In today’s increasingly connected world, cybersecurity has become a top priority for individuals, businesses, and the government. Whistleblowers play a crucial role in uncovering cybersecurity vulnerabilities, protecting sensitive information, and promoting a safer digital landscape.
At Jeff Newman Law, we understand the challenges faced by cybersecurity whistleblowers, and we are committed to providing the legal support and representation you need to expose wrongdoing.
If you suspect cybersecurity misconduct, know about a systems breach, or have discovered a vulnerability that needs to be addressed, don’t hesitate to reach out for a free confidential consultation. Our dedicated team of whistleblower attorneys will help you navigate the complex legal landscape, gather evidence to build a strong case, and report the issue to the appropriate authorities.
Relevant Whistleblower Programs
Unlike certain other types of whistleblower issues, there is no single government agency responsible for handling cybersecurity whistleblower cases. Instead, multiple federal agencies could be relevant depending on the type of cybersecurity concerns at issue and the parties involved.
Two of the main avenues for reporting cybersecurity incidents are:
- Bringing a qui tam action under the False Claims Act
- Filing a complaint under the SEC Whistleblower program
The particular facts of the cyber incident will dictate which option is appropriate.
False Claims Act Whistleblower Provisions
If the cybersecurity incident at issue involves a government contractor or grant recipient, then a qui tam action under the False Claims Act may be appropriate.
The federal False Claims Act (or FCA) authorizes qui tam lawsuits, in which a private individual sues on behalf of the government, against individuals or companies that have defrauded the government. And, crucially, the federal government requires government contractors to meet certain cybersecurity requirements and minimum standards.
Indeed, the Department of Justice (DOJ) launched a Civil Cyber-Fraud Initiative in 2021 to “utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients.”
Requirements for government contractors, depending on the circumstances, can include:
- Maintaining certain standards for safeguarding government contract information;
- Reporting cybersecurity incidents within 72 hours of discovery (the rapid-reporting window in the DFARS cyber incident clause that applies to Department of Defense contractors);
- Meeting even higher cybersecurity standards for safeguarding classified information or complying with certain agency-specific requirements.
Thus, government contractors can run afoul of their obligations in several ways, including by failing to report cyber incidents after they occur or by misrepresenting their compliance with the standards required of them to handle government contracts.
In a successful qui tam action, whistleblowers are entitled to between 15% and 30% of the amount recovered by the government (generally 15% to 25% when the government intervenes in the case and 25% to 30% when it does not), plus reasonable attorneys' fees, costs, and other expenses associated with the action.
SEC Whistleblower Program
The Securities and Exchange Commission (SEC) Whistleblower Program is also a potential avenue for cybersecurity whistleblowing, particularly for cybersecurity issues involving public companies or other regulated financial institutions.
The SEC released guidance in 2018 addressing how companies should disclose cybersecurity threats and incidents given the increasing risk that companies and their data face. Whether it be data breaches or distributed denial-of-service attacks, cyberattacks can have substantial consequences on a company’s bottom line.
For instance, Equifax agreed to pay at least $575 million in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories after its 2017 data breach, which exposed the personal information of approximately 147 million people, demonstrating the material consequences a cybersecurity incident can have for a company.
The SEC thus advised public companies on the importance of making prompt disclosures of cyber risks and incidents to their investors. The SEC also advised that any directors or officers who trade on material nonpublic information about a company's cybersecurity profile, for instance an undisclosed cyber incident, could be in violation of the securities laws.
The SEC has also issued specialized regulations and guidance for other financial institutions such as broker-dealers or financial advisers.
Cybersecurity whistleblowers can receive an award of 10% to 30% of the monetary sanctions collected by the SEC in a successful enforcement action, provided the sanctions exceed $1 million.
Examples of Cybersecurity Incidents
Here are just a few of the types of cybersecurity whistleblower cases and real-world cybersecurity incidents to keep in mind.
Data Breaches and Unauthorized Access
Data breaches occur when unauthorized individuals gain access to sensitive information, potentially causing significant harm to businesses and individuals. Cybersecurity whistleblowers can help uncover these breaches and shed light on the vulnerabilities that led to them.
- Equifax Data Breach: In 2017, a massive data breach at Equifax, one of the major credit reporting agencies, exposed the personal information of approximately 147 million people. The breach led to a $575 million settlement with the Federal Trade Commission, Consumer Financial Protection Bureau, and 50 U.S. states and territories.
Insider Trading
As noted, the SEC’s cybersecurity guidance specifically flagged the issue of corporate insiders trading on material non-public information (MNPI) related to a company’s cybersecurity risk profile.
- Equifax Insider Trading Conviction: A corporate insider pleaded guilty to insider trading after selling Equifax stock on the basis of MNPI about the 2017 data breach before the breach was publicly disclosed.
Examples of Cybersecurity Whistleblower Cases
Cybersecurity whistleblowers can shine a light on a variety of issues, from data breaches to insider trading on MNPI. And although it only recently launched, the DOJ’s Civil Cyber-Fraud Initiative has already led to several whistleblower claims.
Noncompliance with Requisite Regulations and Standards
Companies are required to comply with various cybersecurity regulations and standards to protect the data and privacy of their customers, particularly if they contract with the federal government. Whistleblowers can reveal instances of noncompliance, prompting corrective action and potential penalties for the offending company.
- Aerojet Rocketdyne: A cybersecurity whistleblower brought a qui tam action under the False Claims Act alleging that the company, which paid $9 million to settle the claim, misrepresented its compliance with cybersecurity requirements for government contractors.
Failure to report
When cyber incidents occur, companies must report them promptly to the appropriate parties: to investors and the SEC in the case of a publicly traded company, to the contracting agency where a government contract requires it, and to affected clients. Failure to make such reports creates legal exposure, whether for reporting violations under the securities laws or for false claims under the FCA.
- Comprehensive Health Services, LLC: The DOJ's first False Claims Act settlement under the Civil Cyber-Fraud Initiative resolved two separate qui tam actions brought by whistleblowers. In March 2022, Comprehensive Health Services paid $930,000 to resolve allegations that it falsely attested to complying with the requirements of the government contracts at issue and that it failed to disclose its improper handling of patients' medical records.
Whistleblower Protections
Various laws, such as the False Claims Act and the Dodd-Frank Act, offer protection for cybersecurity whistleblowers.
Provisions of the FCA prevent employers from retaliating against whistleblowers through firing, demoting, harassing, or taking any discriminatory measure in response to their disclosure.
Meanwhile, for SEC whistleblowers, the Dodd-Frank Act also has an anti-retaliation provision which likewise protects whistleblowers from employer retaliation. And the Sarbanes-Oxley Act of 2002 (SOX) states that publicly traded companies cannot retaliate against an employee for reporting conduct or activities that the employee reasonably believed to be fraud or a violation of securities laws.
Keep in mind, though, that Dodd-Frank only protects whistleblowers who have reported violations to the SEC (as the Supreme Court held in Digital Realty Trust v. Somers in 2018), whereas SOX protects whistleblowers whether they report violations to the SEC or only internally within the company.
The Importance of Seeking Legal Advice and Representation
A skilled whistleblower attorney can help you navigate the complex legal landscape and protect your rights throughout the process. By partnering with an experienced attorney, whistleblowers can mitigate the risks involved in exposing cybersecurity issues while making a positive impact.
Working with an experienced whistleblower attorney is particularly important when reporting cybersecurity issues given the patchwork nature of the federal law and federal agencies involved in the process.
Speak with an experienced whistleblower attorney today
Cybersecurity whistleblowers play a vital role in protecting sensitive data and promoting better security practices. By understanding the types of cases, hiring a skilled whistleblower attorney, and recognizing the potential impact, whistleblowers can make a positive difference in the digital landscape.
At Jeff Newman Law, we represent whistleblowers in cybersecurity cases, and we have a track record of recovering multi-million dollar settlements on behalf of our whistleblower clients.
Contact us for a free confidential assessment of whether you have a potential cybersecurity whistleblower claim that could result in a whistleblower award:
- Contact us for a free confidential consultation
- Call us at (617) 823-3217