The SolarWinds hack has become the latest harsh reminder that federal law should protect cybersecurity whistleblowers against retaliation. The breach could be among the worst on record, and the full extent of the damage is not yet known. And news reports suggest that SolarWinds management failed to heed warnings about cybersecurity risks back in 2017.
Many data breaches could be prevented if employees were empowered to report vulnerabilities and press for remediation without fear of reprisal. In light of this, though it already has a crowded agenda, the 117th Congress should promptly enact robust protections for cybersecurity whistleblowers.
Information security and data privacy whistleblowers are often in a position to identify and remedy vulnerabilities—and therefore prevent breaches—if only decision makers would act on their concerns. In our practice representing cybersecurity whistleblowers, we find that chief information security officers (CISOs) and other information security professionals too often encounter indifference or retaliation when they raise concerns. It is no surprise, then, that information security professionals are sometimes reticent to press their concerns.
The SolarWinds breach is illustrative. In December, news broke that hackers had exploited the company’s software to breach the internal networks of at least 200 SolarWinds customers, including federal agencies. Years before, the company’s security adviser, Ian Thornton-Trump, disclosed detailed information security concerns to SolarWinds management. When management was unresponsive, Thornton-Trump felt compelled to resign.
We need conscientious and thorough professionals like Thornton-Trump to push their employers to resolve information security vulnerabilities or data privacy noncompliance. At minimum, would-be whistleblowers should be protected from retaliation for having the courage to come forward.
Federal Law Is Lacking
However, no federal law currently protects cybersecurity whistleblowers as such. Some existing whistleblower protection laws provide only inadequate, limited protection, such as the Sarbanes-Oxley Act’s protection for disclosures about securities fraud (e.g., a public company failing to disclose a data breach) or False Claims Act protection for disclosures about fraud on the government (e.g., a company knowingly selling the government vulnerable software).
But all too often, cybersecurity whistleblowers fall through gaps in the existing patchwork of whistleblower protection laws. For example, in an unpublished decision issued in the summer of 2020, the U.S. Court of Appeals for the Third Circuit held that the Sarbanes-Oxley Act’s whistleblower protection provision does not protect disclosures about information security vulnerabilities.
In that case, the employee identified and pressed for the resolution of concerns about access authorization and server stability. At trial, he argued that he reasonably believed those concerns evidenced an undisclosed material weakness in internal controls and could have led to inaccurate financial reporting, in violation of SEC rules. The court disagreed, reasoning that the employee’s disclosures did not relate to any of the enumerated laws within the ambit of Sarbanes-Oxley Act protected conduct.
In another example, in December, a Department of Labor administrative law judge ruled against an employee who brought a whistleblower retaliation claim under the Sarbanes-Oxley Act based on his reports of various data privacy and cybersecurity concerns. The judge held the employee failed to show his information security concerns “could form the basis of a violation or potential violation of a law, rule, or regulation enumerated” in the law’s whistleblower protection provision.
These cases are fact dependent and similar disclosures could be protected under different circumstances. However, these decisions underscore why a specific cybersecurity whistleblower protection law is urgently needed, especially in light of the current heightened public information security crisis and the pivotal role that whistleblowers can play in preventing cyberattacks.
Thankfully, Congress does not have to start from scratch. Federal legislators have proposed no fewer than seven data privacy bills, including Sen. Maria Cantwell’s (D-Wash.) Consumer Online Privacy Rights Act (COPRA). COPRA is a great bill in no small part because it provides a strong whistleblower protection provision consistent with recommendations we have made for several years to protect data privacy and cybersecurity whistleblowers.
The bill would achieve that objective by protecting the disclosure of information relating to what the whistleblower reasonably believes to be a violation of any provision of COPRA, including disclosures about information security practices.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Dallas Hammer is a principal at Zuckerman Law and leads the firm’s cybersecurity whistleblower practice. He routinely represents CISOs and other information security professionals in cybersecurity and data privacy whistleblower matters.
Jason Zuckerman is a principal at Zuckerman Law in Washington, D.C., where he litigates whistleblower retaliation claims and represents whistleblowers in whistleblower rewards matters at the SEC, CFTC, IRS, and DOJ.