Whistleblower attorneys Dallas Hammer and Jason Zuckerman are urging the sponsor of the Personal Data Notification and Protection Act of 2017 (H.R. 3806) to add a provision to the bill protecting cybersecurity whistleblowers against retaliation.
Based on their experience representing information security professionals, Hammer and Zuckerman have found that many cybersecurity whistleblowers have no recourse when they lose their job or suffer other retaliation for disclosing information security deficiencies.
For some companies, silencing a whistleblower is more expedient and far less costly than addressing the whistleblower’s concerns. The retaliation harms not just the whistleblower, but also harms a company’s customers and shareholders. As SEC Chairman Clayton noted in his September 20, 2017 public statement, cybersecurity vulnerabilities can result in denials of service and the destruction of systems, “loss or exposure of consumer data, theft or exposure of intellectual property, and investor losses resulting from the theft of funds or market value declines in companies subject to cyberattacks.” Protecting employees who report information security deficiencies is critical to enabling companies to detect cybersecurity threats that may otherwise go undetected.
Though pockets of protection exist for disclosures about deficient cybersecurity, those limited protections leave a large part of the workforce without any remedy. For example, the Sarbanes-Oxley Act’s (SOX) whistleblower protection provision is limited to publicly-traded companies’ employees and contractors, which leaves cybersecurity whistleblowers at private companies largely unprotected. Further, even employees who are covered under SOX often encounter difficulty proving that a disclosure concerning deficient information security is protected under SOX. As discussed in an article titled The Cybersecurity Threat: Compliance and the Role of Whistleblowers, cybersecurity disclosures “are likely to fall outside the scope of ‘protected activity’ enumerated under” the anti-retaliation provisions of SOX and the Dodd-Frank Act. Other existing federal statutes likewise provide incidental coverage but leave unprotected whistleblowers whose cybersecurity disclosures do not overlap with the law’s often narrow, topical focus.
Protecting and encouraging whistleblowers has proven an effective and important component of remedying a broad range of social ills from nuclear safety to the misuse of federal funds. Whistleblowers help prevent and mitigate harmful events that would otherwise go undetected for years, if they are ever discovered at all. Safeguarding sensitive electronically-stored information is a pressing public concern that affects nearly every industry. Any legislative effort to address this concern should include a provision that enables cybersecurity whistleblowers to come forward. A whistleblower provision would remove the ambiguity of whether SOX provides coverage and instead provide a clear assurance to employees that they can report cyber threats without fear of reprisal.