Cybersecurity Whistleblower Rewards | How to Claim a Cash Reward

Uncle Sam PAYS Cybersecurity Whistleblower Rewards. Cyber Crime Is One of the Largest Threats Facing Our Nation. Learn What You Can Do to Stop These Threats and Earn a Cash Reward

Has Your Employer Failed to Report a Cyber Hacking Breach or Apply Adequate Cybersecurity Measures?

Billing Clerks, IT Professionals, Executives, Managers, Consultants, Bankers & Other Insiders Have Been Awarded $4 Billion+ in Cybersecurity Whistleblower Rewards

Cybercrime is estimated to cost the global economy as much as $575 billion per year. With so many people working at home because of Coronavirus, this number could skyrocket to $6 trillion by next year.

As the world becomes more dependent on technology, cybersecurity is now a critical concern for government agencies, banks, investors and the public. has emerged as a critical issue for customers, investors, and government regulators. Entire businesses can and have been wiped out because of hacking incidents. Nation state hackers even try to steal sensitive data and influence elections.

Typically, we only hear of these incidents after the fact (if at all). We are aware of companies and defense contractors that deliberately conceal vulnerabilities or successful hacking incidents for months or years. Thats where whistleblowers step in. They are critical in protecting the public, businesses and the government.

Although there is no “one size fits all” whistleblower program for cybersecurity violations, large cash rewards are available under a variety of government programs. If you have inside information about data breaches, hacking incidents or and cyber vulnerabilities involving banks, public companies, commodities dealers, brokerage firms or government contractors, you may be eligible for a reward. Our team of experienced whistleblower lawyers and industry experts are ready to help you stop fraud and maximize a reward. In the paragraphs below we describe the rewards available for cybersecurity whistleblowers.

(At the end of this page see our three appendices, Appendix 1, 9 Helpful Resources on Cybersecurity Rules and Regulations, Appendix 2, 5 Essential Criteria for Selecting the Best Cybersecurity Whistleblower Lawyer and Appendix 3, a quick reference guide to the 4 whistleblower programs that pay rewards in cybersecurity cases.)

The Federal False Claims Act, the Justice Department’s bank fraud program (FIRREA) and Securities and Exchange Commission pay cash rewards to whistleblowers. Common to all program are the first to file requirements meaning the first person who reports (blows the whistle) gets the reward. Whistleblower rewards are generally available for otherwise-unknown information about banks, defense contractors, investment agencies, government vendors or government subcontractors in cases of:

Failure to Promptly Report Cybersecurity Breaches
Failure to Promptly Report Suspected Cyberhacking Incidents
Failure to Provide Adequate Data Security
Failure to Regularly Update Cyber Security Programs
Failure to Adequately Safeguard Customer and Government Data

Defense Contractors / Government Contractors / Vendors Cybersecurity Breaches

IT professionals, federal contract administrators and other defense contractor or subcontractor employees are in prime position to detect weaknesses in security measures or breaches in cybersecurity systems.

Cyber hacks into the computer systems of companies supplying software, radar technology, aircraft, ammunition and other supplies to our U.S. defense programs pose a significant danger to national security and the men and women of our armed forces. Ditto for companies that provide cloud computing services for federal agencies. (Several states have similar reward programs too.)

Failure to report cyberattacks among Department of Defense (DOD) contractors and subcontractors may violate the federal False Claims Act. The Defense Federal Acquisition Regulation Supplement (DFRAS) cybersecurity rule, titled Safeguarding Covered Defense Information and Cyber Incident Reporting, requires that those participating in any kind of defense department contract:

Have security measures in place on all computer systems, and
Report all incidents of cyber hacking or security breaches to the Department of Justice within 72 hours of discovery.

Specifically, contractors and their subcontractors must implement “adequate security” commensurate with potential consequences and probability of loss, misuse or unauthorized access to, or modification of, information.

Contractors must report any cyber incident that affects the contractor’s information system, covered defense information or the contractor’s ability to provide operationally critical support within 72 hours of discovery.

Whether hackers succeed or not in acquiring sensitive information, any breach in cybersecurity that goes unreported could violate the False Claims Act. The False Claims Act awards whistleblowers with between 15% and 30% of any government recovery arising from settlement or successful lawsuit. Million dollar-plus whistleblower awards are not uncommon since many defense department contracts can range in the millions to tens of millions of dollars.

Whistleblower awards can’t be paid for publicly known information such as hacking incidents that are already reported in the media reports but if a contractor fails to implement appropriate cybersecurity measures or fails to report a breach in the system, a False Claims violation may exist.

The Defense Acquisition Regulation System (“DFARS”) rules for contractors didn’t take final effect December 31, 2017. But already there has been one whistleblower victory.

In 2015, the director of compliance for a major DOD and NASA aerospace defense contractor accused his former employer of major cybersecurity flaws and failing to self report those flaws to the government. The contractor moved to dismiss and argued that only the government could make the determination of whether or not its alleged security lapses were “material.” The company believes that cybersecurity should not be left to whistleblowers. In a case of first impression, on May 9th, 2016 the court sided with the whistleblower.

In 2019, Cisco Systems, Inc. paid $8.6 million to settle claims that it sold video surveillance software to federal, state and local government agencies that was vulnerable to hacking. The case was filed by a whistleblower. Fifteen states also pursued claims against Cisco for similar problems.

In 2017, eClinicalWorks paid $155 million to resolve a False Claims Act suit claiming that the company misrepresented its electronic health records software. The company was also accused of paying kickbacks.

Cybersecurity Maturity Model Certification (CMMC) and Whistleblower Rewards

When it comes to cybersecurity regulations and government contracting, there is an alphabet soup of regulations, NIST, DFARS, FARS… In September 2020, the government announced even more stringent cybersecurity regulations for defense contractors. Called the Cybersecurity Maturity Model Certification or CMMC, the new rules will phase in between now and 2025.

Once again, both defense contractors and their subs will be liable for lax cybersecurity. Companies violating the new rules could be responsible for triple damages and large penalties. Whistleblowers who report violations of the CMMC regulations could receive up to 30% of these fines and penalties.

To qualify for a whistleblower award, the whistleblower must have “original source” (inside) information about the failure to report a cyber hacking incident or failure to take the required security measures involving a federal program or contract. If you think you have information and want to learn if it might qualify for a whistleblower award, call the MahanyLaw whistleblower team. Your call is confidential, contact us online or by phone 202.800.9791. (All inquiries protected by the attorney – client privilege and kept confidential)

Has a Bank, Public Company or Financial Institution Failed to Report A Cybersecurity Breach?

Failure to report weak security systems and cyber hacks continues to pose a problem for U.S. financial institutions and public companies. Bankers, financial advisors, broker-dealers, IT professionals and other employees are in a unique position to detect security breaches or cybersecurity system errors.

Not only do weak systems expose sensitive personal information, but careless handling of data presents an equally serious threat. An employee accidentally attaching a sensitive file to an email or downloading data to a personal device is all it takes for a massive data breach to take place.

Cybersecurity Whistleblower Rewards and the SEC

If a public company fails to disclose cyberbreaches or cyber vulnerabilities, rewards may be available from the Securities Exchange Commission. The SEC whistleblower program is separate and distinct from the False Claims Act (discussed above). Once again, however, rewards are generally limited to whistleblowers who possess inside whistleblower information about the failure to comply with regulatory requirements.

The SEC’s Regulation Systems Compliance and Integrity rule requires organizations to incorporate computer networking systems with security levels “adequate to maintain operational capacity and fair and orderly markets,” and to “take corrective action” and report incidents following system breaches. In addition, the Dodd-Frank Act commands the SEC and CFTC to require financial institutions to design and execute robust identity theft prevention measures.

The SEC’s Safeguards Rule (Rule 30(a)) of Regulation S-P) requires that investment companies and their agents adopt policies to implement certain safeguards. The safeguards must be designed to:

Ensure security and confidentiality of customer information,
Protect against anticipated threats or hazards to the security or integrity of customer records and information, and
Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customers.

The SEC also requires public companies to report cyberbreaches that have a significant impact on investors and corporate finances.

In September 2017, the Chairman of the Securities and Exchange Commission reaffirmed that cybersecurity is a top SEC enforcement concern. That sentiment appears bolstered by the SEC’s investigation of Yahoo over their data breach. The SEC is fined Yahoo $35 million for failing to report the breach for a year.

The SEC offers whistleblowers between 10% and 30% of any $1 million-plus recovery arising from settlement or successful lawsuit. Because cybersecurity breaches among financial institutions often involved millions of dollars, the potential for a whistleblower award of $1 million or more under the SEC whistleblower program is high.

Banks and Cybersecurity Whistleblower Rewards

Despite stringent federal regulations, financial institutions continue to fail to report incidents of cyber hacking or security breaches. Any breach that is not reported could potentially qualify for a whistleblower lawsuit under a law called FIRREA (the Financial Institutions Reform, Recovery and Enforcement Act).

Because the government insures most banks accounts (FDIC and NCUA), it wants to make sure that banks are well protected against ransomware attacks, hacking and data breaches. Like with defense contractors, there is an alphabet soup of cybersecurity regulations and agencies that make sure your bank accounts are safe. But all the regulations in the world don’t mean anything if bad banks hide vulnerabilities or don’t quickly report hacking.

Under the FIRREA law, banks are liable if they engage in practices that threaten the safety of the bank. And a violation can give rise to a whistleblower reward. FIRREA pays rewards of up to $1.6 million.

For a confidential assessment of your reward potential, contact our whistleblower legal team today. Our whistleblower lawyers helped the U.S. government secure the largest single settlement in U.S. history ($16.67 billion against Bank of America). We also brought on the former head of the SEC’s Investigations. To see if you qualify for a cybersecurity whistleblower reward, contact us for a confidential consultation. We can be reached online, by email or by phone at 202.800.9791.

Fired or Harassed for Reporting Your Employer’s Cybersecurity Breach or Violation?

The U.S. False Claims Act and Securities and Exchange Commission Whistleblower Program protect qualifying employees who report cybersecurity breaches or violations from “retaliation” – termination, harassment, demotion or threats in response to reporting a cybersecurity violation. The FIRREA bank fraud statute also has whistleblower anti- retaliation protections.

MahanyLaw retaliation lawyers help employees collect damages due to employer retaliation in response to reporting violations either internally or externally. Damages can include double back pay, job reinstatement, and other related losses.

MahanyLaw – Cybersecurity Whistleblower Lawyers

Whistleblower claims must be made within legal time limits (statute of limitations) and only the first whistleblower to report a violation is usually eligible for the cash whistleblower award. Whistleblower claims must be done right from the very start, so be sure to consult an experienced whistleblower lawyer to learn your options.

MahanyLaw has a unique process for maximizing whistleblower rewards, protecting your privacy and fighting retaliation should it occur. We look forward to explaining how our proven strategy to maximize the likelihood and amount of a whistleblower award can work for you. Our whistleblower law firm attorneys have the experience and knowledge to help you report financial and government contractor cybersecurity violations.

Brian Mahany and MahanyLaw whistleblower lawyers have helped our clients recover over over $100 Million in whistleblower rewards in recent years.

If you have inside information about inadequate cybersecurity or failure to report a cyber breach, contact attorney Brian Mahany at or by telephone at (414) 704-6731 (direct). You can also report online for a confidential, no-cost consultation. All inquiries are protected by the attorney – client privilege and kept strictly confidential.

Appendix 1:

9 Helpful Resources On Cybersecurity Rules & Regulations

Several resources are available for employees of defense contractors, subcontractors, financial institutions and public companies that outline the recommended cybersecurity safeguards and reporting recommendations. Courts may refer to these resources and other criteria in determining whether a company has violated statutes regarding information systems safety. Many of these resources undergo frequent updates. Be sure to consult with a cybersecurity whistleblower lawyer if you have questions on whether a company’s actions qualify you for a whistleblower award.

Resource #1: Basic Safeguarding of Covered Contractor Information Systems

A publication from the Federal Acquisition Regulations (FAR Subpart 4.19 and 48 CFR 52.204-21) that offers guidelines on information systems security for Department of Defense contractors. Among other things, these rules require contractors to:

Identify, report and correct information and information system flaws and intrusions in a timely manner (within 72 hours);
Provide protection from malicious code at appropriate locations within organizational information systems;
Update malicious code protection mechanisms when new releases are available; and
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

https://www.federalregister.gov/documents/2016/05/16/2016-11001/federal-acquisition-regulation-basic-safeguarding-of-contractor-information-systems

Resource #2: Safeguarding Covered Defense Information and Cyber Incident Reporting

A Defense Federal Acquisition Regulation Supplement (DFARS) publication, (48 CFR § 252.204-7012) offering guidelines for Department of Defense contractors on safeguarding information systems and reporting cyber incidents. Among other things, these rules require contractors to:

Provide adequate information systems security in compliance with published standards
Investigate and report apparent or actual breaches
Preserve affected systems and media
Grant DoD access to data and facilities for investigation and/or damage assessment

https://www.govinfo.gov/app/details/CFR-2014-title48-vol3-sec252-204-7012.pdf

Resource #3: Federal Trade Commission Gramm-Leach-Bliley Act Safeguards Rule

For financial institutions, rule 30(a) of SEC Regulation S-P requires that companies who offer financial products or services to consumers safeguard sensitive data and disclose information-sharing practices to customers. When failure to apply required information security measures leads to exposure of vulnerable information, the company violates the Safeguards Rule and securities laws.

Under the Safeguards Rule, a customer information protection program must:

Designate one or more employees to coordinate the information security program
Identify foreseeable internal and external risks to customer information
Assess sufficiency of safeguards in place to control these risks
Design and implement safeguards to control the identified risks
Regularly test and monitor the effectiveness of those safeguards
Select service providers that can maintain appropriate safeguards, design contracts requiring they implement and maintain safeguards, oversee their treatment of customer information
Evaluate and adjust the program in light of security testing and monitoring results

https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/safeguards-rule

Resource #4: SEC Regulation Systems Compliance and Integrity Rule

This rule requires self-regulatory organizations, including stock and options exchanges, registered clearing agencies, FINRA and the MSRB, alternative trading systems and disseminators of consolidated market data, to incorporate computer networking systems with security levels adequate to maintain operational capacity and fair and orderly markets, and to report incidents and take corrective action following system breaches.

https://www.sec.gov/spotlight/regulation-sci.shtml

Resource #5 SEC Announces Enforcement Cyber-Based Threat Initiatives

The SEC announced the formation of a Cyber Unit within the SEC’s Enforcement Division.

https://www.sec.gov/news/press-release/2017-176

Resource #6 SEC Commission Statement and Guidance on Public Company Cybersecurity Disclosures

SEC interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.

https://www.sec.gov/rules/interp/2018/33-10459.pdf

Resource #7: Federal Deposit Insurance Corporation (FDIC), Board of Governors of the Federal Reserve System and Office of the Comptroller of the Currency (OCC)

These agencies are jointly establishing Proposed Regulations to enhance cyber risk management standards for financial institutions with assets of $50 billion or more. These agencies have also published the Interagency Guidelines Establishing Information Security Standards implementing Gramm-Leach-Bliley Act (GLBA) safeguarding requirements. – 2000

https://www.federalreserve.gov/apps/foia/proposedregs.aspx

https://www.federalreserve.gov/supervisionreg/interagencyguidelines.htm

Resource #8: Federal Financial Institutions Examination Council (FFIEC)

The FFIEC IT Handbook and Cybersecurity Assessment Tool offer agency expectations regarding cybersecurity risk management for financial institutions.

https://www.ffiec.gov/cyberassessmenttool.htm

Resource #9 Cybersecurity Maturity Model Certification CMMC

In September 2020, the government released a new cybersecurity program for all defense contractors and subcontractors.

https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of

More Questions On Receiving a Cybersecurity Whistleblower Reward?

Ready to see if you have a case? Contact the cybersecurity whistleblower lawyers at MahanyLaw online, by email at or by phone at +1.202.800.9791. All inquiries are protected by the attorney – client privilege and kept strictly confidential. Cases accepted worldwide.

Appendix 2:

5 Essential Criteria For Selecting A Cybersecurity Whistleblower Lawyer

Selecting your cybersecurity whistleblower lawyer could be the single most important decision you make. The right lawyer can mean the difference between a successful whistleblower claim and the loss of your right to a cash award. Even more importantly, having the right lawyer to guide you through the process from the start can safeguard your job, career, reputation and future.

Willingness to Proceed Without Government Intervention

Do not hire an employment or personal injury lawyer, members of the so-called “file and forget” club. They file your case and simply hope the government pursues the case. Always choose an experienced cybersecurity whistleblower lawyer with years of experience, one that is willing to take your claim all the way, whether the government opts to intervene or not. With the government declining an average of 80% of the cases filed, it is critical you have a lawyer willing to fight big corporations and take the case all the way even if the government doesn’t.

Experience Fighting Large, Powerful Companies and Investigative Experts

Your cybersecurity whistleblower lawyer must be fully equipped to take on the most complex of cybersecurity cases. This means being well-versed in whistleblower law, having experience with huge, powerful companies like Ford, Boeing or Bank of America, and having access to the best investigative experts in the nation to help prepare your case.

Wide Jurisdictional Knowledge and Expertise

Cybersecurity whistleblower cases in particular often span a number of jurisdictions. Our cybersecurity whistleblower lawyers work with clients nationwide and have filed cases in almost 40 jurisdictions. This level of experience and scope of practice can be paramount in persuading the government to devote resources to your case.

Prepared to Pursue Your Claim Through Trial

Obtaining a False Claims Act whistleblower award requires filing a lawsuit in federal court. While that task sounds daunting to many lawyers, our team of experienced whistleblower lawyers have years of experience investigating claims, preparing complaints and working with the Justice Department and investigative agencies. Before filing, we often interview prosecutors to determine their level of enthusiasm, determine their resources and find the jurisdiction with the best case law. If necessary, we even prosecute the case through trial.

Our team also has experienced former government prosecutors and agents that know just want the government wants to see in a successful whistleblower case.

Dedicated Employment Law Professionals for Retaliation Claims

Familiarity with the multitude of anti-retaliation laws is vital in handling cybersecurity whistleblower claims, especially when you are still employed by the company in question. Our whistleblower clients have direct access to dedicated employment lawyers ready to help to answer questions, mitigate risks and guide our clients through every step of the process.

Appendix 3:

4 Award Programs For Cybersecurity Whistleblowers

Program #1: Federal False Claims Act (FCA)

Individuals with information regarding defense contractors, subcontractors and other companies who knowingly violate cybersecurity regulations and/or fail to report violations may be eligible to collect a cash whistleblower award under the FCA. (Claims filed under the FCA are often called “qui tam lawsuits.”)

Award amount: Between 15% and 30% of total government recovery. The government is entitled to triple damages and very large fines making potential awards significant in size.

Knowledge: Original source information required. Violations must be material.

Time Limits: First to file bar. 6 years of violation or 3 years of time violation should have been discovered. May go back up to 10 years.

Anonymity: Filed under seal. Identity released late in investigation or at time of legal proceeding. Subsequent identity disclosure can rarely be protected through “Jane Doe” filings although most courts will not allow.

Other: Whistleblower may proceed with private prosecution should government decline to intervene (award is raised to between 25% and 30%).

Program #2: Financial Institutions Reform, Recovery and Enforcement Act (FIRREA)

FIRREA awards whistleblowers who report misconduct that jeopardizes the financial security of banks, mortgage companies and financial institutions.

Award Amount: Up to $1.6 million. Maximum awards are common.

Knowledge: Original source information of banking misconduct or fraud.

Time Limits: 10-year statute of limitations.

Anonymity: Strong confidentiality.

Other: Low burden of proof.

Program #3: Securities and Exchange Commission-(SEC) Whistleblower Program

The SEC Whistleblower Program awards whistleblowers who report brokerage firms who fail to properly safeguard customer information and public companies that fail to disclose material cybersecurity risk or actual breaches.

Award Amount: Between 10% and 30% of government recovery when sanctions are at least $1 million.

Knowledge: Original source information relating to securities violation.

Time Limits: First to file provisions apply.

Anonymity: Strong confidentiality, can file anonymously but only with an attorney.

Other: No option for private action if SEC declines to intervene.

Program #4 Commodity Futures Trading Commission Whistleblower Program

The CFTC Whistleblower Program rewards whistleblowers who report violations of the Commodity Exchange Act.

Award Amount: Between 10% and 30% of government recovery when sanctions are at least $1 million.

Knowledge: Original source information relating to securities violation.

Time Limits: First to file provisions apply.

Anonymity: Strong confidentiality.

More Questions About Cybersecurity Whistleblowers?

If you have further questions about becoming a cybersecurity whistleblower, whistleblower rights, employer retaliation or other concerns contact the cybersecurity whistleblower lawyers at MahanyLaw online, by email at or by phone at +1.202.800.9791. All inquiries are protected by the attorney – client privilege and kept strictly confidential. Cases accepted worldwide. (Remember always, never email or call us from a company phone, email account or computer.)

MAHANYLAW

WHISTLEBLOWER AND FRAUD RECOVERY LAWYERS

CASES ACCEPTED NATIONWIDE