Cybersecurity is on the mind of every American, or at least it should be. Forbes says that cybercrime could cost as much as $2 trillion this year! Those numbers may not be fathomable to most Americans, but everyone today knows someone whose account was hacked or identity stolen. Entire cities and many companies are being crippled by ransomware attacks. As I write this post, Lake County, Indiana just announced it was attacked, and earlier this week the schools in Flagstaff weren’t able to open because of a malware attack.
Most of these attacks were preventable. But companies turn a blind eye to these attacks and simply bury their heads in the sand. Obviously that doesn’t work. If the company is a government contractor, public company or financial institution, there may be cash cybersecurity whistleblower protections for those who step forward and report. As one of the most respected cybersecurity whistleblower law firms in the country, we have helped our clients collect over $100 million in rewards.
Congress passed these whistleblower reward programs to incentivize insiders with knowledge of unreported cyber breaches or cybersecurity weaknesses to step forward. Many are afraid, however, because they fear retaliation. In this post we look at the protections available for cyber whistleblowers.
Protection #1: Sarbanes-Oxley Act
The Sarbanes-Oxley Act of 2002 (SOX) protects workers of publicly-traded companies or companies with SEC-reporting requirements (and contractors and subcontractors of these companies) who disclose information to the SEC about violations of federal securities laws, including mail and wire fraud, bank fraud, securities fraud or any SEC rule.
SOX offers protection for both internal and external whistleblowers. Successful SOX anti-retaliation cases must prove that (1) the injured party engaged in protected activity, (2) the injured party suffered an unfavorable consequence, and (3) a causal connection exists between the protected activity and the unfavorable action. Claimants have 180 days to file a retaliation complaint.
Remedies under SOX include reinstatement (including an adjustment for seniority status), back pay with interest, and occasionally damages for reputational harm or emotional distress.
Protection #2: Dodd-Frank Act
The Dodd-Frank Wall Street Reform and Consumer Protection Act protects publicly-traded company workers who disclose information on federal securities laws violations to the SEC. Protections may or may not extend to those who report violations internally. Under Dodd-Frank, no employer may “discharge, demote, suspend, threaten, harass, directly or indirectly, or [discriminate]” against a whistleblower because that whistleblower provided information to the SEC, assisted in an SEC investigation or made disclosures protected by SOX.
Successful Dodd-Frank whistleblower retaliation claims must prove (1) the whistleblower was engaged in a protected activity, (2) adverse employment action occurred, and (3) the employment action was related to the protected activity. Claimants have 6 years to file a retaliation complaint (up to 10 years in limited circumstances).
Remedies under Dodd-Frank include reinstatement (including an adjustment for seniority status), double back pay with interest, litigation costs, expert witness fees and reasonable attorneys’ fees.
Protection #3: False Claims Act
The False Claims Act (FCA) allows whistleblowers with information about fraud involving government programs or funds to receive cash rewards for reporting fraud. In the cybersecurity world, that usually means government contractors (including defense contractors) who don’t meet the minimum cybersecurity protections mandated by rules and regulations and their contracts with the government.
The False Claims Act has powerful rules to protect whistleblowers from retaliation for their “efforts to stop one or more violations” of the FCA. Retaliation may include termination, demotion, denial of promotion, threats, harassment, or other discrimination. Claimants have 3 years to file a retaliation complaint.
Remedies under the FCA include double damages, interest on any back pay, court costs, restoration of seniority, legal fees and “compensation for any special damages.”
Protection #4: FIRREA
The Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) pays whistleblowers up to $1.6 million for information about wrongdoing by banks. That wrongdoing could include failure to protect customer accounts from cyberhacking. Because the FDIC and NCUA insure bank and credit union accounts, the government has a strong interest in keeping banks solvent. That means ensuring they have robust cybersecurity measures in place.
To better ensure that whistleblowers step forward and report wrongdoing, FIRREA also protects employees of banks and financial institutions who report any possible violation of any law or regulation (including FDIC and Federal Reserve cybersecurity rules), waste or danger to the public (including a bank’s failure to safeguard vulnerable customer information). FIRREA protections do not apply to whistleblowers who report internally or who deliberately participated in the wrongdoing.
FIRREA anti-retaliation provisions have yet to be tested in a reported court case, but they may cover termination, demotion, denial of promotion, threats, harassment or blacklisting. Claimants have 2 years to file a retaliation complaint.
Protection #5: Whistleblower Protection Act
A federal agency violates the Whistleblower Protection Act (WPA) if it takes or fails to take (or threatens to take or fail to take) a personnel action with respect to any government worker or job applicant because of any disclosure of information by the employee or applicant that he or she reasonably believes evidences a violation of a law, rule or regulation; gross mismanagement; gross waste of funds; an abuse of authority; or a substantial and specific danger to public health or safety.
More Questions On Cybersecurity Whistleblowers?
To learn more, please visit our cybersecurity whistleblower page. Ready to see if you have a case? Contact the cybersecurity whistleblower lawyers at MahanyLaw online, by email at or by phone at +1.202.800.9791. All inquiries are protected by the attorney-client privilege and kept strictly confidential. Cases accepted worldwide.