Companies that experience a cyber breach face several immediate and difficult challenges: quickly getting a handle on the scope of the breach, making sure that the intruder is out of their system, remediating any vulnerability, assessing what data was accessed (if any), deciding whether to reach out to law enforcement, determining whether any mandatory notification obligations have been triggered, and weighing whether to make any voluntary notification to regulators, customers, investors, etc. One thing companies should consider adding to that list is potential whistleblowers.
The Sarbanes-Oxley Act (“SOX”), 18 U.S.C. § 1514A, protects whistleblowers from retaliation when they disclose information they reasonably believe to relate to alleged mail, wire, bank, or securities fraud, or violations of SEC rules and regulations. When a publicly traded company experiences a major cyber event but delays notification (as has been alleged against Equifax), a whistleblower could report that delay to the SEC in an effort to claim a reward under the SEC’s whistleblower program.
Under the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”), 15 U.S.C. § 78u-6, a whistleblower who reports violations of federal securities laws to the SEC is eligible for an award of between 10% and 30% of the monetary sanctions collected by the SEC and other law enforcement authorities. To be eligible for the award, the whistleblower must voluntarily provide the SEC with original information about a possible violation of the federal securities laws that has occurred, is ongoing, or is about to occur, which leads to a successful SEC action resulting in monetary sanctions exceeding $1 million.
Indeed, whistleblower issues may arise even before a breach has occurred. In a recent case concerning retaliation claims under SOX, Dodd-Frank, and Florida’s Whistleblower Act—Thomas v. Tyco International Management Co., LLC, 2017 WL 4466507 (S.D. Fla. Mar. 31, 2017)—the district court found that a former employee who tipped off the Department of Labor and the SEC to alleged deficiencies in data security around the company’s financial reporting process had an objectively reasonable basis for believing that the company violated applicable securities law. To date, the SEC has not issued any press release or suggested any enforcement action related to these allegations, but if it pursues the allegations and obtains a subsequent judgment or settlement, the whistleblower could be entitled to a cut of those proceeds.
In addition to the securities laws, whistleblowers could seek recovery under the False Claims Act (“FCA”), 31 U.S.C. § 3729 et seq., which enables employees to bring qui tam suits on behalf of the government where their companies are alleged to have defrauded the federal government through noncompliance with the cybersecurity obligations stipulated in their federal contracts. Employees of federal contractors and subcontractors who report such noncompliance are separately protected from retaliation under the National Defense Authorization Act for Fiscal Year 2013 (“NDAA”), 10 U.S.C. § 2409 and 41 U.S.C. § 4712, which do not themselves create a qui tam remedy.
Considering the federal government’s increasing focus on cybersecurity, the success of the SEC’s whistleblower program, and the potential financial rewards at stake for individuals, companies that are responding to cybersecurity deficiencies or breaches should add potential whistleblowers to their list of things to consider in making their notification decisions.