As U.S. authorities, including the DOJ and SEC, continue to make cybersecurity an enforcement priority, whistleblowers are poised to play a key role in those efforts. Geoff Schweller, a writer at Kohn, Kohn & Colapinto, takes a closer look at the increasingly important function of whistleblowers in cybersecurity enforcement.
The DOJ’s civil cyber-fraud initiative has been increasingly active in making compliance with cybersecurity requirements a False Claims Act (FCA) enforcement priority, and qui tam whistleblowers remain crucial to FCA enforcement. At the same time, the SEC, which in 2023 adopted enhanced requirements regarding material cybersecurity incidents and reporting, relies heavily on its own whistleblower program for its enforcement efforts.
Under the FCA's qui tam provisions and the SEC whistleblower program, individuals with knowledge of a company's deficient cybersecurity practices, products or services, or of a company's failure to disclose a cyber breach, are thus empowered to blow the whistle to the government. If their whistleblowing contributes to a successful enforcement action, they may be eligible for a monetary award.
False Claims Act cybersecurity whistleblowing
In 2021, the DOJ announced the launch of its civil cyber-fraud initiative which “utilize[s] the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients.”
Potential violations of the FCA relating to cybersecurity include failing to maintain or update cybersecurity policies as agreed upon in a contract, hiding breaches or covering up breaches while under government contract and failing to store files on secure (and encrypted) networks or environments.
In a news release announcing the initiative, the DOJ notes that the FCA “includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery and protects whistleblowers who bring these violations and failures from retaliation.”
Under this qui tam provision, whistleblowers whose disclosure leads to a successful FCA enforcement action are eligible to receive between 15% and 30% of the settlement.
Since the FCA’s qui tam provisions were modernized in 1986, the FCA has been America’s No. 1 anti-fraud law, leading to the recovery of over $70 billion in taxpayer funds from fraudsters, of which more than $50 billion stemmed from whistleblower cases.
A recent FCA settlement highlights the role of whistleblowers in supporting the initiative. On Oct. 22, 2024, Penn State University agreed to pay $1.3 million to settle FCA allegations that it failed to comply with cybersecurity requirements in 15 contracts or subcontracts with the Department of Defense (DoD) or NASA.
According to the DOJ, Penn State “submitted cybersecurity assessment scores to DoD that reflected it had not implemented certain controls, but misrepresented the dates by which it would implement them and did not pursue plans of action to do so.”
The DOJ further alleged that “in performing certain of the contracts and subcontracts Penn State did not use an external cloud service provider that met DoD’s security requirements for covered defense information.”
The case stemmed from a qui tam whistleblower lawsuit filed by Matthew Decker, the former chief information officer for Penn State’s Applied Research Laboratory, and Decker is set to receive a $250,000 share of the settlement amount.
SEC cybersecurity whistleblowing
The SEC has increased its focus on internal control and disclosure requirements relating to cybersecurity threats and incidents, adopting a new rule in 2023 “requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.”
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” outgoing SEC Chair Gary Gensler has said. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
In 2024, the SEC announced a number of enforcement actions relating to cybersecurity. In June, it announced that R.R. Donnelley & Sons Company, a global provider of business communication and marketing services, agreed to pay over $2 million to settle charges that it failed to meet disclosure and internal control requirements relating to cybersecurity incidents and alerts in late 2021.
According to the SEC, the company “failed to design effective disclosure controls and procedures to report relevant cybersecurity information to management with the responsibility for making disclosure decisions and failed to carefully assess and respond to alerts of unusual activity in a timely manner.”
In August, the SEC announced settled charges against New York-based registered transfer agent Equiniti Trust Company “for failing to assure that client securities and funds were protected against theft or misuse.” According to the SEC, “those failures led to the loss of more than $6.6 million of client funds as a result of two separate cyber intrusions in 2022 and 2023.”
“[The company] failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets,” said Monique C. Winkler, director of the SEC’s San Francisco regional office. “As threat actors become more sophisticated in the cyber space, transfer agents must act to implement and maintain effective safeguards and procedures around client assets.”
Under the SEC whistleblower program, which was established with the passage of the Dodd-Frank Act in 2010, individuals may report potential securities law violations to the SEC, and may do so anonymously if they are represented by an attorney. Whistleblowers who voluntarily provide original information that leads to a successful enforcement action in which sanctions exceed $1 million are eligible to receive a monetary award of 10% to 30% of the funds collected in the action.
The SEC whistleblower program has emerged as a critical part of the commission’s enforcement efforts, resulting in over $6 billion in sanctions as of Fiscal Year 2022.