#Whistleblowing – Former Twitter employee claiming cyber vulnerabilities & the million-dollar bounties potentially up for grabs

Exposed from within - we look to Twitter’s recent whistleblower experience to gain insight to the modern risks facing companies in the new social media age - noting evolving IT infrastructure, increased employee access to data as well as international bounty incentives for whistleblowers.

With the high-profile Twitter whistleblower claims presently dominating social media we are reminded of the importance of internal stakeholder management when it comes to ensuring businesses don’t subject themselves to cyber vulnerability risk. With employees and/or other stakeholders having access to significant sensitive data, the warnings are clear - organisations should be ensuring they have appropriate cyber security and data management in place, taking into account the type and volume of personal information (and proprietary information) they process and the means by which they process it. In addition to having to publicly report certain data breaches, suffering complaints and regulators own motion investigations, the risk (and impact) of internal whistleblowers should never be underestimated.

Australian businesses should be mindful of the recent increasing interest of Australian regulators including ASIC, APRA and the ACCC, in addition to the ongoing oversight of the OAIC where personal information is involved. Increasingly these government regulators are targeting lax cyber security for enforcement measures, most notably seen from ASIC in August 2021 when it commenced proceedings in the Federal Court of Australia against RI Advice Group Pty Ltd (RI), an Australian Financial Services (AFS) licence holder, for failing to have adequate cyber security systems in breach of its core obligations as an AFS licensee.

It is clear that a message is being sent to organisations in relation to cyber practices by the key regulators and this has been further bolstered by the amendments made to the Security of Critical Infrastructure Act 2018 (Cth), requiring mandatory reporting of significant cyber events in as short as 12 hours after becoming aware of them. It is therefore more imperative than ever for entities to remain prepared and have adequate strategies in place when such an incident occurs.   

Noting these developments in Australia and the recent high-profile Twitter whistleblower claims currently on foot in the US, we believe it is only a matter of time before we see a rise in whistleblower activism in Australia relating to cyber security, data protection and risk management. 

Outline of the Twitter whistleblower’s claim

Previously employed as Head of Security and reporting directly to the CEO, the Twitter whistleblower alleges that there are significant cyber vulnerabilities within the publicly listed company. These claims have been made with the assistance of Whistleblower Aid, a non-for-profit legal organisation based in the United States (US)[1]

A report of some 200-pages was provided by Whistleblower Aid to US government agencies and congressional committees, including the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC) and the Department of Justice. As a result, the FTC could investigate these claims, impose fines and potentially even find individual Twitter executives to be liable if a probe confirms they were responsible for the security lapses. Of course, this may also lead to shareholder claims for any loss of share value if a cyber incident ‘caused’ these losses which should have been prevented in the ordinary course.  

The term ‘whistleblower’ is known generally as a person who informs on an entity perceived to be engaging in an unlawful or immoral activity. In various legal jurisdictions around the world, like in the U.S, being a ‘whistleblower’ allows access to protections and sometimes even financial incentives such as ‘bounties’ for disclosures (discussed below).

U.S Bounty Whistleblower Incentives

Employees, customers and third-party vendors are increasingly taking an interest in cyber vulnerabilities, with growing concern of the harmful potential for improperly stored or badly secured data. Specifically, there is growing concern about ‘bad actors’ accessing this data due to insecure organisational cyber security practises in addition to an increasing number and value of ‘bounty’ programs.

Financial information such as credit card details, government identification documents and medical data are often targeted by these bad actors. This information is considered low hanging fruit and generally can be used to perpetuate financial fraud, identity theft as well as money laundering activities. As businesses grow rapidly, including the international footprint, we are seeing how cyber incidents attract regulatory scrutiny from foreign jurisdictions, despite the physical location of an employee or office being in Australia.

Specifically of interest are U.S publicly listed companies that may fall under laws relating to the SEC.  Significant bounty incentives exist under U.S law to encourage whistleblower activity. Of note, the SEC states directly on its website that:

The Commission is authorized by Congress to provide monetary awards to eligible individuals who come forward with high-quality original information that leads to a Commission enforcement action in which over $1,000,000 in sanctions is ordered. The range for awards is between 10% and 30% of the money collected.2

Historically the SEC’s purpose is to protect investors and maintain order in fair and efficient markets to create an environment of public trust. More than ever cyber vulnerabilities threaten the above as online infrastructure becomes, for most businesses, a necessary tool to exist and operate. It has been reported by news sources that the SEC has awarded more than $1 billion to nearly 300 whistleblowers since 2012.[3] Businesses with poor cyber security reliant on questionable legacy systems must clearly assess this ongoing regulatory risk (i.e whistleblowers seeking to earn a sizeable bounty).

The Twitter example is among the first of what we expect will be many such incidences of high profile whistleblower actions exposing the alleged insufficiency of cyber security and data protection of their organisations.

As employees are able to download significant volumes of data and share information faster than ever, it is a pertinent reminder for employers to prioritise the management of internal stakeholders, data storage and cyber security (in addition to getting their cyber security and data protection settings right). Correspondingly, for whistleblowers, it remains essential to take appropriate steps prior to making reports to ensure adequate protection is available within the applicable jurisdiction.

The Australian Position

In Australia, recent developments sought to introduce better frameworks around whistle-blowing protections. Although the intention was to encourage whistleblowing, the current laws in place are yet to incentivise the same level of activism as seen overseas. However, it is important to note that Australian laws focus on protection and allow for confidential reports to be made to regulatory bodies. Without highly visible bounties, it is difficult to assess the whistleblowing activity that is taking place in Australia.

Similar to Australia, New Zealand has also taken recent interest in enhancing Whistleblower protections, with the introduction of the Protected Disclosures (Protection of Whistleblowers) Act 2022.

In Australia the description of an eligible whistleblower in relation to business is found within PART 9.4AAA of the Corporations Act 2001 (Cth) (Corporations Act).4 Key elements to fulfil this eligibility criteria include:

• relationship to an entity;
• subject of disclosure;
• manner in which disclosure is made; and
• the reasonableness of such action.5

As an example, an eligible whistleblower in Australia could include a former employee of a financial institution making a disclosure to ASIC on reasonable grounds in relation to misconduct such as breaches to the Corporations Act.  

If a person meets the eligibility criteria specified in the Corporations Act, compensation (i.e rather than a bounty) can be awarded if the whistleblower faces detriment, including:     

• dismissal;
• harm of injury – including psychological harm;
• alteration of an employee's position or duties to their disadvantage;
• discrimination between an employee and other employees of the same employer;
• harassment or intimidation;
• damage to a person's property;
• damage to a person's reputation;
• damage to a person's business or financial position;
• any other damage to a person.6

Comparative to the U.S, Australian whistleblower laws do little (if anything) to encourage or incentivise a thriving whistleblower culture. Noting a preference to avoid financial detriment to the individual whistleblower rather than to financially incentivise their actions. That said, with the recent amendments to whistleblower laws in 2019,7 requiring eligible entities to have mandatory whistleblowing policies in place, as well as new laws in New Zealand, perhaps in time we may see a further encouragement of robust whistleblowing activity in the APAC region in line with our American counterparts. Especially if independent groups are established to support whistleblowers.    

Although cyber risks are not specifically mentioned in the Corporations Act as a subject of misconduct reportable by whistleblowers – increasingly cyber vulnerabilities are being called out as an essential part of the wider risk management required by financial institutions. For example, this is seen in recent case law developments in ASIC v RI Advice Group Pty Ltd,8 where RI Advice Group (a financial institution) was ordered to pay $750,000 to ASIC due to insufficient cyber security practices in breach of their core obligations under the AFSL. Section 912A of the Corporations Act states that a financial institution must, among other things:

1. do all things necessary to ensure financial services are provided efficiently, honestly and fairly;9 and
    
2. have adequate risk management systems (i.e including in respect of cyber security) in place.[10]

Accordingly, with growing awareness around cyber security and vulnerabilities, employees remain key allies as well as potential vulnerabilities (including as potential whistleblowers) in managing cyber risk. As the law develops, we continue to see clear messaging by regulators that consequences will arise from persistent cyber incompetence/failure to meet an appropriate standard of cyber security.

What does all this mean for Australian businesses?

As technology evolves risks continue to change. Virtual infrastructure increasingly becomes a source of value as well as a potential liability. The cost of inferior cyber crisis management is frequently underestimated, with devasting consequences in practice to reputation, customers and business relationships and bottom lines. It is imperative for entities to remain on the front foot of legal developments and have an incident response plan (implemented and drilled on) and a good risk management framework in place prior to needing them. A fire-drill done after the fire does little to prevent catastrophe and the same often applies with cyber incidents. Noting the scale of cyber incidents can often rapidly expand at an alarming rate. 

To assist with rapid response and containment of cyber related legal disputes, Australian businesses must prepare for a variety of cyber related scenarios to ensure processes are in place for rapid response. As an added benefit, putting appropriate measures in place for both pre and post incident remediation may also reduce the likelihood of whistleblowers.

“What to do now”

Questions every business should ask themselves include:

1. Who has access to sensitive data in my organisation and how is this data stored/managed?
2. What would happen to my services, customers or vendors if this data was locked, deleted or disrupted in some way?
3. What cost to the business would this disruption have (financially and reputationally) and how would this cost multiply over time?
4. Which stakeholders would be affected by cyber interruptions and which vendor contracts might this affect?
5. Are any of my clients, customers or vendors related to or include government bodies and do I have a plan in place to comply with standard notification requirements often found in government contracts?
6. Do I need to notify any government regulator or comply with mandatory reporting?
7. Do I need to notify individuals of any incident involving their sensitive personal information?
8. What deadlines exist for such notifications?
9. What consequences will happen to my business if these obligations have not been complied with?
10. Who do I need assistance from to manage stakeholder communications while maintaining the day-to-day tasks of my business?  

Finally, and after all that, the overarching business question is, if addressing all these items and implementing appropriate cyber security measures (pre and post incident) will not only enhance our reputation and build a competitive advantage but, given the increasing amount of actions and fines by regulators, will this ultimately save us money?

How can we help?

Clyde & Co’s Technology & Media Team has unparalleled and specialised expertise across the privacy, cyber and broader technology and media practice areas. It also houses the largest dedicated and market leading privacy and cyber incident response practice across Australia and New Zealand. Our team is also highly regarded for their expertise and experience in managing all forms of disputes across sectors and international borders, including advising on some of the most high-profile disputes and class actions commenced in Australia.

The firm's tech, cyber, privacy and media practice provides an end-to-end risk solution for clients. From advice, strategy, transactions, innovations, cyber and privacy pre-incident readiness, incident response and post-incident remediation through to regulatory investigations, dispute resolution, litigated proceedings (plaintiff and defendant), recoveries and third-party claims (including class action litigation), the team assists its clients, inclusive of corporate clients, insurers, insureds and brokers across the full spectrum of legal services within this core practice area.

For more information, please contact Alec Christie, John Moran, Reece Corbett- Wilkins, Richard Berkahn, or Chris Mclaughlin.