North American Securities Administrators Association Proposes Model State Whistleblower Rewards Legislation

The North American Securities Administrators Association (NASAA) announced it released for public comment a proposed model law to help states incentivize individuals to come forward to report suspected wrongful violations of state securities laws and to protect whistleblowers.  According to NASAA President and Chief of the New Jersey Bureau of Securities Christopher W. Gerold, “The intent of this model legislation is to incentivize individuals who have knowledge of potential securities law violations to report it to state regulators in the interest of investor protection . . . [i]nformation from those with knowledge of securities law violations is a valuable enforcement tool to help regulators detect financial fraud and wrongdoing.”

The SEC whistleblower program that Congress created about 10 years ago in the Dodd-Frank Act has proven effective in combatting securities fraud and protecting investors.  Since the inception of the program, the SEC has paid more than $450 million in awards to whistleblowers.  SEC enforcement actions associated with those awards have resulted in sanctions totaling more than $2 billion.  Whistleblower awards can range from 10 percent to 30 percent of the monetary sanctions collected when the sanctions exceed $1 million.

Proposed Model State Securities Whistleblower Rewards Legislation

The proposed state whistleblower rewards legislation is modeled on the Dodd-Frank Act’s SEC whistleblower rewards provisions. Some of the key features include:

  • A whistleblower could obtain 10 to 30% of the monetary sanctions collected in any related administrative or judicial action stemming from original information that the whistleblower voluntarily provides to a state securities regulator.
  • Factors that would determine the award percentage include:
    • the significance of the original information provided by the whistleblower to the success of the administrative or judicial action;
    • the degree of assistance provided by the whistleblower in connection with the administrative or judicial action; and
    • the programmatic interest of the [Securities Administrator] in deterring violations of the securities laws by making awards to whistleblowers who provide original information that leads to the successful enforcement of such laws.
  • Information that could reasonably be expected to reveal the identity of a whistleblower would be exempt from public disclosure.
  • There are approximately 11 categories of whistleblowers that would be ineligible to receive an award, including (1) a whistleblower convicted of a felony in connection with the administrative or judicial action for which the whistleblower otherwise could receive an award; (2) a whistleblower who acquires the original information through the performance of an audit of financial statements required under the securities laws; (3) a whistleblower who knowingly or recklessly makes a false, fictitious, or fraudulent statement or misrepresentation as part of, or in connection with, the original information provided or the administrative or judicial proceeding for which the original information was provided; and (4) a whistleblower who has a legal duty to report the original information.

The model legislation also includes a whistleblower protection provision that would prohibit an employer from terminating, discharging, demoting, suspending, threatening, harassing, directly or indirectly, or in any other manner retaliating against, a whistleblower because of any lawful act done by the whistleblower:

  • in providing information to the [Securities Division] in accordance with this Act;
  • in initiating, testifying in, or assisting in any investigation or administrative or judicial action based upon or related to such information; or
  • in making disclosures that are required or protected under the Sarbanes-Oxley Act of 2002 (15 U.S.C. 7201 et seq.); the Securities Act of 1933 (15 U.S.C. 77a et seq.); the Securities Exchange Act of 1934 (15 U.S.C. 78a et seq.); 18 U.S.C. 1513(e); any other law, rule, or regulation subject to the jurisdiction of the Securities and Exchange Commission; or [the Securities Act of this State] or a rule adopted thereunder.

Remedies for a whistleblower prevailing in a retaliation claim include:

  • reinstatement with the same compensation, fringe benefits, and seniority status that the individual would have had, but for the retaliation;
  • two (2) times the amount of back pay otherwise owed to the individual, with interest;
  • compensation for litigation costs, expert witness fees, and reasonable attorneys’ fees;
  • actual damages; or
  • any combination of these remedies.

Role of State Securities Regulators

Although the SEC is the primary securities market regulator and enforces federal securities laws, state securities regulators enforce “blue sky” laws designed to protect investors against fraudulent sales practices and activities that fall outside of the SEC’s jurisdiction, e.g., offerings that are not required to be registered with the SEC.  Most of the state securities laws are based on the Uniform Securities Act, which is intended to prevent the fraudulent sale of securities to investors.

Securities law enforcement at the state level plays a vital role in protecting investors.  According to the NASAA’s 2018 Enforcement Report, in 2017 state securities regulators received 7,988 complaints, took 2,105 enforcement actions, and ordered $486 million returned to investors. Incentivizing whistleblowers to report securities fraud could significantly enhance the ability of state securities regulators to protect investors.

The proposed model act is open for public comment through June 30, 2020.


© 2020 Zuckerman Law


How Business Owners Can Watch For Fraud

Fraud can quickly take down a successful business, or at the very least create significant issues for you to deal with. As a business owner, it’s important that you know how to watch for fraudulent activities by your employees. Here are a few tips for approaching the subject in your business:

Be careful who you hire

Preventing fraud begins before you even hire your employees. As you work through the selection process, be sure to investigate your potential hires, especially those who deal with finances. You can use a background check, credit report and social media check to look for any red flags.

Protect your business with anti-fraud policies

You should always have company policies in place that state that fraud is not accepted and that includes specific procedures to help prevent and deal with fraud.

Consistent analysis

Use data analysis to double-check the transactions of your business. This can help catch any errors or possible instances of fraud.

Educate your employees

Though you may have the definition of fraud and your stance against it in your company policies, that doesn’t mean that your employees are aware. Especially for new hires, create fraud education and training for them to complete.

Make it easy for whistleblowers to come forward

Create a company culture that is honest and open. This can help draw employees who are willing to call out fraud when they see it. Create procedures that allow whistleblowers to feel safe coming forward and reporting misconduct.

Watch for red flags

As an employer, it’s important to keep an eye on your employees. You have a unique opportunity to spot red flags like employees that live beyond their means or have significant financial struggles.

Don’t let any suspicious activity slide. Be sure to quickly and thoroughly address anything that you notice that could be indicative of fraud.


© 2020 by Raymond Law Group LLC.

Veterans Affairs Case Offers Clarification on WPA Burden of Proof

In Sistek v. Dep’t of Veterans Affairs, 955 F.3d 948, 954 (Fed. Cir. 2020), the Federal Circuit clarified a federal whistleblower’s burden of proving retaliation when the discrimination he alleges is not specifically identified as a prohibited personnel action in the Whistleblower Protection Act of 1989 (“WPA”), 5 U.S.C. § 2302(b)(8). The WPA protects federal employees who disclose evidence of illegal or improper government activities. Under the WPA, an agency may not take or threaten to take certain personnel actions because of a protected disclosure by an employee.

This blog reviews the elements of a WPA claim, then discusses how Sistek affects these proof requirements when the retaliation consists, in part, of subjecting the employee to an internal investigation.

Background on the Whistleblower Protection Act

To state a claim under the WPA, an employee must allege that (1) there was a disclosure or activity protected under the WPA; (2) there was a personnel action authorized for relief under the WPA; and (3) the protected disclosure or activity was a contributing factor to the personnel action. See 5 U.S.C. § 1221(e)(1). If the appellant makes out a prima facie case, the agency is given an opportunity to prove, by clear and convincing evidence, that it would have taken the same personnel action in the absence of the protected disclosure. 5 U.S.C. § 1221(e)(2); see Fellhoelter v. Department of Agriculture, 568 F.3d 965, 970–71 (Fed. Cir. 2009). The WPA is a “remedial statute,” and its terms are to be construed “broadly.” Weed v. Soc. Sec. Admin., 113 M.S.P.R. 221, 227 (2010). See also Fishbein v. Dep’t of Health & Human Servs., 102 M.S.P.R. 4, 8 (2006) (“Because the WPA is remedial legislation, the Board will construe its provisions liberally to embrace all cases fairly within its scope, so as to effectuate the purpose of the Act.”).

A. Protected Disclosures

An employee engages in a protected disclosure when he or she makes a formal or informal communication of information that he or she reasonably believes evidences “any violation of any law, rule, or regulation” or “gross mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health and safety.” 5 U.S.C. § 2302(b)(8)(A). The WPA also protects disclosures that an employee reasonably believes are evidence of censorship related to research, analysis, or technical information that the employee believes is, or will cause, either a “violation of law, rule or regulation” or “gross mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety.” Pub. L. No. 112-199, sec. 110, 126 Stat. 1465 (Nov. 27, 2012). Protected disclosures include those made to a supervisor or to a person who participated in the activity that was the subject of the disclosure, as well as those made “during the normal course of duties of an employee.” Id.; Day v. Dep’t of Homeland Sec., 119 M.S.P.R. 589, 599 (2013).

The WPA defines a “disclosure” very broadly. See 5 U.S.C. § 2302(a)(2)(D) (“‘disclosure’ means a formal or informal communication or transmission”). The relevant inquiry is whether an employee “reasonably believed” that the disclosure evinces a violation of any law, rule, or regulation; gross mismanagement; gross waste of funds; abuse of authority; or a substantial and specific danger to public health or safety. See, e.g., Miller v. Dep’t of Homeland Sec., 2009 WL 1445346 (M.S.P.B. May 4, 2009) (employee’s criticisms of new policies were protected disclosures under WPA because he reasonably believed that these policy changes would pose a substantial and specific danger to public safety).

B. Personnel Action

Under the Whistleblower Protection Act, a “personnel action” may refer to:

  1. an appointment;
  2. a promotion;
  3. an action under chapter 75 of this title or other disciplinary or corrective action;
  4. a detail, transfer, or reassignment;
  5. a reinstatement;
  6. a restoration;
  7. a reemployment;
  8. a performance evaluation under chapter 43 of this title or under title 38;
  9. a decision concerning pay, benefits, or awards, or concerning education or training if the education or training may reasonably be expected to lead to an appointment, promotion, performance evaluation, or other action described in this subparagraph;
  10. a decision to order psychiatric testing or examination;
  11. the implementation or enforcement of any nondisclosure policy, form, or agreement; and
  12. any other significant change in duties, responsibilities, or working conditions.

5 USCA § 2302(a)(2)(A). The list is comprehensive, and covers a wide swath of adverse personnel actions.

C. Contributing Factor

Under the “knowledge/timing test,” an individual may demonstrate that a protected disclosure was a contributing factor to a personnel action through circumstantial evidence, such as evidence that the official taking the personnel action knew of the whistleblowing disclosure and took the personnel action within a period of time such that a reasonable person could conclude that the disclosure was a contributing factor in the personnel action. See Atkinson v. Dep’t of State, 107 M.S.P.R. 136, 141 (2007) (citing 5 U.S.C. § 1221(e)(1)).

However, whistleblowing activities may still be a contributing factor in the taking or failure to take a personnel action, even absent evidence that the deciding official had knowledge of the whistleblowing activities. See Dorney v. Dep’t of Army, 117 M.S.P.R. 480, 485–86 (2012). If the deciding official was influenced by one with knowledge of the whistleblowing activities, then such activities may be a contributing factor to personnel actions under the WPA. Id.

Sistek v. Dep’t of Veterans Affairs

A. Facts and Procedural History

Between 2012 and 2014, Leonard Sistek, Jr., then-director at the Department of Veterans Affairs (“VA”), disclosed information to agency staff, one of his supervisors, and the VA’s Office of the Inspector General (“OIG”) about inappropriate financial practice within the VA. Shortly thereafter, his supervisor appointed an Administrative Investigation Board (“AIB”) to investigate unrelated misconduct within the organization. His supervisor formally added Mr. Sistek as a subject of the investigation.

The AIB investigation found that the management team, which included Mr. Sistek, failed to report allegations about an inappropriate sexual relationship between two other staff members, and it recommended that Mr. Sistek receive “an admonishment or reprimand.” Consistent with the recommendation, Mr. Sistek’s supervisor issued a letter of reprimand in August 2014. In January 2015, without explanation, Mr. Sistek’s second-level supervisor rescinded the letter of reprimand and expunged it from Mr. Sistek’s record. In March 2015, the OIG confirmed that the concerns previously raised by Mr. Sistek were justified, and that the VA had violated appropriations law and used funds in unauthorized ways.

Mr. Sistek filed a complaint with the U.S. Office of Special Counsel (“OSC”), alleging whistleblower reprisal. After OSC issued a closure letter, Mr. Sistek filed an individual right of action appeal.

The Administrative Judge (“AJ”) considered whether the investigation and resulting letter of reprimand constituted prohibited personnel actions. The AJ determined that a retaliatory investigation is not a personnel action under the WPA and declined to order corrective action in favor of Mr. Sistek. See Sistek v. Dep’t of Veterans Affairs, 2018 MSPB LEXIS 3010 (M.S.P.B. Aug. 8, 2018). The AJ’s initial decision became the final decision of the MSPB, and Mr. Sistek petitioned the Federal Circuit for review.

B. The Federal Circuit’s Finding of Harmless Error

The Federal Circuit affirmed the Board’s decision. First, it reasoned that the WPA’s list of eleven specific personnel actions does not mention a “retaliatory investigation,” or indeed, “any investigation at all.” Sistek v. Dep’t of Veterans Affairs, 955 F.3d 948, 954 (Fed. Cir. 2020). Second, the court found that the investigation against Mr. Sistek did not significantly alter his job or working conditions, and thus did not fall within the last catchall provision of the WPA’s list of personnel actions. “[I]nvestigations may qualify as personnel actions ‘if they result in a significant change in job duties, responsibilities, or working conditions.’” Sistek, 955 F.3d at 955 (quoting S. Rep. No. 112-155, at 20 (2012)). The court elaborated that in certain circumstances, “an investigation alone could constitute a significant change in working condition,” or “a retaliatory investigation could contribute toward the creation of a hostile work environment that is actionable as a significant change in working conditions.” Id. In such circumstances, a retaliatory investigation would be a qualifying personnel action under the WPA. The Sistek Court held, however, that the investigation did not establish a significant change in working conditions because Mr. Sistek was interviewed once, did not offer evidence of a hostile work environment, and the resulting letter of reprimand was later rescinded and expunged. See id. at 956.

Third, the court considered Mr. Sistek’s effort to bring his claim within the rationale of controlling precedent on retaliatory investigations. See Russell v. Dep’t of Justice, 76 M.S.P.R. 317 (1997). In Russell, a whistleblower disclosed misconduct by two of his superiors, after which, one of the superiors initiated an investigation of the whistleblower’s conduct, resulting in disciplinary charges against the whistleblower and the whistleblower’s demotion. Id. at 321. The Board held that the agency investigation was evidence of prohibited retaliation because the investigation was “so closely related to the personnel action that it could have been a pretext for gathering evidence to retaliate, and the agency [did] not show by clear and convincing evidence that the evidence would have been gathered absent the protected disclosure.” Id. at 324. “That the investigation itself is conducted in a fair and impartial manner, or that certain acts of misconduct are discovered during the investigation, does not relieve an agency of its obligation to demonstrate by clear and convincing evidence that it would have taken the same personnel action in the absence of the protected disclosure.” Id. (citing 5 U.S.C. § 1221(e)(2)). In other words, if an agency investigation leads to an adverse personnel action, that investigation—coupled with the ensuing personnel action—is prohibited retaliation, unless the agency can demonstrate that it would have commenced the same investigation and taken the same personnel action absent the protected disclosure. “To here hold otherwise would sanction the use of a purely retaliatory tool, selective investigations.” Id. at 325.

The Sistek court acknowledged that Russell is “the Board’s foundational decision in this area,” and that the drafters of the Whistleblower Protection Enhancement Act (“WPEA”), Pub. L. No. 112-199, 126 Stat. 1465 (2012), intended that Russell would remain “governing law.” Sistek, 955 F.3d at 955. Applying Russell, the Sistek court found that the Board erred by failing to consider Mr. Sistek’s allegedly retaliatory investigation as part of its evaluation of the letter of reprimand. See id. at 957. Applying Russell, the VA’s investigation into Mr. Sistek was “so closely related” to the letter of reprimand “that it could have been a pretext for gathering evidence to retaliate.” Russell, 76 M.S.P.R. at 324. By “fail[ing] to apply Russell in evaluating the letter of reprimand,” the Board committed error. Sistek, 955 F.3d at 957.

Regardless, the Sistek Court held that the Board’s error was harmless. Id. The Court distinguished the present facts from the facts of Russell “because here there is no evidence that the official who initiated the allegedly retaliatory investigation had knowledge of any protected disclosures.” Id. The Court held that the supervisor who initiated the investigation lacked both actual and constructive knowledge of Mr. Sistek’s protected disclosures, and further, Mr. Sistek did not allege such knowledge. By failing to allege knowledge, Mr. Sistek could not demonstrate that his protected disclosure was a contributing factor to the alleged personnel action. In other words, even if the investigation and letter of reprimand were an adverse action, the WPA claim would have nonetheless failed because Mr. Sistek did not present sufficient evidence that his whistleblowing was a contributing factor in his adverse action.

Significance of Sistek

Sistek reaffirmed the holding of Russell, that a retaliatory investigation may be a prohibited personnel action if it leads to a significant change in job duties, responsibilities or working conditions; if it creates a hostile working environment; or if it is “closely related” to a personnel action under the WPA. If Mr. Sistek had demonstrated facts to meet the knowledge/timing causation test, then the Court would have remanded the case to the Board to consider whether the investigation and letter together were qualifying personnel actions. And Russell would mandate that the answer is yes.

Further, if an employee can demonstrate that an investigation was undertaken in retaliation for a protected disclosure, the WPA provides that the Board may order corrective action that includes “fees, costs, or damages reasonably incurred due to an agency investigation” that is “commenced, expanded, or extended in retaliation” for a protected disclosure or activity—i.e., a retaliatory investigation. 5 U.S.C. §§ 1214(h), 1221(g)(4).

“So long as a protected disclosure is a contributing factor to the contested personnel action, and the agency cannot prove its affirmative defense, no harm can come to the whistleblower.” Marano v. Dep’t of Justice, 2 F.3d 1137, 1142 (Fed. Cir. 1993). The WPA thus continues to protect federal whistleblowers from retaliatory investigations, and Sistek merely provides a cautionary note about establishing the causation element of such a claim.


© Katz, Marshall & Banks, LLP

Court Rules That Whistleblower Must Face Trial On Former Employer’s Claims

Life is not necessarily all skittles and beer for whistleblowers.  Sometimes, they are sued by the very companies on which they blew the whistle.  Such is the case in the ongoing case of Erhart v. Bofi Holding, Inc., 2020 U.S. Dist. LEXIS 57137.  Judge Cynthia Bashant limns the background facts as follows:

“Charles Erhart was an internal auditor for BofI Federal Bank. After Erhart discovered conduct he believed to be wrongful, he reported it to BofI’s principal regulator. BofI responded by allegedly defaming and terminating him. Erhart then filed this lawsuit for whistleblower retaliation under state and federal law. The next morning, The New York Times published an article summarizing the lawsuit’s allegations—causing BofI’s stock price to plummet. The Bank quickly commenced a countersuit against Erhart claiming he committed fraud, breached his duty of loyalty, and violated state and federal anti-hacking statutes. The Court consolidated BofI’s countersuit with Erhart’s whistleblower-retaliation action.”

In the cited decision, Judge Bashant grants in part and denies in part Erhart’s and Bofi’s motions for summary adjudication.  The ruling is lengthy and tackles a variety of issues, some of which I hope to address in future posts.  Nonetheless, a key point for whistleblowers is that Judge Bashant is allowing Bofi’s claims against Erhart to proceed to trial, albeit on a limited basis.

When “Whistleblower” First Became Figurative

Recently, I endeavored to identify the first figurative use of the term “whistleblower” in a reported California opinion.  I was surprised that the earliest case dates to the presidency of Ronald Reagan.  Interestingly, the Court addresses the very tension at the heart of Erhart:

“There is a great public interest in the truthful revelation of wrongdoing, and in protecting the ‘whistleblower’ from retaliation; there is very little public interest in protecting the source of false accusations of wrongdoing.”

Mitchell v. Superior Court, 37 Cal. 3d 268, 283, 690 P.2d 625, 634, 208 Cal. Rptr. 152, 161 (1984).  Many cases dating back to the mid 19th Century mention the blowing of whistles, but the references are to actual, not figurative, whistles.


© 2010-2020 Allen Matkins Leck Gamble Mallory & Natsis LLP


Bipartisan Group of Senators Asks Trump to Explain Reasoning for Firing IC Watchdog

Yesterday, Senator Charles Grassley (R-IA) and a bipartisan group of senators sent a letter to President Trump asking for more details regarding the firing of Intelligence Community Inspector General (IC IG) Michael Atkinson. Atkinson was responsible for alerting Congress to the whistleblower complaint that led to Trump’s impeachment.

Grassley, who serves as chairman of the Senate Whistleblower Protection Caucus, argued that Trump provided insignificant reasons for firing the government watchdog.

“Congressional intent is clear that an expression of lost confidence, without further explanation, is not sufficient to fulfill the requirements of the statute. This is in large part because Congress intended that inspectors general only be removed when there is clear evidence of wrongdoing or failure to perform the duties of the office, and not for reasons unrelated to their performance, to help preserve IG independence.”

Trump announced the termination of Atkinson on Friday, citing a lack of “confidence in the appointees serving as inspectors general.” In remarks the following day, Trump defended the decision stating, Atkinson “did a terrible job, absolutely terrible.” He also said Atkinson “took a fake report and gave it to Congress.”

The Senators stressed that “all inspectors general (IG) are designed to fulfill a dual role, reporting to both the President and Congress, to secure efficient, robust, and independent agency oversight.”

The Senators allege that the administration by-passed Congress’s “opportunity for an appropriate dialogue” “by placing the IG on 30 days of administrative leave and naming an acting replacement.”

The Senators ask that President Trump provide a detailed explanation of the removal of Inspector General Atkinson no later than April 13, 2020, and that he also explain how appointing an acting official before the end of the 30-day notice period comports with statutory requirements.

The day after his termination was made public, Atkinson described how he “faithfully discharged” his duties as “an independent and impartial Inspector General” in a statement encouraging other government whistleblowers to speak up.

Seven other senators signed the letter.



Copyright Kohn, Kohn & Colapinto, LLP 2020. All Rights Reserved.

Ben Kostyack also contributed to this article.

Cybersecurity Whistleblower Protections for Employees of Federal Contractors and Grantees

For information security professionals, identifying cybersecurity vulnerabilities is often part of the job.  That is no less the case when the job involves a contract or grant with the U.S. government.

Information security and data privacy requirements have become a priority at federal agencies.  These requirements extend to federal contractors because of their access to government data.  Often, cybersecurity professionals are the first to identify non-compliance with these requirements.  As high-profile data breaches have become more common, those who report violations of cybersecurity and data privacy requirements often experience retaliation and seek legal protection.

Reporting non-compliance or misconduct in the workplace can be necessary, but it can also be daunting.  It is important for cybersecurity whistleblowers to know their legal rights when disclosing such concerns to management or a federal agency.

In many cases, federal law protects cybersecurity whistleblowers who work for federal contractors or grantees.  This post provides an overview of those protections.

What cybersecurity requirements apply to federal contractors?

Federal contractors are subject to data privacy and information security requirements.

The Federal Information Security Management Act (“FISMA”) creates information security requirements for federal agencies to minimize risk to the U.S. government’s data.  FISMA also applies these requirements to state agencies administering federal programs and private businesses contracting with the federal government.  Federal acquisition regulations codify the cybersecurity and data privacy requirements applicable to federal contractors.  E.g., 48 C.F.R. §§ 252.204-7008, 7012 (providing for cybersecurity standards in contracts with the U.S. Department of Defense); 48 C.F.R. § 52.204-21 (outlining basic procedures for contractors to safeguard information processed, stored, or transmitted under a federal contract).

Pursuant to the FISMA Implementation Project, the National Institute of Standards and Technology (“NIST”) produces security standards and guidelines to ensure compliance with FISMA.  Key principles of FISMA compliance include a systemic approach to the data that results in baseline controls, a risk assessment procedure to refine controls, and implementation of controls.  A security plan must document the controls.  Those managing the information must also assess the controls’ effectiveness.  NIST also focuses its standards on determining enterprise risk, information system authorization, and ongoing monitoring of security controls.

Essential standards established by NIST include FIPS 199, FIPS 200, and the NIST 800 series.  Core FISMA requirements include:

  • Federal contractors must keep an inventory of all of an organization’s information systems.
  • Contractors must identify the integration between information systems and other systems in the network.
  • Contractors must categorize information and information systems according to risk. This prioritizes security for the most sensitive information and systems.  See “Standards for Security Categorization of Federal Information and Information Systems” FIPS 199.
  • Contractors must have a current information security plan that covers controls, cybersecurity policies, and planned improvements.
  • Contractors must consider an organization’s particular needs and systems and then identify, implement, and document adequate information security controls. See NIST SP 800-53 (identifying suggested cybersecurity controls).
  • Contractors must assess information security risks. See NIST SP 800-30 (recommending that an organization assess risks at the organizational level, the business process level, and the information system level).
  • Contractors must conduct annual reviews to ensure that information security risks are minimal.

In addition to generally-applicable standards, individual contracts may create other cybersecurity or data privacy requirements for a government contractor.  Such requirements are prevalent when the contractor provides information security products or services for the government.

What protections exist for cybersecurity whistleblowers who work for federal contractors?

Federal law contains whistleblower protection provisions that may prohibit employers from retaliating against whistleblowers who report cybersecurity or data privacy concerns.  See Defense Contractor Whistleblower Protection Act, 10 U.S.C. § 2409; False Claims Act, 31 U.S.C. § 3730(h); NDAA Whistleblower Protection Law, 41 U.S.C. § 4712.  These laws protect a broad range of conduct.

Protected conduct under these laws includes:

  • Efforts to stop false claims to the government;
  • Lawful acts in furtherance of an action alleging false claims to the government; and
  • Disclosures of gross mismanagement, gross waste, abuse of authority, or a violation of law, rule, or regulation related to a federal contract or grant. Id.

These provisions have wide coverage.  They protect any employee of any private sector employer that is a contractor or grantee of the federal government.  In some cases, even the employer’s contractors and agents are protected.

An employer’s non-compliance with information security requirements could breach the employer’s contractual obligations to the federal government and violate federal law and regulation.  Thus, whistleblowers who report cybersecurity or data privacy concerns related to a federal contract or grant may be protected from employment retaliation.

What is the burden to establish unlawful retaliation for reporting cybersecurity concerns?

Exact requirements vary, but an employee typically establishes unlawful retaliation by proving that (1) the employee engaged in conduct that is protected by statute, and (2) the protected conduct to some degree caused a negative employment action.  See, e.g., 10 U.S.C. § 2409(c)(6) (incorporating burden of proof from 5 U.S.C. § 1221(e)); 41 U.S.C. § 4712(c)(6) (same); 31 U.S.C. § 3730(h)(1).  

Under some of the applicable protections, an employee need prove only that the protected conduct played any role whatsoever in the employer’s decision to take the challenged employment action.  See 10 U.S.C. § 2409; 41 U.S.C. § 4712.

What damages or remedies can a cybersecurity whistleblower recover for retaliation?

The relief available depends on which laws apply to the particular case.  Remedies may include an amount equal to double an employee’s lost wages, as well as reinstatement or front pay.  In some cases, a whistleblower may also recover uncapped compensatory damages for harms like emotional distress and reputational damage.  Additionally, a prevailing plaintiff can recover reasonable attorneys’ fees and costs.

Recently, a jury awarded a defense contractor whistleblower $1 million in compensatory damages.  The whistleblower proved that the employer more than likely retaliated by demoting him after he reported issues with tests related to a federal contract, according to the jury.  Specifically, the whistleblower alleged he reported and opposed management’s directive to misrepresent the completion status of testing procedures.

In a recent case under the False Claims Act, a whistleblower received more than $2.5 million for retaliation she suffered after internally reporting off-label promotion for a drug outside its FDA-approved use.  The False Claims Act protects employees who blow the whistle on fraud against the government from retaliation, including those who blow the whistle internally to a government contractor or grantee.

Do any court cases address whether cybersecurity whistleblowers are protected?

Yes.  Judges and juries have applied these laws to protect cybersecurity whistleblowers.

For example, in United States ex rel. Glenn v. Cisco Systems, Inc., defendant Cisco Systems settled for $8.6 million in what is likely the first successful cybersecurity case brought under the False Claims Act.  The plaintiff/relator James Glenn worked for Cisco and internally reported serious cybersecurity deficiencies in a video surveillance system, soon after which he was fired.  Cisco had sold the surveillance systems to various federal government entities, including the Department of Homeland Security, FEMA, the Secret Service, NASA, and all branches of the military.  After monitoring Cisco’s public pronouncements regarding the system and confirming the company had not solved the problems or reported vulnerabilities to customers, Glenn contacted the FBI.  Multiple states joined in the complaint and brought claims under state laws.

While the case did not proceed to litigation, Glenn received nearly $2 million of the settlement, and the federal government’s attention to the issue proves that cybersecurity and data privacy are of utmost importance.

Surely, as more of our lives and businesses move online, the government will place increased importance on contractors and grantees following data security and privacy requirements and disclosing known vulnerabilities.  Cybersecurity whistleblowers working for government contractors play an important part in revealing these vulnerabilities and keeping the federal government secure.  Still, these whistleblowers may experience retaliation after blowing the whistle internally at their place of work.

How can employees enforce these protections from retaliation?

Employees generally have the right to bring claims of unlawful retaliation for cybersecurity or data privacy whistleblowing in federal court.  However, some claims limit that right to whistleblowers who first exhaust all their administrative remedies.  For example, in some cases whistleblowers will first need to pursue relief from the Office of Inspector General of the relevant federal agency.  Additionally, cybersecurity whistleblower claims are subject to strict deadlines.  See, e.g., 31 U.S. Code § 3730; 10 U.S.C. § 2409; 41 U.S.C. § 4712.


© 2020 Zuckerman Law

SEC Investigating Cyberattacks Used to Find Secret Company Mergers

SEC Investigating Cyberattacks and Insider Trading

According to Reuters, the Securities and Exchange Commission (SEC) is investigating hacks of email accounts of associates and executives that reveal information on potential mergers. The hackers use a technique known as phishing where they craft emails that trick recipients into logging into malicious websites to steal their email logins. These hacks pose a threat because fraudsters can easily use the information to engage in insider trading.

The group, known as FIN4, allegedly targeted a list of 60 companies in biotechnology, medical instruments, hospital equipment, and drugs. FireEye reported these cyberattacks in February 2014 and found that they were performed to “obtain an edge on the stock trading.” This will continue to be a problem as more businesses move over to cloud computing, which could lead to a significant increase in data breaches.

The SEC’s Office of Compliance Inspections and Examinations released a report on observations relating to cybersecurity and best practices by financial market participants. The observations are offered as guidelines for firms considering how to improve their cybersecurity preparedness and response procedures. The intent is to highlight specific examples of cybersecurity and operational resiliency practices and controls that firms are taking to safeguard against threats, and how they respond in the event of a breach. The SEC “encourages organizations to review their practices, policies, and procedures with respect to cybersecurity and operational resiliency.” See the Cybersecurity and Resiliency Observations report.

New Technology & Whistleblower Tips Root Out Insider Trading

The SEC relies on technological developments to accomplish its enforcement goals, including identifying and pursuing insider trading cases. In FY 2018, the SEC implemented a Consolidated Audit Trail, intended to enhance, centralize, and update the regulatory data infrastructure available to market regulators. Once fully implemented, the Consolidated Audit Trail will give regulators quicker access to all trade and order data, facilitating the detection of illegal trading practices, such as insider trading.

In addition to technology, the SEC has increasingly relied on whistleblower tips to identify and halt insider trading. Whistleblowers have been instrumental in exposing fraud and insider trading secrets.

SEC Rewards Whistleblowers for Exposing Insider Trading 

Under the SEC Whistleblower Program, whistleblowers are eligible to receive a reward if their original information about insider trading leads to a successful enforcement action with total monetary sanctions of more than $1 million. A whistleblower may receive an award of between 10 and 30 percent of the total monetary sanctions collected. If represented by counsel, a whistleblower may submit a tip anonymously to the SEC.


© 2020 Zuckerman Law


Are Culpable Whistleblowers Eligible to Receive SEC Whistleblower Awards?

Yes. In many circumstances, culpable whistleblowers are eligible to receive SEC whistleblower awards (see limitations below). The final rules of the SEC Whistleblower Program recognize that culpable whistleblowers enhance the SEC’s ability to detect violations of the federal securities laws, increase the effectiveness and efficiency of the SEC’s investigations, and provide critical evidence for the SEC’s enforcement actions. In fact, a speech by the former Director of the SEC’s Division of Enforcement highlighted the importance of culpable whistleblowers to the agency’s enforcement efforts:

Finally, I want to say a word about participants in wrongdoing and their ability to be whistleblowers. It is important for participants in misconduct to understand that, in many circumstances, they are eligible for awards and we would like to hear from them. Obviously, culpable insiders with first-hand knowledge of misconduct can provide valuable information and assistance in identifying participants in, transactions relating to, and proceeds of, fraudulent schemes. And, while there are safeguards built into the program to ensure that whistleblowers do not profit from their own misconduct…culpable whistleblowers can still get paid for eligible information they report that falls outside of these limitations.

SEC Whistleblower Awards to Culpable Whistleblowers

The SEC Whistleblower Program’s decision to work with, and award, culpable whistleblowers has proven to be effective in enabling the SEC to discover fraud and protect investors. To date, the SEC has issued several awards to whistleblowers who had some culpability in the violations, including:

  • On August 30, 2016, the SEC announced a $22 million award to a whistleblower who helped the agency “halt a well-hidden fraud” at the company where the whistleblower worked. The accompanying order states that the Commission considered several factors mitigating the whistleblower’s culpability in determining the appropriate percentage, but the whistleblower did not financially benefit from the misconduct.
  • On July 27, 2017, the SEC announced a $1.7 million award to a whistleblower who helped the Commission stop a “serious, multi-year fraud that would have otherwise been difficult to detect.” There were a few mitigating factors in the Commission’s determination of the whistleblower’s final award, including the fact that the whistleblower did not comply with one of the SEC’s rules, an omission which normally requires an award denial. The order stated that “certain unusual circumstances” governed this case, thus the Commission decided to waive that requirement. In determining the award amount, the Commission considered, too, the fact that the whistleblower unreasonably delayed in reporting and ultimately bore “some, albeit limited, culpability” in the fraud.
  • On September 14, 2018, the SEC announced it had reduced a whistleblower’s award to $1.5 million because the Commission found that the whistleblower unreasonably delayed in reporting the fraud, the whistleblower “received a significant and direct financial benefit,” and was culpable in the scheme. The order further details these determining factors, and explains that the whistleblower waited more than a year after learning of the facts to report the fraud and reported to the Commission only after learning of the ongoing investigation.


Limitations on SEC Whistleblower Awards to Culpable Whistleblowers

While the SEC has been clear that it welcomes information from culpable whistleblowers, the SEC Whistleblower Program has specific rules that could disqualify certain whistleblowers from receiving SEC whistleblower awards. In addition, the program has rules that could limit the size of a culpable whistleblower’s future SEC whistleblower award. Importantly, whistleblowers who are concerned about potential liability should consult with experienced SEC whistleblower attorneys before reporting information to the SEC Office of the Whistleblower. Once information is submitted to the SEC, it cannot be withdrawn.

Whistleblowers Cannot Be Convicted of a Criminal Violation

The SEC Office of the Whistleblower will not issue awards to whistleblowers who are convicted of a criminal violation in relation to an action for which they would otherwise be eligible for an award. Moreover, the SEC Whistleblower Program does not provide amnesty to whistleblowers who provide information to the SEC. The fact that a whistleblower reports information to the SEC and assists in an SEC investigation and enforcement action does not preclude the SEC from bringing an action against the whistleblower based upon their own conduct in connection with violations of the federal securities laws. If such an action is determined to be appropriate, however, the SEC will take the whistleblower’s cooperation into consideration. As noted in the speech of the former Director of the SEC’s Division of Enforcement: “There are also other potential benefits for culpable whistleblowers — in appropriate circumstances, we will take their cooperation under the whistleblower program and in our investigation into consideration in deciding what remedies, if any, are appropriate in any action we determine should be brought against the whistleblowers for their role in the scheme.”

Culpable Whistleblowers Cannot Benefit from Their Own Misconduct

Under the SEC Whistleblower Program, the SEC will issue awards to whistleblowers who provide original information that leads to enforcement actions with total monetary sanctions in excess of $1 million. A whistleblower may receive an award of between 10 and 30 percent of the monetary sanctions collected. Since 2011, the SEC Whistleblower Office has issued nearly $400 million in awards to whistleblowers. The largest SEC whistleblower awards to date are a $50 million award, a $39 million award, and a $37 million award.

While the SEC is permitted to issue awards to culpable whistleblowers, the rules of the SEC Whistleblower Program do not allow whistleblowers to benefit from their own misconduct. Specifically, for purposes of determining whether the $1 million threshold has been satisfied or calculating the amount of an award, the SEC will not count any monetary sanctions that the whistleblower is ordered to pay or that are ordered to be paid against any entity whose liability is based substantially on conduct that the whistleblower directed, planned, or initiated.

Culpability May Decrease the Size of an Award

In determining the percentage of monetary sanctions to award a whistleblower, the SEC considers various factors that may increase or decrease the size of a whistleblower’s award. One of the factors that may decrease the size of an award is the whistleblower’s culpability in the securities law violation. When making this determination, the SEC may consider the following factors:

  • the whistleblower’s position or responsibility at the time the violations occurred;
  • if the whistleblower acted with scienter, both generally and in relation to others who participated in the violations;
  • if the whistleblower is a recidivist;
  • the egregiousness of the fraud committed by the whistleblower;
  • whether the whistleblower financially benefitted from the scheme; and
  • whether the whistleblower knowingly interfered with the SEC’s investigation.

Notably, while culpability may reduce a whistleblower’s award percentage, any whistleblower who qualifies for an award under the SEC Whistleblower Program – including culpable whistleblowers – will receive at least 10% of the monetary sanctions collected in the enforcement action.


© 2020 Zuckerman Law


Who Must Protect the Ukraine-Trump Whistleblower?

As the impeachment proceedings heat up, and calls for the Ukraine whistleblower to be identified increase, there remains a fundamental question: Who has the legal responsibility to protect this whistleblower? The answer will surprise you!

There are very few laws mandating what the President, as part of his required and mandatory job duties, must perform. Guaranteeing that employees who make protected disclosures under the Intelligence Community Whistleblower Protection Act (“ICWPA”) are fully protected is one of them. The Ukraine whistleblower is a federal employee covered under the ICWPA. He or she made a protected disclosure under the ICWPA. Thus, it is up to President Trump to fully and completely protect this individual. Here’s why: The ICWPA directs that “[t]he President shall provide for the enforcement of the [Act].” It is as clear and simple as that. The President “shall” “enforce” the whistleblower law that makes it illegal to retaliate against intelligence community whistleblowers.

Every intelligence community whistleblower, whether they be a Democrat, Republican or Independent, is entitled to the same protection from the President.  In the case of the Ukraine whistleblower, the law does not permit the political implications of the whistleblower’s disclosure to have any impact on the mandatory duty of President Trump to fully “enforce” that whistleblower’s right to be free from any retaliation.  The President is required to put his biases or self-interest aside and defend the right of intelligence community whistleblowers to report abuses of authority.  This includes wherever those abuses are committed, including the Oval Office. Under the ICWPA the buck stops with President Trump, impeached or not.

Unlike other whistleblower laws which give the federal courts or independent agencies, like the Merit Systems Protection Board or the Department of Labor, the authority to protect whistleblowers, the ICWPA places that solemn duty directly on the shoulders of the President. It is the unique legal responsibility of the President. The President must ensure that the identities of the intelligence community whistleblowers who file complaints with the Inspector General pursuant to the Inspector General Act are fully protected. It is the President who must ensure that every person within the executive branch of government protects the job security of ICWPA whistleblowers. It is the obligation of the President to punish those who fail to do so.

The ICWPA anti-retaliation law is not limited simply to preventing whistleblowers from being fired. The law defines the types of “adverse action” the President must shield whistleblowers from, including “any change in working conditions.” In the case of the Ukrainian “quid pro quo” whistleblower, the catastrophic impact on the whistleblower’s ability to perform his or her job duties that would be triggered by violating his or her right to confidentiality is obvious. This would include undermining his or her ability to work overseas, be promoted to a covert agent (if not one already), or effectively interact with employees in the White House.

Furthermore, breaching the confidentiality of whistleblowers is well established as an “adverse action” under whistleblower law.  Federal courts and administrative agencies as divergent as the SEC and Department of Labor have ruled that revealing the name of a whistleblower is an adverse action.  Anyone with experience working with whistleblowers knows that once their identity is revealed, their working conditions will never be the same, and they will have a target on their back for the rest of their careers.

The procedures applicable to the Ukraine whistleblower actually informed the whistleblower, in writing, that he or she could file a confidential complaint to the Inspector General.   The actual form submitted guaranteed this right.  Once the complaint was filed and accepted by the Inspector General, the whistleblower protections afforded under the ICWPA kicked in.  As a matter of law, it became President Trump’s obligation to “enforce” the ICWPA and ensure that the Ukraine whistleblower suffer no retaliation. It became the President’s non-discretionary duty to ensure the whistleblower suffered no harm.   This may be hard to believe, but the law is the law.

Given the highly public attacks on the whistleblower emanating from the White House, it is now incumbent upon President Trump to instruct all employees within the federal government to comply with the ICWPA. He must take steps to have his Congressional supporters “stand down” and stop their continued drumbeat to “out” the whistleblower. Regardless of where you stand on impeachment, the President must enforce the requirements of the ICWPA and protect the whistleblower.

When Donald Trump signed onto the job of President, protecting intelligence community whistleblowers became one of his few mandatory job duties. Like other employees who work for the taxpayers, he may not like all of his required jobs. Like other employees, he may find some parts of his job difficult or distasteful. But he has no discretion in this matter. It is a requirement. He must ensure that the whistleblower is not retaliated against, that the whistleblower’s identity remains confidential, and that the whistleblower can continue in his or her career, free from stigma. He must hold those who retaliate accountable. That is part of the job he wanted. That is the job he must perform.


Copyright Kohn, Kohn & Colapinto, LLP 2019. All Rights Reserved.

Qui Tam Defendants’ Presentations to Government During Investigation Unprotected from Discovery in Other Lawsuits, Federal District Court Ruled

In a recent decision, a federal district court judge ruled that a defendant’s presentations to the Department of Justice, made during the course of the Department’s investigation of a pending False Claims Act qui tam lawsuit, are not protected from discovery by the whistleblower who brought that lawsuit. The case is the United States and State of California ex rel. Higgins v. Boston Scientific Corp., 11-cv-2453 (D. Minn. Aug. 28, 2019), and was decided by Judge Joan Ericksen.

The relator (the term for the whistleblower in a False Claims Act lawsuit), Higgins, alleged that Boston Scientific made certain false certifications relating to the company’s defibrillators, thereby causing physicians to submit false claims for payment relating to the use of those devices. As is usual in qui tam cases, after the lawsuit was filed, the Department of Justice opened an investigation and issued a request for documents (known as a “civil investigative demand” under the False Claims Act) to Boston Scientific. The company turned over documents to the Department, but then also created and made “presentations” to the government. While the court’s decision does not describe those “presentations,” presumably they were slideshows or other materials, put together by Boston Scientific’s lawyers, to try to convince the Department of Justice to shut down the investigation or to decline intervention in the lawsuit.

Unscrupulous companies have found many different ways to take advantage of vital government programs. The False Claims Act has been an essential weapon in the fight against government programs fraud since it was first enacted during the Civil War to combat war profiteering. The system often depends on whistleblowers telling their story with the help of an experienced False Claims Act attorney.

These private citizens bring qui tam (whistleblower) lawsuits under the False Claims Act (“FCA”), which allows them to act on behalf of the U.S. government in exposing government programs fraud committed by companies serving the federal government. Under the FCA, relators (fraud whistleblowers) receive a portion of the money that has been recovered by the government, known as the relator’s share.

After the government declined intervention in the case, Higgins decided to pursue the case on his own (which a relator is permitted to do), and he served a document request on Boston Scientific demanding production of any such presentations. Boston Scientific did not want to turn over the materials and therefore raised four separate legal objections. It was those objections that Judge Ericksen addressed in her opinion.

First, Boston Scientific objected to turning over the presentations because they were akin to “settlement negotiations” with the government, and thus not “relevant” to relator’s lawsuit. The court, however, ruled that although settlement negotiations might not be admissible at trial, they were still subject to discovery by Higgins because “they were related to his claims about the medical devices at issue.”

Second, Boston Scientific objected because “public policy” required protection of the presentations, arguing that “the government will not be able to settle False Claims Act cases if a defendant’s presentations to the government could later be revealed to relators.” Judge Ericksen, however, found nothing in the False Claims Act that supported this position. While the government might not be able to turn over such presentations under certain circumstances, nothing in the statute prevented Boston Scientific from turning them over to relator.

Third, Boston Scientific claimed an “expectation of confidentiality” in the presentations, citing a 1977 decision by the Eighth Circuit Court of Appeals. Judge Ericksen rejected that contention, finding that the earlier Circuit Court decision related to attorney-client privilege, but not to the work product doctrine. Because the materials that Boston Scientific had provided to the Department of Justice were not covered by attorney-client privilege, the company’s only argument was “work product,” and that argument was not sufficient to support its claimed “expectation of confidentiality.”

Finally, Boston Scientific argued that the work product doctrine itself protected the presentations from disclosure. Judge Ericksen easily disposed of that argument, noting that work product protection “is waived by intentional disclosure to an adversary,” and that the government was indeed Boston Scientific’s “adversary,” even though the Department of Justice later declined to intervene in the case.

The court’s decision was correct. Although Boston Scientific’s attorneys came up with several creative arguments in an attempt to protect the “presentations” from discovery, none of them had any merit. Although a defendant in a False Claims Act case is free to communicate with the Department of Justice, the defendant cannot assume that those communications will remain secret, particularly from the relator who has brought the very lawsuit under investigation by the Department. The relator is entitled to know about those communications, especially if they are relevant to the merits of the relator’s case (which they almost always will be). Accordingly, Judge Ericksen reached the correct result and established useful precedent on this recurring issue.


© 2019 by Tycko & Zavareei LLP
