Cybersecurity Whistleblowing Is Murkier Than You May Think

Corporate Counsel | 10.11.16

How can your breach turn into a securities law violation? The answer may be "via whistleblower." More and more, corporate employees are reporting cybersecurity vulnerabilities to the U.S. Securities and Exchange Commission after not receiving satisfactory responses from managers about issues they raise. Companies with a strong internal reporting protocol may believe that they need not worry about missing a valid internal report. But organizations should not be so sure. Cyber whistleblowers may present themselves in ways that are virtually unrecognizable from a traditional whistleblower perspective. Recognizing a potential cyber whistleblower may require companies to appreciate nuances previously unanticipated by most internal reporting schemes.

Consider the following scenario. An IT employee approaches his manager. He expresses concern that his co-workers are not following appropriate cybersecurity practices. Specifically, he is aware that employees share passwords for certain systems. The employee knows that his co-workers do this for convenience, but he is concerned that doing so presents a risk to company information. Many managers would not recognize this as a potential whistleblower situation. However, this simple complaint may indeed form the basis for a whistleblower report. If the employee believes that the vulnerability is serious and puts consumer or company information in jeopardy, the employee may take this information to the SEC.

What does the SEC have to do with all this? It's become a very attractive venue for whistleblowers to lodge complaints. The Dodd-Frank Wall Street Reform and Consumer Protection Act amended the Securities Exchange Act to create a bounty program that pays monetary awards to whistleblowers who provide original information about violations of securities law leading to enforcement actions with penalties over $1 million. Whistleblowers who provide qualifying tips receive monetary awards between 10 percent and 30 percent of any recoveries, including from related actions.

Cybersecurity weaknesses may form the basis for an alleged securities law violation because securities laws and regulations increasingly require protection of sensitive data. For example, the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule requires companies to protect consumer records through administrative, technical and procedural safeguards. Institutions are required to develop and implement an information security program appropriate for the size, complexity, nature and scope of the financial institution's business. Under this rule, if a company fails to adopt adequate cybersecurity controls or procedures and the failures lead to the exposure of consumer personal information, the company may be found to have violated the Safeguards Rule and, in turn, securities law.

Returning to our example above, the company's failure to maintain an adequate password management protocol could be viewed as a failure to adopt and enforce adequate procedural safeguards under GLBA. In recent years, a robust password management procedure has come to be recognized as a fundamental cyber hygiene practice.

Unlike other types of corporate whistleblowing, cyber whistleblowing may fly under the radar until the whistleblower makes a report to the SEC. The concerns of cyber whistleblowers often arise during the course of normal job duties. Moreover, IT managers may not be aware of the SEC bounty program or that reports need to be elevated. Employees who feel that their valuable advice has not been accepted, and those who feel obligated to come forward out of a sense of civic duty, are increasingly aware of the SEC's prioritization of cybersecurity in its enforcement agenda—and the potential for monetary bounties. And cyber whistleblowers have begun to come forward.

The SEC began signaling its interest in cybersecurity procedures in 2011, when it issued cybersecurity guidance to financial firms. The guidance made clear that the agency considers cybersecurity to be an issue critical to the integrity of financial markets, and advised companies to disclose material cybersecurity risks to shareholders. Since then, the SEC has conducted two examination sweeps aimed at evaluating the cybersecurity posture of financial firms.

At that point, the financial industry saw the writing on the wall. Cyber­security enforcement actions were an inevitable reality, which came to fruition in September 2015, when the SEC announced the entry of its first consent decree in In re R.T. Jones Capital Equities Management. The commission alleged that R.T. Jones, the St. Louis-based investment company, failed to protect its customers' personal information by neglecting to conduct periodic risk assessments, employ a firewall, encrypt personal information and maintain a cybersecurity incident response plan in violation of the GLBA Safeguards Rule.

Around the time that the SEC announced the R.T. Jones enforcement action and consent decree, senior SEC leaders went to Silicon Valley to let tech leaders know that they were not hidden from the agency's watchful eye. Thus, for both nonfinancial public companies and financial companies, the SEC is determined to take a more active regulatory approach, and cybersecurity is high on the enforcement agenda.

But companies need not fear cyber whistleblowers. Organizations can implement simple procedures designed to acknowledge employee concerns and encourage them to report internally.

First, companies must make internal reporting mechanisms available and readily accessible. Employees should be able to report issues, including anonymously, to managers, human resources, compliance, ethics and legal. And they should be able to do so using a telephone, an email hotline or the company's website. Such reporting mechanisms should be made highly visible, and employees should be encouraged to use them when appropriate circumstances arise. Employee handbooks and codes of conduct should explain why it is important to report concerns, and why the company encourages it. Managers should be trained to identify potential whistleblower situations, and to escalate employee concerns in an appropriate way.

Second, companies should safeguard the confidentiality of the whistleblower to the extent possible. Company policies should explain that reports will be treated as confidentially as possible, consistent with the business's need to conduct a proper investigation. For anonymous reports, this means resisting the urge to try to identify the whistleblower. It is very difficult to retaliate against a whistleblower when nobody knows who that individual is. For nonanonymous reports, investigators should nonetheless avoid doing anything to unnecessarily "out" a whistleblower, such as identifying the employee in witness interviews or in document preservation memos. And they should be told not to ask witnesses in an investigation whether they are SEC whistleblowers. The SEC takes the position that employees are not required to inform their employers whether or what they have reported to the SEC.

Third, employee handbooks and codes of conduct should contain anti-retaliation provisions that make clear the organization will not tolerate any adverse action against an individual due to his or her good-faith report of wrongdoing. The policy should direct employees to report any potential retaliation to HR or Legal, and should explain that anyone found to have retaliated against an employee could be subject to discipline up to and including termination. Companies should also appoint an independent representative from Legal or HR to review employment decisions involving a whistleblower, including performance reviews, before they are finalized to ensure that they are not retaliatory and won't expose the company to legal risk.

This is not to say that once some-one "blows the whistle" they are immune from employer discipline. But because of the increased risks involved, it is important to have independent review of management decisions involving whistleblowers.

Finally, companies should review their third-party vendor practices (contractors, consultants, auditors, hotline administrators) to ensure that they, too, contain optimal whistleblower procedures. Companies should also ensure that their own policies clearly encourage third-party reports.

Cybersecurity whistleblowing is an emerging area fraught with potential pitfalls. By creating a trusting environment for whistleblowers to report internally, a company can go a long way toward uncovering and remedying violations of law quickly and effectively. And when a company implements procedures designed to adequately address employee concerns and ensure that they feel that their complaints are heard, it may mitigate potential regulatory scrutiny.

Renee Phillips is a partner in Orrick, Herrington & Sutcliffe's New York office and co-head of the firm's whistleblower task force. Shea Leitch is an attorney in the firm's Washington, D.C., office and a member of its e-discovery and information governance group and cybersecurity and data privacy team.

Reprinted with permission from the October 10, 2016 edition of Corporate Counsel © 2016 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-257-3382 or [email protected].