Misleading or Incomplete Cybersecurity Disclosures
The whistleblower protection provision of the Sarbanes-Oxley Act provides robust protection to cybersecurity whistleblowers, and indeed some SOX whistleblowers have achieved substantial recoveries.
Leading whistleblower law firm Zuckerman Law has issued a guide to the SOX whistleblower protection law: Sarbanes-Oxley Whistleblower Protection: Robust Protection for Corporate Whistleblowers. The guide summarizes SOX whistleblower protections and offers concrete tips for corporate whistleblowers based on lessons learned during years of litigating SOX whistleblower cases.
The goal of the guide is to arm corporate whistleblowers with the knowledge to effectively combat whistleblower retaliation, avoid the pitfalls that can weaken a SOX whistleblower case, and formulate an effective strategy to obtain the maximum recovery.
Dallas Hammer is a leading cybersecurity whistleblower attorney who has helped whistleblowers disclose significant wrongdoing concerning cybersecurity, information security, and data privacy. He has also written extensively about protections for cybersecurity whistleblowers, including the following publications:
- The Rise of Cybersecurity Whistleblowing, NYU Law Compliance & Enforcement Blog (December 2016)
- Cybersecurity Whistleblowing: What Employees at Public Companies Should Know Before Reporting Information Security Concerns, ISSA Journal (June 2016)
- Effective Cybersecurity and Data Protection Legislation Should Protect Whistleblowers, NYU Law Compliance & Enforcement Blog (May 2019)
Hammer explained that raising concerns about cybersecurity issues qualifies for protection under the Sarbanes-Oxley whistleblower law. He cited as an example the Prioleau whistleblower case: “That case is about an employee who raised cybersecurity concerns about two policies that contradicted each other. He raised those through his chain of command. He was ignored and experienced retaliation. The question was whether blowing the whistle on these cybersecurity issues qualified for protection under the Sarbanes-Oxley Act, which was originally passed with more of a focus on corporate and audit fraud. The Administrative Review Board of the Department of Labor found that such a disclosure was in fact protected.”