Failure to Report Cybersecurity Breach -Cybersecurity Whistleblower Rewards

Has Your Employer Failed to Report a Cyber Hacking Breach or Apply Adequate Cybersecurity Measures?

Billing Clerks, IT Professionals, Executives, Managers, Consultants, Bankers & Other Insiders Have Been Awarded $4 Billion+ in Cybersecurity Whistleblower Rewards

Cybercrime is estimated to cost the global economy as much as $575 billion per year. This number could quadruple to $2 trillion this year. In this post we look at how to claim a cash reward for reporting cyberv vulnerabilities or breaches. (At the end of this post see our three appendices, Appendix 1, 8 Helpful Resources on cybersecurity rules and regulations, Appendix 2, 5 essential criteria on selecting the best cybersecurity whistleblower lawyer and Appendix 3, a quick reference guide to the 4 whistleblower programs that pay rewards in cybersecurity cases.)

The Federal False Claims Act, the Justice Department’s bank fraud program and Securities and Exchange Commission pay cash rewards to “relators”, the first person who reports (blows the whistle) on otherwise-unknown information about banks, defense contractors, investment agencies,  government vendors or government subcontractors in cases of:

• Failure to Promptly Report Cybersecurity Breaches
• Failure to Promptly Report Suspected Cyberhacking Incidents
• Failure to Provide Adequate data security
• Failure to Regularly Update Cyber security Programs
• Failure to Adequately Safeguard Customer and Government Data

Has Your Defense Contractor or Subcontractor Employer Failed to Report a Cybersecurity Breach?

IT professionals, federal contract administrators and other defense contractor or subcontractor employees are in prime position to detect weaknesses in security measures or breaches in cybersecurity systems.

Cyber hacks into the computer systems of companies supplying software, radar technology, aircraft, ammunition and other supplies to our U.S. defense programs pose a significant danger to national security and the men and women of our armed forces.

Failure to report cyberattacks among Department of Defense (DOD) contractors and subcontractors may violate the federal False Claims Act. The Defense Federal Acquisition Regulation Supplement (DFRAS) cybersecurity rule, titled Safeguarding Covered Defense Information and Cyber Incident Reporting, requires that those participating in any kind of defense department contract:

• Have security measures in place on all computer systems, and
• Report all incidents of cyber hacking or security breaches to the Department of Justice within 72 hours of discovery.

Specifically, contractors and their subcontractors must implement “adequate security” commensurate with potential consequences and probability of loss, misuse or unauthorized access to, or modification of, information.

Contractors must report any cyber incident that affects the contractor’s information system, covered defense information or the contractor’s ability to provide operationally critical support within 72 hours of discovery.

Whether hackers succeed or not in acquiring sensitive information, any breach in cybersecurity that goes unreported could violate the False Claims Act. The False Claims Act awards whistleblowers with between 15% and 30% of any government recovery arising from settlement or successful lawsuit. Million dollar-plus whistleblower awards are not uncommon since many defense department contracts can range in the millions to tens of millions of dollars.

Whistleblower awards can’t be paid for publicly known information claims like frequent reports but if a contractor fails to implement appropriate cybersecurity measures or fails to report a breach in the system, a False Claims violation may exist.

The Defense Acquisition Regulation System (“DFARS”) rules for contractors didn’t take final effect December 31, 2017. But already there has been one whistleblower victory.

In 2015, the director of compliance for a major DOD and NASA aerospace defense contractor accused his former employer of major cybersecurity flaws and failing to self report those flaws to the government. The contractor moved to dismiss and argued that only the government could make the determination of whether or not its alleged security lapses were “material.” The company believes that cybersecurity should not be left to whistleblowers. In a case of first impression, on May 9th, 2016 the court sided with the whistleblower.

To qualify for a whistleblower award, the whistleblower must have “original source” (inside) information about the failure to report a cyber hacking incident or failure to take the required security measures involving a federal program or contract. If you think you have information and want to learn if it might qualify for a whistleblower award, call the MahanyLaw whistleblower team. Your call is confidential: 202.800.9791

Has a Bank, Public Company or Financial Institution Failed to Report A Cybersecurity Breach?

Failure to report weak security systems and cyber hacks continues to pose a problem for U.S. financial institutions and public companies. Bankers, financial advisors, broker-dealers, IT professionals and other employees are in a unique position to detect security breaches or cybersecurity system errors.

Not only do weak systems expose sensitive personal information, but careless handling of data presents an equally serious threat. An employee accidentally attaching a sensitive file to an email or downloading data to a personal device is all it takes for a massive data breach to take place.

To qualify for an SEC whistleblower award (this is separate and distinct from False Claims Act whistleblower awards discussed above), the whistleblower must have “original source” information about the failure to comply with regulatory requirements. The federal government enforces a number of stringent cybersecurity and breach reporting regulations on American banks and financial institutions.

Cyber security mismanagement can also violate securities laws for companies and agencies regulated by the Securities and Exchange Commission (SEC) and may amount to securities fraud.

The SEC’s Regulation Systems Compliance and Integrity rule requires organizations to incorporate computer networking systems with security levels “adequate to maintain operational capacity and fair and orderly markets,” and to “take corrective action” and report incidents following system breaches. In addition, the Dodd-Frank Act commands the SEC and CFTC to require financial institutions to design and execute robust identity theft prevention measures.

The SEC’s Safeguards Rule (Rule 30(a)) of Regulation S-P) requires that investment companies and their agents adopt policies to implement certain safeguards. The safeguards must be designed to:

• Ensure security and confidentiality of customer information,
• Protect against anticipated threats or hazards to the security or integrity of customer records and information, and
• Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customers.

The SEC also requires public companies to report cyberbreaches that have a significant impact on investors and corporate finances.

Despite stringent federal regulations, financial institutions continue to fail to report incidents of cyber hacking or security breaches.  Any breach that is not reported could potentially qualify for a whistleblower lawsuit under the SEC whistleblower program or FIRREA (the Financial Institutions Reform, Recovery and Enforcement Act).

The SEC offers whistleblowers between 10% and 30% of any $1 million-plus recovery arising from settlement or successful lawsuit. Because cybersecurity breaches among financial institutions often involved millions of dollars, the potential for a whistleblower award of $1 million or more under the SEC whistleblower program is high. FIRREA can pay awards of up to $1.6 million.

In September 2017, the Chairman of the Securities and Exchange Commission reaffirmed that cybersecurity is a top SEC enforcement concern. That sentiment appears bolstered by the SEC’s investigation of Yahoo over their data breach. The SEC is investigating why Yahoo failed to report the breach for a year and whether it should have notified investors faster.

For a confidential assessment of your reward potential, contact our whistleblower legal team today. Our whistleblower lawyers helped the U.S. government secure the  largest single settlement in U.S. history ($16.67 billion against Bank of America). We also brought on the former head of the SEC’s Investigations Unit. To see if you qualify for a cybersecurity whistleblower reward, contact us for a confidential consultation. We can be reached online, by email or by phone at 202.800.9791>

Fired or Harassed for Reporting Your Employer’s Cybersecurity Breach or Violation?

The U.S. False Claims Act and Securities and Exchange Commission protect qualifying employees who report cybersecurity breaches or violations from “retaliation” – termination, harassment, demotion or threats in response to reporting a cybersecurity violation. The FIRREA bank fraud statute also has whistleblower anti- retaliation protections.

MahanyLaw retaliation lawyers help employees collect damages due to employer retaliation in response to reporting violations either internally or externally. Damages can include double back pay, job reinstatement, and other related losses.

MahanyLaw – Cybersecurity Whistleblower Lawyers

Whistleblower claims must be made within legal time limits (statute of limitations) and only the first whistleblower to report a violation is usually eligible for the cash whistleblower award. Whistleblower claims must be done right from the very start, so be sure to consult an experienced whistleblower lawyer to learn your options.

MahanyLaw has a unique process for maximizing whistleblower rewards, protecting your privacy and fighting retaliation should it occur. We look forward to explaining how our proven strategy to maximize the likelihood and amount of a whistleblower award can work for you. Our whistleblower law firm attorneys have the experience and knowledge to help you report financial and government contractor cybersecurity violations.

Brian Mahany and MahanyLaw whistleblower lawyers have helped recover over $10 Billion for U.S. taxpayers an earning over $100 Million in whistleblower rewards for people reporting violations in recent years.

If you have inside information about inadequate cybersecurity or failure to report a cyber breach, contact attorney Brian Mahany at or by telephone at (414) 704-6731 (direct). You can also report online for a confidential, no-cost consultation. All inquiries are protected by the attorney – client privilege and kept strictly confidential.

Appendix 1:

8 Helpful Resources On Cybersecurity Rules & Regulations

Several resources are available for employees of defense contractors, subcontractors, financial institutions and public companies that outline the recommended cybersecurity safeguards and reporting recommendations. Courts may refer to these resources and other criteria in determining whether a company has violated statutes regarding information systems safety. Many of these resources undergo frequent updates. Be sure to consult with a cybersecurity whistleblower lawyer if you have questions on whether a company’s actions qualify you for a whistleblower award.

Resource #1: Basic Safeguarding of Covered Contractor Information Systems

A publication from the Federal Acquisition Regulations (FAR Subpart 4.19 and 48 CFR 52.204-21) that offers guidelines on information systems security for Department of Defense contractors. Among other things, these rules require contractors to:

• Identify, report and correct information and information system flaws and intrusions in a timely manner (within 72 hours);
• Provide protection from malicious code at appropriate locations within organizational information systems;
• Update malicious code protection mechanisms when new releases are available; and
• Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

http://www.federalregister.gov/documents/2016/05/16/2016-11001/federal-acquisition-regulation-basic-safeguarding-of-contractor-information-systems

Resource #2: Safeguarding Covered Defense Information and Cyber Incident Reporting

A Defense Federal Acquisition Regulation Supplement (DFARS) publication, (48 CFR § 252.204-7012) offering guidelines for Department of Defense contractors on safeguarding information systems and reporting cyber incidents. Among other things, these rules require contractors to:

• Provide adequate information systems security in compliance with published standards
• Investigate and report apparent or actual breaches
• Preserve affected systems and media
• Grant DoD access to data and facilities for investigation and/or damage assessment

http://www.gpo.gov/fdsys/pkg/CFR-2014-title48-vol3-sec252-204-7012.pdf

Resource #3: Federal Trade Commission Gramm-Leach-Bliley Act Safeguards Rule

For financial institutions, rule 30(a) of SEC Regulation S-P requires that companies who offer financial products or services to consumers safeguard sensitive data and disclose information-sharing practices to customers. When failure to apply required information security measures leads to exposure of vulnerable information, the company violates the Safeguards Rule and securities laws.

Under the Safeguards Rule, a customer information protection program must:

• Designate one or more employees to coordinate the information security program
• Identify foreseeable internal and external risks to customer information
• Assess sufficiency of safeguards in place to control these risks
• Design and implement safeguards to control the identified risks
• Regularly test and monitor the effectiveness of those safeguards
• Select service providers that can maintain appropriate safeguards, design contracts requiring they implement and maintain safeguards, oversee their treatment of customer information
• Evaluate and adjust the program in light of security testing and monitoring results

http://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/safeguards-rule

Resource #4: SEC Regulation Systems Compliance and Integrity Rule

This rule requires self-regulatory organizations, including stock and options exchanges, registered clearing agencies, FINRA and the MSRB, alternative trading systems and disseminators of consolidated market data, to incorporate computer networking systems with security levels adequate to maintain operational capacity and fair and orderly markets, and to report incidents and take corrective action following system breaches.

http://www.sec.gov/spotlight/regulation-sci.shtml

Resource #5 SEC Announces Enforcement Cyber-Based Threat Initiatives

The SEC announced the formation of a Cyber Unit within the SEC’s Enforcement Division.

https://www.sec.gov/news/press-release/2017-176

Resource #6 SEC Commission Statement and Guidance on Public Company Cybersecurity Disclosures

SEC interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.

https://www.sec.gov/rules/interp/2018/33-10459.pdf

Resource #7: Federal Deposit Insurance Corporation (FDIC), Board of Governors of the Federal Reserve System and Office of the Comptroller of the Currency (OCC)

These agencies are jointly establishing Proposed Regulations to enhance cyber risk management standards for financial institutions with assets of $50 billion or more. These agencies have also published the Interagency Guidelines Establishing Information Security Standards implementing Gramm-Leach-Bliley Act (GLBA) safeguarding requirements. – 2000

http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm

http://www.federalreserve.gov/bankinforeg/interagencyguidelines.htm

Resource #8: Federal Financial Institutions Examination Council (FFIEC)

The FFIEC IT Handbook and Cybersecurity Assessment Tool offer agency expectations regarding cybersecurity risk management for financial institutions.

http://www.fdic.gov/regulations/information/information/FFIEC.html

http://www.ffiec.gov/cyberassessmenttool.htm

More Questions On Receiving a Cybersecurity Whistleblower Reward?

Ready to see if you have a case? Contact the cybersecurity whistleblower lawyers at MahanyLaw online, by email at or by phone at +1.202.800.9791. All inquiries are protected by the attorney – client privilege and kept strictly confidential. Cases accepted worldwide.

Appendix 2:

5 Essential Criteria For Selecting A Cybersecurity Whistleblower Lawyer

Selecting your cybersecurity whistleblower lawyer could be the single most important decision you make. The right lawyer can mean the difference between a successful whistleblower claim and the loss of your right to a cash award. Even more importantly, having the right lawyer to guide you through the process from the start can safeguard your job, career, reputation and future.

Willingness to Proceed Without Government Intervention

Do not hire an employment or personal injury lawyer, members of the so-called “file and forget” club. They file your case and simply hope the government pursues the case. Always choose an experienced cybersecurity whistleblower lawyer with years of experience, one that is willing to take your claim all the way, whether the government opts to intervene or not.

Experience Fighting Large, Powerful Companies and Investigative Experts

Your cybersecurity whistleblower lawyer must be fully equipped to take on the most complex of cybersecurity cases. This means being well-versed in whistleblower law, having experience with huge, powerful companies like Ford, Boeing or Bank of America, and having access to the best investigative experts in the nation to help prepare your case.

Wide Jurisdictional Knowledge and Expertise

Cybersecurity whistleblower cases in particular often span a number of jurisdictions. Our cybersecurity whistleblower lawyers work with clients nationwide and have filed cases in 32 jurisdictions. This level of experience and scope of practice can be paramount in persuading the government to devote resources to your case.

Prepared to Pursue Your Claim Through Trial

Obtaining a False Claims Act whistleblower award requires filing a lawsuit in federal court. While that task sounds daunting to many lawyers, our team of experienced whistleblower lawyers have years of experience investigating claims, preparing complaints and working with the Justice Department and investigative agencies. Before filing, we often interview prosecutors to determine their level of enthusiasm, determine their resources and find the jurisdiction with the best case law. If necessary, we even prosecute the case through trial.

Dedicated Employment Law Professionals for Retaliation Claims

Familiarity with the multitude of anti-retaliation laws is vital in handling cybersecurity whistleblower claims, especially when you are still employed by the company in question. Our whistleblower clients have first-hand access to our dedicated employment lawyer who helps to answer questions, mitigate risks and guide our clients through every step of the process.

To learn more, please visit our cybersecurity whistleblower page. Ready to see if you have a case? Contact the cybersecurity whistleblower lawyers at MahanyLaw online, by email at or by phone at +1.202.800.9791. All inquiries are protected by the attorney – client privilege and kept strictly confidential. Cases accepted worldwide.

Appendix 3:

4 Award Programs For Cybersecurity Whistleblowers 

Program #1: Federal False Claims Act (FCA)

Individuals with information regarding defense contractors, subcontractors and other companies who knowingly violate cybersecurity regulations and/or fail to report violations may be eligible to collect a cash whistleblower award under the FCA. (Claims filed under the FCA are often called “qui tam lawsuits.”)

Award amount: Between 15% and 30% of total government recovery. The government is entitled to triple damages and very large fines making potential awards significant in size.

Knowledge: Original source information required. Violations must be material.

Time Limits: First to file bar. 6 years of violation or 3 years of time violation should have been discovered. May go back up to 10 years.

Anonymity: Filed under seal. Identity released late in investigation or at time of legal proceeding. Subsequent identity disclosure can rarely be protected through “Jane Doe” filings although most courts will not allow.

Other: Whistleblower may proceed with private prosecution should government decline to intervene (award is raised to between 25% and 30%).

Program #2: Financial Institutions Reform, Recovery and Enforcement Act (FIRREA)/h4>

FIRREA awards whistleblowers who report misconduct that jeopardizes the financial security of banks, mortgage companies and financial institutions.

Award Amount: Up to $1.6 million. Maximum awards are common.

Knowledge: Original source information of banking misconduct or fraud.

Time Limits: 10-year statute of limitations.

Anonymity: Strong confidentiality.

Other: Low burden of proof.

Program #3: Securities and Exchange Commission-(SEC) Whistleblower Program

The SEC Whistleblower Program awards whistleblowers who report brokerage firms who fail to properly safeguard customer information and public companies that fail to disclose material cybersecurity risk or actual breaches.

Award Amount: Between 10% and 30% of government recovery when sanctions are at least $1 million.

Knowledge: Original source information relating to securities violation.

Time Limits: First to file provisions apply.

Anonymity: Strong confidentiality, can file anonymously but only with an attorney.

Other: No option for private action if SEC declines to intervene.

The CFTC awards whistleblowers who report violations of the Commodity Exchange Act

Award Amount: Between 10% and 30% of government recovery when sanctions are at least $1 million.

Knowledge: Original source information relating to securities violation.

Time Limits: First to file provisions apply.

Anonymity: Strong confidentiality.

More Questions About Cybersecurity Whistleblowers?

If you have further questions about becoming a cybersecurity whistleblower, whistleblower rights, employer retaliation or other concerns contact the cybersecurity whistleblower lawyers at MahanyLaw online, by email at or by phone at +1.202.800.9791. All inquiries are protected by the attorney – client privilege and kept strictly confidential. Cases accepted worldwide. (Remember always, never email or call us from a company phone, email account or computer.)

 

MAHANYLAW

WHISTLEBLOWER AND FRAUD RECOVERY LAWYERS

CASES ACCEPTED NATIONWIDE

Washington – 202.800.9791

Detroit – 313.879.2070

Los Angeles – 213.291.2474

Milwaukee – 414.258.2375