Twitter’s been in the news of late thanks to Elon Musk’s (failed?) takeover bid, but another recent bit of Twitter news could be even more concerning for data privacy advocates. A former employee testified before Congress about the company’s blatant disregard for cybersecurity protections, and as tech companies continue to amass an unprecedented volume of private data (and with no blanket federal privacy laws in sight), attorney Katherine Krems explores what laws do protect whistleblowers.
On Sept. 13, Twitter whistleblower Peiter “Mudge” Zatko testified in front of Congress, telling tales of the company’s egregious disregard for even the most basic cybersecurity protections.
Congress has thus far failed to pass a national data privacy law, the most basic way to protect Americans’ information online and ensure that companies comply with minimum requirements. In the absence of national standards, whistleblowers will bear the burden of speaking out about companies’ and federal agencies’ failures to adequately protect the information with which they are entrusted and holding these organizations accountable.
Cybersecurity whistleblowing is a relatively new area of the law, as companies hold increasing amounts of data and repeatedly fail to safeguard that information. While the United States scrambles to pass a national data privacy/information security law, it’s worth considering whether employees like Zatko, who witness in the course of their jobs the mishandling of data or the misrepresentation of cybersecurity protections, are protected from retaliation if they speak out.
Here is an overview of some of the laws that may apply if an employee raises concerns about cybersecurity and data security vulnerabilities at work.
The Whistleblower Protection Act (WPA)
- The WPA prohibits retaliation against most federal employees who raise concerns about what they reasonably believe evidences a violation of law, rule or regulation; gross mismanagement; gross waste of funds; an abuse of authority; and/or a substantial and specific danger to public health and safety.
- There has been minimal adjudication on cybersecurity whistleblowing under the WPA. However, in many instances, the WPA would apply where a federal employee raises concerns about cybersecurity or data privacy failures that violate a law, rule or regulation or fall into another protected category under the act.
- As discussed above, the U.S. has virtually no federal laws specifically regulating cybersecurity. Thus, there are few regulations that govern how the federal government protects and safeguards information stored online.
- Still, there are some laws and regulations in effect today that would apply to protect federal government employee cybersecurity whistleblowers.
- As an example, the Executive Order on Improving the Nation’s Cybersecurity, which President Joe Biden signed in May 2021, requires that, within 180 days, federal agencies adopt multi-factor authentication and encryption for data stored at rest and in transit.
- A federal employee who raises concerns about an agency’s failure to implement two-factor authentication and data encryption as required by the EO would likely be protected from retaliation under the WPA.
The National Defense Authorization Act (NDAA) & False Claims Act (FCA)
- The NDAA and FCA protect from retaliation whistleblowers who report violations of requirements relating to federal contractors and/or use of federal funds and resources in federal contracts and grants.
- The NDAA applies to defense contractors. The NDAA of 2022, signed by Biden in December 2021, includes general requirements for the government to update a cybersecurity incident response plan, but it does not include a mandatory reporting requirement for contractors to report cyber incidents.
- The FCA protects from retaliation whistleblowers who report violations of requirements related to false and fraudulent submissions for payment to the federal government. An FCA whistleblower, also called a “relator,” can attempt to file, on behalf of the government, a qui tam claim alleging that the government was defrauded.
- Defense contractors (arguably covered by both the NDAA and the FCA) are also required to adhere to the cybersecurity requirements contained in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which provides baseline requirements for cybersecurity precautions necessary for the protection of controlled unclassified information (CUI).
- The NIST standards include incident reporting requirements, but what constitutes an incident that must be reported is still up for debate. At this point, it is unclear under what circumstances whistleblowers alleging violations of the NIST standards are protected from reprisal.
- If the administration and/or Congress pass more stringent regulations clearly requiring reporting of cybersecurity incidents, whistleblowers raising concerns about violations of these laws would have a stronger cause of action.
Sarbanes-Oxley Act (SOX), Dodd-Frank & SEC Whistleblower Program
- SOX protects from retaliation whistleblowers who are employees or contractors of publicly traded companies when they report that the company violated the securities laws, committed mail or wire fraud, or violated other regulations prohibiting financial fraud and fraud against its shareholders.
- The Dodd-Frank provision protects employees who report violations of the securities laws to the SEC.
- The SEC also has a program in which a whistleblower can report a violation of the securities laws to the SEC. The whistleblower may be eligible for an award if the report results in an enforcement action with monetary sanctions over $1,000,000.
- Whistleblowers who report concerns related to cybersecurity and data privacy may be covered by the anti-retaliation provisions of SOX and Dodd-Frank and may be able to report violations of cybersecurity requirements to the SEC.
- For example, cybersecurity breaches or serious cybersecurity vulnerabilities may be material to investors if those breaches and/or vulnerabilities render an investment in a company particularly risky. A company that fails to disclose such a breach or vulnerability may be guilty of a material misstatement in violation of the securities laws, and a whistleblower disclosing this misstatement may be protected by SOX or Dodd-Frank.
- The SEC appears poised to adopt new rules requiring that public companies implement stricter cybersecurity protections, including better management of cybersecurity risks, incident responses and reporting of cybersecurity incidents.
In his testimony, Zatko discussed the importance of Congress enacting privacy regulations and protecting whistleblowers; as an employee who was terminated after he raised concerns about cybersecurity vulnerabilities, he understands first-hand the danger of speaking out. For now, until federal lawmakers enact comprehensive cybersecurity and data privacy regulations, whistleblowers are the last line of defense protecting the security of our online information.