What Laws Protect and Reward Whistleblowing About Cybersecurity?
With cybersecurity becoming a topic of ever-increasing visibility and importance, information security professionals may ask what protection they have when they make potentially unpopular disclosures of cybersecurity issues. Though no whistleblower retaliation statute deals directly with the topic, the Sarbanes-Oxley Act will often protect cybersecurity professionals who work directly for public corporations or those corporations’ service providers. Yet further, the Dodd-Frank Act could allow information security workers to receive a whistleblower reward for reporting cybersecurity concerns to the SEC or CFTC, in some cases.
However, the relationship among cybersecurity issues, SOX, and the Dodd-Frank Act is not yet clearly defined. Accordingly, information security professionals should educate themselves about whistleblower protections. Doing so could make the difference between being protected, receiving a whistleblower reward, or suffering retaliation without recourse.
What Does Sarbanes-Oxley Protect?
In relevant part, Section 806 of the Sarbanes-Oxley Act forbids a covered employer to “discharge, demote, suspend, threaten, harass, or in any other manner discriminate against an employee” because of any lawful disclosure or act “regarding any conduct which the employee reasonably believes constitutes a violation of”:
- Mail fraud;
- Wire fraud;
- Bank fraud;
- Securities or commodities fraud;
- Any SEC rule or regulation; or
- Any provision of Federal law relating to fraud against shareholders.
18 U.S.C. § 1514A.
Are Disclosures of Cybersecurity Issues Be Protected Under SOX?
Disclosures of information security issues absolutely can be protected under SOX. As noted above, SOX protects disclosures relating to one (or more) of six categories of violations. Disclosures of cybersecurity issues can fall under that umbrella in myriad ways. I will describe just three of those scenarios.
Material Misrepresentation About Cybersecurity Can Violate SEC Rule 10b-5
A corporation’s failure to accurately disclose cybersecurity issues could violate SEC Rule 10b-5. See 17 C.F.R. § 240.10b-5. In relevant part, the rule states:
It shall be unlawful for any person … [t]o make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading…in connection with the purchase or sale of any security.
Shareholders or the SEC can bring actions against corporations that violate this rule. To do so, the SEC must prove that the corporation: 1) made a material, 2) misrepresentation and/or omission, 3) in connection with the purchase or sale of securities, and 4) the corporation had scienter. In addition to the foregoing, shareholders must also show: 1) reliance, 2) loss causation, and 3) damages. See, e.g., Halliburton Co. v. Erica P. John Fund, Inc., 134 S.Ct. 2398, 2407 (2014).
Shareholder Fraud and Regulation S-K Item 503
A corporation’s failure to disclose cybersecurity issues that create significant risk factors for the corporation could constitute shareholder fraud. Regulation S-K prescribes certain disclosures that a corporation must include in its public filings, such as its annual report (10-K) and its quarterly report (10-Q). 17 C.F.R. Part 229. Item 503(c) of SEC Regulation S-K requires a corporation to disclose risk factors and discuss the most significant factors that make an offering speculative or risky. 17 C.F.R. Part 229.503(c). This includes the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. Division of Corporation Finance, U.S. Securities & Exchange Commission, CF Disclosure guidance: Topic No. 2, Cybersecurity (Oct. 13, 2011).
Hundreds of corporations disclose generalized cybersecurity risks in their public filings. If they do so while failing to disclose known actual risks, such as knowledge of an actual breach, the omission can give rise to a shareholder fraud action. See Matrixx Initiative, Inc. v. Siracusano, 131 S.Ct. 1309 (2011).
Shareholder Fraud and Regulation S-K Item 303
A corporation’s failure to disclose cybersecurity issues that materially affect the corporation’s financial condition and operations could constitute shareholder fraud. Item 303 of Regulation S-K requires a corporation to discuss its financial condition, changes in financial condition, and results of operations. 17 C.F.R. § 229.303. Four observations about Item 303, known as Management Discussion & Analysis, are particularly relevant to our discussion:
- One of Item 303’s main purposes is to provide information about the quality of, and potential variability of, a company’s earnings cash flow, so that investors can ascertain the likelihood that past performance is indicative of future performance, SEC Staff, Report on Review of Disclosure Requirements of Regulation S-K 8-10 (December 2013);
- Corporations must describe any known trends or uncertainties that have had or that the corporation reasonably expects will have a material impact on net sales or revenues or income, 17 C.F.R. § 229.303(a)(3);
- Corporations must describe any unusual or infrequent events, transactions, or significant economic changes that materially affected the amount of reported income; and
- Corporations should address events or uncertainties that could affect past or future operations, 17 C.F.R. § 229.303 (instructions).
A corporation’s failure to disclose under Item 303 can give rise to an action for shareholder fraud. See Stratte-McClure v. Morgan Stanley, 776 F.3d 94 (2nd Cir. 2015). But see In re NVIDIA Corp. Securities Litigation, 768 F.3d 1046 (9th Cir. 2014).
And though the law provides a safe harbor for such forward looking statements, if misleading statements or omissions of fact are included in forward looking statements the corporation will not be insulated. E.g., In re Harman Int’l Indus., Inc. Securities Litigation, No. 14-7017, 2015 WL 3852089 (D.C. Cir. June 23, 2015). In other words, a “warning that identifies a potential risk, but ‘impl[ies] that no such problems were on the horizon even if a precipice was in sight,’ would not meet the statutory standard for safe harbor protection.” Id. at *9 (internal citations omitted).
Material Weaknesses in Internal Controls Under SOX Sections 302 and 404
Even if a corporation makes no mention of cybersecurity in its public filings, it may violate Sections 302 and 404 of the Sarbanes-Oxley Act if it fails to disclose material weaknesses in its internal controls related to information security. Section 302 of SOX requires a corporation’s CEO and CFO to personally certify the accuracy and completeness of financial reports, and they must assess and report on the effectiveness of internal controls around financial reporting. 15 U.S.C. § 7241. Section 404 of SOX requires a corporation to assess the effectiveness of its internal controls in its annual reports, and an outside auditing firm must evaluate that assessment. Material weaknesses in those internal controls must be identified. See, e.g., 15 U.S.C. § 7213(a)(2)(A)(iii)(III).
SOX created the Public Company Accounting Oversight Board (PCAOB) to oversee and guide outside auditors in this endeavor. 15 U.S.C. § 7211. In turn, the PCAOB specifically has addressed auditors’ need to examine corporations’ information technology controls as part of their assessment of internal controls. PCAOB Release No. 2007-005A: An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements; PCAOB Release No. 2010-004: Identifying and Assessing Risks of Material Misstatement. In its auditing standards, the PCAOB adopted the framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which also addresses information technology controls.
Thus, a corporation that fails to disclose a material weakness in its information security controls may be non-compliant with SOX.
Shareholder Fraud, Internal Controls, and SOX
For the reasons described above, an information security professional’s disclosure of a public corporation’s cybersecurity issues can be protected under SOX. A corporation failing to disclose information security issues could be committing shareholder fraud or violating SEC rules relating to internal controls. However, these scenarios are far from exhaustive. SOX could protect the reporting of cybersecurity issues under many circumstances.
Is a Disclosure About Cybersecurity Protected Whistleblowing Under the Sarbanes-Oxley Act?
Though cybersecurity whistleblowers can make SOX-protected disclosures, such protection is not automatic. As noted above, SOX protects whistleblowers when they disclose what they reasonably believe to be a violation of one or more of the six enumerated categories. The “reasonable belief” standard is key.
The central inquiry is whether the whistleblower has a reasonable belief that a covered violation has occurred at the time she makes the disclosure. This belief must be subjectively and objectively reasonable. E.g., Van Asdale v. Int’l Game Tech., 577 F.3d 989, 1000-1001 (9th Cir. 2009); Harp v. Charter Commc’ns, Inc., 558 F.3d 722, 723 (7th Cir. 2009); Menendez v. Halliburton, Inc., ARB Nos. 09-002, -003; ALJ No. 2007-SOX-005, slip op. at 12 (ARB Sept. 13, 2011). This means that the whistleblower must know and believe that she is reporting a covered violation, and a reasonable person in the whistleblower’s circumstances must be able to reach the same conclusion. Sylvester v. Paraxel Int’l, ARB No. 07-123, ALJ Nos. 2007-SOX-039, -042, slip op. at 14 (ARB May 25, 2011). Thus, if a whistleblower does not believe she is reporting a violation, or if her disclosure is outlandish or baseless in light of standards like those discussed above, the disclosure will not be protected. For example, the report of a minor information security issue that could have no significant effect on the corporation’s operations may not be protected.
However, it is utterly irrelevant whether the whistleblower communicates that reasonable belief to the employer or puts the employer on notice that she is engaging in protected activity. See Id. at 15-19. Indeed, a disclosure can be protected even if it does not mention fraud, illegal activity, or anything that could reasonably be perceived to be a violation of the six enumerated categories in SOX. Prioleau v. Sikorsky Aircraft Corp., ARB Case No. 10-060 (ARB Nov. 9, 2011).
In Prioleau, the whistleblower disclosed information security concerns. Id. However, at the time of the disclosure, the whistleblower made no mention of SOX or any of the enumerated categories. Id. Rather, the whistleblower reported his concern that two company policies were in conflict regarding a program that automatically deleted e-mails. Id. The Administrative Review Board (an administrative appellate body that reviews SOX claims) reversed an administrative law judge’s decision that the whistleblower failed to engage in protected activity. Id. The board held the disclosures could be protected based on evidence the whistleblower introduced during litigation, which indicated he was aware his disclosures were related to SOX compliance and that his belief was objectively reasonable. Id.
Information security professionals should contact an experienced whistleblower attorney to determine whether SOX covers the disclosures they have made.
What is the SEC Whistleblower Reward Program?
The Dodd-Frank Act created the SEC Whistleblower Program, which provides rewards to whistleblowers who report violations of the federal securities laws to the SEC. Eligible whistleblowers are entitled to an award of between 10% and 30% of the monetary sanctions collected in actions brought by the SEC (or related actions brought by other regulatory and law enforcement authorities).
To be eligible for the reward, the whistleblower must voluntarily provide the SEC with information about a violation of the federal securities laws that has occurred, is ongoing, or is about to occur. The whistleblower’s information must lead to an action that results in more than $1 million in monetary sanctions. Whistleblowers need not be current employees to be eligible, though other limitations can apply.
Whistleblower rewards also exist for those reporting violations of federal commodities laws, fraud on the government, tax underpayment, and fraud affecting banks or other financial institutions.
How Can Cybersecurity Whistleblowers Receive an SEC Whistleblower Reward?
Information security professionals can received rewards under the SEC Whistleblower Program and other whistleblower rewards laws. As discussed above, cybersecurity issues and how corporations deal with them can constitute violations of federal securities laws. And it is a good time to be an information security whistleblower. As I have discussed in a previous blog, the SEC has had a particular focus on cybersecurity for the past few years. As the SEC continues to address the impact to U.S. capital markets and public corporations’ responsibilities to shareholders under the law, this emerging and important topic will likely remain an enforcement focus for the foreseeable future.
Importantly, whistleblowers who are represented by attorneys can remain anonymous when reporting through the SEC Whistleblower Program. Further, cybersecurity professionals can be eligible for awards by providing independent analysis regarding violations of federal securities laws, even if they have no employment relationship with the company.
Experienced Cybersecurity Whistleblower Lawyers
Zuckerman Law has represented cybersecurity whistleblowers, and routinely represents corporate whistleblowers in whistleblower retaliation and whistleblower rewards claims, including in Sarbanes-Oxley whistleblower actions. Dallas Hammer has written extensively about protections for cybersecurity whistleblowers, including the following publications:
- The Rise of Cybersecurity Whistleblowing, NYU Law Compliance & Enforcement Blog (December 2016)
- Cybersecurity Whistleblowing: What Employees at Public Companies Should Know Before Reporting Information Security Concerns, ISSA Journal (June 2016)
Recently, Corporate Crime Reporter interviewed Mr. Hammer about cybersecurity whistleblowing. A summary of the interview is available online at Dallas Hammer on the Rise of Cybersecurity Whistleblowing. And CSO quoted Mr. Hammer in an article titled Cybersecurity whistleblowers: Get ready for more.
To learn more about the SEC Whistleblower Program, download Zuckerman Law’s eBook: SEC Whistleblower Program: Tips from SEC Whistleblower Attorneys to Maximize an SEC Whistleblower Award:
- Tips for SEC Whistleblowers
- Leading SEC Whistleblower Law Firm Featured in Article About Growing Wave of Whistleblower Lawsuits
- SEC Whistleblower Reward Program FAQ
- Auditors’ and accountants’ guide to SEC whistleblower awards
- Whistleblower Protections and Incentives for Auditors and Accountants
- How to Report EB-5 Fraud and Earn an SEC Whistleblower Award
- CFTC Strengthens Anti-Retaliation Protections for Whistleblowers and Improves CFTC Whistleblower Award Program
- SEC Cracking Down on Ponzi Schemes
- SEC Scrutinizes “Fake News” Stock Promotion Schemes
- SEC Whistleblower Program: Exposing Insider Trading
- SEC Awards for Disclosures of Foreign Bribery or FCPA Violations
- Whistleblower Rewards and Bounties for Disclosures of Market Manipulation Schemes
- SEC Targeting Investment Adviser Fraud
- Compliance Personnel, Auditors, Officers and Directors Can Obtain SEC Whistleblower Awards
- Money Laundering and the SEC Whistleblower Program
- International Whistleblower Representation – SEC Whistleblower Attorney
- Anonymous Whistleblowing: Does the SEC Whistleblower Program Protect a Whistleblower’s Identity?
- SEC Awards for Disclosures of Foreign Bribery or FCPA Violations
- Securities Fraud Enforcement Action Prompts the Question: What Was the Company Smoking?
- Compliance Officer Whistleblower Representation
- SEC Whistleblower Program: What is the SEC Form TCR?
- Tale of Two Whistleblowers: Lessons Learned from Today’s SEC Whistleblower Award
- Whistleblowers Help CFTC Obtain Record Penalties for Commodities Fraud
- Report Underscores Importance of Whistleblower Rewards and Protections for Internal Auditors
- SEC Sanctions: Whistleblower Reference Guide
- Protections and Rewards for Cybersecurity Whistleblowers
- CFTC Announces Second Whistleblower Award in 2016 as the Agency’s Whistleblower Reward Program Picks Up Steam
- EB-5 Visa Scandal Underscores the Critical Role Whistleblowers Play in Exposing EB-5 Fraud
- SEC Enforcement Director Touts Success of SEC Whistleblower Program
- SEC Whistleblower Program Not Limited to Corporate Insiders
- SEC Pays $3M Award to Whistleblower
- SEC Draft Strategic Plan Affirms the Importance of the SEC’s Whistleblower Reward Program
- Whistleblower Lawyer Interviewed About SEC Whistleblower Award
- Wall Street Journal Quotes Jason Zuckerman on Dodd-Frank SEC Regulations
- SEC Whistleblower Lawyer Quoted in National Law Journal About SEC Whistleblower Program
- SEC Whistleblower Lawyer Zuckerman Quoted About SEC Whistleblower Award for Independent Analysis
- SEC Whistleblower Lawyer Jason Zuckerman Quoted About Tips for SEC Whistleblowers
- Whistleblower Lawyer Jason Zuckerman Quoted About SEC Whistleblower Award
- Whistleblower Lawyer Interviewed About the Rise of Cybersecurity Whistleblowing
- Whistleblower Attorney Zuckerman Quoted in Washington Post About SEC Order
- Whistleblower Attorney Dallas Hammer Interviewed by Bloomberg About Dodd-Frank Protected Whistleblowing
- SEC Whistleblower Lawyer Zuckerman Quoted About SEC Whistleblower Award for Independent Analysis
- Audit committees need to dig into personal relationships
- Whistleblower Bounties Pose Challenges
- CFO Magazine Quotes Whistleblower Attorney Jason Zuckerman About Dodd-Frank Whistleblower Rules
- Fiscal Times Quotes Jason Zuckerman About Dodd-Frank Act Whistleblower Reward Provisions
- Whistleblower Attorney Jason Zuckerman Quoted About Battle Over Corporate Whistleblower Rules