A cybersecurity whistleblower can qualify for an SEC whistleblower award, a False Claims Act qui tam whistleblower award, a CFTC whistleblower award, and an award under a state false claims act.
The whistleblower protection provisions of the Sarbanes-Oxley Act and False Claims Act provide a remedy to combat retaliation against a cybersecurity whistleblower. In addition, various state whistleblower protection laws protect disclosures about violations of laws and regulations governing cybersecurity and data security. And employees of federal government contractors are protected against retaliation for disclosing violations of information security or data privacy requirements.
Leading cybersecurity whistleblower law firm Zuckerman Law has substantial experience representing cybersecurity whistleblowers. To learn more about whistleblower rewards or whistleblower protections for information security professionals, call our cybersecurity whistleblower lawyers for a free, confidential consultation at (202) 262-8959, or click here.
In relevant part, Section 806 of the Sarbanes-Oxley Act forbids a covered employer to “discharge, demote, suspend, threaten, harass, or in any other manner discriminate against an employee” because of any lawful disclosure or act “regarding any conduct which the employee reasonably believes constitutes a violation of”:
18 U.S.C. § 1514A.
Recently a district court held that disclosures about deficient information security controls are protected under SOX. In that case, the whistleblower questioned the reliability of a monthly tie-out process used to ensure that Tyco’s consolidated financial data reported to the SEC agreed with financial data in its general ledger system. In holding that a complaint concerning inadequate internal control over financial reporting can constitute protected activity, the judge noted: “Data security, approvals, and segregation of duties are controls that exist to ensure the accuracy of financial reporting. See Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, Release Nos. 33-8810; 34-55929; FR-77; File No. S7-24-06, 72 Fed. Reg. 35,343 n.27 (June 27, 2007) (“Controls have unique characteristics, for example, they can be: Automated or manual; reconciliations; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; preventing or detecting error or fraud.”).”
A corporation’s failure to accurately disclose cybersecurity issues could violate SEC Rule 10b-5. See 17 C.F.R. § 240.10b-5. In relevant part, the rule states:
It shall be unlawful for any person … [t]o make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading…in connection with the purchase or sale of any security.
Id.
Shareholders or the SEC can bring actions against corporations that violate this rule. To do so, the SEC must prove that the corporation: 1) made a material, 2) misrepresentation and/or omission, 3) in connection with the purchase or sale of securities, and 4) the corporation had scienter. In addition to the foregoing, shareholders must also show: 1) reliance, 2) loss causation, and 3) damages. See, e.g., Halliburton Co. v. Erica P. John Fund, Inc., 134 S.Ct. 2398, 2407 (2014).
A corporation’s failure to disclose cybersecurity issues that create significant risk factors for the corporation could constitute shareholder fraud. Regulation S-K prescribes certain disclosures that a corporation must include in its public filings, such as its annual report (10-K) and its quarterly report (10-Q). 17 C.F.R. Part 229. Item 503(c) of SEC Regulation S-K requires a corporation to disclose risk factors and discuss the most significant factors that make an offering speculative or risky. 17 C.F.R. Part 229.503(c). This includes the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. Division of Corporation Finance, U.S. Securities & Exchange Commission, CF Disclosure Guidance: Topic No. 2, Cybersecurity (Oct. 13, 2011).
Hundreds of corporations disclose generalized cybersecurity risks in their public filings. If they do so while failing to disclose known actual risks, such as knowledge of an actual breach, the omission can give rise to a shareholder fraud action. See Matrixx Initiative, Inc. v. Siracusano, 131 S.Ct. 1309 (2011).
A corporation’s failure to disclose cybersecurity issues that materially affect the corporation’s financial condition and operations could constitute shareholder fraud. Item 303 of Regulation S-K requires a corporation to discuss its financial condition, changes in financial condition, and results of operations. 17 C.F.R. § 229.303. Four observations about Item 303, known as Management Discussion & Analysis, are particularly relevant to our discussion:
A corporation’s failure to disclose under Item 303 can give rise to an action for shareholder fraud. See Stratte-McClure v. Morgan Stanley, 776 F.3d 94 (2nd Cir. 2015). But see In re NVIDIA Corp. Securities Litigation, 768 F.3d 1046 (9th Cir. 2014).
And though the law provides a safe harbor for such forward-looking statements, if misleading statements or omissions of fact are included in forward-looking statements the corporation will not be insulated. E.g., In re Harman Int’l Indus., Inc. Securities Litigation, No. 14-7017, 2015 WL 3852089 (D.C. Cir. June 23, 2015). In other words, a “warning that identifies a potential risk, but ‘impl[ies] that no such problems were on the horizon even if a precipice was in sight,’ would not meet the statutory standard for safe harbor protection.” Id. at *9 (internal citations omitted).
SOX created the Public Company Accounting Oversight Board (PCAOB) to oversee and guide outside auditors in this endeavor. 15 U.S.C. § 7211. In turn, the PCAOB specifically has addressed auditors’ need to examine corporations’ information technology controls as part of their assessment of internal controls. PCAOB Release No. 2007-005A: An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements; PCAOB Release No. 2010-004: Identifying and Assessing Risks of Material Misstatement. In its auditing standards, the PCAOB adopted the framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which also addresses information technology controls.
Thus, a corporation that fails to disclose a material weakness in its information security controls may be non-compliant with SOX.
For the reasons described above, an information security professional’s disclosure of a public corporation’s cybersecurity issues can be protected under SOX. A corporation failing to disclose information security issues could be committing shareholder fraud or violating SEC rules relating to internal controls. However, these scenarios are far from exhaustive. SOX could protect the reporting of cybersecurity issues under many circumstances.
Though cybersecurity whistleblowers can make SOX-protected disclosures, such protection is not automatic. As noted above, SOX protects whistleblowers when they disclose what they reasonably believe to be a violation of one or more of the six enumerated categories. The “reasonable belief” standard is key.
The central inquiry is whether the whistleblower has a reasonable belief that a covered violation has occurred at the time she makes the disclosure. This belief must be subjectively and objectively reasonable. E.g., Van Asdale v. Int’l Game Tech., 577 F.3d 989, 1000-1001 (9th Cir. 2009); Harp v. Charter Commc’ns, Inc., 558 F.3d 722, 723 (7th Cir. 2009); Menendez v. Halliburton, Inc., ARB Nos. 09-002, -003; ALJ No. 2007-SOX-005, slip op. at 12 (ARB Sept. 13, 2011). This means that the whistleblower must know and believe that she is reporting a covered violation, and a reasonable person in the whistleblower’s circumstances must be able to reach the same conclusion. Sylvester v. Paraxel Int’l, ARB No. 07-123, ALJ Nos. 2007-SOX-039, -042, slip op. at 14 (ARB May 25, 2011). Thus, if a whistleblower does not believe she is reporting a violation, or if her disclosure is outlandish or baseless in light of standards like those discussed above, the disclosure will not be protected. For example, the report of a minor information security issue that could have no significant effect on the corporation’s operations may not be protected.
However, it is utterly irrelevant whether the whistleblower communicates that reasonable belief to the employer or puts the employer on notice that she is engaging in protected activity. See Id. at 15-19. Indeed, a disclosure can be protected even if it does not mention fraud, illegal activity, or anything that could reasonably be perceived to be a violation of the six enumerated categories in SOX. Prioleau v. Sikorsky Aircraft Corp., ARB Case No. 10-060 (ARB Nov. 9, 2011).
In Prioleau, the whistleblower disclosed information security concerns. Id. However, at the time of the disclosure, the whistleblower made no mention of SOX or any of the enumerated categories. Id. Rather, the whistleblower reported his concern that two company policies were in conflict regarding a program that automatically deleted e-mails. Id. The Administrative Review Board (an administrative appellate body that reviews SOX claims) reversed an administrative law judge’s decision that the whistleblower failed to engage in protected activity. Id. The board held the disclosures could be protected based on evidence the whistleblower introduced during litigation, which indicated he was aware his disclosures were related to SOX compliance and that his belief was objectively reasonable. Id.
Information security professionals should contact an experienced whistleblower attorney to determine whether SOX covers the disclosures they have made.
The Dodd-Frank Act created the SEC Whistleblower Program, which provides rewards to whistleblowers who report violations of the federal securities laws to the SEC. Eligible whistleblowers are entitled to an award of between 10% and 30% of the monetary sanctions collected in actions brought by the SEC (or related actions brought by other regulatory and law enforcement authorities).
To be eligible for the reward, the whistleblower must voluntarily provide the SEC with information about a violation of the federal securities laws that has occurred, is ongoing, or is about to occur. The whistleblower’s information must lead to an action that results in more than $1 million in monetary sanctions. Whistleblowers need not be current employees to be eligible, though other limitations can apply.
Whistleblower rewards also exist for those reporting violations of federal commodities laws, fraud on the government, tax underpayment, and fraud affecting banks or other financial institutions.
Information security professionals can qualify for rewards under the SEC Whistleblower Program and other whistleblower rewards laws. As discussed above, cybersecurity issues and how corporations deal with them can constitute violations of federal securities laws. And it is a good time to be an information security whistleblower. As the SEC continues to address the impact on U.S. capital markets and public corporations’ responsibilities to shareholders under the law, this emerging and important topic will likely remain an enforcement focus for the foreseeable future.
Importantly, whistleblowers who are represented by attorneys can remain anonymous when reporting through the SEC Whistleblower Program. Further, cybersecurity professionals can be eligible for awards by providing independent analysis regarding violations of federal securities laws, even if they have no employment relationship with the company.
The whistleblower protection provision of the Sarbanes-Oxley Act provides robust protection to corporate whistleblowers, and indeed some SOX whistleblowers have achieved substantial recoveries. Earlier this year, a former in-house counsel at a biotechnology company recovered $11 million in a SOX whistleblower retaliation case alleging that the company fired him for disclosing violations of the Foreign Corrupt Practices Act.
On the fifteenth anniversary of SOX, leading whistleblower law firm Zuckerman Law released a free guide to the SOX whistleblower protection law: Sarbanes-Oxley Whistleblower Protection: Robust Protection for Corporate Whistleblowers. The guide summarizes SOX whistleblower protections and offers concrete tips for corporate whistleblowers based on lessons learned during years of litigating SOX whistleblower cases.
The goal of the guide is to arm corporate whistleblowers with the knowledge to effectively combat whistleblower retaliation, avoid the pitfalls that can weaken a SOX whistleblower case, and formulate an effective strategy to obtain the maximum recovery.
Download our free guide to the Sarbanes-Oxley whistleblower protection law:
If you are seeking representation in an SEC whistleblower bounty case or whistleblower protection case, click here, or call us at 202-262-8959 to schedule a free preliminary consultation.
whistleblower_lawyers_012017_infographic
Zuckerman Law has represented cybersecurity whistleblowers and routinely represents corporate whistleblowers in whistleblower retaliation and whistleblower rewards claims, including in Sarbanes-Oxley whistleblower actions. Dallas Hammer has written extensively about protections for cybersecurity whistleblowers, including the following publications:
Recently, Corporate Crime Reporter interviewed Mr. Hammer about cybersecurity whistleblowing. A summary of the interview is available online at Dallas Hammer on the Rise of Cybersecurity Whistleblowing. And CSO quoted Mr. Hammer in an article titled Cybersecurity whistleblowers: Get ready for more.
To learn more about the SEC Whistleblower Program, download Zuckerman Law’s eBook: SEC Whistleblower Program: Tips from SEC Whistleblower Attorneys to Maximize an SEC Whistleblower Award:
Dallas Hammer, Chair of our Cyber and Information Security Whistleblower Practice, has published a guide for cybersecurity whistleblowers in the Information Systems Security Association Journal titled Cybersecurity Whistleblowing: What Employees at Public Companies Should Know Before Reporting Information Security Concerns, which is available here. Recently the Wall Street Journal quoted Dallas Hammer in an article titled Cybersecurity Whistleblowers Are Growing Corporate Challenge.
See our guide to cybersecurity whistleblower protections and incentives: Practitioners Guide to Cybersecurity Whistleblowing.
For information about the SEC’s Whistleblower Reward Program, download our free ebook SEC Whistleblower Program: Tips from SEC Whistleblower Attorneys to Maximize an SEC Whistleblower Award and see our column in Forbes: One Billion Reasons Why The SEC Whistleblower-Reward Program Is Effective.
Summary
We are a Washington, DC-based law firm that represents whistleblowers in whistleblower rewards and whistleblower retaliation matters and litigates discrimination claims on behalf of employees in the District of Columbia, Maryland, and Virginia. The firm is dedicated to zealously advocating on behalf of our clients to achieve justice and accountability.
Leading SEC Whistleblower Lawyer Quoted About Award to Compliance Professionals An article in Law 360…
Whistleblower Outside U.S. Recovers Record SEC Whistleblower Award A Law360 article titled SEC Welcomes Foreign…
UPDATE: In Digital Realty Trust, Inc. v. Somers, the Supreme Court clarified the scope of…
UPDATE: In Digital Realty Trust, Inc. v. Somers, the Supreme Court clarified the scope of…
Dos And Dont's For Lucrative SEC Whistleblower Tips A Law360 article titled Dos And Dont's…
View Comments
I found the Zuckerman/Hammer team through an online search and worked with Dallas for the most part. Dallas is a caring professional who is an excellent listener and writer, down to earth, knowledgeable, ethical, very responsive and was a great advocate on my behalf. Besides his legal expertise, he provided reassurance and emotional support in a very stressful period of time. Together with Jason, he negotiated a better severance agreement for me. I truly believe I could not have found a better team to represent my interests.