Cybersecurity is an increasingly important field of whistleblower law. In recent years, lack of awareness among top business leaders has facilitated a number of hacks and data breaches. In today’s data-driven work environment, strong cybersecurity policies and practices are essential to data security. By failing to protect even small amounts of information, organizations can violate federal law and be subjected to sanctions.
Despite the importance of online security in both the private and public sectors, many professionals are not aware of their legal rights when it comes to blowing the whistle on cybersecurity violations. Although there are currently no federal laws directly covering cybersecurity whistleblowing, cybersecurity whistleblowers often qualify for a number of federal and state statutory protections.
In the video below, Katz Banks Kumin partner Alexis Ronickher breaks down the laws that can protect cybersecurity whistleblowers in both the public and private sectors.
Depending on where you live, you may have a state law retaliation claim if you blow the whistle on cybersecurity problems. The majority of states protect whistleblowers from wrongful termination, although each state's law is different. States often have laws that expressly protect cybersecurity, so you may have a strong legal hook based on the state law claim. Some states require you to report externally to law enforcement or the appropriate regulatory agencies. Others also protect internal reports. Some states require you to report or refuse to engage in criminal conduct. If you live in a state that criminalizes cybersecurity breaches, that conduct may be sufficient to fulfill such a requirement.
You may also have a retaliation claim under the False Claims Act if your company falsely represents its cybersecurity posture or risks to the US government as part of its efforts to win a government contract.
While there are no specific laws that protect cybersecurity whistleblowers, Sarbanes-Oxley and the Dodd-Frank Act most likely protect you. The SEC has made clear through its guidance, its statements, and now through enforcement actions, that cybersecurity is a securities issue. If you work for a public company and raise issues in cybersecurity, you are likely protected by SOX and the Dodd-Frank Act, particularly if the company is fraudulently representing its cybersecurity posture to induce other businesses or customers to do business with it, or if it has publicly misrepresented its cybersecurity risk in its SEC filings or public statements.