The Law Firm of Piacentile, Stefanowski & Malherbe LLP

Cybersecurity and Whistleblowers

Cyberspace crime and fraud have been on an uprise during the last several years. Given the dramatic changes brought on by the digitalization of so many industries, including cryptocurrencies in the finance world, this trend will continue into the foreseeable future. Maintaining a secure cyberspace is particularly difficult due to various factors, including the ability of malicious actors to operate from anywhere in the world and the varied and multiple links that exist between cyberspace and the real world. Given these characteristics, cyberspace crime and fraud can take many forms, including phishing scams, theft of personal data to then be sold to third parties or held for ransom, and the theft of both public and private sector confidential information and trade secrets. In our digital age, both the government and private companies need to step up to protect any digital data they possess and any technological and digital platforms they use.

At the federal level, the United States Department of Justice (DOJ) recently announced that the False Claims Act (FCA) will be used as a weapon to fight fraud in affecting the nation's cybersecurity. Originally enacted during the Civil War to combat defense contractor fraud, the FCA will now be used to combat cybersecurity fraud involving government contractors. When making this announcement, the DOJ announced the creation of an initiative to combat these types of frauds: the Civil Cyber-Fraud Initiative. Under this initiative, the DOJ will be prosecuting government contractors that provide cybersecurity services if they knowingly provide deficient products or services to the federal government. The misrepresentation of cybersecurity practices and protocols can also lead to actions against these contractors. Lastly, the DOJ indicated that liability could arise if contractors do not meet their obligations of monitoring and reporting cybersecurity breaches and incidents.

To respond to threats in cyberspace, the Cybersecurity & Infrastructure Security Agency (CISA) was created in 2018 as a component of the Department of Homeland Security. Specifically, the CISA is tasked with eliminating and reducing threats to U.S. cyber infrastructure. CISA has identified the following sectors as being vulnerable to cyberspace frauds and attacks: chemical industries, commercial facilities, communications companies, and infrastructure, critical manufacturing, dams, national defense, emergency services, healthcare, energy production, and transmission, financial services, food and agriculture, government facilities, information technology, nuclear reactors and waste, waste and wastewater systems, and transportation infrastructure. Of these, the healthcare industry is a prime example of a sector that is vulnerable to cyber-attacks. Given the Health Insurance Portability and Accountability Act (HIPAA), this industry has already been subject to various complex cybersecurity requirements. Given the DOJ’s recent announcement though, federal contractors in this field will have to ensure that, in addition to complying with HIPAA requirements, any claims submitted for payment to the federal government do not run afoul of the FCA. Failure to do so can lead to enforcement actions. Under the FCA, this means the possibility of treble damages and statutory civil penalties for each submitted false claim.

In its fight against cyberspace fraud and crime, the government will greatly depend on whistleblowers. As has always been the case under the FCA, the government rarely has all the necessary information to successfully prosecute those who commit fraud. In many instances, only whistleblowers have the required evidence and information required for a case to be successful. To promote whistleblowers coming forward, the FCA provides financial rewards. When a whistleblower, or a relator as they are defined in the statute, files a case under the FCA, they are entitled to a percentage of any eventual recovery made by the government. This percentage is usually between 15–25% but can be as high as 30% in certain circumstances. Additionally, the FCA includes an anti-retaliation provision, protecting whistleblowers if their employers take any adverse actions against them for blowing the whistle.

Although cyberspace frauds prosecuted under the FCA will soon come to light, the Securities and Exchange Commission (SEC) has already carried out enforcement actions against registered broker-dealers and investment advisors for not adopting effective cybersecurity policies and procedures. The SEC has also proposed new rules concerning cybersecurity. The proposed rules would apply to public companies, establishing reporting requirements surrounding material cybersecurity breaches. Companies subject to the proposed rules would also need to periodically disclose summaries of adopted cybersecurity policies and procedures. Similar rules were also recently proposed, but applicable to registered investment advisors and registered investment companies. All of these demonstrate the SEC’s intent on maintaining an investment market where effective policies and procedures are adopted by all players to avoid cybersecurity breaches.

Of relevance, the SEC has a whistleblower program. Under this program, whistleblowers can come forward with information on violations of the statutes and rules administered by the Commission. Like the FCA, this program provides rewards to whistleblowers that come forward with material information. These awards range from 10–30% of the sanctions collected by the SEC, based on the provided information. Although the previously discussed rules have not been adopted, once they are, whistleblowers can come forward under the SEC whistleblower program with material information concerning cybersecurity matters and expect to be rewarded for doing so.

If you have information on cyberspace fraud or deficiencies in cybersecurity policies and protocols, be they in publicly traded companies or related to services and products provided by government contractors, please contact our firm. Our attorneys will be able to fully evaluate your matter, determining what protections and financial incentives you may be entitled to if you decide to blow the whistle. Evaluation is free of charge and completely confidential.