What Laws Protect and Reward Whistleblowing About Cybersecurity?
With cybersecurity becoming a topic of ever-increasing visibility and importance, information security professionals may ask what protection they have when they raise concerns about inadequate or deficient cybersecurity. The whistleblower protection provision of the Sarbanes-Oxley Act protects certain disclosures about cybersecurity, and other laws provide additional protection. In addition, some disclosures about cybersecurity can qualify for an SEC whistleblower award. The current SEC Chair has announced that cybersecurity is a top enforcement priority for the SEC.
Leading whistleblower law firm Zuckerman Law has substantial experience representing cybersecurity whistleblowers. To learn more about whistleblower rewards or whistleblower protections for information security professionals, call the whistleblower lawyers at Zuckerman Law for a free, confidential consultation at (571) 288-1309. Dallas Hammer, Chair of our Cyber and Information Security Whistleblower Practice, has published a guide for cybersecurity whistleblowers in the Information Systems Security Association Journal titled Cybersecurity Whistleblowing: What Employees at Public Companies Should Know Before Reporting Information Security Concerns.
See our leading guide to cybersecurity whistleblower protections and incentives: Practitioners Guide to Cybersecurity Whistleblowing.
For information about the SEC’s Whistleblower Reward Program, download our free ebook SEC Whistleblower Program: Tips from SEC Whistleblower Attorneys to Maximize an SEC Whistleblower Award and see our column in Forbes: One Billion Reasons Why The SEC Whistleblower-Reward Program Is Effective.
What Does Sarbanes-Oxley Protect?
In relevant part, Section 806 of the Sarbanes-Oxley Act forbids a covered employer to “discharge, demote, suspend, threaten, harass, or in any other manner discriminate against an employee” because of any lawful disclosure or act “regarding any conduct which the employee reasonably believes constitutes a violation of”:
- Mail fraud;
- Wire fraud;
- Bank fraud;
- Securities or commodities fraud;
- Any SEC rule or regulation; or
- Any provision of Federal law relating to fraud against shareholders.
18 U.S.C. § 1514A.
Are Disclosures of Cybersecurity Issues Protected Under SOX?
Disclosures of information security issues absolutely can be protected under SOX. As noted above, SOX protects disclosures relating to one (or more) of six categories of violations. Disclosures of cybersecurity issues can fall under that umbrella in myriad ways. I will describe just three of those scenarios.
Recently a district court held that disclosures about deficient information security controls are protected under SOX. In that case, the whistleblower questioned the reliability of a monthly tie-out process used to ensure that Tyco’s consolidated financial data reported to the SEC agreed with financial data in its general ledger system. In holding that a complaint concerning inadequate internal control over financial reporting can constitute protected activity, the judge noted: “Data security, approvals, and segregation of duties are controls that exist to ensure the accuracy of financial reporting. See Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, Release Nos. 33-8810; 34-55929; FR-77; File No. S7-24-06, 72 Fed. Reg. 35,343 n.27 (June 27, 2007) (“Controls have unique characteristics, for example, they can be: Automated or manual; reconciliations; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; preventing or detecting error or fraud.”).”
Material Misrepresentations About Cybersecurity Violate SEC Rule 10b-5
A corporation’s failure to accurately disclose cybersecurity issues could violate SEC Rule 10b-5. See 17 C.F.R. § 240.10b-5. In relevant part, the rule states:
It shall be unlawful for any person … [t]o make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading … in connection with the purchase or sale of any security.
Shareholders or the SEC can bring actions against corporations that violate this rule. To do so, the SEC must prove that the corporation 1) made a material 2) misrepresentation and/or omission 3) in connection with the purchase or sale of securities, and 4) did so with scienter. In addition to the foregoing, shareholders must also show 1) reliance, 2) loss causation, and 3) damages. See, e.g., Halliburton Co. v. Erica P. John Fund, Inc., 134 S.Ct. 2398, 2407 (2014).
Shareholder Fraud and Regulation S-K Item 503
A corporation’s failure to disclose cybersecurity issues that create significant risk factors for the corporation could constitute shareholder fraud. Regulation S-K prescribes certain disclosures that a corporation must include in its public filings, such as its annual report (10-K) and its quarterly report (10-Q). 17 C.F.R. Part 229. Item 503(c) of SEC Regulation S-K requires a corporation to disclose risk factors and discuss the most significant factors that make an offering speculative or risky. 17 C.F.R. § 229.503(c). This includes the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. Division of Corporation Finance, U.S. Securities & Exchange Commission, CF Disclosure Guidance: Topic No. 2, Cybersecurity (Oct. 13, 2011).
Hundreds of corporations disclose generalized cybersecurity risks in their public filings. If they do so while failing to disclose known actual risks, such as knowledge of an actual breach, the omission can give rise to a shareholder fraud action. See Matrixx Initiatives, Inc. v. Siracusano, 131 S.Ct. 1309 (2011).
Shareholder Fraud and Regulation S-K Item 303
A corporation’s failure to disclose cybersecurity issues that materially affect the corporation’s financial condition and operations could constitute shareholder fraud. Item 303 of Regulation S-K requires a corporation to discuss its financial condition, changes in financial condition, and results of operations. 17 C.F.R. § 229.303. Four observations about Item 303, known as Management Discussion & Analysis, are particularly relevant to our discussion:
- One of Item 303’s main purposes is to provide information about the quality of, and potential variability of, a company’s earnings and cash flow, so that investors can ascertain the likelihood that past performance is indicative of future performance, SEC Staff, Report on Review of Disclosure Requirements of Regulation S-K 8-10 (December 2013);
- Corporations must describe any known trends or uncertainties that have had or that the corporation reasonably expects will have a material impact on net sales or revenues or income, 17 C.F.R. § 229.303(a)(3);
- Corporations must describe any unusual or infrequent events, transactions, or significant economic changes that materially affected the amount of reported income; and
- Corporations should address events or uncertainties that could affect past or future operations, 17 C.F.R. § 229.303 (instructions).
A corporation’s failure to disclose under Item 303 can give rise to an action for shareholder fraud. See Stratte-McClure v. Morgan Stanley, 776 F.3d 94 (2d Cir. 2015). But see In re NVIDIA Corp. Securities Litigation, 768 F.3d 1046 (9th Cir. 2014).
And though the law provides a safe harbor for forward-looking statements, a corporation will not be insulated if those forward-looking statements include misleading statements or omissions of fact. E.g., In re Harman Int’l Indus., Inc. Securities Litigation, No. 14-7017, 2015 WL 3852089 (D.C. Cir. June 23, 2015). In other words, a “warning that identifies a potential risk, but ‘impl[ies] that no such problems were on the horizon even if a precipice was in sight,’ would not meet the statutory standard for safe harbor protection.” Id. at *9 (internal citations omitted).
Material Weaknesses in Internal Controls Under SOX Sections 302 and 404
Even if a corporation makes no mention of cybersecurity in its public filings, it may violate Sections 302 and 404 of the Sarbanes-Oxley Act if it fails to disclose material weaknesses in its internal controls related to information security. Section 302 of SOX requires a corporation’s CEO and CFO to personally certify the accuracy and completeness of financial reports, and they must assess and report on the effectiveness of internal controls around financial reporting. 15 U.S.C. § 7241. Section 404 of SOX requires a corporation to assess the effectiveness of its internal controls in its annual reports, and an outside auditing firm must evaluate that assessment. Material weaknesses in those internal controls must be identified. See, e.g., 15 U.S.C. § 7213(a)(2)(A)(iii)(III).
SOX created the Public Company Accounting Oversight Board (PCAOB) to oversee and guide outside auditors in this endeavor. 15 U.S.C. § 7211. In turn, the PCAOB specifically has addressed auditors’ need to examine corporations’ information technology controls as part of their assessment of internal controls. PCAOB Release No. 2007-005A: An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements; PCAOB Release No. 2010-004: Identifying and Assessing Risks of Material Misstatement. In its auditing standards, the PCAOB adopted the framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which also addresses information technology controls.
Thus, a corporation that fails to disclose a material weakness in its information security controls may be non-compliant with SOX.
Shareholder Fraud, Internal Controls, and SOX
For the reasons described above, an information security professional’s disclosure of a public corporation’s cybersecurity issues can be protected under SOX. A corporation failing to disclose information security issues could be committing shareholder fraud or violating SEC rules relating to internal controls. However, these scenarios are far from exhaustive. SOX could protect the reporting of cybersecurity issues under many circumstances.
SEC Prioritizing Cybersecurity
The SEC’s Office of Compliance Inspections and Examinations (OCIE) announced on February 7, 2018 that the SEC is prioritizing cybersecurity:
Cybersecurity protection is critical to the operation of our markets. The scope and severity of risks that cyber threats present have increased dramatically. The impact of a successful cyber attack may have consequences that extend beyond the firm compromised to other market participants and retail investors, who may not be well informed of these risks and consequences. We are focused on working with firms to identify and manage cybersecurity risks and to encourage market participants to actively and effectively engage in this effort. We will continue to prioritize cybersecurity in each of our examination programs. Our examinations have and will continue to focus on, among other things, governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.
Is a Disclosure About Cybersecurity Protected Whistleblowing Under the Sarbanes-Oxley Act?
Though cybersecurity whistleblowers can make SOX-protected disclosures, such protection is not automatic. As noted above, SOX protects whistleblowers when they disclose what they reasonably believe to be a violation of one or more of the six enumerated categories. The “reasonable belief” standard is key.
The central inquiry is whether the whistleblower has a reasonable belief that a covered violation has occurred at the time she makes the disclosure. This belief must be subjectively and objectively reasonable. E.g., Van Asdale v. Int’l Game Tech., 577 F.3d 989, 1000-1001 (9th Cir. 2009); Harp v. Charter Commc’ns, Inc., 558 F.3d 722, 723 (7th Cir. 2009); Menendez v. Halliburton, Inc., ARB Nos. 09-002, -003; ALJ No. 2007-SOX-005, slip op. at 12 (ARB Sept. 13, 2011). This means that the whistleblower must know and believe that she is reporting a covered violation, and a reasonable person in the whistleblower’s circumstances must be able to reach the same conclusion. Sylvester v. Parexel Int’l, ARB No. 07-123, ALJ Nos. 2007-SOX-039, -042, slip op. at 14 (ARB May 25, 2011). Thus, if a whistleblower does not believe she is reporting a violation, or if her disclosure is outlandish or baseless in light of standards like those discussed above, the disclosure will not be protected. For example, the report of a minor information security issue that could have no significant effect on the corporation’s operations may not be protected.
However, it is utterly irrelevant whether the whistleblower communicates that reasonable belief to the employer or puts the employer on notice that she is engaging in protected activity. See id. at 15-19. Indeed, a disclosure can be protected even if it does not mention fraud, illegal activity, or anything that could reasonably be perceived to be a violation of the six enumerated categories in SOX. Prioleau v. Sikorsky Aircraft Corp., ARB Case No. 10-060 (ARB Nov. 9, 2011).
In Prioleau, the whistleblower disclosed information security concerns. Id. However, at the time of the disclosure, the whistleblower made no mention of SOX or any of the enumerated categories. Id. Rather, the whistleblower reported his concern that two company policies were in conflict regarding a program that automatically deleted e-mails. Id. The Administrative Review Board (an administrative appellate body that reviews SOX claims) reversed an administrative law judge’s decision that the whistleblower failed to engage in protected activity. Id. The board held the disclosures could be protected based on evidence the whistleblower introduced during litigation, which indicated he was aware his disclosures were related to SOX compliance and that his belief was objectively reasonable. Id.
Information security professionals should contact an experienced whistleblower attorney to determine whether SOX covers the disclosures they have made.
What is the SEC Whistleblower Reward Program?
The Dodd-Frank Act created the SEC Whistleblower Program, which provides rewards to whistleblowers who report violations of the federal securities laws to the SEC. Eligible whistleblowers are entitled to an award of between 10% and 30% of the monetary sanctions collected in actions brought by the SEC (or related actions brought by other regulatory and law enforcement authorities).
To be eligible for the reward, the whistleblower must voluntarily provide the SEC with information about a violation of the federal securities laws that has occurred, is ongoing, or is about to occur. The whistleblower’s information must lead to an action that results in more than $1 million in monetary sanctions. Whistleblowers need not be current employees to be eligible, though other limitations can apply.
Whistleblower rewards also exist for those reporting violations of federal commodities laws, fraud on the government, tax underpayment, and fraud affecting banks or other financial institutions.
How Can Cybersecurity Whistleblowers Obtain an SEC Whistleblower Reward?
Information security professionals can receive rewards under the SEC Whistleblower Program and other whistleblower rewards laws. As discussed above, cybersecurity issues and how corporations deal with them can constitute violations of federal securities laws. And it is a good time to be an information security whistleblower. As I have discussed in a previous blog, the SEC has had a particular focus on cybersecurity for the past few years. As the SEC continues to address the impact to U.S. capital markets and public corporations’ responsibilities to shareholders under the law, this emerging and important topic will likely remain an enforcement focus for the foreseeable future.
Importantly, whistleblowers who are represented by attorneys can remain anonymous when reporting through the SEC Whistleblower Program. Further, cybersecurity professionals can be eligible for awards by providing independent analysis regarding violations of federal securities laws, even if they have no employment relationship with the company.
Experienced Cybersecurity Whistleblower Lawyers
Zuckerman Law has represented cybersecurity whistleblowers, and routinely represents corporate whistleblowers in whistleblower retaliation and whistleblower rewards claims, including in Sarbanes-Oxley whistleblower actions. Dallas Hammer has written extensively about protections for cybersecurity whistleblowers, including the following publications:
- The Rise of Cybersecurity Whistleblowing, NYU Law Compliance & Enforcement Blog (December 2016)
- Cybersecurity Whistleblowing: What Employees at Public Companies Should Know Before Reporting Information Security Concerns, ISSA Journal (June 2016)
Recently, Corporate Crime Reporter interviewed Mr. Hammer about cybersecurity whistleblowing. A summary of the interview is available online at Dallas Hammer on the Rise of Cybersecurity Whistleblowing. And CSO quoted Mr. Hammer in an article titled Cybersecurity whistleblowers: Get ready for more.
To learn more about the SEC Whistleblower Program, download Zuckerman Law’s eBook: SEC Whistleblower Program: Tips from SEC Whistleblower Attorneys to Maximize an SEC Whistleblower Award.
SOX Corporate Whistleblower Protection Law
The whistleblower protection provision of the Sarbanes-Oxley Act provides robust protection to corporate whistleblowers, and indeed some SOX whistleblowers have achieved substantial recoveries. Earlier this year, a former in-house counsel at a biotechnology company recovered $11 million in a SOX whistleblower retaliation case alleging that the company fired him for disclosing violations of the Foreign Corrupt Practices Act.
On the fifteenth anniversary of SOX, leading whistleblower law firm Zuckerman Law released a free guide to the SOX whistleblower protection law: Sarbanes-Oxley Whistleblower Protection: Robust Protection for Corporate Whistleblowers. The guide summarizes SOX whistleblower protections and offers concrete tips for corporate whistleblowers based on lessons learned during years of litigating SOX whistleblower cases.
The goal of the guide is to arm corporate whistleblowers with the knowledge to effectively combat whistleblower retaliation, avoid the pitfalls that can weaken a SOX whistleblower case, and formulate an effective strategy to obtain the maximum recovery.
Download our free guide to the Sarbanes-Oxley whistleblower protection law.