By Alexis H. Ronickher, a partner in the law firm of Katz, Marshall & Banks, LLP, a whistleblower and employment law firm that represents employees.
Hackers and cyber criminals are targeting pharmaceutical and biotech companies at ever increasing rates. These companies are choice marks because they are a treasure trove of valuable digital data—filled with proprietary information about patented drugs, pharmaceutical advances and technology, and personal information belonging to patients.
The 2017 Merck breach shows just how crippling these attacks can be. In June 2017, Merck fell victim to NotPetya, a malware attack believed to be sponsored by the Russian intelligence agency, that locked up most if not all of Merck’s computers and servers. The result was devastating. The attack stopped work at the company for weeks, temporarily shut down a vaccine factory, and resulted in a reported $1.3 billion in losses and costs for the company.
While not as catastrophic, other cyberattacks demonstrate just how widespread the problem is in the pharmaceutical and biotech industries. In 2019, Charles River Laboratories, a biopharma company, disclosed that a highly sophisticated, well-resourced intruder harvested data from around 1% of its clients that included the identity of the therapeutic targets of its clients and other potentially valuable data. Roche and Bayer also confirmed that they were impacted by cyberattacks believed to be tied to the Chinese government, although neither company reported the loss of sensitive data. Even during the COVID-19 pandemic, leading cybercrime gangs have refused to halt attacks on pharmaceutical companies even while promising to halt attacks on the rest of the healthcare industry.
Retaliation Fears Can Chill Reports
One of the most effective ways for companies to shore up their cybersecurity posture and avoid a devastating data breach is for employees to identify and report cybersecurity vulnerabilities. Employees are less likely to report cybersecurity problems if they view the report as at best futile, or at worst dangerous. According to a recent study by HR Acuity, a third of employees who identified inappropriate, illegal, or unethical behavior declined to report it. The top reasons cited for not coming forward were not trusting that the matter would be handled appropriately and fear of retaliation.
This fear of retaliation will be an even stronger deterrent now that the country faces unprecedented levels of unemployment due to the pandemic. At a time when millions of Americans simultaneously face unemployment, even the most stalwart cybersecurity professionals may choose to stay quiet rather than jeopardize their jobs.
Legal Protections for Cybersecurity Whistleblowers
For workers to feel empowered to report concerns they identify, they must understand the legal protections available to them. This is particularly true for workers in the pharmaceutical and biotech industries, which have had such a public history of whistleblower retaliation.
Like many other types of pharma whistleblowing, there is no federal statute specifically designed to protect cybersecurity whistleblowers. Instead, there is a patchwork of federal and state laws that together can protect whistleblowers from retaliation when their reports about data security concerns implicate certain industries or laws.
There are over half a dozen federal and state laws that provide protections to workers in the cybersecurity space—which are detailed in the Cybersecurity Whistleblower Protections Guide. Two avenues of relief are the most likely to protect pharmaceutical and biotech cybersecurity whistleblowers who face retaliation: the Sarbanes-Oxley Act (SOX) and state anti-retaliation laws.
Broadly speaking, SOX prohibits employers from retaliating against employees of publicly traded companies or their contractors who report fraud or violations of rules and regulations promulgated by the U.S. Securities and Exchange Commission (SEC). A company may commit fraud in the context of cybersecurity by, for instance, materially misrepresenting its cybersecurity capabilities or vulnerabilities to clients, customers, investors, or regulators.
The SEC has repeatedly made clear by issuing guidance documents in 2011 and 2018 that publicly traded companies have cybersecurity obligations under federal securities laws. Among other obligations, public companies are required to disclose to investors material information about cybersecurity risks and cyber incidents. This means that companies not only must inform investors when they have experienced a cyberattack but must also notify investors when a circumstance exists that exposes the company to a meaningful risk of such an attack. For example, if a publicly traded pharmaceutical company learns that its data has been hacked—like Charles River Labs did in 2019—it likely needs to disclose that incident to investors. If a company did not disclose or lied about the nature, size, or scope of the attack, a whistleblower may engage in SOX-protected activity by reporting, either internally or to an appropriate governmental authority, that her employer was covering up or mischaracterizing the cyberattack.
Another form of cybersecurity-related fraud occurs when a company materially misrepresents its cybersecurity posture to clients or customers to secure contracts or business opportunities. An example is a publicly traded pharmaceutical or biotech company that misrepresents the robustness of its cybersecurity posture to secure a joint venture with another company. A whistleblower who reported such fraudulent representations also may have engaged in SOX-protected activity.
In the SOX context, “materiality” is an important concept for whistleblowers to bear in mind. Courts are likely to find that single-employee violations of cybersecurity rules or policies are not sufficiently “material” – i.e., important – to constitute violations of the relevant statutes and regulations. As a result, a whistleblower who reports that her coworker emailed a file to his personal email address is unlikely to garner protections under the whistleblower laws. Rather, issues that are likely to be material to investors and regulators are those that are either systemic in nature or known to company leadership and highly impactful.
The second avenue for relief is state wrongful discharge and anti-retaliation laws. While state employment laws vary widely, some states have passed laws that provide broad protections from retaliation when an employee reports a violation of federal or state law. Even in states without these statutory whistleblower laws, many courts have created a cause of action to protect employees who are terminated for some reason that violates “public policy.” The breadth of what constitutes a “public policy” for the purposes of a wrongful discharge claim is inconsistent among the states. Courts in many states, however, have found that an employer violates public policy when it terminates an employee because that employee reported a violation of the law. Such claims of wrongful termination in violation of public policy have the potential to extend what constitutes “protected activity” – i.e., activity for which an employee is protected from retaliation – to reports of a wide array of federal and state statutes and regulations.
As just one example, the Health Insurance Portability and Accountability Act, better known as HIPAA, is a federal law that protects health information. The law does not provide a right of action for an employee who is terminated for reporting HIPAA violations to sue in court. Nevertheless, both New Jersey and California law protects employees from retaliation for blowing the whistle on violations of both state and federal law. An employee in either of those states may have a claim for retaliation if she finds herself demoted or terminated for reporting that the pharmaceutical company she worked for had failed to adequately safeguard protected health information.
How to Safely Blow the Whistle
When blowing the whistle about cybersecurity vulnerabilities and breaches, it is critical for an employee to frame her reports in a way that implicates a legal violation that will garner legal protections from subsequent retaliation. It is not the time to beat around the bush or leave it to the reader to understand that the whistleblower is concerned about legal violations. If the whistleblower is concerned that the company is engaged in fraud, she should expressly say so. If she is concerned that the company’s cybersecurity vulnerabilities are jeopardizing the protected health information (PHI) of clinical participants in violation of HIPAA, she needs to expressly say so. It can be scary and uncomfortable to be so direct, but it will provide more protection than if the whistleblower only raises the cybersecurity problem without connecting it to any potential illegalities.
Putting the report in writing can provide valuable proof of protected activity. Employers frequently defend themselves against retaliation claims by arguing that the employee never reported legal violations, but rather reported a standard IT problem, complained about a business decision, or merely advocated for an alternative approach. Putting the report in writing weakens that defense. It is critical that the tone of the report be professional and that the whistleblower make the report to someone who can address the problem, such as a supervisor or a compliance officer. Reports to coworkers will generally be insufficient to provide legal protection. It is also important to remember that under some laws, a whistleblower is protected only if she reports the problem externally to law enforcement or other appropriate government officials.
A whistleblower also needs to tread carefully when taking company documents or data to substantiate a violation of the law. Doing so can backfire and jeopardize the whistleblower’s legal protections or could even result in criminal prosecution. A whistleblower can generally review documents to which she has access in the normal course of business, but if she searches through a document, computer server, or even a filing cabinet that she does not have a right to access, she may be giving the company a non-retaliatory basis for terminating her. A whistleblower may also be tempted to retain incriminating company documents if the company discharges the whistleblower after she has blown the whistle. The law governing such conduct is unsettled, so it is best for a whistleblower to consult with a whistleblower attorney about retaining such company documents.
Whistleblower Reward Programs
Pharma cybersecurity whistleblowers also should be aware that the SEC administers a whistleblower program that provides rewards to whistleblowers who submit information about violations of the securities laws. In 2018, the SEC settled with Altaba, formerly Yahoo!, for $35 million based on the company’s misleading investors by failing to disclose one of the world’s largest data breaches. Under the SEC whistleblower program, a whistleblower with information about similar misconduct could submit that information and be eligible for a reward of 10 to 30% of the recovered monies provided there were monetary sanctions that totaled more than $1 million. More information on this and other whistleblower rewards programs can be found in the Guide linked above.
Given the patchwork coverage for cybersecurity whistleblowers, an employee who finds herself considering blowing the whistle about cybersecurity, whether internally or externally, should seek experienced legal representation as soon as possible. If a whistleblower consults with a knowledgeable attorney prior to blowing the whistle, the attorney can advise the whistleblower on which, if any, whistleblower laws might protect her and what she must do to ensure she qualifies for protection.
Legal representation is even more critical if the whistleblower is terminated. The whistleblower should not sign a severance agreement prior to discussing her case with a knowledgeable attorney. Such an agreement will almost surely release all claims the whistleblower has against her employer, and depending on the facts of the case, the whistleblower may have a strong claim for more compensation than the employer initially has offered.