A New Threat To Directors: Cyber Whistleblowing
Your company’s security controls are lacking, and a high-level employee in IT is naturally worried; he has raised his concerns a number of times. Employees are regularly transmitting unencrypted information, sharing passwords and using non-compliant cloud services to share data and sensitive client IP. None of this seems overly alarming (we have all made similar mistakes), so the comments fall on deaf ears and operations continue. A few months later, however, the employee becomes increasingly vocal, so senior management decides to let him go. Problem solved. Or…the problem might just be beginning.
Companies that ignore (or retaliate against) employees who raise cybersecurity vulnerabilities can face significantly increased liability from a new breed of whistleblower claim: cyber whistleblowing. With cyber regulatory oversight increasing at a rapid rate, these claims are poised to increase as well. While no federal law specifically protects cybersecurity whistleblowers, existing anti-retaliation provisions are often broad enough to cover employees who raise information security concerns. Most notably, the federal statutes prohibiting retaliation against corporate whistleblowers and against employees who report misconduct in connection with federal funds, as well as state wrongful discharge actions, may apply to cybersecurity whistleblowers.
Federal Statutes Prohibiting Retaliation as a Source of Cyber Whistleblower Protection
The Sarbanes-Oxley Act (“SOX”) protects employees of public corporations who report a wide range of misconduct, such as shareholder fraud or other violations of securities laws. Cybersecurity issues often fall within this broad coverage. Public corporations must maintain adequate internal controls to ensure the company knows the disposition of its assets, including intangible assets such as proprietary or confidential business data, and SOX requires them to disclose whether those internal controls have any material weaknesses. Internal controls include policies and procedures for the prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could materially affect its financial statements. Cybersecurity policies and procedures aim specifically to prevent and detect the misuse and improper disposition of electronically stored information, so they can qualify as internal controls, and blowing the whistle on materially deficient internal controls is protected activity under SOX. In short, employees of public corporations who suffer retaliation for disclosing cybersecurity concerns may have a statutory cause of action under SOX.
The Dodd-Frank Act’s (“DFA”) whistleblower protections often overlap with SOX’s anti-retaliation provision. The DFA may also protect employees of private firms, however, if the disclosed cybersecurity concerns amount to a material misrepresentation in connection with the purchase or sale of securities or to a violation of other applicable securities laws.
Employees of companies doing business with the federal government enjoy even broader protections under the False Claims Act (“FCA”) and the National Defense Authorization Act (“NDAA”). The FCA prohibits an employer from retaliating against an employee who opposes false claims on the government. Virtually every federal contractor has cybersecurity obligations, regardless of whether the contract directly pertains to cybersecurity. For example, in May 2016 the U.S. Department of Defense, the General Services Administration, and NASA published a joint rule (FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems) establishing baseline information security requirements for many federal contracts, regardless of the particular work to be performed…. The implied-certification theory of liability holds that a company violates the FCA if, when submitting a claim for payment, it falsely represents that it has complied with all material terms of the contract. The representation need not be explicit; it may be inferred from the act of submitting the claim. Nor must the violated terms deal with the subject of the contract: if cybersecurity requirements are a material term, it does not matter whether the contract is to provide IT services to the government or to produce bus seats. If the obligations are material, breaching them can cause a company to violate the FCA when it seeks payment, even if it has performed the primary work. A cybersecurity whistleblower who has reported such a breach can therefore be considered to have opposed a false claim, and retaliation against an employee who blows the whistle on cybersecurity issues affecting federal contracts could give rise to a statutory retaliation claim under the FCA.
The NDAA’s whistleblower protections go even further, prohibiting retaliation against an employee for disclosing any violation of law, rule, or regulation related to federal contracts or grants. The protections also extend to employees who report abuses of authority, gross mismanagement, or gross waste in relation to federal contracts or grants. Finally, the NDAA protects disclosures of substantial and specific dangers to public health or safety. Many federal rules and regulations potentially apply to federal contractors and grantees with regard to cybersecurity issues, such as the one discussed above. Therefore, a cybersecurity whistleblower could likely be protected under the NDAA if her employer receives federal funds.
State Wrongful Discharge Actions as a Source of Cyber Whistleblower Protection
For employers, state wrongful discharge actions may be the most vexing source of cyber whistleblower protection. These actions vary considerably from jurisdiction to jurisdiction, and because “public policy” defines the scope of protected activity, it can be difficult to determine with certainty whether a particular disclosure is covered. Some state wrongful discharge actions permit punitive damages, and, unlike the federal statutes discussed above, they can apply to all employers. Preventing and assessing potential exposure under these claims may be more difficult, but it is a task no company should ignore.
For example, a sole proprietorship that receives no federal funds and operates in a state with no specific cyber whistleblower law, such as Maryland, may mistakenly believe it is in the clear. Maryland does, however, recognize a common law wrongful discharge action that protects employees from retaliation for refusing to violate the law or for meeting a statutory obligation. The Maryland Personal Information Protection Act (“MPIPA”) requires covered businesses to notify consumers of certain data breaches. A company understandably may be reluctant to make such a disclosure, but if it terminates an employee for refusing to conceal a data breach in violation of MPIPA, or for notifying consumers in compliance with MPIPA, it may face a wrongful discharge claim. Under certain circumstances, an employee can recover punitive damages for wrongful discharge in Maryland.
The Increase in Cyber Whistleblowing and Attendant Regulator Oversight
Cyber whistleblowing claims are relatively new, so many organizations are unaware that they exist, and the fact that many such claims are pursued and resolved quietly leaves corporations and their directors in the dark. In addition, many companies that have yet to experience a breach believe their current cyber controls are sufficient, and their executives take a passive, sometimes openly defiant, stance toward ever-growing security requirements that seem overbearing to them. Even when the risk is understood, the time, cost and downtime required to implement stronger controls often deter implementation.
However, regulators have recognized the growing importance of cybersecurity and are steadily increasing cyber oversight. They are also looking more frequently to whistleblowers to augment their oversight and enforcement capabilities. When a company ignores its employees’ concerns about cyber risks, those employees can take their concerns to regulators and law enforcement instead, and whistleblower award programs can pay them substantial sums for doing so.
In short, silencing cybersecurity concerns invites whistleblower retaliation claims, and ignoring them invites regulatory scrutiny. There is good news, however: following common sense and general best practices for handling employee concerns can often head off these claims. Such measures include formal mechanisms for receiving and following up on employee concerns, meaningful human resources and compliance programs, written policies, and management training.
Risk Mitigation & Insurance
Companies seeking to mitigate the risk of cyber whistleblowing through insurance face a unique set of challenges. Cyber whistleblower claims fall somewhere between cyber and D&O insurance, and poorly structured policies will yield little or no coverage. Organizations that have placed both policies will nonetheless likely assume that they have performed their due diligence and that coverage will be in place at the time of loss. In practice, securing broad coverage for even standard whistleblower claims can be difficult.
Whistleblower claims raise many insurability challenges, from policy definitions to exclusions. Because these claims are regulatory in nature, one of the main challenges is securing coverage for investigations and the associated pre-claim costs. Many policies include regulatory and administrative proceedings within their definition of “claim” or “securities claim,” which may lead directors to assume some degree of indemnification from the insurer during an investigation. It does not: many policies remain silent on investigations and therefore preclude coverage for them. Even when a policy form does include investigations within its definition of claim, it will often limit coverage to “formal” investigations and/or to those that name individual insureds for wrongful acts. That can leave the insured absorbing considerable costs, because the “informal” investigative phase is generally directed at the entity and may last a year before any individuals are named or any formal proceedings are brought, if ever. Policies may also restrict coverage through their definition of “damages,” which will often, at least initially, exclude pre-claim costs for document production, discovery, and interviews. Most policies also initially exclude fines, penalties and punitive damages from “loss.” Even when sophisticated buyers and brokers succeed in carving these back, whether such amounts are insurable at all is often contested in court.
The cyber element of these claims may provide an additional source of coverage (a cyber policy), but it also creates an additional barrier to indemnification under a D&O policy, since many D&O policies are not crafted for cyber exposures. Some insurers have been adding explicit cyber exclusions to their D&O policies. To coordinate coverage for cyber whistleblowing claims, buyers should attempt to avoid such an exclusion entirely; when that is not an option, they should negotiate a carve back for cyber whistleblower claims brought under SOX, Dodd-Frank and similar statutes.
Companies seeking coverage under their cyber policies face a separate set of challenges. Almost all cyber policies contain broad securities exclusions; because these claims often arise under securities laws, companies (particularly public companies) must negotiate a carve back for whistleblower claims brought under SOX or Dodd-Frank, or the cyber policy may not respond at all, depending on its language. The scope of regulatory defense coverage also varies significantly from policy to policy, from broad to nonexistent. Beyond the same challenge of coordinating coverage for investigations discussed above, insureds must ensure that the cyber policy defines “network” and “privacy” wrongful acts broadly enough to include, among other acts, unintentional violations, failure to disclose a breach, and failure to reasonably implement privacy or security policies, which can be difficult to obtain. Poorly worded policies may also limit covered data to PII, leaving corporate confidential information uncovered. Affirmative coverage for fines and penalties should also be included (and again, its insurability may still be contested in court). Like their D&O counterparts, cyber policies often contain their own version of the “insured vs. insured” exclusion; but unlike D&O policies, which routinely carve back coverage for whistleblower claims, cyber policies often contain no such carve back. Buyers must be knowledgeable enough to request these carve backs, and even then insurers may not agree.
Lastly, companies may also need to broaden their conception of “whistleblower claims,” because whistles can be blown in unexpected ways. In at least one controversial case, a security research firm that discovered vulnerabilities in a cardiac device, instead of alerting the manufacturer or the FDA, presented its findings to an investment firm for trading purposes. While that case is both controversial and exceptional, it highlights that companies with cyber vulnerabilities need to be aware that all eyes are watching.
The best approach to mitigating this risk is to give cybersecurity the attention it deserves. Senior executives should admit their own vulnerabilities, accept that their knowledge of cyber risk is limited, and rely on their CISOs and technical teams to inform important decisions. Companies should foster a positive environment for employees and treat all security recommendations, from inside or outside the organization, as valued information and an opportunity to improve security. When vulnerabilities are discovered, a swift reaction is your best friend. Last, partnering with a qualified broker and counsel to place carefully structured cyber and D&O policies is critical. For smaller companies that are unfamiliar with how these policies work, we have published basic cyber insurance and D&O insurance guides.