Protections and Rewards for Cybersecurity Whistleblowers
With cybersecurity becoming a topic of ever-increasing visibility and importance, information security professionals ask what protection they have when they make potentially unpopular disclosures of cybersecurity issues. Though no whistleblower retaliation statute deals directly with the topic, the Sarbanes-Oxley Act will often protect cybersecurity professionals who work directly for public corporations or those corporations’ service providers. Yet further, the Dodd-Frank Act could allow information security workers to receive a whistleblower reward for reporting cybersecurity concerns to the SEC or CFTC, in some cases.
However, the relationship among cybersecurity issues, SOX, and the Dodd-Frank Act is not yet clearly defined. Accordingly, information security professionals should educate themselves about whistleblower protections. Doing so could make the difference between being protected, receiving a whistleblower reward, or suffering retaliation without recourse.
What Does SOX Protect?
In relevant part, Section 806 of the Sarbanes-Oxley Act forbids a covered employer to “discharge, demote, suspend, threaten, harass, or in any other manner discriminate against an employee” because of any lawful disclosure or act “regarding any conduct which the employee reasonably believes constitutes a violation of”:
Securities or commodities fraud;
any SEC rule or regulation; or
any provision of Federal law relating to fraud against shareholders.
18 U.S.C. § 1514A.
Can Disclosures of Cybersecurity Issues Be Protected Under SOX?
Disclosures of information security issues absolutely can be protected under SOX. As noted above, SOX protects disclosures relating to one (or more) of six categories of violations. Disclosures of cybersecurity issues can fall under that umbrella in myriad ways. I will describe just three of those scenarios.
Shareholder Fraud Under SEC Rule 10b-5 Generally
A corporation’s failure to accurately disclose cybersecurity issues could violate SEC Rule 10b-5. See 17 C.F.R. § 240.10b-5. In relevant part, the rule states:
It shall be unlawful for any person … [t]o make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading … in connection with the purchase or sale of any security.
Shareholders or the SEC can bring actions against corporations that violate this rule. To do so, the SEC must prove that the corporation 1) made a material 2) misrepresentation and/or omission 3) in connection with the purchase or sale of securities, and 4) acted with scienter. In addition to the foregoing, shareholders must also show 1) reliance, 2) loss causation, and 3) damages. See, e.g., Halliburton Co. v. Erica P. John Fund, Inc., 134 S.Ct. 2398, 2407 (2014).
Shareholder Fraud and Regulation S-K Item 503
A corporation’s failure to disclose cybersecurity issues that create significant risk factors for the corporation could constitute shareholder fraud. Regulation S-K prescribes certain disclosures that a corporation must include in its public filings, such as its annual report (10-K) and its quarterly report (10-Q). 17 C.F.R. Part 229. Item 503(c) of SEC Regulation S-K requires a corporation to disclose risk factors and discuss the most significant factors that make an offering speculative or risky. 17 C.F.R. Part 229.503(c). This includes the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. Division of Corporation Finance, U.S. Securities & Exchange Commission, CF Disclosure Guidance: Topic No. 2, Cybersecurity (Oct. 13, 2011).
Hundreds of corporations disclose generalized cybersecurity risks in their public filings. If they do so while failing to disclose known actual risks, such as knowledge of an actual breach, the omission can give rise to a shareholder fraud action. See Matrixx Initiative, Inc. v. Siracusano, 131 S.Ct. 1309 (2011).
Shareholder Fraud and Regulation S-K Item 303
A corporation’s failure to disclose cybersecurity issues that materially affect the corporation’s financial condition and operations could constitute shareholder fraud. Item 303 of Regulation S-K requires a corporation to discuss its financial condition, changes in financial condition, and results of operations. 17 C.F.R. § 229.303. Four observations about Item 303, known as Management’s Discussion and Analysis, are particularly relevant to our discussion:
One of Item 303’s main purposes is to provide information about the quality of, and potential variability of, a company’s earnings and cash flow, so that investors can ascertain the likelihood that past performance is indicative of future performance, SEC Staff, Report on Review of Disclosure Requirements of Regulation S-K 8-10 (December 2013);
Corporations must describe any known trends or uncertainties that have had, or that the corporation reasonably expects will have, a material impact on net sales or revenues or income, 17 C.F.R. § 229.303(a)(3);
Corporations must describe any unusual or infrequent events, transactions, or significant economic changes that materially affected the amount of reported income; and
Corporations should address events or uncertainties that could affect past or future operations, 17 C.F.R. § 229.303 (instructions).
A corporation’s failure to disclose under Item 303 can give rise to an action for shareholder fraud. See Stratte-McClure v. Morgan Stanley, 776 F.3d 94 (2nd Cir. 2015). But see In re NVIDIA Corp. Securities Litigation, 768 F.3d 1046 (9th Cir. 2014).
And though the law provides a safe harbor for such forward-looking statements, including misleading statements or omissions of fact alongside forward-looking statements will preclude the corporation from insulating itself. E.g., In re Harman Int’l Indus., Inc. Securities Litigation, No. 14-7017, 2015 WL 3852089 (D.C. Cir. June 23, 2015). In other words, a “warning that identifies a potential risk, but ‘impl[ies] that no such problems were on the horizon even if a precipice was in sight,’ would not meet the statutory standard for safe harbor protection.” Id. at *9 (internal citations omitted).
Material Weaknesses in Internal Controls Under SOX Sections 302 and 404
Even if a corporation makes no mention of cybersecurity in its public filings, it may violate Sections 302 and 404 of the Sarbanes-Oxley Act if it fails to disclose material weaknesses in its internal controls related to information security. Section 302 of SOX requires a corporation’s CEO and CFO to personally certify the accuracy and completeness of financial reports, and they must assess and report on the effectiveness of internal controls around financial reporting. 15 U.S.C. § 7241. Section 404 of SOX requires a corporation to assess the effectiveness of its internal controls in its annual reports, and an outside auditing firm must evaluate that assessment. Material weaknesses in those internal controls must be identified. See, e.g., 15 U.S.C. § 7213(a)(2)(A)(iii)(III).
SOX created the Public Company Accounting Oversight Board (PCAOB) to oversee and guide outside auditors in this endeavor. 15 U.S.C. § 7211. In turn, the PCAOB specifically has addressed auditors’ need to examine corporations’ information technology controls as part of their assessment of internal controls. PCAOB Release No. 2007-005A: An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements; PCAOB Release No. 2010-004: Identifying and Assessing Risks of Material Misstatement. In its auditing standards, the PCAOB adopted the framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which also addresses information technology controls.
Thus, a corporation that fails to disclose a material weakness in its information security controls may be non-compliant with SOX.
Shareholder Fraud, Internal Controls, and SOX
For the reasons described above, an information security professional’s disclosure of a public corporation’s cybersecurity issues can be protected under SOX. A corporation failing to disclose information security issues could be committing shareholder fraud or violating SEC rules relating to internal controls. However, these scenarios are far from exhaustive. SOX could protect the reporting of cybersecurity issues under many circumstances.
When Is a Specific Disclosure Protected?
Though cybersecurity whistleblowers can make SOX-protected disclosures, such protection is not automatic. As noted above, SOX protects whistleblowers when they disclose what they reasonably believe to be a violation of one or more of the six enumerated categories. The “reasonable belief” standard is key.
The central inquiry is whether the whistleblower has a reasonable belief that a covered violation has occurred at the time she makes the disclosure. This belief must be subjectively and objectively reasonable. E.g., Van Asdale v. Int’l Game Tech., 577 F.3d 989, 1000-1001 (9th Cir. 2009); Harp v. Charter Commc’ns, Inc., 558 F.3d 722, 723 (7th Cir. 2009); Menendez v. Halliburton, Inc., ARB Nos. 09-002, -003; ALJ No. 2007-SOX-005, slip op. at 12 (ARB Sept. 13, 2011). This means that the whistleblower must know and believe that she is reporting a covered violation, and a reasonable person in the whistleblower’s circumstances must be able to reach the same conclusion. Sylvester v. Parexel Int’l, ARB No. 07-123, ALJ Nos. 2007-SOX-039, -042, slip op. at 14 (ARB May 25, 2011). Thus, if a whistleblower does not believe she is reporting a violation, or if her disclosure is outlandish or baseless in light of standards like those discussed above, the disclosure will not be protected. For example, the report of a minor information security issue that could have no significant effect on the corporation’s operations may not be protected.
However, it is utterly irrelevant whether the whistleblower communicates that reasonable belief to the employer or puts the employer on notice that she is engaging in protected activity. See id. at 15-19. Indeed, a disclosure can be protected even if it does not mention fraud, illegal activity, or anything that could reasonably be perceived to be a violation of the six enumerated categories in SOX. Prioleau v. Sikorsky Aircraft Corp., ARB Case No. 10-060 (ARB Nov. 9, 2011).
In Prioleau, the whistleblower disclosed information security concerns. Id. However, at the time of the disclosure, the whistleblower made no mention of SOX or any of the enumerated categories. Id. Rather, the whistleblower reported his concern that two company policies were in conflict regarding a program that automatically deleted e-mails. Id. The Administrative Review Board (an administrative appellate body that reviews SOX claims) reversed a decision that had granted the employer summary judgment on the ground that the whistleblower had not engaged in protected activity. Id. The board held that because the whistleblower proffered evidence during litigation indicating that he was aware his disclosures were related to SOX compliance and that his belief was objectively reasonable, the disclosures could be protected. Id.
Information security professionals should contact an experienced whistleblower attorney to determine whether disclosures they have made fall within the six categories of violations covered by SOX.
What is the SEC Whistleblower Rewards Program?
The Dodd-Frank Act created the SEC Whistleblower Program, which provides rewards to whistleblowers who report violations of the federal securities laws to the SEC. Eligible whistleblowers are entitled to an award of between 10% and 30% of the monetary sanctions collected in actions brought by the SEC (or related actions brought by other regulatory and law enforcement authorities).
To be eligible for the reward, the whistleblower must voluntarily provide the SEC with information about a violation of the federal securities laws that has occurred, is ongoing, or is about to occur. The whistleblower’s information must lead to an action that results in more than $1 million in monetary sanctions. Whistleblowers need not be current employees to be eligible, though other limitations can apply.
Whistleblower rewards also exist for those reporting violations of federal commodities laws, fraud on the government, tax underpayment, and fraud affecting banks or other financial institutions.
How Can Cybersecurity Whistleblowers Receive an SEC Whistleblower Reward?
Information security professionals can receive rewards under the SEC Whistleblower Program and other whistleblower rewards laws. As discussed above, cybersecurity issues and how corporations deal with them can constitute violations of federal securities laws. And it is a good time to be an information security whistleblower. As I have discussed in a previous blog, the SEC has had a particular focus on cybersecurity for the past few years. As the SEC continues to address the impact on U.S. capital markets and public corporations’ responsibilities to shareholders under the law, this emerging and important topic will likely remain an enforcement focus for the foreseeable future.
Importantly, whistleblowers who are represented by attorneys can remain anonymous when reporting through the SEC Whistleblower Program. Further, cybersecurity professionals can be eligible for awards by providing independent analysis regarding violations of federal securities laws, even if they have no employment relationship with the company.