Dallas Hammer on the Rise of Cybersecurity Whistleblowing

You are a Chief Information Security Officer (CISO) at a major multinational corporation.

Dallas Hammer Zuckerman Law

The company’s security controls are seriously lacking.

Employees are sharing passwords and sharing sensitive client data across unsecured networks.

You start raising red flags but are ignored.

You raise the decibel level and senior management starts seeing you as the problem.

You are let go.

What recourse do you have?

Companies that ignore and retaliate against employees who address cybersecurity vulnerabilities are facing increased liability resulting from a new breed of whistleblower claims – cyber whistleblowing.

That’s according to Zuckerman Law’s Dallas Hammer.

Hammer has carved out a niche practice representing cybersecurity whistleblowers.

Cybersecurity whistleblowing has garnered little attention in the press. That’s primarily because corporations are settling the cases behind closed doors.

Hammer himself has settled about a dozen such cases. And he estimates that there may be more than a hundred such cases that have been settled in the last few years.

Are there any reported cases out there on cybersecurity whistleblowing?

“There are a few,” Hammer told Corporate Crime Reporter in an interview last week. “One is a case in 2011 called Prioleau. That case is about an employee who raised cybersecurity concerns about two policies that contradicted each other. He raised those through his chain of command. He was ignored and experienced retaliation. The question was whether blowing the whistle on these cybersecurity issues qualified for protection under the Sarbanes-Oxley Act, which was originally passed with more of a focus on corporate and audit fraud.”

“The Administrative Review Board of the Department of Labor found that such a disclosure was in fact protected.”

“When you ask — do we have reported cybersecurity cases — the answer is no. These types of cases had been ad hoc determinations. They were not looking at the cybersecurity aspects, but looking at the facts of the case. We are now seeing an awareness of these cybersecurity issues. And these issues can fall within the protection of the statutes.”

Do you have any cases that will be made public and make some news?

“No, because that’s where we are right now. I am not a management side lawyer. Management side also sees this theory as viable and sees the convergence of the law in this area. So far, I have experienced a willingness on the other side to settle these claims early on.”

You mean corporations are willing to settle these cases?

“Exactly.”

Have you settled any cases?

“I have settled them all.”

How many have you settled?

“In the neighborhood of a dozen.”

None of them have been made public?

“That’s correct. They have all been pre-filing settlements.”

You can’t be the only lawyer settling these cases. So maybe there have been a hundred settled cases that have received no public notice?

“That is probably a fair estimation — if not more.”

When will one of these cases go public?

“Well that’s the thing. The management side recognizes this theory as a viable theory. Cases settle when the facts are good — 90 percent of the time. The only time cases will go to trial will be if there is a fundamental disagreement about liability, whether liability is going to attach, or how much should be paid in damages. The fact that corporations are willing to settle these cases shows that they recognize that these are meritorious claims.

“You are not likely to see a claim go to trial until there is a bad breakdown between the parties about the value of the claim, or more likely there is going to be some aspect of this theory that will be challenged.”

“These corporations know that if they are found liable against a whistleblower who disclosed very serious cybersecurity issues and that led to the exposure of the client’s and customer’s confidential information, that is going to have a negative impact on their business. So, it’s probably going to take a big breakdown in negotiations or in the view of the case before we see anything like this go to trial.”

What percentage of your practice is cybersecurity whistleblowing?

“It’s still in the minority — maybe 20 percent at any given time. But it has been increasing over the last year.”

Given that these cases are not publicized, how do cybersecurity executives find you?

“That’s why I like to do interviews to get the word out about these issues. Often, cybersecurity executives don’t think they are protected. It is not widely publicized. Often, my clients don’t know they have rights. They are looking to find out what their rights are. It’s important that we do outreach.”

There was a story last week about Chinese hackers who hacked into major American corporate law firms. They tried to get into a number of law firms, but only succeeded in getting into two law firms, I believe.

“It makes you wonder. Despite the prominence of this issue, so many businesses across all industries are just woefully behind in this area, as are many government agencies. It’s an issue where I would not be surprised at all. I would love to be a fly on the wall there. But I have no insight into that case.”

Obviously, the Democratic National Committee was exposed. Do you have any DNC clients?

“I can’t acknowledge whether I have any DNC clients or not.”

How close have you come to going to trial on these cases?

“Typically speaking, when we have come close to litigation it has been about the value of the claim, not the theory of liability. And that is one thing that is interesting to me. I have had some pushback as to whether a particular disclosure is going to be covered, whether it meets the criteria. As far as the overall premise that cybersecurity issues can be covered under these laws because they touch on issues regulated by the securities laws, I haven’t seen much pushback on that at all.”

Are you dealing with major American corporations?

“All across the board. Medium sized firms all the way up to multinational corporations.”

What drew your interest to cybersecurity?

“I have always been very interested in information technology as a general matter. I do a little bit of programming as a hobby. I was personally affected by the Target hack, as many people were. I was shocked at the dearth of explicit protections for people trying to come forward and try and stop these problems before we get to a mega breach.”

“What we have seen in other contexts — for example, fraud on the government in general — is that when people start to listen to whistleblowers, it does help fix the problem. It brings a new set of eyes — eyes that are in a position to know things that outside regulators do not know, that the public at large does not know. It helps fix the problem. When I saw this gap between the law and these emerging issues, that’s when I started to take notice.”

[For the complete q/a format Interview with Dallas Hammer, see 31 Corporate Crime Reporter 2(14), Monday January 9, 2017, print edition only.]

Copyright © Corporate Crime Reporter