September 2, 2021. The Securities and Exchange Commission recently announced several sanctions against financial services firms whose cybersecurity breaches resulted in personal information exposure for thousands of employees and clients of those eight firms. Due to deficiencies in the cybersecurity policies at these firms, unauthorized third parties were able to gain access to firm email accounts and expose Personally Identifying Information (PII). Besides failing to follow security procedures to protect email accounts in the first place, a group of firms failed to timely notify affected parties. Another group of investment advisory firms promptly notified affected customers but did not implement cybersecurity countermeasures until almost two years after the incident. The third advisory firm had a mere 15 email accounts breached which affected almost 5,000 customers, and they also failed to timely implement procedures to prevent further incidents. The SEC levied total penalties of $750,000 against the firms, with commentary that planning to implement security measures is not a substitute for actually implementing security measures in order to protect consumers’ information.
Cybersecurity-related fraud is another area where we should expect to see enhanced False Claims Act activity. With the growing threat of cyberattacks, federal agencies are increasingly focused on the importance of robust cybersecurity protections. Where such protections are a material requirement of payment or participation under a government program or contract, the knowing failure to include such protections could give rise to False Claims Act liability. Whistleblowers who successfully report such cybersecurity fraud can expect to receive at least 15% of the government’s recovery.
Appreciating that “cyber threats pose a significant and increasing risk to our national security, our economic security, and our personal security,” the Department is Justice is focused on “developing the next generation of prosecutors with the training and experience necessary to combat the next generation of cyber threats.”
Before cybersecurity incidents grow to the point of requiring legal intervention, whistleblowers can help protect the government and consumers by reporting deficiencies in cybersecurity procedures. The SEC Whistleblower Reward Program “strongly encourage[s] the public (including whistleblowers) to submit any tips, complaints, and referrals (TCRs).”
Tycko & Zavareei LLP Partner and whistleblower attorney Renée Brooker will be moderating a panel on the topic of “The False Claims Act as a Weapon against Cybersecurity Breaches” at the February 2022 Federal Bar Association Qui Tam Section Annual Conference.
If you would like to report cybersecurity-related fraud, you can contact attorneys at Tycko & Zavareei LLP. Eva Gunasekera and Renée Brooker are former officials of the United States Department of Justice and prosecuted whistleblower cases under the False Claims Act. Renée served as Assistant Director at the United States Department of Justice, the office that supervises False Claims Act cases in all 94 United States District Courts. Eva was the Senior Counsel for Health Care Fraud. Eva and Renée now represent whistleblowers. For a free consultation, you can contact Renée at firstname.lastname@example.org (tel.: 202-417-3664) or contact Eva Gunasekera at email@example.com. You can also go to Tycko & Zavareei LLP’s website for whistleblowers to learn more at https://www.fraudfighters.net/.