Whistleblower cases may be the next trend in cybersecurity litigation. Morrison & Foerster’s Kristen J. Mathews, Mark David McPherson and Janie Schulman discuss various measures and best practices for companies in guarding against potential liability.
While there has (understandably) been a media frenzy about whistleblowers and protections for them in the last few weeks, whistleblowers have not yet received as much attention as they may soon receive in one particular context: cybersecurity incidents.
Given the number of cybersecurity incidents in recent years and the diversity of companies and, indeed, industries affected by them, this is somewhat surprising. There is no reason to think that employees and outsiders to a company are not raising concerns about companies’ cybersecurity practices either internally or with regulators. Here, we highlight the reasons companies should be thinking about internal warnings about their cybersecurity practices, how to address these kinds of whistleblowers and their concerns and how to defend against whistleblower claims in this context.
Cybersecurity-related whistleblowers could easily come into play in a variety of circumstances:
- An employee or outsider could raise concerns about a company’s cybersecurity practices generally, including its remediation of known vulnerabilities, in a way that calls into question the company’s disclosures to shareholders about the strength of its practices. This issue could come up when a company has received a cybersecurity assessment or penetration test report that identifies security vulnerabilities. An employee or outsider may believe the company has not remediated the vulnerabilities quickly or effectively enough.
- An employee could raise concerns about how a company has responded to a customer’s or other third party’s data security questions, such as a diligence questionnaire. The employee may believe the company’s response was inaccurate or contained a material omission. This situation could arise whether the customer is another private company or a government entity.
- An employee or outsider could raise concerns about how a company handled a data security incident. The company may not have notified customers, shareholders or regulators of the incident, perhaps because of a legal exception or a risk-of-harm threshold present in the applicable law or because of the company’s risk-benefit analysis. An employee, however, may think the company should have notified the customers, shareholders or regulators.
- An employee or outsider could raise concerns about a cybersecurity vulnerability that affects a company’s financial reporting controls or mechanisms, such as a cyberattack where the intruder gained access to applications used by the company’s finance or accounting department.
These are just a sampling of the contexts in which cybersecurity whistleblowing might arise, and the consequences could prove substantial. One company recently defended a cybersecurity whistleblower claim in the context of a contract with the U.S. government. On July 31, 2019, a federal judge approved a settlement of a long-pending qui tam case between Cisco Systems Inc. and a former employee. In the settlement, Cisco agreed to pay $2.6 million to the federal government and up to $6 million to 15 states to resolve claims that Cisco sold “a video surveillance system that [it] knew to possess dangerous, undisclosed and impermissible security weaknesses.”
Employees and outsiders have a variety of incentives to raise cybersecurity concerns. First, they could seek their own recovery, as Cisco’s employee did, under statutes such as the False Claims Act or the Dodd-Frank Act. The scope of the FCA is limited — only a whistleblower raising concerns about a product or service provided to the federal government (or states, under state versions of the FCA) could pursue an FCA claim. Nevertheless, the number of companies that provide products or services to the federal or state governments continues to grow, as does the opportunity for FCA claims, and the government’s requirements for cybersecurity are extensive. The Dodd-Frank Act also provides an award (or “bounty”) program and protections for whistleblowers. Under the statute, a whistleblower can recover a percentage of monetary sanctions the SEC collects in an enforcement action if the whistleblower reports “original information” to the SEC and the SEC orders monetary sanctions in excess of $1 million (15 U.S.C. § 78u-6).
Second, apart from a possible recovery, employees may seek the protections against retaliation included within the dozens of federal and state whistleblower protection statutes. While there are more than 40 such statutes at the federal level alone (plus similar protections enacted by states), some of the key protections include:
Sarbanes-Oxley Act (SOX)
The statute protects employees who report certain kinds of fraud or violations of SEC rules to internal supervisors as well as to any federal regulatory or law enforcement agency or any member of Congress (18 U.S.C. §1514A).
Dodd-Frank Act
Whistleblowing reports under Dodd-Frank can be made to the SEC by either employees or outsiders under Dodd-Frank’s bounty hunter program, as long as the company being reported is regulated by the SEC. In addition to expanding the whistleblower protections under SOX, Dodd-Frank provides protections from retaliation against a whistleblower independent of the protections provided by SOX (15 U.S.C. § 78u-6). SOX and Dodd-Frank are similar, but Dodd-Frank permits double recovery of back pay and does not require filing a complaint with the Secretary of Labor (as SOX does). Dodd-Frank, however, only protects employees who report alleged illegal activity to the SEC (Digital Realty Trust, Inc. v. Somers, 583 U.S.___, 138 S. Ct. 767 (2018)).
Consumer Financial Protection Act
A different provision of Dodd-Frank, codified as part of the CFPB statutes (12 U.S.C. § 5567), protects whistleblowers who provide information to the CFPB about violations that fall within the CFPB’s jurisdiction (or who testify in a CFPB proceeding, file a proceeding or refuse to participate in an act that would violate a CFPB regulation). The CFPB asserts jurisdiction to pursue companies for cyber practices that are unfair, deceptive or abusive, and there is at least one consent order the CFPB obtained relating to cybersecurity practices.
Regulation S-P
This Regulation, part of the scheme of regulations the Gramm-Leach-Bliley Act (GLB) imposes on brokers, dealers, investment companies and investment advisors, establishes certain data security requirements (17 C.F.R. § 248.1 et seq). It does not independently provide whistleblower protections, but an employee who raises concerns about compliance with Regulation S-P’s data security requirements could be covered by the whistleblower protections of SOX or Dodd-Frank.
State Law Protections of Whistleblowers
As just two examples, Cal. Labor Code § 1102.5 and N.Y. Lab. Law §§ 740, 741 protect employees of any type of company who disclose or threaten to disclose to a regulator a potential legal violation or who refuse to participate in conduct that would constitute a legal violation.
California’s whistleblower statute applies to any kind of legal violation by a public or private company and also extends protections to employees who report internally to “a person with authority over the employee” or to another employee with the authority to “investigate, discover or correct” the reported violation.
The reach of these various statutory schemes is vast, applying to most large companies and many small companies in the United States. Regulation S-P applies only to brokers, dealers, investment companies and investment advisors, but that group alone encompasses many companies in the financial investment industry. While the CFPA applies only to consumer finance companies, the SOX whistleblower protections apply to employees of any publicly traded company; its privately held subsidiaries, contractors, subcontractors and agents; and employees of nationally recognized statistical rating organizations who provide information regarding alleged violations of certain federal anti-fraud statutes, alleged securities law violations or violations of federal laws prohibiting fraud against shareholders. (Likewise, the whistleblower protections in the Dodd-Frank Act potentially apply to any employee of a public company who provides information relating to an SEC proceeding or who makes disclosures required by federal commodities and securities laws and regulations.) In addition, some state whistleblower protection laws, like California’s, apply to both public and private companies and to violations of any kind of law.
Addressing Cybersecurity Whistleblowers
To guard against potential liability, we recommend companies consider the following measures any time they learn of an employee raising cybersecurity concerns about the company’s products, data governance structures or practices:
Thoroughly investigate the concern.
This is the obvious — and most essential — step, but it cannot be overstated. While a company should of course conduct any investigation in proportion to the scope of the concern being raised, the company should satisfy itself that no concern about cybersecurity has gone unaddressed. Carefully considering and addressing any reported cybersecurity concern is the best way for any company to avoid a claim that the company’s products or services suffer security flaws, that the company misrepresented its security practices to investors or that the company retaliated against an employee for raising any cybersecurity concerns.
Consider retaining an independent outside cybersecurity firm.
An outside firm could take a fresh look at the product, decision or practice the whistleblower is critiquing, advise the company whether there is merit to the whistleblower’s concern and, if so, recommend steps the company can take to mitigate or remedy the concern.
Consider revising the audit committee’s procedures for handling confidential complaints.
15 U.S.C. § 78j-1(m)(4) requires audit committees of a company’s board to establish a procedure for accepting and reviewing confidential submissions by employees concerning questionable accounting or auditing matters. Most public companies’ procedures extend more broadly and address the procedure for handling any complaint, whether pertaining to accounting or auditing matters or otherwise. Companies should consider whether to revise their whistleblower procedures to ensure that any complaint they receive concerning a cybersecurity matter is immediately forwarded to the general counsel (as well as to the audit committee if the cybersecurity matter pertains to accounting or auditing issues).
Consider revising the company’s incident response plan.
Companies should consider their procedures for identifying the control group that will assess and determine any incident response (or response to a pen-testing exercise or other information-security assessment), limiting the number of employees who will participate in correspondence and meetings about an incident and how to respond. In addition to offering benefits in streamlining discussion and ensuring a swift, effective and appropriate response, limiting the number of employees to those who need to know about an incident and who have the experience and authority to properly address it will reduce the number of employees who could allege that they were retaliated against for taking a position on how the company should respond to an incident or security assessment.
Document any adverse employment actions carefully.
Companies must scrupulously avoid taking any actions that could be construed as adverse employment actions in retaliation for an employee’s raising of a complaint. But there are times when a company must take adverse employment action against an employee for reasons entirely unrelated to the employee’s previous (or subsequent) airing of a complaint. A common example in the cybersecurity context is when the company terminates an employee on the ground that the employee was somehow responsible for not remediating a vulnerability that was exploited in a cybersecurity incident or on the ground that the employee did not react to a cybersecurity incident appropriately. These circumstances often have a complicated history, and the termination decision could easily prompt a whistleblower complaint by the employee. Whistleblower protection laws highlight the need for companies to carefully and contemporaneously document the reasons for taking any adverse action against an employee. This is true whether the employee has raised a cybersecurity concern or not: It is as important to document the legitimate bases for an adverse action against an employee who may later raise a cybersecurity concern as it is to document the bases for such an action against an employee who previously raised a concern.
Defending Cybersecurity Whistleblower Claims
If these strategies fail to avert a whistleblower suit, there are a number of things a company should do immediately:
- Issue a document retention notice. A company may have already done so even before receiving a complaint from a whistleblower, if the company knew of the whistleblower’s retaliation allegations and litigation seemed likely. If not, issuing a retention notice is important to prevent a whistleblower case from becoming a case about whether a company mishandled documents about the whistleblower.
- Consider whether the company has a binding arbitration agreement with its employees. Increasingly, companies do. (But note: Pre-dispute mandatory arbitration agreements are not enforceable in SOX whistleblower retaliation actions.)
- Consider possible legal defenses, such as whether the law under which the employee is suing has an exhaustion of remedies requirement. SOX, for example, requires an employee to first file a claim with OSHA within 180 days.
- Hire outside counsel immediately. The issues highlighted here are just a few of the dozens of issues to consider if you are forced to defend a whistleblower claim. Outside counsel can help you navigate the issues and formulate a strategy to best protect your company.
Cybersecurity-related whistleblowing is likely to become increasingly common, and the potential downsides to a company that does not address these concerns carefully can be material. Companies should pay special attention to this body of law when an employee or outsider raises a cybersecurity concern about how a company is addressing a security vulnerability in its own systems or in its product offering or about an actual or suspected cybersecurity compromise. Companies should also carefully scrutinize potential employee terminations, demotions or reprimands stemming from a cybersecurity vulnerability or compromise or from the company’s response to either of these problems. In this complex and evolving legal landscape, it will pay off for a company to take special care to navigate these decisions and their potential ramifications safely.