[Post updated May 2018] Chances are pretty good that you or someone you know has been the victim of cyberhacking. We live in a digital age, and unfortunately our digital infrastructure is vulnerable to a wide range of cyber crime and hacking risks. Banks, big corporations and defense contractors are even bigger targets. Unfortunately, many cyberhacking and cybersecurity breaches go unreported, and companies often only pay lip service to security protocols until it’s too late. There are awards, however, that can be paid to whistleblowers who report companies that fail to follow the law.
Whistleblower awards are available to workers with inside information about cyber hacking and cyber security involving defense contractors, banks and financial institutions, and other U.S. companies.
This post has four sections:
- Defense Contractors and Cybersecurity Whistleblower Awards
- Banks and Financial Services Cyberhacking Whistleblower Awards
- Healthcare Whistleblowers (HIPAA and Patient Data Security)
- SEC Cybersecurity Whistleblower Awards
- Whistleblower Anti-retaliation Protections
Defense Contractors and Cybersecurity Whistleblower Awards
In 2015, the Department of Defense released significant new cyber reporting rules. Those rules come on the heels of a number of attacks on both U.S. defense contractors and government agencies. One of those attacks successfully penetrated the Office of Personnel Management resulting in the records of over 21 million federal workers being hacked.
Under the new rules, Uncle Sam needs to be notified immediately when a defense contractor is cyber hacked. These rules apply to those companies that supply missile systems, communications software, combat logistics and other supplies and any service to the defense department. Intelligence agencies have or are implementing similar rules.
Contractors are also responsible for beefing up their cyber security protocols and protections to prevent hacking.
Companies that fail to protect their data or fail to report hacking incidents can be held responsible for these lapses. Under the federal False Claims Act, whistleblowers reporting these breaches can receive up to 30% of whatever the government collects from the wrongdoer.
With so many troops and intelligence personnel deployed around the world, defense contractors need to step up their game immediately. Unfortunately, we know of many that have not. Their negligence and recklessness directly puts American lives at risk and endangers thousands of servicemen and women worldwide.
Banks and Cyberhacking Whistleblower Awards – FIRREA
We entrust banks with trillions of dollars. Without even thinking about it, we deposit our paychecks in banks every day. Criminals know this and have started cyberattacks on banks. Earlier hacks were almost always aimed at individual bank customers but as organized crime and foreign banks become more involved in cybercrime, the banks themselves are becoming the targets.
In February 2016, sophisticated hackers attempted to steal $951 million from the Bangladesh Bank. While some may think this has nothing to do with Americans, the hack attempt came through the U.S. Federal Reserve Bank in New York. Regulators stopped the heist but not before $81 million was lost.
The Bangladesh hack wasn’t an isolated incident. Public reports show that the U.S. Federal Reserve and JPMorgan Chase have also been targets. Full details are rarely released to avoid public panic and to allow law enforcement to better investigate. That doesn’t mean that bank hacking incidents are isolated. The compliance professionals that we speak with say that these attempts happen daily.
The Office of the Comptroller of the Currency (OCC) and other bank regulators have issued numerous rules requiring banks and other financial institutions to tighten up security measures and to report hacking incidents.
Under the Financial Institutions Reform, Recovery and Enforcement Act – FIRREA – whistleblowers with inside information about events and incidents that threaten the financial stability of a bank can receive cash awards. A bank that covers up a hacking incident or fails to protect customer accounts is certainly engaged in activities that threaten the bank’s stability. Because the FDIC backs most bank deposits in the U.S., the government wants to stop cybersecurity incidents before they cause losses to the banks and their customers.
Under the FIRREA, whistleblowers with inside knowledge of violations can receive up to $1.6 million in awards.
FIRREA awards have an added benefit in that whistleblowers may be able to remain completely anonymous.
Healthcare Whistleblowers – HIPAA and Patient Data Security
When we think of cyberhackers, we worry about our social security numbers and bank account information floating around the dark web. What could be worse? For some, it is their healthcare information!
Health information privacy is protected by HIPAA – the Health Insurance Portability and Accountability Act of 1996. This legislation provides data privacy and security provisions for safeguarding medical information. All healthcare providers are covered by HIPAA.
What happens, however, when a doctor’s office, hospital, substance abuse counselor or pharmacy doesn’t take proper safeguards?
Last October, hackers obtained access to a plastic surgery center’s patient files. According to a report originally published by foxnews.com, the hackers obtained photos and other sensitive information of top celebrities including patients who were having genitalia and breast enhancement procedures.
Many times hackers access records but nothing ever happens. Simply because a hacker gained access to files doesn’t mean any information was taken. Unfortunately, that was not the case here. The hackers reportedly said, “We’re going to pitch it all up for everyone to nab. The entire patient list with corresponding photos. The world has never seen a medical dump of a plastic surgeon to such degree.”
We are currently seeking healthcare industry workers or people working for data companies with inside knowledge of HIPAA violations or patient data being maintained on unsecured or unprotected platforms.
Even if you decide not to become a whistleblower, your information could be valuable to help prevent cyber attacks and patient data thefts. All inquiries are confidential. For more information, contact attorney Brian Mahany online, by email at or by phone at 202-800-9791. All inquiries are protected by the attorney-client privilege and kept completely confidential.
U.S. Corporations – Information Security Whistleblower Awards
Information security, compliance officers, IT professionals and others may be eligible for awards under the SEC’s Whistleblower Program. Companies that fail to implement proper anti-hacking and cybersecurity protocols may be liable under federal securities laws.
Cybersecurity has garnered a great deal of attention from regulators in recent years, including from the SEC. Last year the SEC fined a brokerage firm, R.T. Jones Capital Equities Management, $75,000 for lax data security measures. An investigation revealed that the firm was hacked in 2013, probably from China. The SEC cited the company for not having data encryption or firewalls. R.T. Jones had 8400 clients.
In announcing the fine, the SEC said, “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
Since then, the SEC has repeatedly reiterated that future violations will probably face much steeper fines and penalties. We expect that larger public companies will face millions or tens of millions in penalties.
A company that fails to disclose cyber security weaknesses or hacks could be in violation of SEC Rule 10b-5 which makes it “unlawful for any person … [t]o make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading…in connection with the purchase or sale of any security.”
Public companies are also required to disclose significant risk factors both in offering materials and in required public filings. The new Sarbanes-Oxley Act also has provisions requiring a company’s senior officers to disclose material weaknesses.
Like the FIRREA program above, SEC whistleblowers can usually remain anonymous.
Cybersecurity and Whistleblower Retaliation
Whistleblower retaliation is illegal under both federal and state law. Although there are no specific provisions for cyberhacking whistleblowers, if you fall within the False Claims Act (e.g. defense contractor whistleblowers) or under the SEC’s whistleblower program, you should be protected.
We are one of the few law firms that can handle both your whistleblower claim and any possible retaliation should it occur.
MahanyLaw – Cybersecurity Whistleblower Lawyers
Whistleblowers are the backbone of the government’s war on fraud and greed. Whistleblowers who report cyberhacking or cybersecurity threats are doing the right thing. We understand that it can be tough to stand up to a big corporation or bank. All of our whistleblowers who did so, however, said it was the right thing to do and would do so again. That includes those that didn’t receive an award.
Cash awards and anti-retaliation provisions are two more reasons to step forward.
Need more information or want to discuss whether you may have a valid claim? Simply give us a call or contact us online. Serving whistleblowers is what we do and there is never a fee unless we recover money for you.