Saturday, September 9, 2017

The latest mega breach is a big one. This week Equifax announced that it had suffered a breach of data belonging to as many as 143 million Americans. That’s about half the country. Worse, the breached data was sensitive: names, social security numbers, birth dates, addresses, and some driver’s license numbers. Even in a world where mega breaches are commonplace, this one is staggering in both scope and severity. The total impact is impossible to foresee, but so far it has been swift and harsh for the company.

Equifax stock tumbled 13% today, though there has been a modest rebound in after-hours trading as of this writing. Multiple state and federal agencies are initiating investigations. News broke that three Equifax executives sold stock after the company discovered the breach in June, but before Equifax announced the breach. The company responded that the executives had no knowledge of the breach at the time of the transactions, but the timing could not be much worse. (And right after the SEC put consideration of an insider trading rule on the back burner despite some uncertainty arising in the courts.) To add to the problem of perception, there’s no indication that the sales were prescheduled under a 10b5-1 plan.

However, I want to focus on a particular drop in the bucket: the fact that at least one class action lawsuit has already been filed alleging that Equifax was negligent in its information security. A similar case arising from the Yahoo mega breach recently passed a big hurdle.

This development is significant to me because it relates to a much smaller potential class of victims: innocent Equifax employees, who did the right thing. As the Enron scandal roiled in 2001, many rank-and-file employees who had nothing to do with the fraud lost not only their jobs, but also their life savings as Enron’s stock value evaporated. Enron whistleblower Sherron Watkins suffered retaliation for trying to bring the misconduct to light.

Thankfully, corporate whistleblowers have much more robust protections today than they did in 2001. I have written and talked previously about how cybersecurity whistleblowers can often enjoy those same protections, for example here and here. The developing Equifax story provides an opportunity to present a hypothetical that demonstrates that legal theory.

Suppose a large, publicly-traded corporation was arguably negligent with its cybersecurity controls. Perhaps the budget was anemic, or the company did not have adequate safeguards and procedures to protect customer data, or company executives violated information security protocols. Perhaps the company delayed in reporting a breach that significantly affected its business, or did not report the breach at all.

Would an employee who reported the deficient cybersecurity have any protections under the law? Though the answer must depend on the specific facts of any given matter, it would often be yes, even though there is no specific federal law protecting cybersecurity whistleblowers. For example, I often analyze cybersecurity whistleblower claims under the anti-retaliation provision of the Sarbanes-Oxley Act. Though it’s a gross overgeneralization, suffice it to say that the Sarbanes-Oxley Act protects corporate whistleblowers. However, as I have explained in a blog post, cybersecurity issues often involve securities law issues. This type of hypothetical provides ample opportunity to draw those connections. Failing to disclose material deficiencies in a firm’s information security could violate a public corporation’s duty to disclose known risks, especially if cybersecurity is the public corporation’s business. The company may have had a duty to file an 8-K, or the company may have misrepresented its information security efforts in its public filings.

But what about an employee who has information about the misconduct but did not come forward before the cybersecurity issue was disclosed? Even then, the whistleblower laws can be of assistance. Disclosing information to the SEC that significantly contributes to an existing investigation can entitle the whistleblower to an award if certain criteria are met.

In summary, the Equifax breach reminds me that when a corporate scandal erupts, innocent employees sometimes suffer as much as or more than other victims, while also frequently being lumped in with the alleged wrongdoers. Thankfully, whistleblower laws exist to help make that tough road a little less bumpy.