
Cybersecurity Whistleblower Rewards and Protections for Employees of Federal Contractors and Grantees


Information security and data privacy requirements have become a high priority at federal agencies.  These requirements extend to federal contractors because of their access to government data.  Often, cybersecurity professionals are the first to identify non-compliance with these requirements.  As high-profile data breaches have become more common, those who report violations of cybersecurity and data privacy requirements often experience retaliation and seek legal protection.

Reporting non-compliance or misconduct in the workplace can be necessary, but it can also be daunting.  It is important for cybersecurity whistleblowers to know their legal rights when disclosing such concerns to management or a federal agency, including potential rewards for whistleblowing.

In many cases, federal law protects cybersecurity whistleblowers who work for federal contractors or grantees.  This post provides an overview of those protections.

To schedule a consultation with cybersecurity whistleblower lawyer Dallas Hammer, call us at 571-288-1309 or 202-262-8959.

2021 Civil Cyber-Fraud Initiative

On October 6, 2021, the Department of Justice launched a Civil Cyber-Fraud Initiative, to combat new and emerging cyber threats to the security of sensitive information and critical systems. Deputy Attorney General Monaco announced the purpose of the initiative: “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”

The Civil Cyber-Fraud Initiative will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. The benefits of the initiative will include:

  • Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.
  • Holding contractors and grantees to their commitments to protect government information and infrastructure.
  • Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.
  • Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
  • Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.
  • Improving overall cybersecurity practices that will benefit the government, private users and the American public.

What cybersecurity requirements apply to federal contractors?

Federal contractors are subject to data privacy and information security requirements.

The FY 2022 appropriations law includes a cyber reporting provision that requires companies in critical infrastructure (as defined in Presidential Policy Directive 21) to report a covered cyber incident within 72 hours to the Cybersecurity and Infrastructure Security Agency.

The Federal Information Security Management Act (“FISMA”) creates information security requirements for federal agencies to minimize risk to the U.S. government’s data.  FISMA also applies these requirements to state agencies administering federal programs and to private businesses contracting with the federal government.  Federal acquisition regulations codify the cybersecurity and data privacy requirements applicable to federal contractors.  E.g., 48 C.F.R. §§ 252.204-7008, 7012 (providing for cybersecurity standards in contracts with the U.S. Department of Defense); 48 C.F.R. § 52.204-21 (outlining basic procedures for contractors to safeguard information processed, stored, or transmitted under a federal contract).

Pursuant to the FISMA Implementation Project, the National Institute of Standards and Technology (“NIST”) produces security standards and guidelines to ensure compliance with FISMA.  Key principles of FISMA compliance include a systemic approach to the data that results in baseline controls, a risk assessment procedure to refine controls, and implementation of controls.  A security plan must document the controls.  Those managing the information must also assess the controls’ effectiveness.  NIST also focuses its standards on determining enterprise risk, information system authorization, and ongoing monitoring of security controls.

Essential standards established by NIST include FIPS 199, FIPS 200, and the NIST SP 800 series.  Core FISMA requirements include:

  • Federal contractors must keep an inventory of all of an organization’s information systems.
  • Contractors must identify the integration between information systems and other systems in the network.
  • Contractors must categorize information and information systems according to risk.  This prioritizes security for the most sensitive information and systems.  See “Standards for Security Categorization of Federal Information and Information Systems,” FIPS 199.
  • Contractors must have a current information security plan that covers controls, cybersecurity policies, and planned improvements.
  • Contractors must consider an organization’s particular needs and systems and then identify, implement, and document adequate information security controls. See NIST SP 800-53 (identifying suggested cybersecurity controls).
  • Contractors must assess information security risks. See NIST SP 800-30 (recommending that an organization assess risks at the organizational level, the business process level, and the information system level).
  • Contractors must conduct annual reviews to ensure that information security risks are minimal.

In addition to generally-applicable standards, individual contracts may create other cybersecurity or data privacy requirements for a government contractor.  Such requirements are prevalent when the contractor provides information security products or services for the government.

What protections exist for cybersecurity whistleblowers employed at federal contractors?

Federal law contains whistleblower protection provisions that may prohibit employers from retaliating against whistleblowers who report cybersecurity or data privacy concerns.  See Defense Contractor Whistleblower Protection Act, 10 U.S.C. § 2409; False Claims Act, 31 U.S.C. § 3730(h); NDAA Whistleblower Protection Law, 41 U.S.C. § 4712.  These laws protect a broad range of conduct.

Protected conduct under these laws includes:

  • Efforts to stop false claims to the government;
  • Lawful acts in furtherance of an action alleging false claims to the government; and
  • Disclosures of gross mismanagement, gross waste, abuse of authority, or a violation of law, rule, or regulation related to a federal contract or grant. Id.

These provisions have wide coverage.  They protect any employee of any private sector employer that is a contractor or grantee of the federal government.  In some cases, even the employer’s contractors and agents are protected.

An employer’s non-compliance with information security requirements could breach the employer’s contractual obligations to the federal government and violate federal law and regulation.  Thus, whistleblowers who report cybersecurity or data privacy concerns related to a federal contract or grant may be protected from employment retaliation.

What is the burden to establish unlawful retaliation for reporting cybersecurity concerns?

Exact requirements vary, but an employee typically establishes unlawful retaliation by proving that (1) the employee engaged in conduct that is protected by statute, and (2) the protected conduct to some degree caused a negative employment action.  See, e.g., 10 U.S.C. § 2409(c)(6) (incorporating burden of proof from 5 U.S.C. § 1221(e)); 41 U.S.C. § 4712(c)(6) (same); 31 U.S.C. § 3730(h)(1).

Under some of the applicable protections, an employee need prove only that the protected conduct played any role whatsoever in the employer’s decision to take the challenged employment action.  See 10 U.S.C. § 2409; 41 U.S.C. § 4712.

What damages or remedies can a cybersecurity whistleblower recover for retaliation?

The relief available depends on which laws apply to the particular case.  Remedies may include an amount equal to double an employee’s lost wages, as well as reinstatement or front pay.  In some cases, a whistleblower may also recover uncapped compensatory damages for harms like emotional distress and reputational damage.  Additionally, a prevailing plaintiff can recover reasonable attorneys’ fees and costs.

Recently, a jury awarded a defense contractor whistleblower $1 million in compensatory damages.  According to the jury, the whistleblower proved that the employer more likely than not retaliated by demoting him after he reported issues with tests related to a federal contract.  Specifically, the whistleblower alleged that he reported and opposed management’s directive to misrepresent the completion status of testing procedures.

In a recent case under the False Claims Act, a whistleblower received more than $2.5 million for retaliation she suffered after internally reporting off-label promotion of a drug outside its FDA-approved use.  The False Claims Act protects from retaliation employees who blow the whistle on fraud against the government, including those who blow the whistle internally at a government contractor or grantee.

Have Qui Tam Whistleblowers Obtained Awards for Reporting Cyberfraud?

Qui tam awards for reporting cyberfraud (amount, alleged violations, date, and DOJ press release or media coverage):

  • Amount: $8.6M
    Violations: Qui tam relator Glenn alleged that Cisco sold flawed video surveillance gear to government agencies.  According to the complaint, the video surveillance product was "riddled with serious security defects."
    Date: July 31, 2019
    Media coverage: Cisco whistleblower cybersecurity case brought by Phillips & Cohen settles for $8.6M

  • Amount: $930,000
    Violations: Comprehensive Health Services, LLC agreed to pay $930,000 to resolve allegations that it violated the False Claims Act by falsely representing to the State Department and the Air Force that it complied with contract requirements relating to the provision of medical services at State Department and Air Force facilities in Iraq and Afghanistan.  The United States alleged that, between 2012 and 2019, CHS failed to disclose to the State Department that it had not consistently stored patients’ medical records on a secure EMR system.
    Date: March 8, 2022
    DOJ press release: Contractor Pays $930,000 to Settle False Claims Act Allegations Relating to Medical Services Contracts at State Department and Air Force Facilities in Iraq and Afghanistan

Do any court cases address whether cybersecurity whistleblowers are protected?

Yes.  Judges and juries have applied these laws to protect cybersecurity whistleblowers.

For example, in United States ex rel. Glenn v. Cisco Systems, Inc., defendant Cisco Systems settled for $8.6 million in what is likely the first successful cybersecurity case brought under the False Claims Act.  The plaintiff/relator James Glenn worked for Cisco and internally reported serious cybersecurity deficiencies in a video surveillance system, soon after which he was fired.  Cisco had sold the surveillance systems to various federal government entities, including the Department of Homeland Security, FEMA, the Secret Service, NASA, and all branches of the military.  After monitoring Cisco’s public pronouncements regarding the system and confirming the company had not solved the problems or reported vulnerabilities to customers, Glenn contacted the FBI.  Multiple states joined in the complaint and brought claims under state laws.

While the case did not proceed to litigation, Glenn received nearly $2 million of the settlement, and the federal government’s attention to the issue proves that cybersecurity and data privacy are of utmost importance.

Surely, as more of our lives and businesses move online, the government will place increased importance on contractors and grantees following data security and privacy requirements and disclosing known vulnerabilities.  Cybersecurity whistleblowers working for government contractors play an important part in revealing these vulnerabilities and keeping the federal government secure.  Still, these whistleblowers may experience retaliation after blowing the whistle internally at their place of work.

How can employees enforce these protections from retaliation?

Employees generally have the right to bring claims of unlawful retaliation for cybersecurity or data privacy whistleblowing in federal court.  However, some of these laws limit that right to whistleblowers who first exhaust their administrative remedies.  For example, in some cases, whistleblowers will first need to pursue relief from the Office of Inspector General of the relevant federal agency.  Additionally, cybersecurity whistleblower claims are subject to strict deadlines.  See, e.g., 31 U.S.C. § 3730; 10 U.S.C. § 2409; 41 U.S.C. § 4712.

Cybersecurity Whistleblower Lawyers’ Guide for Cybersecurity Whistleblowers


Remedies for Cybersecurity Whistleblowers Suffering Retaliation

False Claims Act Whistleblower Awards for Cybersecurity Whistleblowers

A cybersecurity qui tam whistleblower can be eligible for a large recovery when they report a government contractor that fails to follow required cybersecurity standards.  But there are many pitfalls and obstacles to proving liability, and there are unique rules and procedures that govern qui tam whistleblower cases.

Therefore, it is critical to retain an experienced cybersecurity False Claims Act whistleblower lawyer to maximize your recovery.  This FAQ provides an overview of some of the key aspects of False Claims Act claims.

Whistleblower Retaliation Laws Protecting Employees of Federal Contractors and Grantees

Courageous whistleblowers who come forward to report fraud deserve robust protection against retaliation.  Below is a list of common questions about key aspects of the anti-retaliation provisions of the False Claims Act and the Defense Contractor Whistleblower Protection Act.

Experienced Washington DC False Claims Act Qui Tam Whistleblower Attorneys Representing Whistleblowers Nationwide

The experienced whistleblower attorneys at leading whistleblower law firm Zuckerman Law have substantial experience representing whistleblowers disclosing fraud and other wrongdoing at government contractors and grantees.  To schedule a confidential consultation, click here or call us at 202-262-8959.

Our experience includes:

  • Representing whistleblowers in NDAA retaliation claims before the Department of Defense, Department of Homeland Security, and Department of Justice Offices of Inspectors General.
  • Litigating False Claims Act retaliation cases.
  • Representing qui tam relators in False Claims Act cases.
  • Representing whistleblowers disclosing fraud on the government in Congressional investigations.
  • Training judges, senior Office of Inspector General officials, and federal law enforcement about whistleblower protections.

In addition, we have substantial experience representing whistleblowers under the Whistleblower Protection Act (WPA) and enforcing the WPA, the law that the NDAA whistleblower provisions are based upon.  Two of the attorneys on our team served in senior positions at the U.S. Office of Special Counsel overseeing investigations of whistleblower retaliation claims and whistleblower disclosures.

Jason Zuckerman served as Senior Legal Advisor to the Special Counsel at OSC, where he worked on the implementation of the Whistleblower Protection Enhancement Act and several high-profile investigations, including a matter resulting in the removal of an Inspector General.

Before hiring a lawyer for a high-stakes whistleblower case, assess the lawyer’s reputation, prior experience representing whistleblowers, knowledge of whistleblower laws and prior results.  And consider the experience of other whistleblowers working with that attorney.  See our client testimonials by clicking here.

Zuckerman Law has written extensively about whistleblower protections for employees of government contractors and grantees, including the following articles and blog posts:

  • Whistleblower Bounties
  • Whistleblower Protections for Employees of Federal Contractors and Grantees
  • SEC whistleblower rules
  • Cybersecurity Whistleblower Protection Under the Defense Contractor Whistleblower Protection Act
  • Whistleblower Protections Under the National Defense Authorization Act (w-008-5821)
  • SEC Whistleblower Rewards for Cybersecurity Whistleblowers

Dallas Hammer represents employees in whistleblower, discrimination, and other employment-related litigation, including representing corporate whistleblowers in claims under the whistleblower protection provisions of the Sarbanes-Oxley Act and Dodd-Frank Act; representing federal employees in adverse action appeals at the Merit Systems Protection Board and claims under the Whistleblower Protection Act, including individual right of action appeals; negotiating severance, separation, and employment agreements; and representing employees in discrimination and retaliation actions, including sexual harassment claims under Title VII of the Civil Rights Act and disability discrimination claims under the Americans with Disabilities Act Amendments Act of 2008.

Jason Zuckerman, Principal of Zuckerman Law, litigates whistleblower retaliation, qui tam, wrongful discharge, and other employment-related claims. He is rated 10 out of 10 by Avvo, was recognized by Washingtonian magazine as a “Top Whistleblower Lawyer” in 2015 and selected by his peers to be included in The Best Lawyers in America® and in SuperLawyers.