Corporate Compliance Insights

Ignoring Issues Raised By Cybersecurity Whistleblowers Only Compounds the Problem

by Debra Katz
September 11, 2015
in Governance

with co-author Alexis H. Ronickher

Although 2015 is far from over, it is already proving to be a blockbuster year for headline-grabbing data breaches at corporations and at U.S. government agencies. These “mega breaches” range from the theft of over 20 million personnel files from the U.S. Office of Personnel Management, which seriously compromised national security, to the hack and subsequent data dump of Ashley Madison, the dating website that facilitates infidelity, which exposed the identities of 32 million of its customers. Similarly, the data breach at the health insurer Anthem exposed the records of roughly 80 million people, including social security numbers and birthdates, leaving millions of its current and former customers vulnerable to identity theft.

As these cyber attacks highlight, the importance of cybersecurity in the modern business environment is paramount. The cost of “mega breaches” for companies can be catastrophic. For example, Target reported that its 2013 breach cost the company $264 million in direct expenses.

Even smaller, more run-of-the-mill breaches can cost businesses millions. According to a study by data security research organization Ponemon Institute, the total average cost of a data breach for companies is $3.8 million. These direct costs include hiring experts to fix the breach, investigating the cause and offering credit monitoring for victims. This number does not include business losses caused by customers being wary of patronizing a business, which the report says can eclipse the direct costs.

To our knowledge, none of these highly public “mega breaches” has yet involved a whistleblower: an employee who warned the company beforehand of its cybersecurity vulnerability but was ignored and retaliated against. It is only a matter of time, however, before we see a headline announcing that a hacked company knew about its vulnerabilities yet did nothing to protect its customers and instead fired the whistleblower who identified and sought to fix the problem. Not only is this a public relations and business nightmare, since customers would be outraged by the cavalier mismanagement of their personal information and would penalize the company by boycotting it; it is also likely to be a legal disaster.

Cybersecurity Problems Can Become Securities Violations

For public companies and other entities regulated by the Securities and Exchange Commission (SEC), mismanagement of cybersecurity could violate the securities laws. The SEC has made clear that it will be monitoring publicly traded companies’ cybersecurity management and that cybersecurity risks and incidents, if significant, may be deemed material to a reasonable investor. In 2011, the SEC’s Division of Corporation Finance issued guidance that public companies must disclose material cybersecurity risks and incidents in their SEC filings. Over the subsequent year and a half, the SEC demonstrated it was serious about ensuring compliance with its guidance by sending approximately 50 comment letters to companies probing their cybersecurity disclosures.

Securities violations caused by lax cybersecurity are not limited to disclosure violations. We have represented a number of whistleblowers who internally reported cybersecurity practices that may well constitute violations of internal controls requirements, as well as activities that may have amounted to securities fraud.

While the SEC has yet to take an enforcement action against a company for cybersecurity failures (and just recently declined to recommend action against Target for its breach), its guidance and ongoing investigations make clear that it is only a matter of time before a case arises in which it takes such an enforcement action. As stated by David Glockner, the Director of the SEC’s Chicago Regional Office, at the 2015 “SEC Speaks” conference, cybersecurity is “high on [the SEC’s] radar.”

Public companies that ignore internal whistleblower reports of cybersecurity problems run the risk that the whistleblower will provide that information to the SEC under the SEC’s whistleblower program, established by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act). The program incentivizes whistleblowers who provide the agency with information about potential securities violations by issuing awards of 10 to 30 percent of the sanctions and penalties the SEC collects from wrongdoers as a result of the whistleblower’s information (in actions where those sanctions exceed $1 million), and it gives additional credit to whistleblowers who first report internally. Given the risk of external reporting, it would be imprudent for public companies to ignore the reports of cybersecurity whistleblowers.

Liability For Unlawful Retaliation Against Cybersecurity Whistleblowers

Many, if not most, cybersecurity whistleblowers are protected from retaliation even though there is no specific federal cybersecurity whistleblower anti-retaliation statute. If a whistleblower works for a public company, the anti-retaliation provisions of the Sarbanes-Oxley Act and the Dodd-Frank Act likely protect the whistleblower. As detailed above, a company’s cybersecurity practices and vulnerabilities can lead to securities violations. They can also result in fraudulent activities. It may seem at first blush that cybersecurity vulnerabilities and fraud are wholly unrelated, but we have had several cybersecurity whistleblower cases that demonstrate how easily one can lead to the other. One real-life example is a company that knowingly provided a false certification about its cybersecurity practices (or lack thereof) to a bank in order to continue being able to accept payment cards. Another is a company that knowingly provided false information about its lack of cybersecurity vulnerabilities to another company in order to induce it to engage in a business venture. If the employee’s report pertains to such unlawful conduct, the whistleblower is protected under these statutes from retaliation, including termination.

Many cybersecurity whistleblowers are also protected under state whistleblowing statutes or common law causes of action. If the whistleblower reported or refused to engage in conduct that could reasonably amount to fraud, the whistleblower likely has a state-law wrongful termination claim.

State protections are not limited to employees who report fraud. Federal law and a significant number of state statutes protect against the disclosure of sensitive personal information, and under the laws of many states, blowing the whistle on violations of these laws is protected activity. These protections are not hypothetical. In 2010, a California appeals court upheld a jury verdict of wrongful termination based on the whistleblower raising concerns about insufficient cybersecurity protections that the employee reasonably believed violated the federal Health Insurance Portability and Accountability Act (HIPAA).[1] Similarly, in 2009, a New Jersey federal district court denied the employer’s summary judgment motion on a statutory wrongful termination claim based on the plaintiff’s refusal to engage in conduct that could have jeopardized his confidential information in violation of the New Jersey Identity Theft Protection Act.[2]

Companies Can Avoid These Problems

Why do companies lash out against cybersecurity whistleblowers instead of addressing the problems they report, particularly given the high stakes of a “mega breach” and the legal protections afforded whistleblowers? While every situation is different, in our experience, there have been some consistent themes for why companies fail to address the problem and instead shoot the messenger.

First, top executives do not want to admit that such a serious problem has developed on their watch. It is easier for them to tell themselves that the company has been following the same cybersecurity practices for years without any problem, so clearly the whistleblower is either wrong or exaggerating the issue. It is critical for executives to remember that just because a practice has worked in prior years does not mean that it will continue working. More than most other areas, cybersecurity is constantly evolving, and companies need to be agile to address new challenges. Additionally, when it comes to cybersecurity, seemingly small vulnerabilities can lead to “mega breaches.” Take for example the JPMorgan breach last year. While JPMorgan had a comparatively robust cybersecurity program, hackers were still able to gain access to the data of 83 million households and small-business accounts. The vulnerability that allowed them access was isolated and non-systemic: JPMorgan had failed to upgrade one of its network servers to require two-factor authentication, so a single set of stolen credentials was enough to get in.

Second, adequately addressing the problem often impedes current business opportunities or processes, a cost executives are often unwilling to accept. Focusing on the immediate inconveniences and losses that properly addressing the problems would entail, they deem the cost too great. What they need to remember is that the cost of ignoring cybersecurity vulnerabilities is far greater, both because of the costs of a breach and because of the potential legal exposure, particularly if they compound the problem by retaliating against the whistleblower.

In our experience, most whistleblowers, and cybersecurity whistleblowers in particular, are looking out for the best interests of the company they work for and only report externally out of fear of retaliation and concern that the problems they see will go unaddressed. In the cybersecurity context, if companies demonstrate through both their words and actions that whistleblowers can safely report problems and that the company is committed to actively addressing those problems, the company will both have a more robust cybersecurity posture and avoid significant legal liability.
[1]  Cutler v. Dike et al., No. B210624, 2010 WL 3341663 (Cal. Ct. App. Aug. 26, 2010).

[2]  Zungoli v. United Parcel Serv., Inc., et al., Civ. No. 07-2194, 2009 WL 1085440 (D.N.J. Apr. 22, 2009).

Debra Katz

Debra S. Katz is a founding partner with the whistleblower and employment law firm Katz, Marshall & Banks, LLP, in Washington, D.C. (http://www.kmblegal.com). She specializes in the representation of employees in whistleblower-retaliation cases and in representing individuals in the submission of “tips” to whistleblower reward programs such as those administered by the SEC and the Internal Revenue Service. She serves on the Board of Directors of the Project on Government Oversight, a nonpartisan independent government watchdog that champions good government reforms and works to strengthen laws and regulations to protect whistleblowers from intimidation and retaliation. Ms. Katz earned her law degree from the University of Wisconsin Law School. She can be reached at katz@kmblegal.com.  
