Has Your Employer Failed to Report a Cyber Hacking Breach or Apply Adequate Cybersecurity Measures?
Billing Clerks, IT Professionals, Executives, Managers, Consultants, Bankers & Other Insiders Have Been Awarded $4 Billion+ in Whistleblower Rewards
The Federal False Claims Act, the Justice Department’s bank fraud program and the Securities and Exchange Commission pay cash rewards to “relators,” the first person who reports (blows the whistle on) otherwise-unknown information about banks, defense contractors, investment agencies, government vendors or government subcontractors in cases of:
- Failure to Promptly Report Cybersecurity Breaches
- Failure to Promptly Report Suspected Cyberhacking Incidents
- Failure to Provide Adequate Data Security
- Failure to Regularly Update Cybersecurity Programs
- Failure to Adequately Safeguard Customer and Government Data
Has Your Defense Contractor or Subcontractor Employer Failed to Report a Cybersecurity Breach?
IT professionals, federal contract administrators and other defense contractor or subcontractor employees are in prime position to detect weaknesses in security measures or breaches in cybersecurity systems.
Cyber hacks into the computer systems of companies supplying software, radar technology, aircraft, ammunition and other supplies to our U.S. defense programs pose a significant danger to national security and the men and women of our armed forces.
Failure to report cyberattacks among Department of Defense (DOD) contractors and subcontractors may violate the federal False Claims Act. The Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity rule, titled Safeguarding Covered Defense Information and Cyber Incident Reporting, requires that those participating in any kind of defense department contract:
- Have security measures in place on all computer systems, and
- Report all incidents of cyber hacking or security breaches to the Department of Justice within 72 hours of discovery.
Specifically, contractors and their subcontractors must implement “adequate security” commensurate with potential consequences and probability of loss, misuse or unauthorized access to, or modification of, information.
Contractors must report any cyber incident that affects the contractor’s information system, covered defense information or the contractor’s ability to provide operationally critical support within 72 hours of discovery.
Whether hackers succeed or not in acquiring sensitive information, any breach in cybersecurity that goes unreported could violate the False Claims Act. The False Claims Act awards whistleblowers between 15% and 30% of any government recovery arising from a settlement or successful lawsuit. Million-dollar-plus whistleblower awards are not uncommon since many defense department contracts can range in the millions to tens of millions of dollars.
Whistleblower awards can’t be paid for claims based on publicly known information, like frequent reports, but if a contractor fails to implement appropriate cybersecurity measures or fails to report a breach in the system, a False Claims violation may exist.
The Defense Acquisition Regulation System (“DFARS”) rules for contractors didn’t take final effect until December 31, 2017. But already there has been one whistleblower victory.
In 2015, the director of compliance for a major DOD and NASA aerospace defense contractor accused his former employer of major cybersecurity flaws and failing to self-report those flaws to the government. The contractor moved to dismiss and argued that only the government could make the determination of whether or not its alleged security lapses were “material.” The company believes that cybersecurity should not be left to whistleblowers. In a case of first impression, on May 9th, 2016 the court sided with the whistleblower.
To qualify for a whistleblower award, the whistleblower must have “original source” (inside) information about the failure to report a cyber hacking incident or failure to take the required security measures involving a federal program or contract. If you think you have information and want to learn if it might qualify for a whistleblower award, call the MahanyLaw whistleblower team. Your call is confidential: 202.800.9791
Has Your Bank or Financial Institution Employer Failed to Report A Cybersecurity Breach?
Failure to report weak security systems and cyber hacks continues to pose a problem for U.S. banks. Bankers, financial advisors, broker-dealers, IT professionals and other financial employees are in a unique position to detect security breaches or cybersecurity system errors.
Not only do weak systems expose sensitive personal information, but careless handling of data presents an equally serious threat. An employee accidentally attaching a sensitive file to an email or downloading data to a personal device are among potential violations.
To qualify for an SEC whistleblower award (this is separate and distinct from False Claims Act whistleblower awards discussed above), the whistleblower must have “original source” information about the failure to comply with regulatory requirements. The federal government enforces a number of stringent cybersecurity and breach reporting regulations on American banks and financial institutions.
Cybersecurity mismanagement can also violate securities laws for companies and agencies regulated by the Securities and Exchange Commission (SEC) and may amount to securities fraud.
The SEC’s Regulation Systems Compliance and Integrity rule requires organizations to incorporate computer networking systems with security levels “adequate to maintain operational capacity and fair and orderly markets,” and to “take corrective action” and report incidents following system breaches. In addition, the Dodd-Frank Act commands the SEC and CFTC to require financial institutions to design and execute robust identity theft prevention measures.
The SEC’s Safeguards Rule (Rule 30(a) of Regulation S-P) requires that investment companies and their agents adopt policies to implement certain safeguards. The safeguards must be designed to:
- Ensure security and confidentiality of customer information,
- Protect against anticipated threats or hazards to the security or integrity of customer records and information, and
- Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customers.
The SEC also requires public companies to report cyberbreaches that have a significant impact on investors and corporate finances.
Despite stringent federal regulations, financial institutions continue to fail to report incidents of cyber hacking or security breaches. Any breach that is not reported could potentially qualify for a whistleblower lawsuit under the SEC whistleblower program or FIRREA (the Financial Institutions Reform, Recovery and Enforcement Act).
The SEC offers whistleblowers between 10% and 30% of any $1 million-plus recovery arising from a settlement or successful lawsuit. Because cybersecurity breaches among financial institutions often involve millions of dollars, the potential for a whistleblower award of $1 million or more under the SEC whistleblower program is high. FIRREA can pay awards of up to $1.6 million.
In September 2017, the Chairman of the Securities and Exchange Commission reaffirmed that cybersecurity is a top SEC enforcement concern. That sentiment appears bolstered by the SEC’s investigation of Yahoo over their data breach. The SEC is investigating why Yahoo failed to report the breach for a year and whether it should have notified investors faster.
For a confidential assessment of your reward potential, contact our whistleblower legal team today. Among other qualifications, we led the case resulting in the largest single settlement in U.S. history. For a confidential opinion on your information: 202.800.9791
Fired or Harassed for Reporting Your Employer’s Cybersecurity Breach or Violation?
The U.S. False Claims Act and Securities and Exchange Commission protect qualifying employees who report cybersecurity breaches or violations from “retaliation” – termination, harassment, demotion or threats in response to reporting a cybersecurity violation. The FIRREA bank fraud statute also has whistleblower anti-retaliation protections.
MahanyLaw retaliation lawyers help employees collect damages due to employer retaliation in response to reporting violations either internally or externally. Damages can include double back pay, job reinstatement, and other related losses.
MahanyLaw – Cybersecurity Whistleblower Lawyers
Whistleblower claims must be made within legal time limits (statute of limitations) and only the first whistleblower to report a violation is usually eligible for the cash whistleblower award. Whistleblower claims must be done right from the very start, so be sure to consult an experienced whistleblower lawyer to learn your options.
MahanyLaw has a unique process for maximizing whistleblower rewards, protecting your privacy and fighting retaliation should it occur. We look forward to explaining how our proven strategy to maximize the likelihood and amount of a whistleblower award can work for you. Our whistleblower law firm attorneys have the experience and knowledge to help you report financial and government contractor cybersecurity violations.
Brian Mahany and MahanyLaw whistleblower lawyers have helped recover over $5 Billion for U.S. taxpayers, earning over $100 Million in whistleblower rewards for people reporting violations in recent years.
If you have inside information about inadequate cybersecurity or failure to report a cyber breach, contact attorney Brian Mahany at or by telephone at (414) 704-6731 (direct). You can also report online for a confidential, no-cost consultation. All inquiries are protected by the attorney-client privilege and kept strictly confidential.
There is No Award unless you Report!