Anticipating the Next New Variety of Cybersecurity Litigation

How to Prevent Cybersecurity Whistleblowers and Defend Against Their Claims

by Kristen J. Mathews, Mark David McPherson and Janie Schulman
November 12, 2019
in Cybersecurity, Featured
Whistleblower cases may be the next trend in cybersecurity litigation. Morrison & Foerster’s Kristen J. Mathews, Mark David McPherson and Janie Schulman discuss various measures and best practices for companies in guarding against potential liability.

While there has (understandably) been a media frenzy about whistleblowers and protections for them in the last few weeks, whistleblowers have not yet received as much attention as they may soon receive in one particular context: cybersecurity incidents.

Given the number of cybersecurity incidents in recent years and the diversity of companies and, indeed, industries affected by them, this is somewhat surprising. There is no reason to think that employees and outsiders to a company are not raising concerns about companies’ cybersecurity practices either internally or with regulators. Here, we highlight the reasons companies should be thinking about internal warnings about their cybersecurity practices, how to address these kinds of whistleblowers and their concerns and how to defend against whistleblower claims in this context.

Cybersecurity-related whistleblowers could easily come into play in a variety of circumstances:

  • An employee or outsider could raise concerns about a company’s cybersecurity practices generally, including its remediation of known vulnerabilities, in a way that calls into question the company’s disclosures to shareholders about the strength of its practices. This issue could come up when a company has received a cybersecurity assessment or penetration test report that identifies security vulnerabilities. An employee or outsider may believe the company has not remediated the vulnerabilities quickly or effectively enough.
  • An employee could raise concerns about how a company has responded to a customer’s or other third party’s data security questions, such as a diligence questionnaire. The employee may believe the company’s response was inaccurate or contained a material omission. This situation could arise whether the customer is another private company or a government entity.
  • An employee or outsider could raise concerns about how a company handled a data security incident. The company may not have notified customers, shareholders or regulators of the incident, perhaps because of a legal exception or a risk-of-harm threshold present in the applicable law or because of the company’s risk-benefit analysis. An employee, however, may think the company should have notified the customers, shareholders or regulators.
  • An employee or outsider could raise concerns about a cybersecurity vulnerability that affects a company’s financial reporting controls or mechanisms, such as a cyberattack where the intruder gained access to applications used by the company’s finance or accounting department.

These are just a sampling of the contexts in which cybersecurity whistleblowing might arise, and the consequences could prove substantial. One company recently defended a cybersecurity whistleblower claim in the context of a contract with the U.S. government. On July 31, 2019, a federal judge approved a settlement of a long-pending qui tam case between Cisco Systems Inc. and a former employee. In the settlement, Cisco agreed to pay $2.6 million to the federal government and up to $6 million to 15 states to resolve claims that Cisco sold “a video surveillance system that [it] knew to possess dangerous, undisclosed and impermissible security weaknesses.”

Employees and outsiders have a variety of incentives to raise cybersecurity concerns. First, they could seek their own recovery, as Cisco’s employee did, under statutes such as the False Claims Act or the Dodd-Frank Act. The scope of the FCA is limited — only a whistleblower raising concerns about a product or service provided to the federal government (or states, under state versions of the FCA) could pursue an FCA claim. Nevertheless, the number of companies that provide products or services to the federal or state governments continues to grow, as does the opportunity for FCA claims, and the government’s requirements for cybersecurity are extensive. The Dodd-Frank Act also provides an award (or “bounty”) program and protections for whistleblowers. Under the statute, a whistleblower can recover a percentage of monetary sanctions the SEC collects in an enforcement action if the whistleblower reports “original information” to the SEC and the SEC orders monetary sanctions in excess of $1 million (15 U.S.C. § 78u-6).

Second, apart from a possible recovery, employees may seek the protections against retaliation included within the dozens of federal and state whistleblower protection statutes. While there are more than 40 such statutes at the federal level alone (plus similar protections enacted by states), some of the key protections include:

Sarbanes-Oxley Act (SOX)

The statute protects employees who report certain kinds of fraud or violations of SEC rules to internal supervisors as well as to any federal regulatory or law enforcement agency or any member of Congress (18 U.S.C. §1514A).

Dodd-Frank Act

Whistleblowing reports under Dodd-Frank can be made to the SEC by either employees or outsiders under Dodd-Frank’s bounty hunter program, as long as the company being reported is regulated by the SEC. In addition to expanding the whistleblower protections under SOX, Dodd-Frank provides protections from retaliation against a whistleblower independent of the protections provided by SOX (15 U.S.C. § 78u-6). SOX and Dodd-Frank are similar, but Dodd-Frank permits double recovery of back pay and does not require filing a complaint with the Secretary of Labor (as SOX does). Dodd-Frank, however, only protects employees who report alleged illegal activity to the SEC (Digital Realty Trust, Inc. v. Somers, 583 U.S.___, 138 S. Ct. 767 (2018)).

Consumer Financial Protection Act

A different provision of Dodd-Frank, codified as part of the CFPB statutes (12 U.S.C. § 5567), protects whistleblowers who provide information to the CFPB about violations that fall within the CFPB’s jurisdiction (or who testify in a CFPB proceeding, file a proceeding or refuse to participate in an act that would violate a CFPB regulation). The CFPB asserts jurisdiction to pursue companies for cyber practices that are unfair, deceptive or abusive, and there is at least one consent order the CFPB obtained relating to cybersecurity practices.

Regulation S-P

This Regulation, part of the scheme of regulations the Gramm-Leach-Bliley Act (GLB) imposes on brokers, dealers, investment companies and investment advisors, establishes certain data security requirements (17 C.F.R. § 248.1 et seq). It does not independently provide whistleblower protections, but an employee who raises concerns about compliance with Regulation S-P’s data security requirements could be covered by the whistleblower protections of SOX or Dodd-Frank.

State Law Protections of Whistleblowers

As just two examples, Cal. Labor Code § 1102.5 and N.Y. Lab. Law §§ 740, 741 protect employees of any type of company who disclose or threaten to disclose to a regulator a potential legal violation or who refuse to participate in conduct that would constitute a legal violation.

California’s whistleblower statute applies to any kind of legal violation by a public or private company and also extends protections to employees who report internally to “a person with authority over the employee” or to another employee with the authority to “investigate, discover or correct” the reported violation.

The reach of these various statutory schemes is vast, applying to most large companies and many small companies in the United States. Regulation S-P applies only to brokers, dealers, investment companies and investment advisors, but that group alone encompasses many companies in the financial investment industry. While the CFPA applies only to consumer finance companies, the SOX whistleblower protections apply to employees of any publicly traded company; its privately held subsidiaries, contractors, subcontractors and agents; and employees of nationally recognized statistical rating organizations who provide information regarding alleged violations of certain federal anti-fraud statutes, alleged securities law violations or violations of federal laws prohibiting fraud against shareholders. (Likewise, the whistleblower protections in the Dodd-Frank Act potentially apply to any employee of a public company who provides information relating to an SEC proceeding or who makes disclosures required by federal commodities and securities laws and regulations.) In addition, some state whistleblower protection laws, like California’s, apply to both public and private companies and to violations of any kind of law.

Addressing Cybersecurity Whistleblowers

To guard against potential liability, we recommend that companies consider the following measures any time they learn of an employee raising cybersecurity concerns about the company’s products, data governance structures or practices:

Thoroughly investigate the concern.

This is the obvious — and most essential — step, but it cannot be overstated. While a company should of course conduct any investigation in proportion to the scope of the concern being raised, the company should satisfy itself that no concern about cybersecurity has gone unaddressed. Carefully considering and addressing any reported cybersecurity concern is the best way for any company to avoid a claim that the company’s products or services suffer security flaws, that the company misrepresented its security practices to investors or that the company retaliated against an employee for raising any cybersecurity concerns.

Consider retaining an independent outside cybersecurity firm.

An outside firm could take a fresh look at the product, decision or practice the whistleblower is critiquing, advise the company whether there is merit to the whistleblower’s concern and, if so, recommend steps the company can take to mitigate or remedy the concern.

Consider revising the audit committee’s procedures for handling confidential complaints.

15 U.S.C. 78j-1(m)(4) requires audit committees of a company’s board to establish a procedure for accepting and reviewing confidential submissions by employees concerning questionable accounting or auditing matters. Most public companies’ procedures extend more broadly and address the procedure for handling any complaint, whether pertaining to accounting or auditing matters or otherwise. Companies should consider whether to revise their whistleblower procedures to ensure that any complaint they receive concerning a cybersecurity matter is immediately forwarded to the general counsel (as well as to the audit committee if the cybersecurity matter pertains to accounting or auditing issues).

Consider revising the company’s incident response plan.

Companies should consider their procedures for identifying the control group that will assess and determine any incident response (or response to a pen-testing exercise or other information-security assessment), limiting the number of employees who will participate in correspondence and meetings about an incident and how to respond. In addition to offering benefits in streamlining discussion and ensuring a swift, effective and appropriate response, limiting the number of employees to those who need to know about an incident and who have the experience and authority to properly address it will reduce the number of employees who could allege that they were retaliated against for taking a position on how the company should respond to an incident or security assessment.

Document any adverse employment actions carefully.

Companies must scrupulously avoid taking any actions that could be construed as adverse employment actions in retaliation for an employee’s raising of a complaint. But there are times when a company must take adverse employment action against an employee for reasons entirely unrelated to the employee’s previous (or subsequent) airing of a complaint. A common example in the cybersecurity context is when the company terminates an employee on the ground that the employee was somehow responsible for not remediating a vulnerability that was exploited in a cybersecurity incident or on the ground that the employee did not react to a cybersecurity incident appropriately. These circumstances often have a complicated history, and the termination decision could easily prompt a whistleblower complaint by the employee. Whistleblower protection laws highlight the need for companies to carefully and contemporaneously document the reasons for taking any adverse action against an employee. This is true whether the employee has raised a cybersecurity concern or not: It is as important to document the legitimate bases for an adverse action against an employee who may later raise a cybersecurity concern as it is to document the bases for such an action against an employee who previously raised a concern.

Defending Cybersecurity Whistleblower Claims

If these strategies fail to avert a whistleblower suit, there are a number of things a company should do immediately:

  • Issue a document retention notice. A company may have already done so even before receiving a complaint from a whistleblower, if the company knew of the whistleblower’s retaliation allegations and litigation seemed likely. If not, issuing a retention notice is important to prevent a whistleblower case from becoming a case about whether a company mishandled documents about the whistleblower.
  • Consider whether the company has a binding arbitration agreement with its employees. Increasingly, companies do. (But note: Pre-dispute mandatory arbitration agreements are not enforceable in SOX whistleblower retaliation actions.)
  • Consider possible legal defenses, such as whether the law under which the employee is suing has an exhaustion of remedies requirement. SOX, for example, requires an employee to first file a claim with OSHA within 180 days.
  • Hire outside counsel immediately. The issues highlighted here are just a few of the dozens of issues to consider if you are forced to defend a whistleblower claim. Outside counsel can help you navigate the issues and formulate a strategy to best protect your company.

Cybersecurity-related whistleblowing is likely to become increasingly common, and the potential downsides to a company that does not address these concerns carefully can be material. Companies should pay special attention to this body of law when an employee or outsider raises a cybersecurity concern about how a company is addressing a security vulnerability in its own systems or in its product offering or about an actual or suspected cybersecurity compromise. Companies should also carefully scrutinize potential employee terminations, demotions or reprimands stemming from a cybersecurity vulnerability or compromise or from the company’s response to either of these problems. In this complex and evolving legal landscape, it will pay off for a company to take special care to navigate these decisions and their potential ramifications safely.


Tags: Dodd-Frank Act, SOX Compliance, Whistleblowing
Kristen J. Mathews, Mark David McPherson and Janie Schulman

Kristen J. Mathews is a partner in Morrison & Foerster LLP’s Global Privacy + Data Security Group. For more than 20 years, Kristen’s practice has focused on advising clients on the full spectrum of the most complex privacy and cybersecurity issues, including regulatory and compliance matters. An early leader in the privacy sphere, Kristen has developed comprehensive knowledge and long-term perspective, cultivated a client base across a broad range of industries and established herself as one of the top lawyers in her field.
Mark David McPherson is a partner in the San Francisco office of Morrison & Foerster. For more than 20 years, Mark David has represented companies and individuals in their most difficult and complex legal disputes. He has served as a trusted advisor as companies and individuals navigate regulatory or internal investigations, and he has advocated for his clients in high-stakes litigation — including numerous trials and appeals. While Mark David’s subject matter expertise includes state and federal securities laws, federal transportation law, RICO, the Alien Tort Statute, the Foreign Sovereign Immunities Act and deceptive practices statutes, his focus has turned most recently to cases or investigations involving data security incidents and privacy laws.
Janie Schulman is a litigation partner in Morrison & Foerster’s Los Angeles office, Co-Chair of the firm’s Employment and Labor Group and a Fellow of the American College of Labor and Employment Lawyers. She has specialized in employment, whistleblower retaliation and trade secrets litigation and counseling for almost 30 years. Janie has developed expertise in employment law issues unique to several industries, including financial services, technology, medical/life sciences, retail and hospitality. She litigates and tries complex lawsuits alleging whistleblower retaliation under the Sarbanes-Oxley Act, misappropriation of trade secrets, employee and customer raiding, unfair competition and breach of restrictive covenants.
