With cybersecurity becoming a topic of ever-increasing visibility and importance, information security professionals may ask what protection they have when they make potentially unpopular disclosures of cybersecurity issues. Though no whistleblower retaliation statute deals directly with the topic, the Sarbanes-Oxley Act of 2002 (SOX) will often protect cybersecurity professionals who work directly for public corporations or those corporations’ service providers. Yet further, the Dodd-Frank Act of 2010 (DFA) could allow information security workers to receive a whistleblower reward for reporting cybersecurity concerns to the U.S. Securities and Exchange Commission (SEC) or the U.S. Commodity Futures Trading Commission (CFTC), in some cases.
However, the relationship among cybersecurity issues, SOX, and the DFA is not yet clearly defined. Accordingly, information security professionals should educate themselves about whistleblower protections. Doing so could make the difference between being protected, receiving a whistleblower reward, or suffering retaliation without recourse.
What Does Sarbanes-Oxley Protect?
In relevant part, Section 806 of the Sarbanes-Oxley Act forbids a covered employer to “discharge, demote, suspend, threaten, harass, or in any other manner discriminate against an employee” because of any lawful disclosure or act “regarding any conduct which the employee reasonably believes constitutes a violation of”:
- Mail fraud;
- Wire fraud;
- Bank fraud;
- Securities or commodities fraud;
- Any SEC rule or regulation; or
- Any provision of Federal law relating to fraud against shareholders.
Can Disclosures of Cybersecurity Issues Be Protected Under SOX?
Disclosures of information security issues may be protected under SOX. As noted above, SOX protects disclosures relating to one (or more) of six categories of violations. Disclosures of cybersecurity issues can fall under that umbrella in myriad ways. I will describe just three of those scenarios.
Cybersecurity risks, Regulation SK Item 503, and SEC Rule 10b-5
A public company may address cybersecurity issues in its public filings pursuant to its requirement to disclose significant risks to its business. If in doing so the company omits known, actual threats, it may violate the securities laws.
For example, investors alleged that pharmaceutical company Matrixx Initiatives, Inc. committed securities fraud by failing to disclose reports of a possible link between cold remedy Zicam (Matrixx’s leading product) and loss of smell. Investors claimed Matrixx told the market that its revenues were going to rise 50 and then 80 percent. However, Matrixx had information indicating a significant risk to its leading revenue-generating product, according to the lawsuit. The U.S. Supreme Court ruled that the investors’ case could proceed, reasoning that when a corporation makes a statement to the market, Rule 10b-5 requires the corporation to ensure its statements are not misleading considering all the circumstances. Similarly, a corporation could violate the law by disclosing general cybersecurity risks pursuant to Item 503 while withholding material information about known, actual risks.
Regulation S-K prescribes certain disclosures that a corporation must include in its public filings, such as its annual report (10-K) and its quarterly report (10-Q). Item 503(c) of SEC Regulation S-K requires a corporation to disclose risk factors and discuss the most significant factors that make an offering speculative or risky. This includes the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.
A company may violate SEC Rule 10b-5 when making public disclosures if it misstates or omits a material fact. In relevant part, the rule states:
“It shall be unlawful for any person … [t]o make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading…in connection with the purchase or sale of any security.”
Shareholders or the SEC can bring actions against corporations that violate this rule. To do so, the SEC must prove that the corporation: 1) made a material, 2) misrepresentation and/or omission, 3) in connection with the purchase or sale of securities, and 4) the corporation had scienter. In addition to the foregoing, shareholders must also show: 1) reliance, 2) loss causation, and 3) damages.
Hundreds of corporations disclose generalized cybersecurity risks in their public filings. If they do so while failing to disclose known actual risks, such as knowledge of an actual breach, the omission can give rise to a Rule 10b-5 action.
Management Discussion of Cybersecurity Issues Under Regulation S-K Item 303
A corporation’s failure to disclose cybersecurity issues that materially affect the corporation’s financial condition and operations could violate the securities laws and regulations. Item 303 of Regulation S-K requires a corporation to discuss its financial condition, changes in financial condition, and results of operations. Four observations about Item 303, known as Management Discussion & Analysis, are particularly relevant to our discussion:
- One of Item 303’s main purposes is to provide information about the quality of, and potential variability of, a company’s earnings cash flow, so that investors can ascertain the likelihood that past performance is indicative of future performance;
- Corporations must describe any known trends or uncertainties that have had or that the corporation reasonably expects will have a material impact on net sales or revenues or income;
- Corporations must describe any unusual or infrequent events, transactions, or significant economic changes that materially affected the amount of reported income; and
- Corporations should address events or uncertainties that could affect past or future operations.
Because predictions about the future are inherently uncertain, the law provides a safe harbor for such forward-looking statements. But if misleading statements or omissions of fact are included in forward-looking statements, the corporation may not be insulated. In Harman, an electronics company made forward-looking statements that reflected positively on its sales outlook. However, the plaintiffs alleged the company was aware of historical facts strongly indicating that its sales prospects were less than stellar. In holding that the plaintiffs’ case could proceed, the court found that the company’s cautionary statements about the forward-looking information were not meaningful because they were misleading in light of the historical facts. Because the company warned of only general, unspecified risks that could affect its rosy outlook, but did not disclose actual risks that had already manifested, the safe harbor would not apply to the forward-looking statements. The court explained that a “warning that identifies a potential risk, but ‘impl[ies] that no such problems were on the horizon even if a precipice was in sight,’ would not meet the statutory standard for safe harbor protection.”
Corporations often include generic disclosures in their management discussion and analysis about cybersecurity issues that could materially affect the corporation’s financial condition and operations. A company’s omission of facts pertaining to an actual, known risk could violate the requirements of Regulation S-K Item 303 and possibly Rule 10b-5. Thus, reporting an information security issue that contradicts or undermines the company’s management discussion and analysis of cybersecurity could be protected under SOX.
Material Weaknesses in Internal Controls Under SOX Sections 302 and 404
Even if a corporation makes no mention of cybersecurity in its public filings, it may violate Sections 302 and 404 of the Sarbanes-Oxley Act if it fails to disclose material weaknesses in its internal controls related to information security. Section 302 of SOX requires a corporation’s CEO and CFO to personally certify the accuracy and completeness of financial reports, and they must assess and report on the effectiveness of internal controls around financial reporting. Section 404 of SOX requires a corporation to assess the effectiveness of its internal controls in its annual reports, and an outside auditing firm must evaluate that assessment. Material weaknesses in those internal controls must be identified.
A material weakness is a deficiency in internal controls that presents more than a slight chance that a material misstatement of the company’s financial statements will not be prevented or detected on a timely basis. A deficiency in internal controls arises when a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A material weakness in internal control over financial reporting may exist even when financial statements are not materially misstated. Rather, material weakness is assessed from the potential misstatement that could occur, not the amount that is actually misstated as the result of a control deficiency.
SOX created the Public Company Accounting Oversight Board (PCAOB) to oversee and guide outside auditors in evaluating a corporation’s internal controls. The PCAOB specifically has addressed auditors’ need to examine corporations’ information technology controls as part of their assessment of internal controls. In its auditing standards, the PCAOB adopted the framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which also addresses information technology controls.
Thus, a corporation that fails to disclose a material weakness in its information security controls may be non-compliant with SOX. Accordingly, a disclosure of a cybersecurity issue that demonstrates a material weakness in the company’s internal controls may be protected.
Shareholder Fraud, Internal Controls, and SOX
For the reasons described above, an information security professional’s disclosure of a public corporation’s cybersecurity issues can be protected under SOX. A corporation failing to disclose information security issues could be committing shareholder fraud or violating SEC rules relating to internal controls. However, these scenarios are far from exhaustive. SOX could protect the reporting of cybersecurity issues under many circumstances.
When Is a Specific Disclosure Protected?
Though cybersecurity whistleblowers can make SOX-protected disclosures, such protection is not automatic. As noted above, SOX protects whistleblowers when they disclose what they reasonably believe to be a violation of one or more of the six enumerated categories. The “reasonable belief” standard is key to determining whether a specific disclosure is protected.
The central inquiry to determining whether any given disclosure is protected is whether the whistleblower has a reasonable belief that she is reporting a covered violation at the time she makes the disclosure. This belief must be subjectively and objectively reasonable. This means that the whistleblower must know and believe that she is reporting a covered violation, and a reasonable person in the whistleblower’s circumstances must be able to reach the same conclusion. Thus, if a whistleblower does not believe she is reporting a violation, or if her disclosure is outlandish or baseless in light of standards like those discussed above, the disclosure will not be protected. For example, the report of a minor information security issue that could have no significant effect on the corporation’s operations may not be protected.
However, it is utterly irrelevant whether the whistleblower communicates that reasonable belief to the employer or puts the employer on notice that she is engaging in protected activity. Indeed, a disclosure can be protected even if it does not mention fraud, illegal activity, or anything that could reasonably be perceived to be a violation of the six enumerated categories in SOX.
In Prioleau, the whistleblower disclosed information security concerns. However, at the time of the disclosure, the whistleblower made no mention of SOX or any of the enumerated categories. Rather, the whistleblower reported his concern that two company policies were in conflict regarding a program that automatically deleted e-mails. The Administrative Review Board (an administrative appellate body that reviews SOX claims) reversed an administrative law judge’s decision that the whistleblower failed to engage in protected activity. The board held that the disclosures could be protected based on evidence the whistleblower introduced during litigation, which indicated he was aware his disclosures were related to SOX compliance and that his belief was objectively reasonable.
Information security professionals should contact an experienced whistleblower attorney to determine whether SOX covers the disclosures they have made.
Other Protections May Also Apply
In addition to SOX, numerous other laws may cover cybersecurity workers who blow the whistle. But like SOX, may or may not apply depending on the specific facts. For example, if an information security issue constitutes misconduct related to a federal contract or grant, several laws may protect cybersecurity professionals from reprisal. If the misconduct involves fraud on the government, the False Claims Act may provide protection from retaliation, as well as an opportunity for a whistleblower reward. Similarly, federal employees who report an information security issue they believe constitutes a violation of law, rule, or regulation or other specified misconduct may be covered by the Whistleblower Protection Act.
In short, though no specific law protects cybersecurity whistleblowers, many anti-retaliation laws may nonetheless protect information security workers who report problems. However, the patchwork of provisions require careful analysis to determine which laws could apply to any given real-world scenario.
How Can Cybersecurity Whistleblowers Receive a Reward?
The Dodd-Frank Act created the SEC Whistleblower Program, which provides rewards to whistleblowers who report violations of the federal securities laws to the SEC. Eligible whistleblowers are entitled to an award of between 10% and 30% of the monetary sanctions collected in actions brought by the SEC (or related actions brought by other regulatory and law enforcement authorities).
To become eligible, an individual must submit a whistleblower tip to the SEC’s Office of the Whistleblower. A tip must meet several requirements to qualify for an award. However, a key threshold is whether the SEC opens an investigation, reopens an investigation, or inquires into different conduct as part of a current investigation because of the whistleblower’s information. New information that significantly contributes to the success of an existing matter can also qualify. Another key requirement is that the SEC action must result in an order of monetary sanctions exceeding $1 million.
In practice, the program has been picking up steam. Since the inception of the whistleblower program in 2011, the SEC has awarded more than $67 million to 29 whistleblowers. In September 2014, the agency announced a more than $30 million whistleblower award, exceeding the prior highest award of more than $14 million announced in October 2013. In May 2016 alone, the SEC awarded more than $8 million, including its third highest whistleblower award.
Whistleblower rewards also exist for those reporting violations of federal commodities laws, fraud on the government, tax underpayment, and fraud affecting banks or other financial institutions.
Information security professionals can receive rewards under the SEC Whistleblower Program and the other whistleblower rewards laws. As discussed above, cybersecurity issues and how corporations deal with them can constitute violations of federal securities laws. And it is a good time to be an information security whistleblower. As I have discussed in a previous blog, the SEC has had a particular focus on cybersecurity for the past few years. As the SEC continues to address the impact to U.S. capital markets and public corporations’ responsibilities to shareholders under the law, this emerging and important topic will likely remain an enforcement focus for the foreseeable future.
As the foregoing illustrates, there are many circumstances where blowing the whistle on cybersecurity issues related to a public company could be protected under the law, despite the lack of a whistleblower retaliation law aimed directly at cybersecurity whistleblowers. Further, cybersecurity issues may entitled whistleblowers to an award if they report actual violations of the securities laws to the SEC. However, ensuring such protection requires an understanding of how cybersecurity issues at public companies relate to the securities laws and rules regulating those companies.
Dallas Hammer is an attorney at Zuckerman Law and chairs the firm’s Whistleblower Rewards Practice Group. Mr. Hammer’s practice largely focuses on representing corporate and financial institution whistleblowers before federal agencies such as the Securities Exchange Commission, Department of Justice, and Department of Labor. Specifically, Mr. Hammer has represented executives and employees in both the private and federal sectors who have blown the whistle on cybersecurity issues.
Key Considerations for Obtaining an SEC Whistleblower Reward
- A whistleblower must voluntarily give the SEC original information about a possible violation of the federal securities laws that has occurred, is ongoing, or is about to occur.
- More than one person can act together as whistleblowers, but companies and organizations do not qualify.
- A whistleblower need not be a current or former employee to be an eligible whistleblower.
- Whistleblowers who are represented by attorneys can remain anonymous when reporting through the SEC Whistleblower program.
- Cybersecurity professionals can be eligible for awards by providing independent analysis regarding violations of federal securities laws, even if they have no employment relationship with the company.
- Other exclusions and limitations may apply.
- You can find out more about the SEC Whistleblower Program here.
SOX in Context
Sparked by dramatic corporate and accounting scandals, the Sarbanes Oxley Act represents the most important securities legislation since the original federal securities laws of the 1930s. Those scandals included those affecting Enron, Tyco International, Adelphia, Peregrine Systems, and WorldCom. Passed in 2002, SOX effected dramatic change across the corporate landscape to re-establish investor confidence in the integrity of corporate disclosures and financial reporting. Pres. George W. Bush, who signed SOX into law, described it as “the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt. The era of low standards and false profits is over; no boardroom in America is above or beyond the law.” Based on the lessons learned from the corporate and accounting scandals, protecting whistleblowers formed an integral part of the reforms.
 SEC Staff, Report on Review of Disclosure Requirements of Regulation S-K 8-10 at 42 fn. 125 (December 2013).
 17 C.F.R. § 229.303(a)(3).
 17 C.F.R. § 229.303 (instructions).
 E.g., In re Harman Int’l Indus., Inc. Securities Litigation, 791 F.3d 90 (D.C. Cir. June 23, 2015).
 Id. at 102 (internal citations omitted).
 See, e.g., 15 U.S.C. § 7213(a)(2)(A)(iii)(III).
 PCAOB Release No. 2007-005A: An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements, Appendix A; see also Financial Accounting Standards Board Statement No. 5: Accounting for Contingencies.
 PCAOB Release No. 2007-005A: An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements; PCAOB Release No. 2010-004: Identifying and Assessing Risks of Material Misstatement.
 E.g., Van Asdale v. Int’l Game Tech., 577 F.3d 989, 1000-1001 (9th Cir. 2009); Harp v. Charter Commc’ns, Inc., 558 F.3d 722, 723 (7th Cir. 2009); Menendez v. Halliburton, Inc., ARB Nos. 09-002, -003; ALJ No. 2007-SOX-005, slip op. at 12 (ARB Sept. 13, 2011).
 Testimony Concerning Implementation of the Sarbanes-Oxley Act of 2002, William H. Donaldson, Chairman U.S. Securities and Exchange Commission, Before the Senate Committee on Banking, Housing and Urban Affairs.
 148 CONG. REC. No. 103 (2002) (statement of Sen. Patrick Leahy) (“We learned from Sherron Watkins of Enron that these corporate insiders are the key witnesses that need to be encouraged to report fraud and help prove it in court.”)