The Securities and Exchange Commission recently announced several sanctions against eight financial services firms whose cybersecurity breaches exposed the personal information of thousands of their employees and clients. Due to deficiencies in the cybersecurity policies at these firms, unauthorized third parties were able to gain access to firm email accounts and expose Personally Identifying Information (PII). Besides failing to follow security procedures to protect email accounts in the first place, a group of firms failed to notify affected parties in a timely manner. Another group of investment advisory firms promptly notified affected customers but did not implement cybersecurity countermeasures until almost two years after the incident. The third advisory firm had a mere 15 email accounts breached, which affected almost 5,000 customers, and it also failed to implement procedures to prevent further incidents in a timely manner. The SEC levied total penalties of $750,000 against the firms, with commentary that planning to implement security measures is not a substitute for actually implementing security measures in order to protect consumers’ information.
Cybersecurity-related fraud is another area where we should expect to see enhanced False Claims Act activity. With the growing threat of cyberattacks, federal agencies are increasingly focused on the importance of robust cybersecurity protections. Where such protections are a material requirement of payment or participation under a government program or contract, the knowing failure to include such protections could give rise to False Claims Act liability. Whistleblowers who successfully report such cybersecurity fraud can expect to receive at least 15% of the government’s recovery.
Appreciating that “cyber threats pose a significant and increasing risk to our national security, our economic security, and our personal security,” the Department of Justice is focused on “developing the next generation of prosecutors with the training and experience necessary to combat the next generation of cyber threats.”
Before cybersecurity incidents grow to the point of requiring legal intervention, whistleblowers can help protect the government and consumers by reporting deficiencies in cybersecurity procedures. The SEC Whistleblower Reward Program “strongly encourage[s] the public (including whistleblowers) to submit any tips, complaints, and referrals (TCRs).”