with co-author Alexis H. Ronickher
Although 2015 is far from over, it is already proving to be a blockbuster year for headline-grabbing data breaches at corporations and at U.S. government agencies. These “mega breaches” range from the theft of over 20 million personnel files from the U.S. Office of Personnel Management, which seriously compromised national security, to the hack and subsequent data dump of Ashley Madison, the dating website that facilitates infidelity, which exposed the identities of 32 million of its customers. Similarly, the data breach at the health insurer Anthem led to the breach of 80 million medical records, including social security numbers and birthdays, making millions of its customers vulnerable to identity theft.
As these cyber attacks highlight, the importance of cybersecurity in the modern business environment is paramount. The cost of “mega breaches” for companies can be catastrophic. For example, Target reported that its 2013 breach cost the company $264 million in direct expenses.
Even smaller, more run-of-the-mill breaches can cost businesses millions. According to a study by data security research organization Ponemon Institute, the total average cost of a data breach for companies is $3.8 million. These direct costs include hiring experts to fix the breach, investigating the cause and offering credit monitoring for victims. This number does not include business losses caused by customers being wary of patronizing a business, which the report says can eclipse the direct costs.
To our knowledge, none of these highly public “mega breaches” have yet involved a whistleblower—an employee who warned the company beforehand of its cybersecurity vulnerability but was ignored and retaliated against. It is only a matter of time, however, before we see a headline announcing that a hacked company knew about its vulnerabilities yet did nothing to protect its customers, and instead fired the whistleblower who identified and sought to fix the problem. Not only is this a public relations and business nightmare—since customers would be outraged by the cavalier mismanagement of their personal information and penalize the company by boycotting it—it is also likely a legal disaster.
Cybersecurity Problems Can Become Securities Violations
For public companies and other entities regulated by the Securities and Exchange Commission (SEC), mismanagement of their cybersecurity could violate securities laws. The SEC has made clear that it will be monitoring publicly traded companies’ cybersecurity management and that cybersecurity risks and incidents might be deemed material to a reasonable investor if they are significant. In 2011, the SEC’s Office of Corporation Finance issued guidance that public companies needed to include disclosures of material cybersecurity risks and incidents in their SEC filings. Over the subsequent year and a half, the SEC demonstrated it was serious about ensuring compliance with its guidance by sending approximately 50 comment letters to companies probing into their cybersecurity disclosures.
Securities violations caused by lax cybersecurity are not limited to disclosure violations. We have represented a number of whistleblowers who internally reported cybersecurity practices that may well be deemed to constitute violations of internal controls requirements, as well as activities that may have amounted to securities fraud.
While the SEC has yet to take an enforcement action against a company for cybersecurity failures (and just recently declined to recommend action against Target for its breach), its guidance and ongoing investigations make clear that it is only a matter of time before a case arises in which it takes such an enforcement action. As stated by David Glockner, the Director of the SEC’s Chicago Regional Office, at the 2015 “SEC Speaks” conference, cybersecurity is “high on [the SEC’s] radar.”
Public companies that ignore internal whistleblower reports of cybersecurity problems run the risk that the whistleblower will provide that information to the SEC through the SEC’s whistleblower program, established by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act). The SEC whistleblower program incentivizes whistleblowers who provide the agency with information about potential securities violations by issuing awards of 10 to 30 percent of the sanctions and penalties the SEC imposes on wrongdoers as a result of the whistleblower’s information, and it provides additional incentives to whistleblowers who first report internally. Given the risk of external reporting, it would be imprudent for public companies to ignore the reports of cybersecurity whistleblowers.
Liability For Unlawful Retaliation Against Cybersecurity Whistleblowers
Many, if not most, cybersecurity whistleblowers are protected from retaliation even though there is no specific federal cybersecurity whistleblower anti-retaliation statute. If a whistleblower works for a public company, the anti-retaliation provisions of the Sarbanes-Oxley Act and the Dodd-Frank Act likely provide protection for the whistleblower. As detailed above, a company’s cybersecurity practices and vulnerabilities can lead to securities violations. They can also result in fraudulent activities. It may seem at first blush that cybersecurity vulnerabilities and fraud are wholly unrelated, but we have had several cybersecurity whistleblower cases that demonstrate how easily one can lead to the other. A real-life example is a company that knowingly provided a false certification about its cybersecurity practices (or lack thereof) to a bank in order to continue being able to accept payment cards. Another is a company that knowingly provided false information about its lack of cybersecurity vulnerabilities to another company in order to induce it to engage in a business venture. If the employee’s report pertains to such unlawful conduct, the whistleblower is protected under these statutes from retaliation, including termination.
Many cybersecurity whistleblowers are also protected under state whistleblowing statutes or common law causes of action. If the whistleblower reported or refused to engage in conduct that could reasonably amount to fraud, the whistleblower likely has a state-law wrongful termination claim.
State protections are not limited to employees who report fraud. There are federal and a significant number of state statutes that protect against the disclosure of sensitive personal information. Under the laws of many states, blowing the whistle regarding violations of these laws is protected activity. These protections are not hypothetical. In 2010, a California appeals court upheld a jury verdict of wrongful termination based on the whistleblower raising concerns about insufficient cybersecurity protections that the employee reasonably believed violated the federal Healthcare Information Portability and Accountability Act (HIPAA).[1] Similarly, in 2009, a New Jersey federal district court denied the employer’s summary judgment motion on the statutory wrongful termination claim based on the plaintiff’s refusal to engage in conduct that could have jeopardized his confidential information in violation of the New Jersey Identity Theft Protection Act.[2]
Companies Can Avoid These Problems
Why do companies lash out against cybersecurity whistleblowers instead of addressing the problems they report, particularly given the high stakes of a “mega breach” and the legal protections afforded whistleblowers? While every situation is different, in our experience, there have been some consistent themes for why companies fail to address the problem and instead shoot the messenger.
First, top executives do not want to admit that such a serious problem has developed on their watch. It is easier for them to tell themselves that the company has been following the same cybersecurity practices for years without any problem, so clearly the whistleblower is either wrong or exaggerating the issue. It is critical for executives to remember that just because a practice has worked in prior years does not mean that it will continue working. More so than other areas, cybersecurity is constantly evolving, and companies need to be agile to address new challenges. Additionally, when it comes to cybersecurity, seemingly small vulnerabilities can lead to “mega breaches.” Take for example the JPMorgan breach last year. While JPMorgan had a comparatively robust cybersecurity program, hackers were still able to gain access to the data from 83 million accounts. The vulnerability that gave them access was isolated and non-systemic—JPMorgan failed to upgrade one of its network servers to require two-factor authentication.
Second, adequately addressing the problem often impedes current business opportunities or processes, which executives are often unwilling to accept. Focusing on the immediate inconveniences and losses that properly addressing the problems would entail, they deem the cost too great. What they need to remember is that the cost of ignoring cybersecurity vulnerabilities is far greater, both because of the costs of a breach and because of the potential legal exposure, particularly if they compound the problem by retaliating against the whistleblower.
In our experience, most whistleblowers—and cybersecurity whistleblowers in particular—are looking out for the best interests of the company they work for and only report externally out of fear of retaliation and concern that the problems they see will go unaddressed. In the cybersecurity context, if companies demonstrate through both their words and actions that whistleblowers can safely report problems and that the company is committed to actively addressing those problems, the company will have both a more robust cybersecurity posture and avoid significant legal liability.
[1] Cutler v. Dike et al., No. B210624, 2010 WL 3341663 (Cal. Ct. App. Aug. 26, 2010).
[2] Zungoli v. United Parcel Serv., Inc., et al., Civ. No. 07-2194, 2009 WL 1085440 (D.N.J. Apr. 22, 2009).