
Blowing the Whistle: Exploring Federal Protections After Twitter Testimony

Without comprehensive federal digital privacy laws, whistleblowers remain public’s last line of defense

by Katherine Krems
September 28, 2022
in Cybersecurity, Data Privacy

Twitter’s been in the news of late thanks to Elon Musk’s (failed?) takeover bid, but another recent bit of Twitter news could be even more concerning for data privacy advocates. A former employee testified before Congress about the company’s blatant disregard for cybersecurity protections, and as tech companies continue to amass an unprecedented volume of private data (and with no blanket federal privacy laws in sight), attorney Katherine Krems explores what laws do protect whistleblowers.

On Sept. 13, Twitter whistleblower Peiter “Mudge” Zatko testified in front of Congress, telling tales of the company’s egregious disregard for even the most basic cybersecurity protections.

Congress has thus far failed to pass a national data privacy law, the most basic way to protect Americans’ information online and ensure that companies comply with minimum requirements. In the absence of national standards, whistleblowers will bear the burden of speaking out about companies’ and federal agencies’ failures to adequately protect the information with which they are entrusted and holding these organizations accountable. 

Cybersecurity whistleblowing is a relatively new area of the law, as companies hold increasing amounts of data and repeatedly fail to safeguard that information. While the United States scrambles to pass a national data privacy/information security law, it’s worth considering whether employees like Zatko, who witness the mishandling of data or the misrepresentation of cybersecurity protections at work, are protected from retaliation if they speak out.

Here is an overview of some of the laws that may apply if an employee raises concerns about cybersecurity and data security vulnerabilities at work.

The Whistleblower Protection Act (WPA)

  • The WPA prohibits retaliation against most federal employees who raise concerns about what they reasonably believe evidences a violation of law, rule or regulation; gross mismanagement; gross waste of funds; an abuse of authority; and/or a substantial and specific danger to public health and safety.
  • There has been minimal adjudication on cybersecurity whistleblowing under the WPA. However, in many instances, the WPA would apply where a federal employee raises concerns about cybersecurity or data privacy failures that violate a law, rule or regulation or fall into another protected category under the act. 
  • As discussed above, the U.S. has virtually no federal laws specifically regulating cybersecurity. Thus, there are few regulations that govern how the federal government protects and safeguards information stored online. 
  • Still, there are some laws and regulations in effect today that would apply to protect federal government employee cybersecurity whistleblowers.
  • As an example, the Executive Order on Improving the Nation’s Cybersecurity, which President Joe Biden signed in May 2021, requires that federal agencies adopt, within 180 days, multi-factor authentication and encryption for data stored at rest and in transit.
  • A federal employee who raises concerns about an agency’s failure to implement two-factor authentication and data encryption as required by the EO would likely be protected from retaliation under the WPA.

The National Defense Authorization Act (NDAA) & False Claims Act (FCA)

  • The NDAA and FCA protect from retaliation whistleblowers who report violations of requirements relating to federal contractors and/or use of federal funds and resources in federal contracts and grants. 
  • The NDAA applies to defense contractors. The NDAA of 2022, signed by Biden in December 2021, includes general requirements for the government to update a cybersecurity incident response plan, but it does not include a mandatory reporting requirement for contractors to report cyber incidents. 
  • The FCA protects from retaliation whistleblowers who report violations of requirements related to false and fraudulent submissions for payment to the federal government. An FCA whistleblower, also called a “relator,” can attempt to file, on behalf of the government, a qui tam claim alleging that the government was defrauded.
  • Defense contractors (arguably covered by both the NDAA and the FCA) are also required to adhere to the cybersecurity requirements contained in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which provides baseline requirements for cybersecurity precautions necessary for the protection of controlled unclassified information (CUI). 
  • The NIST standards include incident reporting requirements, but what constitutes an incident that must be reported is still up for debate. At this point, it is unclear under what circumstances whistleblowers alleging violations of the NIST standards are protected from reprisal.
  • If the administration and/or Congress pass more stringent regulations clearly requiring reporting of cybersecurity incidents, whistleblowers raising concerns about violations of these laws would have a stronger cause of action.

Sarbanes-Oxley Act (SOX), Dodd-Frank & SEC Whistleblower Program

  • SOX protects from retaliation whistleblowers who are employees or contractors of publicly traded companies when they report that the company violated the securities laws, committed mail or wire fraud, or violated other regulations prohibiting financial fraud and fraud against its shareholders.
  • The Dodd-Frank provision protects employees who report violations of the securities laws to the SEC.
  • The SEC also has a program in which a whistleblower can report a violation of the securities laws to the SEC. The whistleblower may be eligible for an award if the report results in an enforcement action with monetary sanctions over $1,000,000.
  • Whistleblowers who report concerns related to cybersecurity and data privacy may be covered by the anti-retaliation provisions of SOX and Dodd-Frank and may be able to report violations of cybersecurity requirements to the SEC.
  • For example, cybersecurity breaches or serious cybersecurity vulnerabilities may be material to investors if those breaches and/or vulnerabilities render an investment in a company particularly risky. A company that fails to disclose such a breach or vulnerability may be guilty of a material misstatement in violation of the securities laws, and a whistleblower disclosing this misstatement may be protected by SOX or Dodd-Frank. 
  • The SEC appears poised to adopt new rules requiring that public companies implement stricter cybersecurity protections, including better management of cybersecurity risks, incident responses and reporting of cybersecurity incidents.  

In his testimony, Zatko discussed the importance of Congress enacting privacy regulations and protecting whistleblowers; as an employee who was terminated after he raised concerns about cybersecurity vulnerabilities, he understands first-hand the danger of speaking out. For now, until federal lawmakers enact comprehensive cybersecurity and data privacy regulations, whistleblowers are the last line of defense to protect the security of our online information.

This article was first published on the blog for Kalijarvi, Chuzi, Newman & Fitch. It’s republished here with permission.

Katherine Krems

Katherine "Kate" Krems, an associate attorney with Kalijarvi, Chuzi, Newman & Fitch, P.C. in Washington, D.C., represents employees in discrimination, sexual harassment and whistleblower retaliation cases.
