Companies that experience a cyber breach face several immediate and difficult challenges: quickly getting a handle on the scope of the breach, making sure that the intruder is out of their system, remediating any vulnerability, assessing what data was accessed (if any), deciding whether to reach out to law enforcement, determining whether any mandatory notification obligations have been triggered, and weighing whether to make any voluntary notification to regulators, customers, investors, etc. One thing companies should consider adding to that list is potential whistleblowers.
The Sarbanes-Oxley Act (“SOX”), 18 U.S.C. § 1514A, protects whistleblowers when they disclose information they reasonably believe to relate to alleged mail, wire, bank, or securities fraud, or violations of SEC rules and regulations. When a publicly traded company experiences a major cyber event but delays notification (as has been alleged against Equifax), a whistleblower could alert the SEC to that fact in an effort to claim a reward under the SEC’s whistleblower program.