Over the second half of 2015, the U.S. Securities and Exchange Commission (SEC) began to demonstrate an increasing level of interest in cybersecurity issues, as lapses in companies’ security protections have exposed consumers to large-scale violations of personal data. In this post, we’ll take a look forward at the issues that will concern cybersecurity whistleblowers in 2016 by taking a look back at some of the key developments we wrote about in 2015.

The SEC Announces Its First Cybersecurity Enforcement Action

In this August blog post, Katz, Marshall & Banks partner Alexis Ronickher examined the SEC’s first announced enforcement action involving cybersecurity. The matter involved an elaborate insider-trading scheme wherein hackers provided stolen corporate earnings announcements to traders who then used the non-public information to place trades. The SEC estimated that the scheme generated more than $100 million in illegal profits. The blog post also outlined the SEC’s increasing focus on cybersecurity over the years since 2011, when the SEC first issued guidance emphasizing that public companies must disclose material cybersecurity risks and incidents in their SEC filings.

Cybersecurity Whistleblowers Might Be Protected Under the Law

In this article published in Corporate Compliance Insights, Katz, Marshall & Banks partners Debra Katz and Alexis Ronickher discussed the multiple “mega breaches” of corporations and government agencies that occurred throughout 2015 and offered possibilities as to why the cybersecurity issues leading to these hacks were not adequately addressed. They also outlined how cybersecurity problems could lead to violations triggering the involvement of the SEC and what steps companies might take to avoid these problems. They also described how blowing the whistle on suspected cybersecurity issues could constitute protected activity under various state and federal statutes.

SEC Fines Investment Firm for Inadequate Cybersecurity

This blog post discussed the SEC’s decision to fine investment advisor R.T. Jones Capital Equities Management Inc. $75,000 for its lack of cybersecurity protections, which ultimately allowed hackers to access the personal data of about 100,000 people in 2013. The breach, which traced back to mainland China, was possible in part because the company failed to implement elementary safety features, such as data encryption and the use of a firewall. The SEC determined that these failings violated the “safeguards rule” of the 1933 Securities Act, which requires registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information. The company agreed to pay the fine and to cease any further violations of the Act by beefing up its cybersecurity measures.

SEC Continues Focus on Cybersecurity with Second Round of Examinations

This October post discussed the SEC’s announcement of the second leg of its examination of the securities industry’s cybersecurity policies. The SEC announced that the purpose of this second round of examinations was to better understand the cybersecurity safeguards currently in place at securities firms and encourage better compliance practices. The examinations follow the Commission’s preliminary investigation, which found that a majority of broker-dealers experience cyberattacks, even though most had written policies to prevent such issues already in place. The SEC’s announcement likely signifies a more focused effort on the part of the SEC to enforce higher cybersecurity standards in the securities industry in the future.

Feds Pursue Non-Publicly Traded Company for Lax Cybersecurity

In this November blog post, Katz, Marshall & Banks partner Alexis Ronickher discussed how a cable company’s recent agreement to pay $595,000 to resolve an FCC investigation into a data breach related to cybersecurity whistleblowers in two ways. First, it shows that lax cybersecurity and a company’s failure to adequately protect customer data do not have to culminate in a mega breach to violate federal law. Second, it demonstrates that the federal government’s focus on cybersecurity is not limited to publicly traded companies.  

Looking Ahead at Cybersecurity Whistleblower Issues

As the above developments reflect, cybersecurity continued to be a hot-button issue for companies and consumers alike in 2015. We believe this trend will continue in 2016. The following are some of our predictions for cybersecurity issue in the new year.  

  • Multiple federal and state agencies will continue to be engaged in policing company’s data security efforts and failures. 
  • With these expanding governmental efforts, cybersecurity whistleblowers facing retaliation will have stronger legal claims. 
  • Companies who lash out at whistleblowers raising cybersecurity issues will be doing so at the risk of both serious data breaches and a retaliation lawsuit.