Our cybersecurity whistleblower attorneys have represented technology and compliance insiders who have raised concerns about potential risks to investors and markets, as well as the U.S. government and taxpayers.
Our team consists of top cybersecurity legal experts, including former SEC commissioner Allison Herren Lee, one of the leading securities laws practitioners today; and former SEC Enforcement Senior Counsel, Andrew Feller. Together, these experts are positioned to represent cybersecurity whistleblowers under the SEC, CFTC, and other whistleblower programs.
Our partners also include Forbes’ America’s Top 200 Lawyers Stephen M. Kohn, and leading False Claims Act attorney David Colapinto. Together, these two have represented whistleblowers in numerous False Claims Act qui tam cases, resulting in billions of dollars in recoveries for the United States.
If you’re an employee of a company that has a contract with the U.S. government, or an individual who knows of a broker-dealer or investment adviser failing to address fraud or specific cybersecurity risks, there is no firm better suited to represent you than the leading Washington, DC whistleblower law firm, Kohn, Kohn and Colapinto.
Why Cybersecurity Whistleblowers Are Important
Cybercrime is a major concern that poses a serious risk to millions of investors worldwide. According to the FBI’s internet crime report, IC3 received a record number of complaints from the American public in 2023, with potential losses exceeding $12.5 billion, a 22% increase in losses suffered from the year prior. From 2019 to 2023, over $37 billion was reported lost. The FBI believes this is only a small fraction of the total, given the elusiveness of such cybercrimes.
Charts: Total Complaints Filed (2019-2023); Losses Attributed to Cyber Fraud (2019-2023)
To prevent cybercrime, companies are subject to numerous laws and government regulations requiring them to implement and maintain extensive cybersecurity controls, and to make timely reports of intrusions, data exfiltration, and other cybersecurity incidents.
However, these risks can be mitigated with the help of employees who have information about their company failing to meet specific government or regulatory requirements. These brave whistleblowers can be the last line of defense in protecting investors and market integrity.
What Laws Apply to Cybersecurity Whistleblowers
An experienced cybersecurity whistleblower attorney can advise you on whether your concerns fall under a specific law or whistleblower program, helping to ensure you are eligible for protection against retaliation, and possibly an award. The key laws and programs that cybersecurity whistleblowers can file under are:
False Claims Act
The False Claims Act allows any individual to report a business that holds a contract with the U.S. government and poses a cybersecurity fraud risk. This is particularly relevant for healthcare, defense, construction, and other sectors that have government contracts.
Under the False Claims Act, individuals can file a qui tam lawsuit on behalf of the government and receive a share of any recovery stemming from a cybersecurity breach, or a failure to disclose such breaches. Whistleblowers may be eligible for a mandatory award between 15% and 30% of the proceeds collected.
Anti-Money Laundering Whistleblower Program
The Department of Treasury is particularly concerned about cyber-enabled financial crime, ransomware attacks, and the misuse of virtual assets through the laundering of illicit proceeds. Such activity may constitute a violation of the Bank Secrecy Act (BSA).
Under the Anti-Money Laundering and Sanctions Whistleblower Program, whistleblowers who provide the U.S. Department of Treasury with information regarding violations of the BSA may receive an award of up to 30% of monetary sanctions obtained from a successful investigation.
SEC Whistleblower Program
The SEC Whistleblower Program allows individuals to report concerns to the SEC if they see that their company is failing to take necessary steps to adopt cybersecurity best practices, create policies, or develop internal controls that prevent cyberattacks or protect sensitive information. In addition, individuals may report a failure of their company to disclose material cybersecurity incidents in a timely manner (see cybersecurity disclosure rule).
The SEC Whistleblower Program provides protection against retaliation, and potential awards between 10% and 30% of the amount collected by the SEC, when the information leads to an enforcement action with financial remedies of $1 million or more.
CFTC Whistleblower Program
The CFTC’s new Cybersecurity and Emerging Technologies Task Force addresses critical issues such as ensuring robust cybersecurity controls for registrants, prosecuting cyberattacks aimed at market manipulation in spot and derivatives markets, and investigating technology-enabled theft of non-public information, among other emerging areas, such as AI.
Like the SEC Whistleblower Program, the CFTC Whistleblower Program also offers protection from retaliation and potential awards between 10% and 30%, when a whistleblower’s information leads to a successful enforcement action with financial remedies of $1 million or more.
Protection from Retaliation
There are multiple whistleblower protection laws, such as the Sarbanes-Oxley Act (SOX) and the Dodd-Frank Act, which contain anti-retaliation provisions. However, given the complexity of such laws, not all cybersecurity whistleblowers will be eligible for protection. For that reason, potential whistleblowers should speak with an experienced and knowledgeable whistleblower attorney to gain more clarity.
Additional Resources
Want to learn more before blowing the whistle? Read our guide Cybersecurity Whistleblower Protections & Rewards to learn more about the legal protections and awards available for individuals who report cyber threats and are facing retaliation.
Cybersecurity Red Flags: When to Seek Legal Help
Anyone can become a whistleblower under the laws and programs listed above. You may want to seek legal assistance if there is strong evidence of cybersecurity risks or information about your company failing to address risks. Failure to take the proper cybersecurity measures may be a violation of such laws.
Under the False Claims Act, red flags might include:
- Failing to maintain or update cybersecurity policies as agreed upon in a contract
- Hiding breaches or covering up breaches while under government contract
- Failure to store files on secure (and encrypted) networks or environments
Under the AML laws enforced by FinCEN:
- Cyber-enabled financial crime
- Ransomware attacks
- Misuse of virtual assets to launder money
Under securities and commodities laws, red flags might include:
- Inadequate cybersecurity disclosures
- Mismanagement of cybersecurity risks
- Insider trading related to cybersecurity events
- False or misleading statements about cybersecurity products or services
- Cyberattacks and data breaches
- Use of emerging technologies
Reporting any one of these failures may provide protection under SOX, but not under the Dodd-Frank Act, which does not provide protection from retaliation if a whistleblower has not yet reported their concerns externally to the SEC. Therefore, while reporting internally may offer some protection under SOX, it’s generally advisable to also report externally to the SEC to maximize protection under both laws.
Seek Legal Assistance
Given the complexity of cybersecurity issues, and the spotty coverage of such laws in this area of enforcement, it’s recommended that you reach out to an experienced whistleblower attorney to help evaluate whether you have a case.
For more than 35 years Kohn, Kohn & Colapinto has been a distinguished whistleblower law firm, recognized as one of the Top 50 Elite Plaintiff’s Law Firms in 2019. All founding partners hold the prestigious AV Preeminent® rating from Martindale-Hubbell®.
Contact us today for a free, no-obligation consultation. Our team is totally committed to our clients, and in most cases, we only get paid if we win your case.
Recent Cases
Here are a few examples of our firm’s recent cases across various practice areas. Please note that many whistleblower cases involve anonymity and confidentiality, and we are often unable to disclose the whistleblower’s identity. However, the following cases highlight instances where whistleblowers chose to come forward publicly.