Cybersecurity Whistleblower Protections & Rewards [2023 Guide]

Cybersecurity breaches are an escalating threat. This guide discusses the role of whistleblowing in cybersecurity, the actions taken by government agencies, and the legal protections and rewards available for those who report cyber threats and face retaliation.

Updated May 13, 2025

Cybersecurity Whistleblower Protections and Rewards

Cybersecurity and data privacy remain at the forefront of urgent concerns for individuals, businesses, and governments alike. According to the FBI’s internet crime report, nearly 33 billion accounts will be breached in 2023, with the cost of these breaches predicted at $8 trillion.

For businesses, the repercussions of cybercrime are profound, with projected losses of approximately $10.5 trillion over the coming five years due to cybersecurity breaches. Foreign cyber-attacks have compromised the national security of the United States, targeting critical infrastructure, the energy sector, and electoral processes.

In this guide, we cover the current state of cybersecurity and data privacy whistleblowing, the government’s response to the issue, the protections available to those who experience retaliation and the potential rewards for their information.

Governmental Response to Cyber Threats

To fight increasing online threats, government agencies and regulators are taking action. For example, in 2018, the U.S. Securities and Exchange Commission (SEC) fined Altaba (formerly Yahoo!) $35 million for not properly reporting a security breach affecting about 3 billion accounts. That year, the SEC also charged an Equifax executive with insider trading: knowing about a major breach at Equifax, the executive sold stock before the breach became public. The U.S. Federal Trade Commission (FTC) also takes action against companies that fail to protect customer data.

However, these agencies can’t stop cybercrime alone. Technology moves fast, stretching their resources, which means there are still weaknesses that criminals can exploit. Companies and agencies holding sensitive data must protect their systems, and workers need to stay alert and report any cyber threats. But people who report these issues often face negative consequences, such as being fired, which makes them afraid to speak up. To change this, workers need to know they will be protected, and perhaps even rewarded, for reporting problems. There is no specific federal law that protects people who report cybersecurity issues, as there is for some other industries. But there are some federal and state laws that could help, depending on the situation.

1. The Sarbanes-Oxley Act

Protects employees reporting fraud at publicly traded companies.

Protection Offered
The Sarbanes-Oxley Act (SOX) was enacted in 2002 in the wake of corporate scandals. It protects whistleblowers in publicly traded companies who report various forms of fraud, including fraud against shareholders and violations of SEC rules and federal laws relating to fraud against shareholders.

Protected Activity
A protected activity under SOX would include reporting suspected fraud, providing information to or assisting in an investigation regarding any conduct which the employee reasonably believes constitutes a violation of federal securities laws, SEC rules, or any provision of federal law relating to fraud against shareholders.

Adverse Action Protection
If an employee has been subjected to retaliatory action (such as dismissal, demotion, harassment, or any other form of discrimination) because of their lawful whistleblowing activities, they are protected under SOX.

Claim Procedure
A whistleblower must file a complaint with the Occupational Safety and Health Administration (OSHA) within 180 days of the alleged retaliation. OSHA will investigate the complaint, and if it finds merit, it can order remedies such as reinstatement or back pay.

2. The Dodd-Frank Act

Shields those reporting securities violations to the SEC.

Protection Offered
The Dodd-Frank Wall Street Reform and Consumer Protection Act enhances the whistleblower protection provisions of SOX. It offers additional protections to those who report securities law violations to the SEC.

Protected Activity
This includes providing the SEC with information relating to a violation of securities laws.

Adverse Action Protection
The Act prohibits retaliation by employers against individuals who provide the SEC with information about securities violations or who make disclosures that are required or protected under the Sarbanes-Oxley Act and other securities laws.

Claim Procedure
Whistleblowers can bring a private action in federal court if they believe they have been retaliated against. They must do so within 6 years of the retaliatory act or within 3 years after the date when facts material to the right of action are known or reasonably should have been known by the employee, but not more than 10 years after the violation.

3. The Financial Institutions Reform, Recovery, and Enforcement Act

Covers employees reporting legal violations at financial institutions.

Protection Offered
FIRREA is designed to protect whistleblowers in the banking sector. It encourages employees to report misconduct related to the operation of financial institutions.

Protected Activity
Reporting actions that the employee reasonably believes to be violations of law related to the operation of banks and other depository institutions.

Adverse Action Protection
Employees who suffer retaliation may seek civil remedies.

Claim Procedure
The procedure for reporting under FIRREA is not as clearly established as with other statutes. However, whistleblowers typically report violations to the appropriate authorities, such as the Federal Reserve or the Office of the Comptroller of the Currency, and may then seek a private right of action if they face retaliation.

4. The False Claims Act

Protects those opposing government fraud.

Protection Offered
The FCA is a tool for fighting fraud against the federal government. It includes a “qui tam” provision that allows individuals to sue on behalf of the government and receive a percentage of the recovery as a reward.

Protected Activity
Whistleblowing under the FCA involves reporting fraudulent claims made for payment to the federal government.

Adverse Action Protection
The Act protects whistleblowers from being discharged, demoted, harassed, or otherwise discriminated against for engaging in protected activity related to uncovering and stopping fraud against the federal government.

Claim Procedure
A whistleblower must file a qui tam lawsuit in federal court under seal. The government will then investigate the claim and decide whether to intervene. The whistleblower could receive a portion of any recovered funds if the case is successful (see rewards section below for more info).

5. The Energy Reorganization Act

Protects nuclear industry employees opposing legal violations.

Protection Offered
This Act protects employees in the nuclear industry who report safety concerns or other violations of the Act, the Atomic Energy Act, or regulations of the Nuclear Regulatory Commission (NRC).

Protected Activity
Protected activities include reporting safety violations or refusing to engage in any practice deemed unsafe or illegal under the Energy Reorganization Act.

Adverse Action Protection
The Act prohibits employers from retaliating against employees who engage in protected activities.

Claim Procedure
Complaints must be filed with OSHA within 180 days of the alleged retaliation. Following an OSHA investigation, remedies may include reinstatement or monetary compensation.

6. The Whistleblower Protection Act

Shields federal employees reporting legal violations.

Protection Offered
The Whistleblower Protection Act is specifically designed to protect federal employees who disclose government illegality, waste, and corruption.

Protected Activity
This includes reporting legal violations, gross mismanagement, or significant threats to public safety.

Adverse Action Protection
Federal employees are shielded against retaliatory actions such as unfavorable personnel actions or impacts on employment status.

Claim Procedure
A whistleblower must first seek corrective action from the Merit Systems Protection Board (MSPB) within 30 days of the alleged prohibited personnel action. If dissatisfied with the MSPB’s resolution, the whistleblower may appeal to the U.S. Court of Appeals for the Federal Circuit.

7. The National Defense Authorization Act for Fiscal Year 2013

Protects employees reporting issues related to federal contracts.

Protection Offered
This Act provides protection for employees of government contractors and subcontractors who report waste, fraud, or abuse related to a contract with the Department of Defense or other federal agencies.

Protected Activity
Reporting gross mismanagement, gross waste, abuse of authority, or a substantial and specific danger to public health or safety.

Adverse Action Protection
It protects against reprisals, including termination, demotion, or other forms of discrimination.

Claim Procedure
A complaint must be filed with the Inspector General of the respective agency within 3 years of the retaliatory action. The Inspector General will investigate and make a determination.


Understanding protected activities, what constitutes an adverse action, and adhering to procedural requirements are crucial to effectively leveraging these statutes, as none are explicitly aimed at cybersecurity whistleblowing.

Rewards for Cybersecurity Whistleblowers

Employees who report cybersecurity issues may not only get job protection but could also receive money as a reward. If they give information that helps the U.S. Securities and Exchange Commission (SEC), the U.S. Commodity Futures Trading Commission (CFTC), or the U.S. Department of Justice (DOJ) make a successful case or settlement, they might get a significant financial reward. Below is an overview of those reward laws:

1. SEC Whistleblower Program

The Dodd-Frank Act established a program that rewards individuals who provide valuable information to the Securities and Exchange Commission (SEC). If their information leads to a legal action where the SEC collects more than $1 million, the whistleblower can receive a reward of 10% to 30% of the money collected.

To be eligible, whistleblowers must give the SEC information about violations of securities laws before the SEC asks them for it. The information must come from their own knowledge or analysis and not be known to the SEC already or from public sources. They can also report anonymously through a lawyer, and the SEC tries hard to protect their identity.

As of August 2023, the SEC has issued more than $1.7 billion in whistleblower awards since the program’s inception in 2011.

Learn more about the SEC Whistleblower Program.

2. CFTC Whistleblower Program

Similar to the SEC program, the Commodity Futures Trading Commission (CFTC) program rewards those who report violations of the Commodity Exchange Act, which could include issues like insider trading in commodity markets.

The rules are like the SEC’s: you must provide original information voluntarily, and if your information leads to an enforcement action with over $1 million in penalties, you could get a 10% to 30% reward. Anonymity is also protected here if you report through a lawyer.

Since the inception of the Whistleblower Program through FY 2023, the CFTC has issued 41 orders granting awards totaling almost $350 million.

Learn more about the CFTC Whistleblower Program.

3. Qui Tam Lawsuits under the False Claims Act (FCA)

The FCA allows people to sue on behalf of the government if they know of someone defrauding the government. If successful, they can receive a share of the money recovered. Recoveries since 1986, when Congress substantially strengthened the civil False Claims Act, now total more than $72 billion.

You can file a suit if you know about someone making false claims for government money, like overcharging for goods or services or not meeting contract requirements, including cybersecurity standards. The wrongdoing must be significant and intentional or due to serious negligence.

You file a lawsuit secretly (under seal) to allow the government to investigate without the defendant’s knowledge. The government can decide to join the lawsuit, which greatly increases the chances of success. If the government doesn’t join and you win, you could get 25% to 30% of the recovery. If the government joins, you get 15% to 25%.

The FCA is particularly relevant when government contractors fail to meet cybersecurity standards. If a product sold to the government has a serious cybersecurity flaw, this could form the basis for a lawsuit.

Learn more about the False Claims Act and Qui Tam lawsuits.


These reward programs and legal avenues are complex and have specific rules and procedures. Whistleblowers are advised to seek legal counsel to guide them through the process and help them protect their rights.

Cybersecurity Whistleblower Considerations

In the complex realm of cybersecurity, individuals who identify and report on infractions face the risk of retribution from their employers. To fortify their legal position should such challenges arise, whistleblowers can adopt a series of strategic and proactive measures.

Focus on Legal Breaches When Reporting

It’s essential for whistleblowers to emphasize any legal transgressions linked to the cybersecurity flaws they uncover. The crux of their protection lies in demonstrating that their report transcends technical issues and touches upon violations of the law.

A nuanced and precise description of how the vulnerabilities contravene legal statutes is critical, with the added caveat that the whistleblower’s reasonable belief in a violation is what garners protection, rather than the accuracy of the legal claim itself.

Document Your Findings and Report Formally

To bulletproof their position, whistleblowers should meticulously document their findings and report them through formal channels. This involves crafting a detailed written report and submitting it to an authoritative figure within the company, such as a compliance officer or higher management.

The documented report should strictly address the facts related to the legal violation, steering clear of unrelated issues which might dilute its seriousness. Clear documentation serves as undeniable proof of the whistleblower’s actions and the nature of the report.

Handle Sensitive Information with Care

Unearthing potential misconduct often involves handling sensitive documents. Whistleblowers must navigate this with care, accessing only information they are authorized to and avoiding any unauthorized investigation that could be used against them.

Adhering to company protocols, even when asked to stop an investigation, is key. If in possession of sensitive documents post-termination, seeking legal advice is crucial, given the murky legalities surrounding the possession of such materials.

Secure Expert Legal Advice Promptly

The protective laws for cybersecurity whistleblowers are still nascent and not extensively outlined. Consequently, seeking guidance from a legal expert specializing in whistleblower laws is vital. This advice is not only pivotal when planning to disclose information but also paramount if retaliation has occurred.

An attorney will navigate the whistleblower through legal intricacies, ensure compliance with reporting protocols, and provide counsel on the timing and wording of disclosures.

Understand Your Rights and Protections

A thorough understanding of your rights under various laws, such as the Sarbanes-Oxley Act (SOX), is imperative. Some statutes offer protections for internal reporting, while others may mandate external reporting to be shielded under the law. A whistleblower should be cognizant of such nuances.

Act Promptly if Facing Retaliation

If retaliation occurs, taking swift action is important. Certain laws impose strict deadlines for seeking legal redress, like the 180-day window under SOX.

Prior to accepting any severance package, which typically includes a release of claims against the employer, a whistleblower should consult with an attorney to evaluate the strength and potential value of their claims.

Diligently Seek Comparable Employment

In cases of termination, it’s not only about seeking legal remedies but also about fulfilling the duty to mitigate damages. Whistleblowers should start an earnest job hunt for a similar role as soon as possible. Keeping a detailed log of job search efforts is crucial to defend against any claims of insufficient efforts to find new employment.

Maintain Professional Conduct Throughout

Throughout the whistleblowing process, maintaining a professional demeanor is crucial. This not only applies to how the whistleblower reports the issue but also to their conduct in the workplace. Upholding a level of professionalism may help in reducing the risk of retaliation and preserving the whistleblower’s reputation in their industry.


By adhering to these guidelines, whistleblowers can not only protect themselves but also foster a culture of accountability and integrity within their organizations.

Cybersecurity Whistleblowers: Seek Legal Assistance

Have you witnessed a violation of securities or commodities law, or faced retaliation after reporting one? Your courage to speak up can make a difference. Contact Kohn, Kohn & Colapinto. Your action not only helps protect investors and everyone’s digital safety, but may also qualify you for legal protection and possible rewards.

FAQs

Becoming a cybersecurity whistleblower can be a significant decision with far-reaching implications. Here are some reasons why you might choose to take this step:

  1. Prevent Harm: By reporting security vulnerabilities or breaches, you can help prevent potential harm to individuals and organizations whose data might be at risk.
  2. Ethical Responsibility: If you’re aware of negligence or malicious activities that compromise cybersecurity, you may feel a moral obligation to report these issues to protect others.
  3. Legal Protections: In many jurisdictions, whistleblowers are granted legal protections from retaliation, such as being unjustly fired, demoted, or harassed.
  4. Financial Incentives: Some whistleblower programs, particularly those associated with government agencies like the SEC, may offer financial rewards for information that leads to successful enforcement actions.
  5. Promote Change: Your actions can lead to improved cybersecurity practices within an organization, raising awareness and prompting stronger security measures.
  6. Public Service: Whistleblowing can be seen as a public service, contributing to the overall health of the digital economy and safeguarding public and private interests.
  7. Professional Integrity: It reinforces the ethical standards of your profession, demonstrating a commitment to the principles of your field.

If you are considering becoming a cybersecurity whistleblower, it’s crucial to understand the potential risks and benefits, the protections available to you, and the proper channels for reporting. Consulting with a legal professional who specializes in whistleblower cases can provide guidance tailored to your situation.

You might need a cybersecurity fraud lawyer for several reasons:

  1. Expertise in Cybersecurity Law: Cybersecurity fraud lawyers are experts in the intersection of cyber law and fraud. They understand the technical aspects of cyber incidents and the legal implications.
  2. Legal Protection: If you’re a victim of cyber fraud, a lawyer can help protect your rights and guide you through the process of any legal action required to seek compensation or remedy the situation.
  3. Reporting Cybercrime: A lawyer can advise you on how to correctly report a cybercrime to law enforcement or regulatory agencies, ensuring the necessary procedures are followed for a proper investigation.
  4. Data Breach Response: If your business experiences a data breach, a cybersecurity fraud lawyer can help you navigate the legal obligations regarding breach notifications to customers and compliance with privacy laws.
  5. Litigation and Settlements: They can represent you or your company in court against cybercriminals or in the case of disputes arising from cyber fraud incidents.
  6. Regulatory Compliance: A lawyer can help ensure that your business complies with all relevant cybersecurity regulations, which can prevent legal issues related to cyber fraud.
  7. Whistleblower Representation: If you are a whistleblower reporting cybersecurity fraud, a lawyer can protect you from retaliation and ensure you receive any entitled rewards.
  8. Contract and Policy Development: For businesses, lawyers can assist in drafting contracts and policies that include strong cybersecurity clauses to protect against fraud.

In essence, a cybersecurity fraud lawyer serves as both a shield and a guide through the complexities of cyber fraud, its prevention, and its aftermath.

Fraud and cybersecurity are closely linked because many modern fraud schemes rely on cyber tools and methods to commit or conceal their crimes. Here’s a simple breakdown of the relationship:

  1. Cyber Tools in Fraud: Cybercriminals use hacking, phishing, malware, and other online tactics to steal personal and financial information, which they can then use to commit fraud.
  2. Data Breaches: Cybersecurity failures can lead to data breaches, where fraudsters gain unauthorized access to systems and data, which they can use for identity theft, financial fraud, or selling the information on the dark web.
  3. Concealment: Cyber techniques help fraudsters hide their identity and location, making it harder for them to be caught and for their activities to be traced.
  4. Scale and Reach: Cybersecurity vulnerabilities can be exploited to commit fraud on a much larger scale than traditional methods, affecting millions of people and businesses globally.
  5. Financial Systems: Cybersecurity is crucial for protecting financial systems and transactions, which are common targets for fraud due to the direct potential for monetary gain.

Because of these connections, robust cybersecurity measures are essential to prevent, detect, and respond to fraudulent activities.

Our Firm’s Cases

  • Andrés Olarte Peña

    Environment & Human Rights Violations Exposed

    Oil industry’s environmental crimes and cover-up in Colombia have been exposed. Whistleblower Andrés Olarte Peña, with the support of his attorneys Kohn, Kohn & Colapinto and the damning evidence compiled in the Iguana Papers, is calling for an investigation into Ecopetrol and its executives by the Colombian government and the U.S. Securities and Exchange Commission.

  • SEC Whistleblower

    $30 Million Award

    Protecting the confidentiality of Wall Street whistleblowers is among the most important breakthroughs in federal whistleblower law. Under the Dodd-Frank Act, whistleblowers can file anonymous cases, and everything about their case, including who they sued, remains secret.

  • SEC Confidential Whistleblower

    $13.5 Million Award

    Our firm represented an anonymous whistleblower, who on May 17, 2021, received a whistleblower award of almost $13.5 million. The SEC has issued more than $31 million in whistleblower awards related to this case.
