The United States government has placed whistleblowers at the epicenter of the emerging cyberspace battle. There is no question that the battle is ramping up, with new threats every day. Just this week, President Biden issued a warning to the private sector to strengthen its cyber-defenses in response to the growing threat of the Russian government issuing cyberattacks against U.S. companies in retaliation for U.S. sanctions placed on Russia after its invasion of Ukraine. The President noted that “[t]he magnitude of Russia’s cyber capacity is fairly consequential and it’s coming.”
Lax cybersecurity protocols pose a dire threat to critical infrastructure, trade secrets, and financial data in the United States. The banking industry saw a 1318% increase in ransomware attacks in 2021, cloud-based attacks increased by 630% between January and April 2020, and Cybersecurity Ventures expects that global cybercrime costs will grow to $10.5 trillion by 2025.
In this environment, insider information is invaluable, and whistleblower programs have become instrumental to the Government’s enforcement efforts. The Department of Justice (DOJ), the Securities and Exchange Commission (SEC), and the Office of the Comptroller of the Currency (OCC) have established whistleblower programs, and the Federal Trade Commission (FTC) has recently proposed its own. Each of these agencies has vowed to monitor cybersecurity more vigilantly.
First, in October 2021, DOJ announced the Civil-Cyber Fraud Initiative to fight cybercrimes using the False Claims Act. In announcing the initiative, Deputy Attorney General Lisa Monaco stated “[t]he Civil Cyber-Fraud Initiative will utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients. The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The act includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursing fraudulent conduct and to share in any recovery and protects whistleblowers who bring these violations and failures from retaliation.” Following the announcement, attorneys from DOJ have expressly called on whistleblowers to assist the government in rooting out cyber-fraud, noting that the initiative is an attempt by DOJ “to conduct outreach and training to encourage…relators’ counsel…to bring [DOJ] good cases that DOJ can pursue.”
While the initiative is recent, the Government has had strict cybersecurity guidelines for over a decade. In 2012, the General Services Administration established the FedRAMP program which requires government cloud service providers to continuously monitor their systems to detect any attacks or potential attacks and to mitigate high-risk vulnerabilities within 30 days. Similarly, in November 2020, the Department of Defense promulgated DFARS 252.204-7019, requiring contractors to complete a cybersecurity self-assessment before receiving new Department of Defense contracts. These material regulations are incorporated into many Government contracts. Consequently, a contractor’s failure to implement these policies is a violation of the False Claims Act.
Second, the SEC has enforced against lax cybersecurity policies and procedures for years. In September 2015, the SEC settled charges that R.T. Jones violated Rule 30(a) of Regulation S-P, the “safeguards rule,” when it failed to adopt written policies and procedures to adequately protect customer information. More recently, in August 2021, the SEC sanctioned eight firms for violating the safeguards rule related to similar failures to protect customers’ personally identifiable information.
In addition, in February 2022, the SEC proposed new rules related to cybersecurity risk management applicable to registered investment advisers, registered investment companies and business development companies. The proposed rules require that registered funds disclose in their registration statement any significant cybersecurity incidents within the last two fiscal years, notify the Commission within 48 hours of discovering a significant cybersecurity incident, and require the board of directors approve all cybersecurity policies and procedures.
Third, the OCC collaborated with the Federal Deposit Insurance Corporation and the Board of Governors of the Federal Reserve System to issue a final rule whereby, beginning in April 2022, banking organizations must notify its primary federal regulator of “computer-security incidents” that rise to a “notification event,” within 36 hours.
Finally, in October 2021, the FTC adopted changes to its own “safeguards rule” to include more specific criteria for how financial institutions must keep customer information secure, including limiting who can access consumer data and using encryption.
These programs and rules allow whistleblowers to illuminate areas that are often inaccessible to outsiders and law enforcement.
 For example, the court in U.S. ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., 2:15-CV-02245, Dkt. No. 155 (E.D. Cal. Feb. 1, 2022), denied summary judgment on relator’s promissory fraud claim when “defendants made false statements regarding [its] cybersecurity status by not disclosing the full extent of [its] noncompliance with the DFARS and NASA FARS clauses.” Id. at p. 10.