Now for most people you might not see the interconnection between cybersecurity and fraud and securities violations, but given the integral nature of cybersecurity in American businesses - you know we talked earlier about how it’s millions of dollars a year - the Securities and Exchange Commission has made very clear that cybersecurity – and not disclosing your situation, breaches, vulnerabilities – is a securities violation depending on the circumstances. Because it could have an enormous effect on the value of a company if in fact there are breaches.
Right, so I mean we saw with Home Depot and Target that it absolutely, it's a huge matter. But it's not just consumer financial information. Companies have their intellectual property hacked that is the lifeblood of a company.
If you have a pharmaceutical company that's publicly traded and the information on one of their drugs that was not yet released gets hacked, that means that one of their most marketable assets – one of the things that's going to bring the most value to shareholders – is now vulnerable. And that needs to be disclosed in some manner so that investors are making the right decisions, or reasonable decisions. And so that's why the SEC has gotten involved and that's why Sarbanes-Oxley and Dodd-Frank are such powerful vehicles for employees of publicly traded companies or their subsidiaries.
What about employees who just work in small companies or not publicly traded companies, who are cybersecurity officials? What kind of legal protections do they have if they raise concerns about problems with cybersecurity at their companies?
For an employee at a private company, it's a little more patchwork. It depends for many people, but there's definitely coverage, and it just depends on where you are. So if you're in a state that has laws protecting cybersecurity and you blow the whistle on that, then you'll be protected under that state law. Not all states have it, but many do – protection from whistleblower retaliation.
And it also depends on the sector. Banking employees have a specific protection for reporting any violation of law. And so if you're a bank employee – even for a private bank – you have this specific whistleblower law. As I said, if you're a federal contractor that's not publicly traded, there's the False Claims Act, which might provide coverage.
There are a lot of different laws, and it's just finding the right one that covers you, and also making sure that you frame your report so it's not just phrased in the most natural way for some people, which is their specialty – which is "there's a cyber vulnerability and I'm reporting this IT issue" – but broadening it to encompass a law that might protect them.
That brings us to one of the other pieces of being a whistleblower, which is the potential for providing information to the government and receiving an award for that information.
It is not going to be in every cybersecurity whistleblower context, but for those who have information about regulated companies like publicly traded companies, they may have information that the SEC would find valuable for an enforcement action. If they provide that information and participate in that whistleblower rewards program, they may be eligible for an award between ten to thirty percent of the monies brought in from that enforcement action.
We often say that federal sector whistleblowers are the eyes and ears of the citizens of this country. And I think we anticipate seeing cybersecurity workers playing an increasingly important role in federal agencies and keeping data safe in all sorts of areas – from the Department of the Treasury to the Department of Energy and Homeland Security.
What kind of rights protect federal sector whistleblowers?
Federal sector whistleblowers actually have very robust rights as whistleblowers. There's a statute called the Whistleblower Protection Act, amended in the last decade to be even more robust. That first allows whistleblowers to disclose information – as long as it's allowable by law – about violations of law, and also fraud, waste and abuse, and any kind of jeopardy to public safety and health, and cybersecurity fits right in there. And so then what's prohibited is their supervisors and the agency they work for taking prohibited personnel actions, which is not just termination; it's demotion, a transfer that's negative. There's a long list, including sidelining and taking away their security clearance. So there's a lot of protection there.
Can you talk a little bit about what Qui Tam actions are and how that may be something that cybersecurity whistleblowers can be pursuing?
Absolutely. So there's a law – a federal law, the False Claims Act – which not surprisingly prohibits defrauding the government when you are submitting bills to be paid for work you've been doing. Whether it's in the healthcare arena when someone bills Medicare or Medicaid, or a defense contractor providing a fighter jet, you can't defraud the government. It has an interesting mechanism for this, which is to incentivize individuals who know about the fraud to inform the government. The government and that individual pair up to try to prove the fraud and get the money back. If they are successful, the individual, who is known as a relator, can get between fifteen and thirty percent.
There are also protections preventing retaliation.
Exactly. So it's a double win for a whistleblower.
How does that relate to cybersecurity in a medical context?
Obviously there's a lot of regulation. HIPAA, as well as other cybersecurity-related regulations that companies, when submitting bills, may certify to, and that they may also just be required to follow – and those can possibly be a basis. In the defense contracting arena, there are very specific rules now related to cybersecurity that they are required to follow. So all of these may form the basis of a Qui Tam action. They certainly form the basis of a protection-from-retaliation action. But it's essential that the whistleblower comes to an attorney to really assess the viability.
One of the things that we do at our firm, which is different than perhaps other Qui Tam firms, is we look at the employee's issue somewhat holistically. Because there's an important piece to this. There may be an ability to go to certain bounty programs. But for us, people come to us because their jobs – their livelihood – are at issue, and they obviously want to do the right thing, and if they're losing a lot of money, they don't mind the incentive of these reward programs. But more than anything, they want to protect this career that they have fostered, that they've worked so hard for and that their family often depends on.
When we have a cybersecurity whistleblower come to us, we understand that this is an industry – it’s tightly knit. Blowing the whistle was not always viewed positively. As it should be. It should be viewed positively, but it's not always. And so we work to resolve it in a way that's going to protect their career. That ideally is a private manner. That is resolved so that the person can move on. But if there is a Qui Tam piece to this or a SEC piece, we also know how to handle the employment piece – and that rewards piece at the same time – without jeopardizing either.
One of the things that you have done is you have written a very comprehensive manual for cybersecurity whistleblowers. Why would you do such a thing in your otherwise very busy life?
Well, I thought this was important to have out there: a resource for whistleblowers, because so often they find themselves in a position where they don't know if they're really a whistleblower. They realize that something's happening, but they don't know if there are protections for them. And there are ways that they can protect themselves from the very beginning, even before they have a chance to reach out to a lawyer. So it's to educate the whistleblower about what the protections are, how they can frame those protections, and hopefully to encourage them about the importance of finding a lawyer who knows what they're doing to help them. So it provides a blueprint and information that should be useful to them in framing their situation.
I really appreciate that you wrote this, as a colleague and as somebody who represents these people, because I think that one of the real values of your manual is it empowers people, because they know that they're doing very important things. The issues that they're raising in the cybersecurity space are vital in many respects: public health, safety, financial security, and international security. And it will be increasingly relevant over time.
So thank you for that work. I hope people actually check out your manual and use it. I think it provides really key advice on how to protect themselves in these situations.