CYBERSECURITY & DATA PRIVACY WHISTLEBLOWER INCENTIVES AND PROTECTIONS
Jeremy Schneider, Jackson Lewis P.C.
Jason Zuckerman, Zuckerman Law
Agenda
◦ Cybersecurity
◦ Data privacy
◦ Federal Cybersecurity Whistleblower Protections
◦ Protections for Government Contractors
◦ SOX & Dodd-Frank Protection for Cybersecurity Disclosures
◦ State Whistleblower Protections
◦ State False Claims Acts
◦ Common Law Wrongful Discharge
◦ Cybersecurity Whistleblower Rewards
◦ Responding Effectively to Employee Concerns & Mitigating the Risk of Retaliation Claims
◦ Unlawful Restrictions on Whistleblowers
◦ Tips for Whistleblowers
CYBERSECURITY
Cybersecurity Risks
◦ Liability to customers
◦ Erodes goodwill
◦ Affects stock price
◦ Costs of remedying the breach can be substantial
Risks for Government Contractors
◦ Contractors of federal and state governments must comply with cybersecurity
requirements
◦ Safeguarding contractor information systems: FAR 52.204-21 (48 CFR § 52.204-21) and DFARS 252.204-7012 (48 CFR § 252.204-7012)
◦ FCA liability
SEC Prioritizing Cybersecurity
◦ The SEC has extended the principles of securities laws (such as safeguard
requirements, internal controls, and disclosure obligations) to cybersecurity issues.
◦ Cybersecurity remains an examination priority of the SEC.
2021 SEC Examination Priorities
Division will review whether firms have taken appropriate measures to:
◦ safeguard customer accounts and prevent account intrusions;
◦ oversee vendors and service providers, and address malicious email activities;
◦ respond to incidents, including ransomware; and
◦ manage operational risk as a result of dispersed employees in a work-from-home environment.
Failure to Disclose Cybersecurity Issues May Constitute Shareholder Fraud
◦ Failing to disclose known cybersecurity risks or material cybersecurity issues can
violate securities laws. See Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27, 44-45
(2011); Stratte-McClure v. Morgan Stanley, 776 F.3d 94 (2nd Cir. 2015).
◦ When it comes to shareholder fraud, the SEC is focused on timely and thoughtful
disclosure of material cybersecurity issues. See SEC Release No. 2018-71
(announcing enforcement action against Altaba for failing to disclose data
breach).
Altaba – A Case Study
◦ In April 2018, Altaba agreed to pay $35 million to resolve charges that it defrauded
shareholders by not disclosing a data breach. Key allegations included:
◦ Within days of the breach, Altaba’s information security team learned that hackers had stolen from
the company sensitive personal data pertaining to hundreds of millions of people.
◦ Altaba did not publicly report the breach for more than two years.
◦ The company failed to take adequate measures to assess its disclosure obligations, including a failure
to effectively investigate the circumstances, a failure to consult with auditors or outside counsel, and
a lack of disclosure controls and procedures to ensure it was properly assessing cybersecurity risks
and breaches for potential investor disclosure.
Altaba – A Case Study (cont.)
“We do not second-guess good faith exercises of judgment about
cyber-incident disclosure. But we have also cautioned that a company’s
response to such an event could be so lacking that an enforcement
action would be warranted. This is clearly such a case,”
- Steven Peikin, Former Co-Director of the SEC Enforcement
Division
Material Weaknesses in Internal Controls
◦ SOX section 302 requires CEO and CFO to certify accuracy and completeness of financial reports and
assess and report on effectiveness of internal controls of financial reporting.
◦ SOX section 404 requires a corporation to assess the effectiveness of internal controls in annual reports,
including having an outside auditing firm evaluate the assessment.
◦ The company must identify material weaknesses in internal controls.
◦ The Public Company Accounting Oversight Board (PCAOB) guides auditors assessing effectiveness of
internal controls.
◦ PCAOB has addressed need for auditors to examine corporations' information technology controls.
◦ Even if a corporation does not mention cybersecurity in its public filings, it may violate sections 302 and 404
where it fails to disclose material weaknesses in cybersecurity-related internal controls.
DATA PRIVACY
Data Privacy
◦ Data privacy (also known as information privacy) is a branch of cybersecurity.
◦ Its focus is the lawful collection, handling, and use of data.
◦ Data privacy and cybersecurity are interconnected, and where you find one, you almost always
find the other.
◦ Data privacy focuses on the proper handling of sensitive information, including personal
information, financial information, and confidential information.
◦ Focuses on use of personally identifiable information (PII), which is information that can be traced to a
specific unique individual.
◦ Deals with how companies treat PII customer information internally.
◦ Cybersecurity focuses on protection from external threats.
Current Federal Data Privacy Regulation
◦ Decades of gridlock in Congress, but some targeted federal regulation:
◦ Privacy Act - Government agency use of PII
◦ GLBA – Financial institution disclosure of use of PII
◦ HIPAA – Health information
◦ COPPA – Children’s online privacy
◦ The FTC enforces federal data privacy regulation, including COPPA (Children’s Online Privacy Protection Act),
GLBA (Gramm-Leach-Bliley Act), and Privacy Act.
◦ FTC also enforces data privacy protection through Section 5 of the FTC Act.
◦ Section 5 of the FTC Act bars unfair and deceptive acts and practices in or affecting commerce.
◦ Includes where a company violates consumers’ privacy rights or claims to adhere to data privacy standards that it does not
follow.
◦ CFPB also enforces data privacy regulation related to financial institutions, including GLBA.
◦ GLBA requires financial institutions to properly disclose to consumers how they use PII and to protect that data.
Current Data Privacy Regulation
◦ In 2016, the EU enacted the General Data Protection Regulation (GDPR):
◦ Requires companies to collect minimal personal information and safeguard that information.
◦ Applies to entities handling or processing European data (including many U.S. companies).
◦ Carries massive penalties – fines for violations can be up to $20 million or 4% of worldwide annual revenue.
◦ In 2016, the EU and U.S. agreed to Privacy Shield, a voluntary data privacy regime that became mandatory once elected by businesses:
◦ Permitted the transfer of European data from EU to U.S.
◦ Participating organizations required to have private recourse mechanisms to remedy failures to comply.
◦ In July 2020, the Court of Justice of the EU (CJEU) ruled that Privacy Shield does not provide adequate protection to comply with GDPR.
◦ The decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the Privacy Shield framework, and the FTC is
still holding companies accountable for commitments under Privacy Shield.
◦ The EU and U.S. are in negotiations to arrive at an enhanced Privacy Shield framework so that U.S. organizations are able to fully comply with the
GDPR when transferring personal data from the EU to the U.S.
◦ Sen. Sherrod Brown introduced broad federal legislation (DATA2020) in 2020 re: data privacy
◦ Comprehensive legislation could pass in the next few years.
Data Privacy Laws
◦ California Consumer Privacy Act (CCPA) – effective Jan. 1, 2020
◦ Companies must disclose to consumers what personal information they collect.
◦ Consumers may opt out of having companies sell their information – similar model to GDPR.
◦ Violations result in fines.
◦ Also provides a private right of action where a company fails to implement reasonable security measures
to protect personal information, and that information is stolen as a result of a breach.
◦ California Privacy Rights Act (CPRA) – effective Jan. 1, 2023
◦ Expands on rights provided in the CCPA, including expanding private right of action and creating the
California Privacy Protection Agency to enforce and implement data privacy laws and impose fines.
Virginia CDPA
◦ Virginia Consumer Data Protection Act (CDPA) – effective Jan. 1, 2023
◦ Applies to all entities conducting business in VA that (i) control or process personal
data of at least 100,000 consumers and/or (ii) derive over 50 percent of gross
revenue from the sale of personal data and control or process personal data of
at least 25,000 consumers.
◦ Outlines responsibilities and privacy protection standards for data controllers
and processors.
◦ Does not apply to state or local governmental entities and contains exceptions
for certain types of data and information governed by federal law.
Virginia CDPA
◦ Defines personal data as “any information that is linked or reasonably linkable to an
identified or identifiable natural person,” but excludes employment data, publicly available data, and pseudonymous data (data not linkable to a person’s identity
without more information).
◦ Entities controlling personal data must establish a mechanism for consumers to
exercise rights and explain mechanism in privacy notice.
◦ Grants VA consumers the right to access, correct, delete personal information.
◦ Can also opt out of sale of personal data and use for targeted advertising.
Virginia CDPA
◦ Entities controlling and processing consumer sensitive data must obtain consent
before processing sensitive data.
◦ Sensitive data includes data re: nationality and ethnic origin, religion, mental/physical health,
sexual orientation, citizenship/immigration status, genetic/biometric data, data from a known
child, geolocation data.
◦ Attorney general has exclusive right of enforcement.
◦ Violations result in fines – no private right of action.
◦ Reporting a violation of VA CDPA could be protected whistleblowing under the VA
Whistleblower Protection Law.
FEDERAL CYBERSECURITY WHISTLEBLOWER PROTECTIONS
Federal Sources of Cybersecurity Whistleblower Protection
◦ False Claims Act and NDAA/DCWPA
◦ Sarbanes-Oxley and Dodd-Frank Act
◦ Consumer Financial Protection Act
◦ FIRREA
PROTECTIONS FOR GOVERNMENT CONTRACTORS
FCA Retaliation: Scope of Coverage
◦ Protects:
◦ Employees;
◦ Contractors; and
◦ Agents
FCA-Protected Conduct
◦ Two forms of protected conduct:
◦ lawful acts done by the employee, contractor, agent or associated
others in furtherance of an action under this section; or
◦ other efforts to stop one or more violations of the FCA.
FCA-Protected Conduct
◦ In furtherance of a qui tam action:
◦ Investigating a potential FCA violation
◦ Opposing an FCA violation internally
◦ Reporting an FCA violation to the government
◦ Assisting a qui tam relator
FCA-Protected Conduct
◦ Efforts to stop an FCA violation:
• The focus of the second prong is preventative—stopping “violations” –
and it is met if the whistleblower demonstrates that they took lawful
measures to stop or avert what they reasonably believed would be a
violation of the FCA.
• The purpose of the second prong is to untether protected efforts from the
need to show that an FCA action is in the offing.
• “[A] layperson should not be burdened with the ‘sometimes impossible
task’ of correctly anticipating how a given court will interpret a particular
statute.” Singletary v. Howard Univ., No. 18-7158, 2019 WL 4554535 (D.C.
Cir. Sept. 20, 2019).
Protections for Whistleblowers Working for Government Contractors
◦ Federal Information Security Management Act (FISMA) creates information security
requirements for federal agencies.
◦ Federal acquisition regulations codify cybersecurity and data privacy requirements applicable to
federal contractors.
◦ Requires a systemic approach to data security that includes baseline controls and risk assessment
procedure.
◦ A security plan must document the controls.
Federal Information Security Management Act (FISMA)
FISMA requirements include:
◦ Federal contractors must keep an inventory of all information systems.
◦ Contractors must categorize information and information systems according to risk. See “Standards for Security Categorization of
Federal Information and Information Systems” FIPS 199.
◦ Contractors must have a current information security plan that covers controls, cybersecurity policies, and planned improvements.
◦ Contractors must consider an organization’s particular needs and systems and then identify, implement, and document adequate
information security controls. See NIST SP 800-53 (identifying suggested cybersecurity controls).
◦ Contractors must assess information security risks. See NIST SP 800-30.
◦ Contractors must conduct annual reviews to ensure that information security risks are minimal.
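The FIPS 199 categorization step listed above has a concrete rule behind it that the slide does not spell out: each information type on a system gets a potential impact (low, moderate, high) for confidentiality, integrity and availability, and the system's category per objective is the highest value found among its information types (the "high-water mark"); the highest of the three objectives is then the overall impact level used to pick the NIST SP 800-53 baseline. The following Python is an added illustration of that rule, not code from the presentation or from NIST; the information types, their names and impact values are constructed sample data, and the LOW floor for a system's objectives and the restriction of "not applicable" to confidentiality follow this example's reading of FIPS 199.

```python
"""FIPS 199 security categorization with the high-water mark rule.

Added illustration (not from the slide deck or NIST): computes an
information system's security category from the categories of the
information types it holds, as this example reads FIPS 199 Section 3.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    NA = 0        # "not applicable": allowed only for confidentiality of public information
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """Security category of one information type: SC = {(C, x), (I, y), (A, z)}."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self):
        # FIPS 199 permits "not applicable" for confidentiality only (public information);
        # integrity and availability always carry at least a LOW impact.
        if self.integrity is Impact.NA or self.availability is Impact.NA:
            raise ValueError(f"{self.name}: integrity/availability cannot be N/A")


def categorize_system(info_types):
    """Return {objective: Impact} for the system plus its overall impact level.

    Per objective, the system takes the highest impact among its information
    types (the high-water mark). A system is never below LOW for any objective,
    since its own processing functions still need baseline protection. The
    overall level, which selects the SP 800-53 low/moderate/high baseline, is
    the highest of the three objectives.
    """
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    system = {}
    for objective in ("confidentiality", "integrity", "availability"):
        hwm = max(getattr(t, objective) for t in info_types)
        system[objective] = max(hwm, Impact.LOW)   # apply the LOW floor
    system["overall"] = max(system["confidentiality"],
                            system["integrity"],
                            system["availability"])
    return system


def format_category(system):
    """Render the result in FIPS 199 notation."""
    return "SC = {" + ", ".join(
        f"({k}, {system[k].name})"
        for k in ("confidentiality", "integrity", "availability")
    ) + "}"


# Constructed sample: a hypothetical contractor system holding three information types.
SAMPLE_TYPES = [
    InfoType("public press releases", Impact.NA, Impact.LOW, Impact.LOW),
    InfoType("contract invoicing records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InfoType("facility access logs", Impact.LOW, Impact.MODERATE, Impact.MODERATE),
]

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_TYPES)
    print(format_category(cat))
    print("overall impact level (SP 800-53 baseline):", cat["overall"].name)
```

Because the high-water mark is taken per objective, a single HIGH rating on any one information type raises the whole system to HIGH, which is why the inventory of information types required by FISMA has to be complete before the categorization is meaningful.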
Duty Speech/“Step Out” Defense
◦ Malanga v. NYU Langone Med. Ctr., 2015 WL 7019819 (S.D.N.Y. Nov. 12, 2015) (FCA) (duty speech
doctrine invalid post-FERA).
◦ United States ex rel. Reed v. KeyPoint Government Solutions, No. 17-1379 (10th Cir. Apr. 30, 2019).
◦ Senior quality control analyst discovered fraud while performing job duties and reported it
through her chain of command.
◦ Not protected because job duties may have required her to seek remedial action from
employees other than her direct supervisor.
FCA-Prohibited Retaliation
◦ A prohibited adverse action occurs when an employee is:
◦ discharged;
◦ demoted;
◦ suspended;
◦ threatened;
◦ harassed; or
◦ in any other manner discriminated against in the terms and conditions of
employment.
FCA-Prohibited Retaliation
Constructive Discharge
◦ If an employer ignores or fails to remediate a whistleblower’s internal disclosures, does
that constitute constructive discharge?
◦ Smith v. LHC Grp., Inc., 727 F. App'x 100 (6th Cir. 2018).
◦ Smith raised concerns about employees altering reimbursement paperwork and making
false representations about staffing for the purpose of admitting patients.
◦ As Director of Nursing, Smith was concerned about potential prosecution and
jeopardizing her nursing license.
◦ Company ignored her disclosures and failed to take remedial action.
◦ Requiring an employee “to engage in activity she considers illegal and immoral” may
create intolerable working conditions sufficient for constructive discharge.
Post-employment retaliation
◦ United States ex rel. Felten v. William Beaumont Hospital, No. 2:10-cv-13440 (6th Cir. March 31, 2021).
◦ Felten brought a qui tam action alleging kickbacks to physicians for referrals of
Medicare patients.
◦ After qui tam settled for $84.5M, Felten pursued retaliation claim
alleging he was terminated and blacklisted, i.e., former employer
disparaged him to nearly 40 prospective employers.
Post-employment retaliation
◦ No temporal qualifier accompanying “employee” in 3730(h).
◦ Half of proscribed retaliatory acts – “threatened,” “harassed,” and “discriminated” – are
not restricted to a current employment relationship and can refer to former employees.
◦ Discrimination in the “terms and conditions of employment” include conditions of
employment that can persist after an employee’s termination.
◦ “If employers can simply threaten, harass, and discriminate against employees without
repercussion as long as they fire them first, potential whistleblowers could be dissuaded
from reporting fraud against the government.”
Post-employment retaliation
◦ Potts v. Center for Excellence in Higher Education, Inc., 2018 WL 5796963 (10th Cir.
Nov. 6, 2018).
◦ After Potts resigned, operator of for-profit college sued her for disparaging them to the
Commission of Career Schools and Colleges concerning alleged deceptions in maintaining
accreditation.
◦ Potts alleged that the suit against her violated the FCA’s anti-retaliation provision.
◦ FCA retaliation proscribes retaliation only against current employees, not former employees.
FCA: Causation
◦ Courts require a showing of “but for” causation.
◦ The “but for” causation standard "means a defendant cannot avoid liability
just by citing some other factor that contributed to its challenged
employment decision." Bostock v. Clayton Cty., 590 U. S. __ (2020), slip op at
*6.
◦ The plaintiff's protected activity or characteristic(s) "need not be the sole or
primary cause of the employer’s adverse action." Id. at *14.
FCA Retaliation Remedies
◦ Reinstatement
◦ Two times the amount of back pay
◦ Uncapped special damages
◦ Emotional distress
◦ Reputational harm
◦ Humiliation
FCA Retaliation Remedies
◦ In lieu of reinstatement, a judge can award front pay to compensate
the plaintiff until such time as they can regain their former career
track.
◦ Get expert analysis and testimony about career damage.
◦ Track mitigation efforts.
◦ Analyze available comparable positions.
◦ Document harm to reputation.
FCA Retaliation Procedure
◦ Three-year statute of limitations
◦ Heightened pleading standard does not apply
◦ No exhaustion requirement
◦ Retaliation claim can be brought under seal with qui tam action
National Defense Authorization Act (NDAA) Retaliation Provisions
◦ DoD, NASA, and Coast Guard Contractors, 10 U.S.C. § 2409
◦ Contractors of other agencies, 41 U.S.C. § 4712
NDAA Scope of Coverage
◦ Covers employees of nearly all government contractors, subcontractors and grantees, and personal services contractors.
◦ Excludes contractors of intelligence agencies.
NDAA-Protected Conduct
• Broad scope of protected conduct:
• Violation of law, rule, or regulation relating to federal contracts,
including competition for or negotiation of a contract;
• Gross mismanagement, gross waste of federal funds, abuse of
authority; or
• Substantial and specific danger to public health or safety.
NDAA-Prohibited Retaliation
◦ NDAA whistleblower provisions bar a broad range of retaliatory acts,
including:
◦ discharging;
◦ demoting; or
◦ otherwise discriminating against a whistleblower.
NDAA Causation and Affirmative Defense
◦ “Contributing factor” causation
◦ Knowledge and timing suffice (WPA standard)
◦ Same-decision affirmative defense must be proven by clear and convincing evidence
NDAA Remedies
◦ Reinstatement;
◦ back pay;
◦ uncapped compensatory damages (emotional distress damages); and
◦ attorneys’ fees and costs.
NDAA Procedure
◦ Must file initially with OIG.
◦ Complainant can remove to federal court 210 days after filing.
◦ OIG investigates and issues report.
◦ Not later than 30 days after receiving IG report, agency head required to act on
findings.
◦ Contractors and grantees have 60 days from the issuance of an order to appeal to
Circuit Court.
FCA or NDAA?
◦ Coverage
  ◦ FCA anti-retaliation provision: employee, contractor, or agent
  ◦ Sections 827 and 828 of NDAA: employee of a contractor, subcontractor, or grantee/personal services contractor
◦ Protected conduct
  ◦ FCA: lawful acts done by the employee, contractor, agent or associated others 1) in furtherance of an action under the FCA or 2) other efforts to stop 1 or more violations
  ◦ NDAA: violation of law, rule, or regulation related to a federal contract; gross mismanagement of a federal contract or grant; gross waste of federal funds; abuse of authority relating to a federal contract or grant; substantial and specific danger to public health or safety
◦ Administrative exhaustion
  ◦ FCA: file directly in federal court
  ◦ NDAA: must file initially at OIG; can remove to federal court after 210 days
◦ Causation standard
  ◦ FCA: “but for” causation (not sole factor)
  ◦ NDAA: contributing factor
◦ Damages
  ◦ FCA: double back pay, reinstatement, special damages (emotional distress damages and harm to reputation), attorney fees
  ◦ NDAA: back pay, reinstatement, special damages, attorney fees
◦ Statute of limitations
  ◦ FCA: 3 years
  ◦ NDAA: 3 years
Pleading Considerations
◦ With the exception of a hostile work environment claim, each adverse action has
its own statute of limitations (although time-barred acts are still evidence).
◦ Administrative exhaustion requirement for each adverse action.
◦ Split of authority about pleading standard at administrative agencies.
◦ Advantages and disadvantages to pleading multiple claims.
SOX & DODD-FRANK WHISTLEBLOWER PROTECTION FOR CYBERSECURITY DISCLOSURES
Sarbanes-Oxley Act (SOX)-Protected Conduct
Section 806 of SOX protects a disclosure about any conduct that the whistleblower reasonably believes violates:
◦ federal criminal prohibitions against securities fraud, bank fraud, mail fraud, or wire fraud;
◦ any rule or regulation of the SEC; or
◦ any provision of federal law relating to fraud against shareholders;
when the information or assistance is provided to, or the investigation is conducted by:
◦ a federal regulatory or law enforcement agency;
◦ Congress; or
◦ a person with supervisory authority over the employee.
SOX-Protected Conduct
◦ “Reasonable belief” standard:
◦ Disclosure of potential violation protected.
◦ Complainant need not allege shareholder fraud.
◦ No magic words required (e.g., fraud or misrepresentation).
◦ Complainant no longer needs to show that their disclosures “definitively and specifically”
relate to the relevant laws.
◦ Reasonable but mistaken belief protected.
SOX Protections for Cybersecurity Whistleblowers
◦ Disclosures relating to inadequate data security and inadequate control
over financial reporting can constitute SOX-protected activity.
◦ “Data security, approvals, and segregation of duties are controls that
exist to ensure the accuracy of financial reporting.” See Thomas v. Tyco
Int’l Mgmt. Co., LLC, 262 F. Supp. 3d 1328, 1336 (S.D. Fla. 2017).
SOX Protections for Cybersecurity Whistleblowers
◦ Some cybersecurity disclosures are not protected under SOX.
◦ Reilly v. GlaxoSmithKline, LLC, 820 F. App'x 93, 96 (3d Cir. 2020).
◦ Reilly identified and pressed for resolution of concerns about access authorization and server
stability.
◦ Asserted that his disclosures implicated weaknesses in internal controls and could lead to
inaccurate financial reporting, in violation of SEC rules.
◦ Third Circuit held that Reilly’s disclosures do not “‘relate in an understandable way’ to any of
section 806’s enumerated forms of fraud.”
Scope of adverse actions
◦ DOL construes adverse actions broadly:
◦ threat of retaliation;
◦ “outing” a whistleblower;
◦ constructive discharge;
◦ harassment.
◦ Most anti-retaliation laws employ the Burlington Northern materiality standard.
“Outing” a whistleblower
Halliburton, Inc. v. Admin. Review Bd., 771 F.3d 254, 259 (5th Cir. 2014)
◦ Merely “outing” a whistleblower is an adverse action under SOX.
◦ “[The] targeted creation of an environment in which the whistleblower is
ostracized is . . . in effect, a potential deprivation of opportunities for future
advancement.”
◦ Menendez resigned and did not suffer economic loss.
◦ ALJ awarded special damages.
SOX contributing factor causation
Palmer v. Canadian National Railway, ARB No. 16-035, ALJ No. 2014-FRS-154 (ARB
Sept. 30, 2016) (en banc)
◦ “Contributing factor” = protected activity played some role—even an
insignificant or insubstantial role—in the adverse action.
◦ Decision-maker knowledge of the protected
activity and close temporal proximity will
suffice to prove causation in some cases.
◦ Whistleblower need not prove pretext.
Contributing factor causation
◦ Palmer
◦ “We want to reemphasize how low the standard is for the employee to meet, how
‘broad and forgiving’ it is. ‘Any’ factor really means any factor. It need not be
‘significant, motivating, substantial or predominant’ — it just needs to be a factor.”
◦ Potential forms of proof:
◦ temporal proximity;
◦ the falsity of an employer’s explanation for the adverse action;
◦ inconsistent application of an employer’s policies;
◦ the employer’s shifting explanations for its actions; or
◦ animus toward the whistleblower’s protected activity.
Same-decision affirmative defense
• In contrast to Title VII, not a burden of production.
• What is “clear and convincing evidence”?
• Not enough for the employer to show that it could have taken the same
action; it must show that it would have taken the same action.
• Quantified, the probabilities might be on the order of above 70%.
SOX or Dodd-Frank?
Distinctions Between Section 806 of SOX and Section 922A of Dodd-Frank
CFPA Whistleblower Protection Law
◦ 12 U.S.C. § 5567
◦ Covers any individual performing tasks related to the offering or provision of a
consumer financial product or service.
◦ Protects disclosures concerning any act or omission that the employee reasonably
believes to be a violation of any CFPB regulation or any other consumer financial
protection law that the Bureau enforces.
◦ Burden-shifting framework, remedies and procedures similar to Section 806 of
SOX.
CFPA Regulation of Cybersecurity and Data Privacy
◦ CFPB authorized to enforce prohibition against any unfair, deceptive, or abusive act or practice in
connection with consumer financial products and services.
◦ In 2016, CFPB took enforcement action against Dwolla, Inc. for deceiving consumers about its
data security practices. CFPB did not allege a data breach or data leak.
◦ Section 502 of Gramm-Leach-Bliley prohibits a financial institution from disclosing nonpublic
personal information about a consumer to nonaffiliated third parties.
◦ Implementing regulations impose data privacy requirements.
FIRREA Whistleblower Protection Law
◦ Financial Institutions Reform, Recovery and Enforcement Act (FIRREA) anti-retaliation
provision, 12 U.S. Code § 1831j
◦ Prohibits retaliation against employees of FDIC-insured institutions for reporting to any Federal
banking agency or the AG:
◦ a possible violation of any law or regulation; or
◦ gross mismanagement, a gross waste of funds, an abuse of authority, or a substantial and
specific danger to public health or safety.
◦ Internal disclosures not protected
◦ Private right of action with 2-year SOL
◦ Remedies include reinstatement, compensatory damages, and “other appropriate actions to
remedy any past discrimination.”
STATE WHISTLEBLOWER PROTECTIONS
STATE WHISTLEBLOWER PROTECTION LAWS
◦ Several states have enacted some form of a whistleblower protection law protecting private
sector employees.
◦ New Jersey and California statutes are robust.
◦ Some of the statutes do not protect internal disclosures.
◦ State whistleblower protection laws protecting disclosures of state law violations protect
disclosures about violations of state data privacy law.
Virginia whistleblower protection law
◦ Va. Code § 40.1-27.3
◦ Effective July 1, 2020
Protected conduct
◦ Refusing an employer’s order to perform an action that violates any federal or
state law or regulation when the employee informs the employer that the order
is being refused for that reason; or
◦ Providing information to or testifying before any governmental body or law
enforcement official conducting an investigation, hearing, or inquiry into any
alleged violation by the employer of federal or state law or regulation.
Prohibited retaliation
◦ The statute proscribes a broad range of retaliatory acts, including discharging,
disciplining, threatening, discriminating against, or penalizing an employee or
taking other retaliatory action regarding an employee’s compensation, terms,
conditions, location, or privileges of employment because of the employee’s
protected conduct.
Remedies
◦ A whistleblower can bring a claim under the Virginia Whistleblower Protection
Law within one year of the retaliatory adverse action.
◦ The court may order as a remedy to the employee:
◦ an injunction to restrain a continuing violation;
◦ reinstatement to the same or an equivalent position held before the employer took the
retaliatory action; and/or
◦ compensation for lost wages, benefits, and other remuneration, together with interest,
and attorneys’ fees and costs.
STATE FALSE CLAIMS ACTS
State FCAs
◦ 31 states have enacted FCAs similar to the federal FCA, most of which have similar prohibitions against retaliation.
◦ State contracts often include FISMA requirements.
COMMON LAW WRONGFUL DISCHARGE
Wrongful Discharge Tort
◦ 42 states recognize a common law wrongful discharge tort
action/public policy exception to at-will employment.
◦ Vary on protecting internal disclosures and remedying retaliatory
personnel actions other than termination.
◦ Most protect refusal to engage in illegal activity and exercising a
statutory right.
◦ Jury trial
◦ Punitive damages
Wrongful Discharge Tort
◦ Split of authority as to whether a statutory remedy preempts a wrongful discharge
claim.
◦ Some states, such as CA, permit whistleblowers to pursue both statutory and
common law remedies.
◦ In WA, an alternative remedy preempts a wrongful discharge claim only when the
alternative remedy provides an exclusive remedy.
$4.3 Million Verdict in Reverse Hacking Wrongful Discharge Case
◦ Shawn Carpenter, former network security analyst at Sandia National
Laboratories, was awarded $4.3 million by a New Mexico jury for wrongful
termination.
◦ Terminated for his independent probe of a network security breach.
◦ Used hacking techniques to trace attacks back to Chinese cyberespionage group.
◦ Shared information from his investigation with Army Counterintelligence Group
and FBI.
◦ Sandia fired him for inappropriate use of confidential information.
CYBERSECURITY WHISTLEBLOWER REWARDS
False Claims Act Qui Tam
• Whistleblower qui tam cases have led to the recovery of more than $56 billion in
taxpayer funds.
• 80 percent of the cases brought under the FCA are initiated by whistleblowers.
False Claims Act Qui Tam
◦ First-to-file bar
◦ Public disclosure bar and original source exception
◦ Filed under seal
◦ Relator share:
◦ If government intervenes, 15 to 25 percent
◦ If government declines to intervene, 25 to 30 percent
◦ Heightened pleading requirement
Cybersecurity False Claims Act Settlements
United States, ex rel. Glenn v. Cisco Sys. Inc.
◦ In 2019, Cisco Systems paid $8.6 million to settle an FCA claim alleging it sold a video surveillance system
that contained security weaknesses that hackers could exploit to access software managing video feeds.
◦ Relator Glenn worked at a networking company that was a Cisco partner and reported security risks to his
employer and Cisco’s Product Security Incident Response Team.
◦ PSIRT never responded, even after Glenn followed up and continued to sell to DHS, Navy, Army, FEMA,
and other federal customers.
◦ Case was brought under federal FCA and FCAs of 15 states and DC.
◦ Glenn received 20% of settlement.
SEC Whistleblower Program
◦ Voluntarily provides the SEC with original information about
violations of the federal securities laws.
◦ Information provided must lead to a successful SEC action resulting
in monetary sanctions exceeding $1 million.
◦ Also awards independent analysis.
◦ Award can range from 10% to 30% of collected sanctions.
SEC Whistleblower Program
◦ Three core facets:
◦ Whistleblower can file anonymously through counsel;
◦ SEC enforces prohibition against retaliation; and
◦ SEC prohibits companies from impeding whistleblowing.
SEC Whistleblower Program
◦ 40,000 tips
◦ FY20: 6,900 tips
◦ $800 million paid to 155 whistleblowers
◦ Whistleblower disclosures have led to more than $3.5 billion in
monetary sanctions, including $1.5 billion of disgorgement of ill-gotten gains, half of which was returned to investors.
SEC Whistleblower Program
◦ 81% of corporate insiders who received awards in FY 2020 raised their concerns
internally prior to reporting to SEC.
◦ Approximately 40% of whistleblowers who received awards during FY 2020 were
outsiders not affiliated with the entity about which they were reporting.
◦ Since the inception of the program, approximately 68% of the award recipients
were current or former insiders of the entity about which they reported a
violation to the SEC, and 84% raised their concerns internally before reporting to
the SEC.
RESPONDING EFFECTIVELY TO EMPLOYEE CONCERNS & MITIGATING THE RISK OF RETALIATION CLAIMS
How to Identify Potential Whistleblower Complaints
◦ Whistleblower protection laws are typically commensurate with their scope
◦ For example, the FCA concerns government fraud, so employees who
complain about issues related to perceived government fraud have
protection.
◦ So, when an employee complains about potential violations of law
having to do with cybersecurity and data privacy, they are potentially
engaging in protected activity.
How to Respond to Whistleblower Complaints
◦ DON’T
◦ Assume the employee is confiding in you as a friend
◦ Tell the employee they must put the complaint in writing
◦ Promise confidentiality
◦ Minimize, trivialize, or excuse the conduct complained of
◦ “Pretaliate”
◦ Ignore the complaint
◦ Treat it just like any other employee complaint
How to Respond to Whistleblower Complaints
◦ DO
◦ Encourage reporting
◦ Be vigilant and continuously confirm compliance with the law
◦ Maintain the employee’s anonymity to greatest extent possible
◦ Conduct a thorough and unbiased investigation
◦ Properly document complaints and the investigation of complaints
◦ Take corrective action, if necessary
How to Respond to Whistleblower Complaints
◦ Why Encourage Reporting?
◦ Gives you the opportunity to fix the problem internally
◦ Employees are statistically less likely to go directly to the government if they report internally
◦ Helps you identify those who have actual knowledge vs. malcontents or conspiracy theorists
◦ Minimizes exposure to liability
◦ Involves counsel early on
◦ Shows good faith
How to Respond to Whistleblower Complaints
◦ How to Encourage Reporting?
◦ Have a clear policy on how to report fraud, etc.
◦ Create an anti-retaliation policy for whistleblower conduct
◦ Train your employees/managers on the policy and laws like the FCA/Dodd-Frank/SOX, etc.
◦ Make employees feel comfortable about reporting suspected wrongdoing
◦ Appoint compliance officer/establish compliance program
◦ Establish anonymous reporting channels – hotlines, etc.
How to Respond to Whistleblower Complaints
◦ Conduct Internal Investigations – Practical Reasons
◦ To ensure fairness in the administration of policies
◦ To confirm compliance with legal/contractual requirements
◦ To obtain a full, objective understanding of the facts
◦ To address & stop problems before they escalate
◦ To continuously improve
How to Respond to Whistleblower Complaints
◦ Conduct Internal Investigations – Legal Reasons
◦ To meet the employer’s burden to take appropriate measures to prevent wrongful or illegal conduct
◦ To fulfill the organization’s legal requirements
◦ To meet contractual or regulatory requirements
◦ To meet program requirements
◦ To develop a defense to claims
How to Respond to Whistleblower Complaints
◦ Conduct Internal Investigations – Other Reasons
◦ Compliance with internal policies
◦ Electronic monitoring/acceptable use policies
◦ NLRA issues
◦ Preservation of documents/evidence
◦ If a complaint ends up being meritless, take steps to limit the employee’s access to certain documents so they
cannot develop a qui tam suit
Avoiding Retaliation Claims
Best Practices:
◦ Thoroughly document all employee performance issues
◦ Use complaints as a way to continually confirm compliance
◦ Have a clear whistleblower policy and FOLLOW IT!
◦ Include whistleblowers in the process
◦ Encourage the employee to maintain confidentiality, but do not outright forbid or
discourage them from reporting to the government
Avoiding Retaliation Claims
Best Practices:
◦ Offer whistleblowers continued assistance if they experience any problems
◦ Unless absolutely necessary, do not inform the whistleblower’s supervisors of the
complaint and/or investigation
◦ Share the results of the investigation with the whistleblower
◦ Train management on policies, retaliation, and the pertinent laws
Avoiding Retaliation Claims
If you take action against a whistleblower, make sure
decisions:
◦ are based on legitimate, nondiscriminatory business reasons
◦ comply with company policies
◦ are consistent as to similarly situated people
◦ are defensible based on business reasons that can be readily articulated
◦ are supported by clear, reliable documentation
Avoiding Retaliation Claims
◦ Use the validity of the employee’s complaint as a guide for how to take action
◦ If the complaint has merit, consider:
◦ taking time to fully investigate the complaint prior to taking action
◦ crafting a performance improvement plan with clearly cognizable performance goals
◦ offering severance w/ a general release
◦ If the complaint has no merit, consider:
◦ cutting off access to information that could be used to support a claim
◦ formally documenting the results and providing a report to the employee/whistleblower prior to taking action
UNLAWFUL
RESTRICTIONS ON
WHISTLEBLOWING
Invalid “Gag Clauses” Barring Whistleblowing
◦ Blatant contractual provisions barring whistleblowing to regulators or
law enforcement have always been unlawful.
◦ Post-Dodd-Frank, there has been a sea change: provisions that merely have
the effect of impeding lawful whistleblowing are now barred as well.
Invalid “Gag Clauses” Barring Whistleblowing
◦ Exchange Act Rule 21F-17
◦ “No person may take any action to impede an individual from communicating
directly with the Commission staff about a possible securities law violation,
including enforcing, or threatening to enforce, a confidentiality agreement . . .
with respect to such communications.”
Invalid “Gag Clauses” Barring Whistleblowing
◦ SEC has taken steps to combat contractual provisions:
• requiring employees to waive possible whistleblower awards;
• prohibiting employees from disclosing the subject of an internal investigation;
and/or
• requiring notice prior to responding to an inquiry from the SEC.
FY2021 NDAA
◦ Section 883 of the National Defense Authorization Act (NDAA) for Fiscal Year 2021 amends
the Defense Contractor Whistleblower Protection Act (DCWPA) by prohibiting DoD from awarding
a contract to a contractor that requires its employees to sign a confidentiality agreement “that
would prohibit or otherwise restrict such employees from lawfully reporting waste, fraud, or abuse
related to the performance of a Department of Defense contract to a designated investigative or
law enforcement representative of the Department of Defense authorized to receive such
information.”
◦ Section 883 also requires DoD contractors to inform their employees of this limitation on
confidentiality agreements, i.e., to inform them of their right to lawfully report waste, fraud, abuse,
and other wrongdoing.
OSHA 9/15/16 Guidance
OSHA guidelines bar the following provisions as impeding whistleblowing:
◦ Provisions that require employees to waive the right to receive a monetary award
from a government-administered reward program.
◦ Provisions that require the employee to advise the employer before voluntarily
communicating with the government.
◦ Provisions that require the employee to affirm they have not previously provided
information to the government.
TIPS FOR
WHISTLEBLOWERS
Whistleblower Rewards Claims
◦ Identify specific, original information.
◦ Establish a material violation.
◦ Do not delay reporting, but be patient during investigation.
◦ Provide a roadmap for a successful enforcement action.
◦ Provide strong investigative leads.
◦ Don’t provide privileged information.
◦ Respect the seal in a qui tam.
Whistleblower Retaliation Claims
◦ Investigate before blowing the whistle
◦ Ideally, engage in written protected conduct and identify the specific facts evidencing a
potential violation
◦ Identify and plead all retaliatory acts
◦ Avoid having unclean hands, e.g., be cautious gathering evidence
◦ Document reputational harm and emotional distress
◦ Identify all potential claims to maximize damages
◦ Exhaust administrative remedies

More Related Content

PPTX
Cybersecurity & data privacy whistleblower incentives and protections
Zuckerman Law Whistleblower Law Firm
 
PPTX
Private Sector Whistleblower Rewards and Protections
Zuckerman Law Whistleblower Law Firm
 
PDF
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Financial Poise
 
PDF
California Consumer Privacy Act - What You Need To Know
TokenEx
 
PPTX
Legal vectors - Survey of Law, Regulation and Technology Risk
William Gamble
 
PDF
Cloud primer
Zeno Idzerda
 
PDF
How can you improve cybersecurity at your law firm?
Clio - Cloud-Based Legal Technology
 
PDF
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Financial Poise
 
Cybersecurity & data privacy whistleblower incentives and protections
Zuckerman Law Whistleblower Law Firm
 
Private Sector Whistleblower Rewards and Protections
Zuckerman Law Whistleblower Law Firm
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Financial Poise
 
California Consumer Privacy Act - What You Need To Know
TokenEx
 
Legal vectors - Survey of Law, Regulation and Technology Risk
William Gamble
 
Cloud primer
Zeno Idzerda
 
How can you improve cybersecurity at your law firm?
Clio - Cloud-Based Legal Technology
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Financial Poise
 

What's hot (16)

PDF
Key Insights from the 2019 Legal Trends Report
Clio - Cloud-Based Legal Technology
 
PPT
Personal Data Privacy and Information Security
Charles Mok
 
PPTX
California Consumer Privacy Act: What your brand needs to know
Ogilvy Health
 
PPT
CSI 2008, Legal Developments In Security and Privacy Law
padler01
 
PPTX
UK GDPR: What New Direction?
David Erdos
 
PDF
Senate Passes House-Amended Insider Trading Legislation
Patton Boggs LLP
 
PDF
GDPR: data needs to be in safe hands
legalandgeneral
 
PDF
Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430
Jean-François LOMBARDO
 
PDF
Privacy and Information Security: What Every New Business Needs to Know
The Capital Network
 
PDF
ALERT: Health Care Cybersecurity Reform and Regulations on the Horizon
Patton Boggs LLP
 
PDF
SECURITY BREACH NOTIFICATION CHART 2013
- Mark - Fullbright
 
PPTX
Data Protection Reform: What Businesses Need to know About GDPR and its Impac...
MediaPost
 
PPT
Privacy and Data Security: Risk Management and Avoidance
Amy Purcell
 
PDF
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec
 
PDF
GDPR: how IT works
Morris Dorfer
 
PDF
GDPR: A Threat or Opportunity? www.normanbroadbent.
Steven Salter
 
Key Insights from the 2019 Legal Trends Report
Clio - Cloud-Based Legal Technology
 
Personal Data Privacy and Information Security
Charles Mok
 
California Consumer Privacy Act: What your brand needs to know
Ogilvy Health
 
CSI 2008, Legal Developments In Security and Privacy Law
padler01
 
UK GDPR: What New Direction?
David Erdos
 
Senate Passes House-Amended Insider Trading Legislation
Patton Boggs LLP
 
GDPR: data needs to be in safe hands
legalandgeneral
 
Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430
Jean-François LOMBARDO
 
Privacy and Information Security: What Every New Business Needs to Know
The Capital Network
 
ALERT: Health Care Cybersecurity Reform and Regulations on the Horizon
Patton Boggs LLP
 
SECURITY BREACH NOTIFICATION CHART 2013
- Mark - Fullbright
 
Data Protection Reform: What Businesses Need to know About GDPR and its Impac...
MediaPost
 
Privacy and Data Security: Risk Management and Avoidance
Amy Purcell
 
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec
 
GDPR: how IT works
Morris Dorfer
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
Steven Salter
 
Ad

Similar to Cybersecurity and Data Privacy Whistleblower Protections (20)

PDF
Introduction to US Privacy and Data Security: Regulations and Requirements
Financial Poise
 
PPTX
Enforcement and Litigation Trends and Developments in Privacy and Data Security
Richik Sarkar
 
PDF
Gdpr and usa data privacy issues
Stefan Schippers
 
PDF
[Title Redacted for Privacy Purposes]: How Internal Audit Can Help Drive Priv...
Kenneth Riley
 
PDF
SECTOR-SPECIFIC-REGULATIONS-AND-A-FEW-HICCUPS-MORE-U.S.A-AND-ITS-PRIVACY-LAWS...
DaviesParker
 
PPTX
Privacy and Data Protection CLE Presentation for Touro Law Center
Jonathan Ezor
 
PDF
Mind Your Business: Why Privacy Matters to the Successful Enterprise
Eric Kavanagh
 
PDF
Data Privacy Compliance
Financial Poise
 
PDF
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Financial Poise
 
PPTX
Unit 6 Privacy and Data Protection 8 hr
Tushar Rajput
 
PDF
Presentatie dma boston 2011: Welke impact heeft us privacyregulering op uw bu...
DDMA
 
PPTX
GDPR and evolving international privacy regulations
Ulf Mattsson
 
PPT
Module 2 - ASP Privacy Management Certfication.ppt
trevor501353
 
PPTX
When Big Data is Personal Data - Data Analytics in The Age of Privacy Laws
Tara Aaron
 
PDF
Cybersecurity and Data Privacy
IFLP
 
PPTX
Data Privacy: Protecting Information in the Digital Age
Sajal Jain
 
PDF
How Well Do You Know Data Privacy Laws_ Think Again!.pdf
CyberPro Magazine
 
PPTX
Technology Law: Regulations on the Internet and Emerging Technologies
Infinity Software Solutions
 
PPTX
Technology Law: Regulations on the Internet and Emerging Technologies
Infinity Software Solutions
 
PPTX
What I learned at the Infosecurity ISACA North America Conference 2019
Ulf Mattsson
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Financial Poise
 
Enforcement and Litigation Trends and Developments in Privacy and Data Security
Richik Sarkar
 
Gdpr and usa data privacy issues
Stefan Schippers
 
[Title Redacted for Privacy Purposes]: How Internal Audit Can Help Drive Priv...
Kenneth Riley
 
SECTOR-SPECIFIC-REGULATIONS-AND-A-FEW-HICCUPS-MORE-U.S.A-AND-ITS-PRIVACY-LAWS...
DaviesParker
 
Privacy and Data Protection CLE Presentation for Touro Law Center
Jonathan Ezor
 
Mind Your Business: Why Privacy Matters to the Successful Enterprise
Eric Kavanagh
 
Data Privacy Compliance
Financial Poise
 
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Financial Poise
 
Unit 6 Privacy and Data Protection 8 hr
Tushar Rajput
 
Presentatie dma boston 2011: Welke impact heeft us privacyregulering op uw bu...
DDMA
 
GDPR and evolving international privacy regulations
Ulf Mattsson
 
Module 2 - ASP Privacy Management Certfication.ppt
trevor501353
 
When Big Data is Personal Data - Data Analytics in The Age of Privacy Laws
Tara Aaron
 
Cybersecurity and Data Privacy
IFLP
 
Data Privacy: Protecting Information in the Digital Age
Sajal Jain
 
How Well Do You Know Data Privacy Laws_ Think Again!.pdf
CyberPro Magazine
 
Technology Law: Regulations on the Internet and Emerging Technologies
Infinity Software Solutions
 
Technology Law: Regulations on the Internet and Emerging Technologies
Infinity Software Solutions
 
What I learned at the Infosecurity ISACA North America Conference 2019
Ulf Mattsson
 
Ad

More from Zuckerman Law Whistleblower Law Firm (17)

PPTX
AMLA Whistleblower Rewards & Protections.pptx
Zuckerman Law Whistleblower Law Firm
 
PPTX
Representing Whistleblowers at OSHA
Zuckerman Law Whistleblower Law Firm
 
PPTX
Whistleblower law and retaliation claims
Zuckerman Law Whistleblower Law Firm
 
PPTX
Vriginia whistleblower law
Zuckerman Law Whistleblower Law Firm
 
PPTX
Hot Topics in Corporate Whistleblower Protections
Zuckerman Law Whistleblower Law Firm
 
PPTX
Recent developments in whistleblower law (9 30-15)
Zuckerman Law Whistleblower Law Firm
 
PPTX
Whistleblower protections for government contractors and grantees
Zuckerman Law Whistleblower Law Firm
 
PPTX
Zuckerman pli slides on developments in whistleblower law
Zuckerman Law Whistleblower Law Firm
 
PPTX
Developments in Whistleblower Law
Zuckerman Law Whistleblower Law Firm
 
PPTX
Plaintiff views — preparing for the fallout from private litigation insights...
Zuckerman Law Whistleblower Law Firm
 
PPT
Representing Whistleblowers in the Federal Government
Zuckerman Law Whistleblower Law Firm
 
PPT
Whistleblower Reward and Retaliation Claims
Zuckerman Law Whistleblower Law Firm
 
PPT
Navigating the maze of private sector 
whistleblower laws
Zuckerman Law Whistleblower Law Firm
 
PPT
New developments in sarbanes oxley and dodd-frank whistleblower retaliation ...
Zuckerman Law Whistleblower Law Firm
 
PPT
Strategies for representing whistleblowers in the federal government
Zuckerman Law Whistleblower Law Firm
 
PPT
Handling Whistleblower Claims: New Opportunities Create More Complex and Emer...
Zuckerman Law Whistleblower Law Firm
 
PPT
Dodd-Frank Act: Robust Protections and Substantial Rewards for Whistleblowers
Zuckerman Law Whistleblower Law Firm
 
AMLA Whistleblower Rewards & Protections.pptx
Zuckerman Law Whistleblower Law Firm
 
Representing Whistleblowers at OSHA
Zuckerman Law Whistleblower Law Firm
 
Whistleblower law and retaliation claims
Zuckerman Law Whistleblower Law Firm
 
Vriginia whistleblower law
Zuckerman Law Whistleblower Law Firm
 
Hot Topics in Corporate Whistleblower Protections
Zuckerman Law Whistleblower Law Firm
 
Recent developments in whistleblower law (9 30-15)
Zuckerman Law Whistleblower Law Firm
 
Whistleblower protections for government contractors and grantees
Zuckerman Law Whistleblower Law Firm
 
Zuckerman pli slides on developments in whistleblower law
Zuckerman Law Whistleblower Law Firm
 
Developments in Whistleblower Law
Zuckerman Law Whistleblower Law Firm
 
Plaintiff views — preparing for the fallout from private litigation insights...
Zuckerman Law Whistleblower Law Firm
 
Representing Whistleblowers in the Federal Government
Zuckerman Law Whistleblower Law Firm
 
Whistleblower Reward and Retaliation Claims
Zuckerman Law Whistleblower Law Firm
 
Navigating the maze of private sector 
whistleblower laws
Zuckerman Law Whistleblower Law Firm
 
New developments in sarbanes oxley and dodd-frank whistleblower retaliation ...
Zuckerman Law Whistleblower Law Firm
 
Strategies for representing whistleblowers in the federal government
Zuckerman Law Whistleblower Law Firm
 
Handling Whistleblower Claims: New Opportunities Create More Complex and Emer...
Zuckerman Law Whistleblower Law Firm
 
Dodd-Frank Act: Robust Protections and Substantial Rewards for Whistleblowers
Zuckerman Law Whistleblower Law Firm
 

Recently uploaded (20)

PDF
alberts-2006-concurrent-trademark-use-in
vakankwatsa
 
PDF
AHRP LB - The Regulatory Framework and Practice of Absentee Land in Indonesia...
AHRP Law Firm
 
PDF
Marketing_Combined Mid Solution_blaw_mpdf
Nsakib4
 
PPTX
5 Crucial Facts About California’s Three Strikes Law & Its Real Impact.pptx
charlottejim674
 
PPTX
办理UNIR文凭|购买比亚努埃瓦国际大学毕业证Letter办理学历认证国外文凭
xxxihn4u
 
PPTX
External aids.pptx INTERPRETATION OF STATUTES
DhrumilRanpura1
 
PPTX
Military Unit symbols, vision and conclusion
antarikshdhaka
 
PDF
ORDER FROM THE JUDGE FINALIZATION ANDpdf
VOLUNTÁRIA CAUSA SOCIAL
 
PDF
Noah Michael Donato - A Certified Divemaster
Noah Michael
 
PPTX
forensic_linguistics_ under NCL_Dr. Gaurav Jadhav (2).pptx
AshutoshPandey331709
 
PPTX
Biotechnology and Bioethics for referenc
RhonaAdajar1
 
PDF
Joseph Lamar Simmons 6 Surveillance Techniques Every Modern Spy Learns.pdf
Joseph Lamar Simmons
 
PPTX
DR. GOSWAMI Forensic Justice - December 2024 - FINAL Full.pptx
AshutoshPandey331709
 
PPTX
Katarungang Pambarangay Presentation.pptx
MarkBalagat
 
PPTX
OEC.pptxdddfffffffgsjjssuxjdjdussskddiixd
athulpopzz706
 
PPTX
Grant Of Patent application process.pptx
blossomjasmine085
 
PPTX
LAW 505 CONCURRENCE & CAUSATION PRESENTATION.pptx
eavisnicopra
 
PPTX
Compensation acts(Maternity, Workmen's compensation, Gratuity, ESI).pptx
Sunaina44
 
PDF
Female Giggers' Discrimination - Dr. Yanki Hartijasti.pdf
sakshikothari33
 
PDF
STATUTE-130-Pg2000.pdf LEI MAGNITISKY U.S.A.
xyzabcd012345098765
 
alberts-2006-concurrent-trademark-use-in
vakankwatsa
 
AHRP LB - The Regulatory Framework and Practice of Absentee Land in Indonesia...
AHRP Law Firm
 
Marketing_Combined Mid Solution_blaw_mpdf
Nsakib4
 
5 Crucial Facts About California’s Three Strikes Law & Its Real Impact.pptx
charlottejim674
 
办理UNIR文凭|购买比亚努埃瓦国际大学毕业证Letter办理学历认证国外文凭
xxxihn4u
 
External aids.pptx INTERPRETATION OF STATUTES
DhrumilRanpura1
 
Military Unit symbols, vision and conclusion
antarikshdhaka
 
ORDER FROM THE JUDGE FINALIZATION ANDpdf
VOLUNTÁRIA CAUSA SOCIAL
 
Noah Michael Donato - A Certified Divemaster
Noah Michael
 
forensic_linguistics_ under NCL_Dr. Gaurav Jadhav (2).pptx
AshutoshPandey331709
 
Biotechnology and Bioethics for referenc
RhonaAdajar1
 
Joseph Lamar Simmons 6 Surveillance Techniques Every Modern Spy Learns.pdf
Joseph Lamar Simmons
 
DR. GOSWAMI Forensic Justice - December 2024 - FINAL Full.pptx
AshutoshPandey331709
 
Katarungang Pambarangay Presentation.pptx
MarkBalagat
 
OEC.pptxdddfffffffgsjjssuxjdjdussskddiixd
athulpopzz706
 
Grant Of Patent application process.pptx
blossomjasmine085
 
LAW 505 CONCURRENCE & CAUSATION PRESENTATION.pptx
eavisnicopra
 
Compensation acts(Maternity, Workmen's compensation, Gratuity, ESI).pptx
Sunaina44
 
Female Giggers' Discrimination - Dr. Yanki Hartijasti.pdf
sakshikothari33
 
STATUTE-130-Pg2000.pdf LEI MAGNITISKY U.S.A.
xyzabcd012345098765
 

Cybersecurity and Data Privacy Whistleblower Protections

  • 1. CYBERSECURITY & DATA PRIVACY WHISTLEBLOWER INCENTIVES AND PROTECTIONS Jeremy Schneider, Jackson Lewis P.C. Jason Zuckerman, Zuckerman Law
  • 2. Agenda ◦ Cybersecurity ◦ Data privacy ◦ Federal Cybersecurity Whistleblower Protections ◦ Protections for Government Contractors ◦ SOX & Dodd-Frank Protection for Cybersecurity Disclosures ◦ State Whistleblower Protections ◦ State False Claims Acts ◦ Common Law Wrongful Discharge ◦ Cybersecurity Whistleblower Rewards ◦ Responding Effectively to Employee Concerns & Mitigating the Risk of Retaliation Claims ◦ Unlawful Restrictions on Whistleblowers ◦ Tips for Whistleblowers
  • 4. Cybersecurity Risks ◦ Liability to customers ◦ Erodes goodwill ◦ Affects stock price ◦ Costs of remedying the breach can be substantial
  • 5. Risks for Government Contractors ◦ Contractors of federal and state governments must comply with cybersecurity requirements ◦ Safeguarding contractor information systems FAR 52.204-21(48 CFR § 52.204- 21) and DFARS 252.204-7012 (48 CFR § 252.204-7012) ◦ FCA liability
  • 6. SEC Prioritizing Cybersecurity ◦ The SEC has extended the principles of securities laws (such as safeguard requirements, internal controls, and disclosure obligations) to cybersecurity issues. ◦ Cybersecurity remains an examination priority of the SEC.
  • 7. 2021 SEC Examination Priorities Division will review whether firms have taken appropriate measures to: ◦ safeguard customer accounts and prevent account intrusions; ◦ oversee vendors and service providers, and address malicious email activities; ◦ respond to incidents, including ransomware; and ◦ manage operational risk as a result of dispersed employees in a work-from- home environment.
  • 8. Failure to Disclose Cybersecurity Issues May Constitute Shareholder Fraud ◦ Failing to disclose known cybersecurity risks or material cybersecurity issues can violate securities laws. See Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27, 44-45 (2011); Stratte-McClure v. Morgan Stanley, 776 F.3d 94 (2nd Cir. 2015). ◦ When it comes to shareholder fraud, the SEC is focused on timely and thoughtful disclosure of material cybersecurity issues. See SEC Release No. 2018-71 (announcing enforcement action against Altaba for failing to disclose data breach).
  • 9. Altaba – A Case Study ◦ In April 2018, Altaba agreed to pay a $35 million to resolve charges that it defrauded shareholders by not disclosing a data breach. Key allegations included: ◦ Within days of the breach, Altaba’s information security team learned that hackers had stolen from the company sensitive personal data pertaining to hundreds of millions of people. ◦ Altaba did not publicly report the breach for more than two years. ◦ The company failed to take adequate measures to assess its disclosure obligations, including a failure to effectively investigate the circumstances, a failure to consult with auditors or outside counsel, and a lack of disclosure controls and procedures to ensure it was properly assessing cybersecurity risks and breaches for potential investor disclosure.
  • 10. Altaba – A Case Study (cont.) “We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case,” - Steven Peikin, Former Co-Director of the SEC Enforcement Division
  • 11. Material Weaknesses in Internal Controls ◦ SOX section 302 requires CEO and CFO to certify accuracy and completeness of financial reports and assess and report on effectiveness of internal controls of financial reporting. ◦ SOX section 404 requires a corporation to assess the effectiveness of internal controls in annual reports, including having an outside auditing firm evaluate the assessment. ◦ The company must identify material weaknesses in internal controls. ◦ The Public Company Accounting Oversight Board (PCAOB) guides auditors assessing effectiveness of internal controls. ◦ PCAOB has addressed need for auditors to examine corporations' information technology controls. ◦ Even if a corporation does not mention cybersecurity in its public filings, it may violate sections 302 and 404 where it fails to disclose material weaknesses in cybersecurity-related internal controls.
  • 13. Data Privacy ◦ Data privacy (also known as information privacy) is a branch of cybersecurity. ◦ Its focus is the lawful collection, handling, and use of data. ◦ Data privacy and cybersecurity are interconnected, and where you find one, you almost always find the other. ◦ Data privacy focuses on the proper handling of sensitive information, including personal information, financial information, and confidential information. ◦ Focuses on use of personally identifiable information (PII), which is information that can be traced to a specific unique individual. ◦ Deals with how companies treat PII customer information internally. ◦ Cybersecurity focuses on protection from external threats.
  • 14. Current Federal Data Privacy Regulation ◦ Decades of gridlock in Congress, but some targeted federal regulation: ◦ Privacy Act - Government agency use of PII ◦ GLBA – Financial institution disclosure of use of PII ◦ HIPAA – Health information ◦ COPPA – Children’s online privacy ◦ The FTC enforces federal data privacy regulation, including COPPA (Children’s Online Privacy Protection Act), GLBA (Gramm-Leach-Bliley Act), and Privacy Act. ◦ FTC also enforces data privacy protection through Section 5 of the FTC Act. ◦ Section 5 of the FTC Act bars unfair and deceptive acts and practices in or affecting commerce. ◦ Includes where a company violates consumers’ privacy rights or claims to adhere to data privacy standards that it does not follow. ◦ CFPB also enforces data privacy regulation related to financial institutions, including GLBA. ◦ GLBA requires financial institutions to properly disclose to consumers how they use PII and to protect that data.
  • 15. Current Data Privacy Regulation ◦ In 2016, the EU enacted the General Data Protection Regulation (GDPR): ◦ Requires companies to collect minimal personal information and safeguard that information. ◦ Applies to entities handling or processing European data (including many U.S. companies); ◦ Carries massive penalties – fines for violations can be up to $20 million or 4% of worldwide annual revenue. ◦ Fines for violations can be up to $20 million or 4% of annual GDP. ◦ In 2016, the EU and U.S. agreed to Privacy Shield, a voluntary data privacy regime that became mandatory once elected by businesses: ◦ Permitted the transfer of European data from EU to U.S. ◦ Participating organizations required to have private recourse mechanisms to remedy failures to comply. ◦ In July 2020, the Court of Justice of the EU (CJEU) ruled that Privacy Shield does not provide adequate protection to comply with GDPR. ◦ The decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the Privacy Shield framework, and the FTC is still holding companies accountable for commitments under Privacy Shield. ◦ The EU and U.S. are in negotiations to arrive at an enhanced Privacy Shield framework so that U.S. organizations are able to fully comply with the GDPR when transferring personal data from the EU to the U.S. ◦ Sen. Sherrod Brown introduced broad federal legislation (DATA2020) in 2020 re: data privacy ◦ Comprehensive legislation could pass in the next few years.
  • 16. Data Privacy Laws ◦ California Consumer Privacy Act (CCPA) – effective Jan. 1, 2020 ◦ Companies must disclose to consumers what personal information they collect. ◦ Consumers may opt out of having companies sell their information – similar model to GDPR. ◦ Violations result in fines. ◦ Also provides a private right of action where a company fails to implement reasonable security measures to protect personal information, and that information is stolen as a result of a breach. ◦ California Privacy Rights Act (CPRA) – effective Jan. 1, 2023 ◦ Expands on rights provided in the CCPA, including expanding private right of action and creating the California Privacy Protection Agency to enforce and implement data privacy laws and impose fines.
  • 17. Virginia CDPA ◦ Virginia Consumer Data Protection Act (CDPA) – effective Jan. 1, 2023 ◦ Applies to all conducting business in VA that (i) control or process personal data of at least 100,000 consumers and/or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. ◦ Outlines responsibilities and privacy protection standards for data controllers and processors. ◦ Does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law.
  • 18. Virginia CDPA ◦ Defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but excludes employment data, publicly- available data, and pseudonymous data (data not linkable to a person’s identity without more information). ◦ Entities controlling personal data must establish a mechanism for consumers to exercise rights and explain mechanism in privacy notice. ◦ Grants VA consumers the right to access, correct, delete personal information. ◦ Can also opt out of sale of personal data and use for targeted advertising.
  • 19. Virginia CDPA ◦ Entities controlling and processing consumer sensitive data must obtain consent before processing sensitive data. ◦ Sensitive data includes data re: nationality and ethic origin, religion, mental/physical health, sexual orientation, citizenship/immigration status, genetic/biometric data, data from a known child, geolocation data. ◦ Attorney general has exclusive right of enforcement. ◦ Violations result in fines – no private right of action. ◦ Reporting a violation of VA CDPA could be protected whistleblowing under the VA Whistleblower Protection Law.
  • 21. Federal Sources of Cybersecurity Whistleblower Protection ◦False Claims Act and NDAA/DCWPA ◦Sarbanes-Oxley and Dodd-Frank Act ◦Consumer Financial Protection Act ◦FIRREA
  • 23. FCA Retaliation: Scope of Coverage ◦ Protects: ◦ Employees; ◦ Contractors; and ◦ Agents
  • 24. FCA-Protected Conduct ◦ Two forms of protected conduct: ◦ lawful acts done by the employee contractor, agent or associated others in furtherance of an action under this section; ◦ or other efforts to stop one or more violations of the FCA
  • 25. FCA-Protected Conduct ◦In furtherance of a qui tam action: ◦Investigating a potential FCA violation ◦Opposing an FCA violation internally ◦Reporting a FCA violation to the government ◦Assisting a qui tam relator
  • 26. FCA-Protected Conduct ◦ Efforts to stop an FCA violation: • The focus of the second prong is preventative—stopping “violations” – and it is met if the whistleblower demonstrates that they took lawful measures to stop or avert what they reasonably believed would be a violation of the FCA. • The purpose of second prong is to untether protected efforts from the need to show that a FCA action is in the offing. • “[A] layperson should not be burdened with the ‘sometimes impossible task’ of correctly anticipating how a given court will interpret a particular statute.” Singletary v. Howard Univ., No. 18-7158, 2019 WL 4554535 (D.C. Cir. Sept. 20, 2019).
• 27. Protections for Whistleblowers Working for Government Contractors
◦ Federal Information Security Management Act (FISMA) creates information security requirements for federal agencies.
◦ Federal acquisition regulations codify cybersecurity and data privacy requirements applicable to federal contractors.
◦ Requires a systemic approach to data security that includes baseline controls and a risk assessment procedure.
◦ A security plan must document the controls.
• 28. Federal Information Security Management Act (FISMA)
FISMA requirements include:
◦ Federal contractors must keep an inventory of all information systems.
◦ Contractors must categorize information and information systems according to risk. See “Standards for Security Categorization of Federal Information and Information Systems,” FIPS 199.
◦ Contractors must have a current information security plan that covers controls, cybersecurity policies, and planned improvements.
◦ Contractors must consider an organization’s particular needs and systems and then identify, implement, and document adequate information security controls. See NIST SP 800-53 (identifying suggested cybersecurity controls).
◦ Contractors must assess information security risks. See NIST SP 800-30.
◦ Contractors must conduct annual reviews to ensure that information security risks are minimal.
• 29. Duty Speech/“Step Out” Defense
◦ Malanga v. NYU Langone Med. Ctr., 2015 WL 7019819 (S.D.N.Y. Nov. 12, 2015) (FCA) (duty speech doctrine invalid post-FERA).
◦ United States ex rel. Reed v. KeyPoint Government Solutions, No. 17-1379 (10th Cir. Apr. 30, 2019).
  ◦ Senior quality control analyst discovered fraud while performing her job duties and reported it through her chain of command.
  ◦ Not protected because her job duties may have required her to seek remedial action from employees other than her direct supervisor.
• 30. FCA-Prohibited Retaliation
◦ A prohibited adverse action occurs when an employee is:
  ◦ discharged;
  ◦ demoted;
  ◦ suspended;
  ◦ threatened;
  ◦ harassed; or
  ◦ in any other manner discriminated against in the terms and conditions of employment.
• 31. FCA-Prohibited Retaliation: Constructive Discharge
◦ If an employer ignores or fails to remediate a whistleblower’s internal disclosures, does that constitute constructive discharge?
◦ Smith v. LHC Grp., Inc., 727 F. App'x 100 (6th Cir. 2018).
  ◦ Smith raised concerns about employees altering reimbursement paperwork and making false representations about staffing for the purpose of admitting patients.
  ◦ As Director of Nursing, Smith was concerned about potential prosecution and jeopardizing her nursing license.
  ◦ The company ignored her disclosures and failed to take remedial action.
  ◦ Requiring an employee “to engage in activity she considers illegal and immoral” may create intolerable working conditions sufficient for constructive discharge.
• 32. Post-employment retaliation
◦ United States ex rel. Felten v. William Beaumont Hospital, No. 2:10-cv-13440 (6th Cir. March 31, 2021).
  ◦ Felten brought a qui tam alleging kickbacks to physicians for referrals of Medicare patients.
  ◦ After the qui tam settled for $84.5M, Felten pursued a retaliation claim alleging he was terminated and blacklisted, i.e., his former employer disparaged him to nearly 40 prospective employers.
• 33. Post-employment retaliation
◦ No temporal qualifier accompanies “employee” in 3730(h).
◦ Half of the proscribed retaliatory acts – “threatened,” “harassed,” and “discriminated” – are not restricted to a current employment relationship and can refer to former employees.
◦ Discrimination in the “terms and conditions of employment” includes conditions of employment that can persist after an employee’s termination.
◦ “If employers can simply threaten, harass, and discriminate against employees without repercussion as long as they fire them first, potential whistleblowers could be dissuaded from reporting fraud against the government.”
• 34. Post-employment retaliation
◦ Potts v. Center for Excellence in Higher Education, Inc., 2018 WL 5796963 (10th Cir. Nov. 6, 2018).
  ◦ After Potts resigned, the operator of a for-profit college sued her for disparaging them to the Commission of Career Schools and Colleges concerning alleged deceptions in maintaining accreditation.
  ◦ Potts alleged that the suit against her violated the FCA’s anti-retaliation provision.
  ◦ Held: FCA retaliation proscribes retaliation only against current employees, not former employees.
• 35. FCA: Causation
◦ Courts require a showing of “but for” causation.
◦ The “but for” causation standard “means a defendant cannot avoid liability just by citing some other factor that contributed to its challenged employment decision.” Bostock v. Clayton Cty., 590 U.S. __ (2020), slip op. at *6.
◦ The plaintiff's protected activity or characteristic(s) “need not be the sole or primary cause of the employer’s adverse action.” Id. at *14.
• 36. FCA Retaliation Remedies
◦ Reinstatement
◦ Two times the amount of back pay
◦ Uncapped special damages:
  ◦ Emotional distress
  ◦ Reputational harm
  ◦ Humiliation
• 37. FCA Retaliation Remedies
◦ In lieu of reinstatement, a judge can award front pay to compensate the plaintiff until such time as they can regain their former career track.
  ◦ Get expert analysis and testimony about career damage.
  ◦ Track mitigation efforts.
  ◦ Analyze available comparable positions.
  ◦ Document harm to reputation.
• 38. FCA Retaliation Procedure
◦ Three-year statute of limitations
◦ Heightened pleading standard does not apply
◦ No exhaustion requirement
◦ Retaliation claim can be brought under seal with a qui tam action
• 39. National Defense Authorization Act (NDAA) Retaliation Provisions
◦ DoD, NASA, and Coast Guard contractors: 10 U.S.C. § 2409
◦ Contractors of other agencies: 41 U.S.C. § 4712
• 40. NDAA Scope of Coverage
◦ Covers employees of nearly all government contractors, subcontractors and grantees, and personal services contractors.
◦ Excludes contractors of intelligence agencies.
• 41. NDAA-Protected Conduct
◦ Broad scope of protected conduct:
  ◦ Violation of law, rule, or regulation relating to federal contracts, including competition for or negotiation of a contract;
  ◦ Gross mismanagement, gross waste of federal funds, abuse of authority; or
  ◦ Substantial and specific danger to public health or safety.
• 42. NDAA-Prohibited Retaliation
◦ NDAA whistleblower provisions bar a broad range of retaliatory acts, including:
  ◦ discharging;
  ◦ demoting; or
  ◦ otherwise discriminating against a whistleblower.
• 43. NDAA Causation and Affirmative Defense
◦ “Contributing factor” causation
  ◦ Knowledge and timing suffice
  ◦ (WPA standard)
◦ Same-decision affirmative defense must be proven by clear and convincing evidence
• 44. NDAA Remedies
◦ Reinstatement;
◦ back pay;
◦ uncapped compensatory damages (emotional distress damages); and
◦ attorneys’ fees and costs.
• 45. NDAA Procedure
◦ Must file initially with OIG.
◦ Complainant can remove to federal court 210 days after filing.
◦ OIG investigates and issues a report.
◦ Not later than 30 days after receiving the IG report, the agency head is required to act on the findings.
◦ Contractors and grantees have 60 days from the issuance of an order to appeal to the Circuit Court.
• 47. FCA Anti-Retaliation Provision vs. Sections 827 and 828 of NDAA

| | FCA Anti-Retaliation Provision | Sections 827 and 828 of NDAA |
|---|---|---|
| Coverage | Employee, contractor, or agent | Employee of a contractor, subcontractor, or grantee/personal services contractor |
| Protected Conduct | Lawful acts done by the employee, contractor, agent or associated others 1) in furtherance of an action under the FCA or 2) other efforts to stop 1 or more violations | Violation of law, rule, or regulation related to a federal contract; gross mismanagement of a federal contract or grant; gross waste of federal funds; abuse of authority relating to a federal contract or grant; substantial and specific danger to public health or safety |
| Administrative Exhaustion | File directly in federal court | Must file initially at OIG; can remove to federal court after 210 days |
| Causation Standard | “But for” causation (not sole factor) | Contributing factor |
| Damages | Double back pay, reinstatement, special damages (emotional distress damages and harm to reputation), attorney fees | Back pay, reinstatement, special damages, attorney fees |
| Statute of Limitations | 3 years | 3 years |
• 48. Pleading Considerations
◦ With the exception of a hostile work environment claim, each adverse action has its own statute of limitations (although time-barred acts are still evidence).
◦ Administrative exhaustion requirement for each adverse action.
◦ Split of authority about the pleading standard at administrative agencies.
◦ Advantages and disadvantages to pleading multiple claims.
• 50. Sarbanes-Oxley Act (SOX)-Protected Conduct
Section 806 of SOX protects a disclosure about any conduct that the whistleblower reasonably believes violates:
◦ federal criminal prohibitions against securities fraud, bank fraud, mail fraud, or wire fraud;
◦ any rule or regulation of the SEC; or
◦ any provision of federal law relating to fraud against shareholders,
when the information or assistance is provided to, or the investigation is conducted by:
◦ a federal regulatory or law enforcement agency;
◦ Congress; or
◦ a person with supervisory authority over the employee.
• 51. SOX-Protected Conduct
◦ “Reasonable belief” standard:
  ◦ Disclosure of a potential violation is protected.
  ◦ Complainant need not allege shareholder fraud.
  ◦ No magic words required (e.g., fraud or misrepresentation).
  ◦ Complainant no longer needs to show that their disclosures “definitively and specifically” relate to the relevant laws.
  ◦ Reasonable but mistaken belief is protected.
• 52. SOX Protections for Cybersecurity Whistleblowers
◦ Disclosures relating to inadequate data security and inadequate control over financial reporting can constitute SOX-protected activity.
◦ “Data security, approvals, and segregation of duties are controls that exist to ensure the accuracy of financial reporting.” See Thomas v. Tyco Int’l Mgmt. Co., LLC, 262 F. Supp. 3d 1328, 1336 (S.D. Fla. 2017).
• 53. SOX Protections for Cybersecurity Whistleblowers
◦ Some cybersecurity disclosures are not protected under SOX.
◦ Reilly v. GlaxoSmithKline, LLC, 820 F. App'x 93, 96 (3d Cir. 2020).
  ◦ Reilly identified and pressed for resolution of concerns about access authorization and server stability.
  ◦ Asserted that his disclosures implicated weaknesses in internal controls and could lead to inaccurate financial reporting, in violation of SEC rules.
  ◦ Third Circuit held that Reilly’s disclosures do not “‘relate in an understandable way’ to any of section 806's enumerated forms of fraud.”
• 54. Scope of adverse actions
◦ DOL construes adverse actions broadly:
  ◦ threat of retaliation;
  ◦ “outing” a whistleblower;
  ◦ constructive discharge;
  ◦ harassment.
◦ Most anti-retaliation laws employ the Burlington Northern materiality standard.
• 55. “Outing” a whistleblower
Halliburton, Inc. v. Admin. Review Bd., 771 F.3d 254, 259 (5th Cir. 2014)
◦ Merely “outing” a whistleblower is an adverse action under SOX.
◦ “[The] targeted creation of an environment in which the whistleblower is ostracized is . . . in effect, a potential deprivation of opportunities for future advancement.”
◦ Menendez resigned and did not suffer economic loss.
◦ ALJ awarded special damages.
• 56. SOX contributing factor causation
Palmer v. Canadian National Railway, ARB No. 16-035, ALJ No. 2014-FRS-154 (ARB Sept. 30, 2016) (en banc)
◦ “Contributing factor” = protected activity played some role—even an insignificant or insubstantial role—in the adverse action.
◦ Decision-maker knowledge of the protected activity and close temporal proximity will suffice to prove causation in some cases.
◦ Whistleblower need not prove pretext.
• 57. Contributing factor causation
◦ Palmer: “We want to reemphasize how low the standard is for the employee to meet, how ‘broad and forgiving’ it is. ‘Any’ factor really means any factor. It need not be ‘significant, motivating, substantial or predominant’ — it just needs to be a factor.”
◦ Potential forms of proof:
  ◦ temporal proximity;
  ◦ the falsity of an employer’s explanation for the adverse action;
  ◦ inconsistent application of an employer’s policies;
  ◦ the employer’s shifting explanations for its actions; or
  ◦ animus toward the whistleblower’s protected activity.
• 58. Same-decision affirmative defense
◦ In contrast to Title VII, not a burden of production.
◦ What is “clear and convincing evidence”?
  ◦ Not enough for the employer to show that it could have taken the same action; it must show that it would have taken the same action.
  ◦ Quantified, the probabilities might be in the order of above 70%.
  • 60. Distinctions Between Section 806 of SOX and Section 922A of Dodd-Frank
• 61. CFPA Whistleblower Protection Law
◦ 12 U.S.C. § 5567
◦ Covers any individual performing tasks related to the offering or provision of a consumer financial product or service.
◦ Protects disclosures concerning any act or omission that the employee reasonably believes to be a violation of any CFPB regulation or any other consumer financial protection law that the Bureau enforces.
◦ Burden-shifting framework, remedies and procedures similar to Section 806 of SOX.
• 62. CFPA Regulation of Cybersecurity and Data Privacy
◦ CFPB is authorized to enforce the prohibition against any unfair, deceptive, or abusive act or practice in connection with consumer financial products and services.
◦ In 2016, CFPB took enforcement action against Dwolla, Inc. for deceiving consumers about its data security practices. CFPB did not allege a data breach or data leak.
◦ Section 502 of Gramm-Leach-Bliley prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties.
◦ Implementing regulations impose data privacy requirements.
• 63. FIRREA Whistleblower Protection Law
◦ Financial Institutions Reform, Recovery and Enforcement Act (FIRREA) anti-retaliation provision, 12 U.S.C. § 1831j
◦ Prohibits retaliation against employees of FDIC-insured institutions for reporting to any Federal banking agency or the AG:
  ◦ a possible violation of any law or regulation; or
  ◦ gross mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety.
◦ Internal disclosures not protected
◦ Private right of action with 2-year SOL
◦ Remedies include reinstatement, compensatory damages, and “other appropriate actions to remedy any past discrimination.”
• 65. STATE WHISTLEBLOWER PROTECTION LAWS
◦ Several states have enacted some form of a whistleblower protection law protecting private sector employees.
◦ New Jersey and California statutes are robust.
◦ Some of the statutes do not protect internal disclosures.
◦ State whistleblower protection laws that protect disclosures of state law violations protect disclosures about violations of state data privacy law.
• 66. Virginia whistleblower protection law
◦ Va. Code § 40.1-27.3
◦ Effective July 1, 2020
• 67. Protected conduct
◦ Refusing an employer’s order to perform an action that violates any federal or state law or regulation when the employee informs the employer that the order is being refused for that reason; or
◦ Providing information to or testifying before any governmental body or law enforcement official conducting an investigation, hearing, or inquiry into any alleged violation by the employer of federal or state law or regulation.
• 68. Prohibited retaliation
◦ The statute proscribes a broad range of retaliatory acts, including discharging, disciplining, threatening, discriminating against, or penalizing an employee, or taking other retaliatory action regarding an employee’s compensation, terms, conditions, location, or privileges of employment, because of the employee’s protected conduct.
• 69. Remedies
◦ A whistleblower can bring a claim under the Virginia Whistleblower Protection Law within one year of the retaliatory adverse action.
◦ The court may order as a remedy to the employee:
  ◦ an injunction to restrain a continuing violation;
  ◦ reinstatement to the same or an equivalent position held before the employer took the retaliatory action; and/or
  ◦ compensation for lost wages, benefits, and other remuneration, together with interest, and attorneys’ fees and costs.
• 71. State FCAs
◦ 31 states have enacted FCAs similar to the federal FCA, most of which have similar prohibitions against retaliation.
◦ State contracts often include FISMA requirements.
• 73. Wrongful Discharge Tort
◦ 42 states recognize a common law wrongful discharge tort action/public policy exception to at-will employment.
◦ States vary on protecting internal disclosures and remedying retaliatory personnel actions other than termination.
◦ Most protect refusal to engage in illegal activity and exercising a statutory right.
◦ Jury trial
◦ Punitive damages
• 74. Wrongful Discharge Tort
◦ Split of authority as to whether a statutory remedy preempts a wrongful discharge claim.
◦ Some states, such as CA, permit whistleblowers to pursue both statutory and common law remedies.
◦ In WA, an alternative remedy preempts a wrongful discharge claim only when the alternative remedy provides an exclusive remedy.
• 75. $4.3 Million Verdict in Reverse Hacking Wrongful Discharge Case
◦ Shawn Carpenter, former network security analyst at Sandia National Laboratories, was awarded $4.3 million by a New Mexico jury for wrongful termination.
  ◦ Terminated for his independent probe of a network security breach.
  ◦ Used hacking techniques to trace attacks back to a Chinese cyberespionage group.
  ◦ Shared information from his investigation with the Army Counterintelligence Group and the FBI.
  ◦ Sandia fired him for inappropriate use of confidential information.
• 77. False Claims Act Qui Tam
◦ Whistleblower qui tam cases have led to the recovery of more than $56 billion in taxpayer funds.
◦ 80 percent of the cases brought under the FCA are initiated by whistleblowers.
• 78. False Claims Act Qui Tam
◦ First-to-file bar
◦ Public disclosure bar and original source exception
◦ Filed under seal
◦ Relator share:
  ◦ If government intervenes, 15 to 25 percent
  ◦ If government declines to intervene, 25 to 30 percent
◦ Heightened pleading requirement
• 79. Cybersecurity False Claims Act Settlements
United States ex rel. Glenn v. Cisco Sys. Inc.
◦ In 2019, Cisco Systems paid $8.6 million to settle an FCA claim alleging it sold a video surveillance system that contained security weaknesses that hackers could exploit to access the software managing video feeds.
◦ Relator Glenn worked at a networking company that was a Cisco partner and reported the security risks to his employer and to Cisco’s Product Security Incident Response Team (PSIRT).
◦ PSIRT never responded, even after Glenn followed up, and Cisco continued to sell the system to DHS, Navy, Army, FEMA, and other federal customers.
◦ Case was brought under the federal FCA and the FCAs of 15 states and DC.
◦ Glenn received 20% of the settlement.
• 80. SEC Whistleblower Program
◦ Whistleblower voluntarily provides the SEC with original information about violations of the federal securities laws.
◦ Information provided must lead to a successful SEC action resulting in monetary sanctions exceeding $1 million.
◦ Also awards independent analysis.
◦ Award can range from 10% to 30% of collected sanctions.
• 81. SEC Whistleblower Program
◦ Three core facets:
  ◦ Whistleblower can file anonymously through counsel;
  ◦ SEC enforces prohibition against retaliation; and
  ◦ SEC prohibits companies from impeding whistleblowing.
• 82. SEC Whistleblower Program
◦ 40,000 tips
◦ FY20: 6,900 tips
◦ $800 million paid to 155 whistleblowers
◦ Whistleblower disclosures have led to more than $3.5 billion in monetary sanctions, including $1.5 billion of disgorgement of ill-gotten gains, half of which was returned to investors.
• 83. SEC Whistleblower Program
◦ 81% of corporate insiders who received awards in FY 2020 raised their concerns internally prior to reporting to the SEC.
◦ Approximately 40% of whistleblowers who received awards during FY 2020 were outsiders not affiliated with the entity about which they were reporting.
◦ Since the inception of the program, approximately 68% of award recipients were current or former insiders of the entity about which they reported a violation to the SEC, and 84% raised their concerns internally before reporting to the SEC.
  • 84. RESPONDING EFFECTIVELY TO EMPLOYEE CONCERNS & MITIGATING THE RISK OF RETALIATION CLAIMS
• 85. How to Identify Potential Whistleblower Complaints
◦ The conduct a whistleblower protection law protects typically tracks the law’s subject matter.
  ◦ For example, the FCA concerns government fraud, so employees who complain about issues related to perceived government fraud have protection.
◦ So, when an employee complains about potential violations of law having to do with cybersecurity and data privacy, they are potentially engaging in protected activity.
• 86. How to Respond to Whistleblower Complaints
◦ DON’T
  ◦ Assume the employee is confiding in you as a friend
  ◦ Tell the employee they must put the complaint in writing
  ◦ Promise confidentiality
  ◦ Minimize, trivialize, or excuse the conduct complained of
  ◦ “Pretaliate”
  ◦ Ignore the complaint
  ◦ Treat it just like any other employee complaint
• 87. How to Respond to Whistleblower Complaints
◦ DO
  ◦ Encourage reporting
  ◦ Be vigilant and continuously confirm compliance with the law
  ◦ Maintain the employee’s anonymity to the greatest extent possible
  ◦ Conduct a thorough and unbiased investigation
  ◦ Properly document complaints and the investigation of complaints
  ◦ Take corrective action, if necessary
• 88. How to Respond to Whistleblower Complaints
◦ Why Encourage Reporting?
  ◦ Gives you the opportunity to fix the problem internally
  ◦ Employees are statistically less likely to go directly to the government if they report internally
  ◦ Helps you identify those who have actual knowledge vs. malcontents or conspiracy theorists
  ◦ Minimizes exposure to liability
  ◦ Involves counsel early on
  ◦ Shows good faith
• 89. How to Respond to Whistleblower Complaints
◦ How to Encourage Reporting?
  ◦ Have a clear policy on how to report fraud, etc.
  ◦ Create an anti-retaliation policy for whistleblower conduct
  ◦ Train your employees/managers on the policy and laws like the FCA/Dodd-Frank/SOX, etc.
  ◦ Make employees feel comfortable about reporting suspected wrongdoing
  ◦ Appoint a compliance officer/establish a compliance program
  ◦ Establish anonymous reporting channels – hotlines, etc.
• 90. How to Respond to Whistleblower Complaints
◦ Conduct Internal Investigations – Practical Reasons
  ◦ To ensure fairness in the administration of policies
  ◦ To confirm compliance with legal/contractual requirements
  ◦ To obtain a full, objective understanding of the facts
  ◦ To address & stop problems before they escalate
  ◦ To continuously improve
• 91. How to Respond to Whistleblower Complaints
◦ Conduct Internal Investigations – Legal Reasons
  ◦ To meet the employer’s burden to take appropriate measures to prevent wrongful or illegal conduct
  ◦ To fulfill the organization’s legal requirements
  ◦ To meet contractual or regulatory requirements
  ◦ To meet program requirements
  ◦ To develop a defense to claims
• 92. How to Respond to Whistleblower Complaints
◦ Conduct Internal Investigations – Other Reasons
  ◦ Compliance with internal policies
  ◦ Electronic monitoring/acceptable use policies
  ◦ NLRA issues
  ◦ Preservation of documents/evidence
  ◦ If complaints end up being meritless, take steps to limit the employee’s access to certain documents so they cannot develop a qui tam suit
• 93. Avoiding Retaliation Claims
Best Practices:
◦ Thoroughly document all employee performance issues
◦ Use complaints as a way to continually confirm compliance
◦ Have a clear whistleblower policy and FOLLOW IT!
◦ Include whistleblowers in the process
◦ Encourage the employee to maintain confidentiality, but do not outright forbid or discourage them from reporting to the government
• 94. Avoiding Retaliation Claims
Best Practices:
◦ Offer whistleblowers continued assistance if they experience any problems
◦ Unless absolutely necessary, do not inform the whistleblower’s supervisors of the complaint and/or investigation
◦ Share the results of the investigation with the whistleblower
◦ Train management on policies, retaliation, and the pertinent laws
• 95. Avoiding Retaliation Claims
If you take action against a whistleblower, make sure decisions:
◦ are based on legitimate, nondiscriminatory business reasons
◦ comply with company policies
◦ are consistent as to similarly-situated people
◦ are defensible based on business reasons that can be readily articulated
◦ are supported by clear, reliable documentation
• 96. Avoiding Retaliation Claims
◦ Use the validity of the employee complaint as a guide for how to take action
◦ If the complaint has merit, consider:
  ◦ taking time to fully investigate the complaint prior to taking action
  ◦ crafting a performance improvement plan with clearly cognizable performance goals
  ◦ offering severance with a general release
◦ If the complaint has no merit, consider:
  ◦ cutting off access to information that could be used to support a claim
  ◦ formally documenting results and providing a report to the employee/whistleblower prior to taking action
• 98. Invalid “Gag Clauses” Barring Whistleblowing
◦ Blatant contractual provisions barring whistleblowing to regulators or law enforcement have always been unlawful.
◦ Post-Dodd-Frank, there is a sea change in barring provisions that have the effect of impeding lawful whistleblowing.
• 99. Invalid “Gag Clauses” Barring Whistleblowing
◦ Exchange Act Rule 21F-17
◦ “No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.”
• 100. Invalid “Gag Clauses” Barring Whistleblowing
◦ SEC has taken steps to combat contractual provisions:
  ◦ requiring employees to waive possible whistleblower awards;
  ◦ prohibiting employees from disclosing the subject of an internal investigation; and/or
  ◦ requiring notice prior to responding to an inquiry from the SEC.
• 101. FY2021 NDAA
◦ Section 883 of the National Defense Authorization Act (NDAA) for Fiscal Year 2021 amends the Defense Contractor Whistleblower Protection Act (DCWPA) by prohibiting DoD from awarding a contract to a contractor that requires its employees to sign a confidentiality agreement “that would prohibit or otherwise restrict such employees from lawfully reporting waste, fraud, or abuse related to the performance of a Department of Defense contract to a designated investigative or law enforcement representative of the Department of Defense authorized to receive such information.”
◦ Section 883 requires DoD contractors to inform their employees of this limitation on confidentiality agreements, i.e., inform them of their right to lawfully report waste, fraud, abuse, and other wrongdoing.
• 102. OSHA 9/15/16 Guidance
OSHA guidelines barring provisions that impede whistleblowing:
◦ Provisions that require employees to waive the right to receive a monetary award from a government-administered reward program.
◦ Provisions that require the employee to advise the employer before voluntarily communicating with the government.
◦ Provisions that require the employee to affirm they have not previously provided information to the government.
• 104. Whistleblower Rewards Claims
◦ Identify specific, original information.
◦ Establish a material violation.
◦ Do not delay reporting, but be patient during the investigation.
◦ Provide a roadmap for a successful enforcement action.
◦ Provide strong investigative leads.
◦ Don’t provide privileged information.
◦ Respect the seal in a qui tam.
• 105. Whistleblower Retaliation Claims
◦ Investigate before blowing the whistle
◦ Ideally, engage in written protected conduct and identify the specific facts evidencing a potential violation
◦ Identify and plead all retaliatory acts
◦ Avoid having unclean hands, e.g., be cautious gathering evidence
◦ Document reputational harm and emotional distress
◦ Identify all potential claims to maximize damages
◦ Exhaust administrative remedies