by Dallas Hammer and Jason Zuckerman

Congress should act to protect cybersecurity whistleblowers because information security has never been so important, or so challenging. In the wake of a barrage of shocking revelations about data breaches and companies’ mishandling of customer data, a bipartisan consensus has emerged in support of legislation to give consumers more control over their personal information, require companies to disclose how they collect and use consumer data, and impose penalties for data breaches and misuse of consumer data. The Federal Trade Commission (“FTC”) has been held out as the best agency to implement this new regulation.[1] But for any such legislation to be effective, it must protect the courageous whistleblowers who risk their careers to expose data breaches and unauthorized use of consumers’ private data.

Whistleblowers strengthen regulatory regimes, and cybersecurity regulation would be no exception. Republican and Democratic leaders from the executive and legislative branches have extolled the virtues of whistleblowers.[2] High-profile cases abound. Recently, Christopher Wylie exposed Cambridge Analytica’s misuse of Facebook user data to manipulate voters, including its apparent theft of data from 50 million Facebook users as part of a psychological profiling campaign. Though additional research is needed, the existing empirical data reinforces the consensus that whistleblowers help prevent, detect, and remedy misconduct.[3] Therefore it is reasonable to conclude that protecting and incentivizing whistleblowers could help the government address the many complex challenges facing our nation’s information systems.

Indeed, whistleblowers could have an outsized impact for cybersecurity regulation. Cybersecurity affects every aspect of business and is one of the most dynamic aspects of any enterprise. Because threats are varied and ever-changing, information security relies on front-line cybersecurity professionals and their managers.

In contrast, silencing cybersecurity whistleblowers has serious consequences. As SEC Chairman Jay Clayton noted in a September 20, 2017 Statement on Cybersecurity, cybersecurity vulnerabilities can create significant risks to the operational performance of market participants and of markets as a whole, including denials of service and “loss or exposure of consumer data, theft or exposure of intellectual property, and investor losses resulting from the theft of funds or market value declines in companies subject to cyberattacks.” Protecting cybersecurity whistleblowers mitigates these risks by enhancing companies’ ability to promptly detect and correct vulnerabilities and breaches.

Existing laws do not adequately protect cybersecurity whistleblowers. Many anti-retaliation provisions arose because Congress reacted to a specific, historical problem. The savings and loan crisis of the 1980s, the Enron matter and similar scandals in the early 2000s, and the problematic practices underlying the housing bubble all resulted in major legislation. Railroads, airlines, and nuclear plants are all subject to industry-specific anti-retaliation laws. Each state adds its own layer of protections that have often evolved in a manner similar to their federal counterparts. The result is an overlapping, complex patchwork of protections for whistleblowers.

This existing patchwork sometimes protects cybersecurity whistleblowers. A cybersecurity professional at a public company may find protection under the Sarbanes-Oxley Act. Likewise, an employee who blows the whistle on cybersecurity issues at a company that provides goods or services to the federal government may find protection under the False Claims Act and the NDAA, which protects employees of federal contractors.

But all too often, cybersecurity whistleblowers fall through gaps in existing protections. As discussed in The Cybersecurity Threat: Compliance and the Role of Whistleblowers, some cybersecurity disclosures “are likely to fall outside the scope of ‘protected activity’ enumerated under” the anti-retaliation provisions of SOX and the Dodd-Frank Act. And last year, the Supreme Court held in Digital Realty that Dodd-Frank’s whistleblower protection provision does not cover internal disclosures, thereby substantially limiting the scope of Dodd-Frank whistleblower protection.

Therefore, a specific federal law protecting cybersecurity whistleblowers would fill a gap that currently poses an obstacle to any federal information security legislation and would bring a uniform policy to an issue in need of one. If a company is handling sensitive customer data, we want to protect whistleblowers regardless of whether their employer is a public company or whether it does business with the government. In short, cybersecurity (like the safety of air travel or nuclear power plants) is too large and important an issue to allow any gaps in whistleblower protection.

Implementing a robust protection against retaliation, and a potential reward program at the FTC, could be modeled on existing laws. Existing federal whistleblower protection provisions often define protected activity to include (1) the provision of information disclosing an employee’s reasonable belief of a violation of the law in question; (2) testifying, participating, or assisting in any proceeding under the law in question; and (3) refusing to perform duties that would violate the law in question. A cybersecurity whistleblower protection provision modeled on this approach would not only follow a proven formula for setting the appropriate scope of protections, but it would also inform the provision’s interpretation with an extensive body of existing case law.

A key feature of such a provision is that it would cover disclosures made internally to a company’s management or compliance programs, as well as certain disclosures made outside the organization. Internal disclosures should be protected to incentivize employees to use internal compliance processes when appropriate.[4] Often, employees who report concerns are seeking only to fix a problem, not become a whistleblower. Research has shown that employees in fact report internally, at least as a first measure, most of the time.[5] Therefore, any law excluding internal disclosures would be substantially under-inclusive.

Similarly, employers have expressed the concern that whistleblower provisions entice an employee to report potential violations to the government first, bypassing internal compliance processes meant to detect and resolve such issues.[6] Protecting internal disclosures would help address this legitimate concern from employers.

External disclosures should also be protected because assisting the government’s law enforcement efforts is one of the core social benefits whistleblowers provide. An anti-retaliation provision that failed to protect whistleblowers who cooperate with authorities or participate in legal process would chill whistleblowing and therefore fail to achieve its purpose. Though oversight of misconduct related to cybersecurity is dispersed throughout the government, existing whistleblower laws again provide tried-and-true approaches for appropriately defining the coverage and scope of protections.

Likewise, information security legislation should include a program to reward cybersecurity whistleblowers because the data shows that incentivizing whistleblowers works. Since Congress amended the False Claims Act in 1987 to improve incentives for those who report fraud on the federal government, whistleblowers have initiated more than 70% of the cases brought under the law.[7] During the last decade, the government recorded the ten highest one-year totals in the history of the law.[8] DOJ officials have repeatedly acknowledged whistleblowers’ role in that success. Similarly, the SEC whistleblower program led to the recovery of more than $1.7 billion this past year alone.[9]

On average, a breach costs an organization in the United States nearly $8 million.[10] A mega breach can cost a company hundreds of millions of dollars.[11] Those figures include notification and post data breach response costs, such as communication and engagement with regulators and litigation resulting from breaches.[12] Notification and post data breach response costs were highest in the United States.[13]

How quickly an organization identifies and addresses a breach has a material impact on the breach’s ultimate cost.[14] Firms that identified breaches in fewer than 100 days saved more than $1 million compared to those that did not.[15] Firms that contained breaches in fewer than 30 days also saved $1 million more than those that did not.[16] Yet, on average it took companies 197 days to identify a data breach and 69 days to contain it.[17]

Thus, based on the foregoing data, it is reasonable to conclude that a whistleblower rewards program that facilitates early identification and remediation of breaches could be an integral tool in containing the costs of data breaches. Further, as with other similar programs, whistleblower rewards could be made out of funds recovered from respondents as the result of the FTC’s enforcement activities under the new law. Additionally, rewards would be limited to whistleblowers whose information led to or substantially contributed to the enforcement action in question. Accordingly, rewards would be made only when the whistleblowing actually augmented the government’s enforcement efforts, and at a net gain to the public fisc.

Blowing the whistle is risky for employees, who can face termination and blacklisting if their disclosures are met with animosity. For example, recent articles about Facebook describe a culture that is hostile to dissent in which management ignored warnings employees made in September 2015 about Cambridge Analytica (“CA”) scraping user data. In addition, Facebook hired opposition research firm Definers Public Affairs, which then maligned individuals who exposed Facebook’s role in CA’s improper use of customer data and Russian misinformation. As documented in John Carreyrou’s Bad Blood: Secrets and Lies in a Silicon Valley Startup, retaliation against whistleblowers at Silicon Valley technology firms is often brutal. Thankfully, a clear path exists to protecting whistleblowers and thereby ensuring that badly needed legislation on cybersecurity is as effective as possible.

Footnotes

[1] See, e.g., Data Breaches: Range of Consumer Risks Highlights Limitations of Identity Theft Services, Government Accountability Office, GAO-19-230 (March 2019).

[2] E.g., Whistleblowers Deserve our Profound Gratitude, Grassley (July 30, 2018); Attorney General Holder Remarks on Financial Fraud Prosecutions at NYU School of Law ( ).

[3] Whistleblowers and Outcomes of Financial Misrepresentation Enforcement Actions; Call, Martin, Sharp, Wilde; Journal of Accounting Research, Vol. 56 Issue 1 at 123-171 (March 2018).

[4] See U.S. Sec. & Exch. Comm’n, 2017 Annual Report to Congress on the Dodd-Frank Whistleblower Program, at 4, 7 (last visited May 20, 2019); U.S. Sec. & Exch. Comm’n, No. 2011-116, SEC Adopts Rules to Establish Whistleblower Program (May 25, 2011) (discussing need to promote appropriate use of internal compliance mechanisms).

[5] E.g., Masaki Iwasaki, How External Whistleblower Rewards Affect Internal Reporting, The CLS Blue Sky Blog, July 6, 2018 (last visited May 20, 2019).

[6] See id.; U.S. Sec. & Exch. Comm’n, Release No. 34-64545, Implementation of the Whistleblower Provisions of Section 21F of the Securities Exchange Act of 1934 at 5 (Aug. 12, 2011).

[7] U.S. Dep’t of Justice, Civil Div., Fraud Statistics – Overview, October 1, 1986 – September 30, 2018 (last visited May 20, 2019).

[8] Id.

[9] U.S. Sec. & Exch. Comm’n, 2018 Annual Report to Congress on the Dodd-Frank Whistleblower Program, at 1, available at https://www.sec.gov/sec-2018-annual-report-whistleblower-program.pdf (last visited May 20, 2019).

[10] 2018 Cost of a Data Breach Study: Global Overview at 9, Ponemon Institute LLC (July 2018).

[11] Id. at 39-41.

[12] Id. at 27-28.

[13] Id.

[14] Id. at 9.

[15] Id.

[16] Id.

[17] Id.

Jason Zuckerman and Dallas Hammer are principals at Washington DC whistleblower law firm Zuckerman Law.
