32 research outputs found

    The Cybersecurity Threat: Compliance and the Role of Whistleblowers

    In today’s technologically dependent world, concerns about cybersecurity, data breaches, and compromised personal information infiltrate the news almost daily. The Securities and Exchange Commission (SEC) has recently emerged as a regulator that is keenly focused on cybersecurity, specifically with respect to encouraging disclosures in this arena by regulated entities. Although the SEC has issued non-binding “guidance” to help companies navigate their reporting obligations in this sector, the agency lacks binding cybersecurity disclosure regulations as they pertain generally to public companies. Given that the SEC has already relied on such guidance in threatening enforcement actions, reporting companies are increasingly pressured for compliance in this arena. This Article addresses the importance of establishing effective internal reporting channels and other internal compliance mechanisms in meeting the SEC’s expectations and highlights the role of “cybersecurity whistleblowers,” specifically those reporting internally, in building the type of improved corporate culture necessary to discover and remediate cybersecurity risks. Cybersecurity whistleblowers, like all whistleblowers, commonly experience retaliation for their efforts. Despite the SEC’s commitment to providing whistleblowers retaliation protections through statutes like the Sarbanes-Oxley and Dodd-Frank Acts, the absence of binding cybersecurity regulations translates into a direct problem for cybersecurity whistleblowers, because their reports are likely to fall outside the scope of “protected activity” enumerated under these statutes. This Article discusses this gap in protections in light of the SEC’s heightened cybersecurity focus, the feasibility of SEC adoption of binding cybersecurity disclosure regulations, and the broad contributions of whistleblowers to compliance systems generally

    Conflicted Counselors: Retaliation Protections for Attorney-Whistleblowers in an Inconsistent Regulatory Regime

    Attorneys, especially in-house counsel, are subject to retaliation by employers in much the same way as traditional whistleblowers, often experiencing retaliation and loss of livelihood for reporting instances of wrongdoing involving their clients. Although attorney-whistleblowing undoubtedly invokes ethical concerns, attorneys who appear and practice before the Securities and Exchange Commission (SEC) are required by federal law to act as internal whistleblowers under the Sarbanes-Oxley Act (SOX) and report evidence of material violations of the law within the organizations that they represent. An attorney's failure to comply with these obligations will result in SEC-imposed civil penalties and disciplinary action

    The Regulation of Lawyers in Compliance

    The field of compliance has exploded in interest, attention, and growth over recent years. It has emerged as a popular career path for those trained in the law, giving rise to an influx of job opportunities for new law school graduates and seasoned attorneys alike. Additionally, compliance has tightened the essential interplay between business and law. Numerous compliance officers hold J.D. degrees and many also serve simultaneously as both an organization’s chief compliance officer and general counsel, thereby muddying the lines between which service constitutes the “practice of law,” requiring adherence to professional rules of responsibility, or non-legal work, where such rules would typically not be applicable. This Article will analyze these important distinctions, as well as the lack of regulatory guidance for lawyers in the compliance function, by viewing the discussion largely through the lens of an often-unnoticed ethical rule—the American Bar Association’s Model Rule 5.7—which requires lawyers to comply with the full range of professional conduct rules even when they are providing a non-legal “law-related service.” This Article will argue that the compliance function is a near-precise fit for this rule and will propose reform to the current regulatory model to ensure that the interests of lawyers, as well as the recipients of their services, are protected to the most fruitful extent possible in today’s compliance-driven era. While placing this examination in the context of current scholarly debate that challenges traditional “zealous advocate” models of attorney representation, this Article will claim that, without adequate and clear regulatory reform to establish guidelines for behavior, lawyers in compliance functions risk heightened personal liability due to potential ethical violations from their respective jurisdictions of admission

    Compliance Officers: Personal Liability, Protections, and Posture

    This Symposium Article will explore the evolving nature of the regulatory and enforcement landscape as it pertains to compliance officers, specifically regarding their susceptibility to personal liability. It will examine the posture of compliance officers in three contexts: i) as a possible target for enforcement activity by regulators; ii) as a quasi-professional subject to a current regime of “non-regulation”; and iii) as an employee in need of ample whistleblower protections, each of which creates implications for a compliance officer’s risk of personal liability and protections as a constituent of the organization monitored. After considering the current guidance surrounding enforcement activity against chief compliance officers by regulatory agencies like the Securities and Exchange Commission (SEC) and Financial Crimes Enforcement Network (FinCEN), this Article will examine the lack of professional regulation of compliance officers and the various ways in which this poses liability risks, especially in instances where a compliance officer’s work overlaps with that of other regulated professions. Finally, this Article will analyze whistleblowing law developments interpreting the Dodd-Frank Act, particularly through the lens of how such developments affect compliance officers as potential employee-whistleblowers navigating issues of workplace culture and pressures from management

    Whistleblowing in the Compliance Era

    International events over the last year have propelled the importance of whistleblowers to the forefront. It is increasingly evident that whistleblowers provide immense value to society. Yet, for years, whistleblowers have been victims of retaliation, commonly experiencing threats, discrimination, and employment termination due to their reporting. Against the backdrop of a society heavily defined by compliance-focused initiatives—where organizations and industries construct robust compliance programs, internal policies, and codes of conduct—this Article highlights a significant gap in legal protections for would-be whistleblowers. While compliance initiatives demonstrate that active self-regulation is increasingly a staple of organizational governance, this Article pinpoints the problems that arise when such initiatives extend beyond applicable legal thresholds for retaliation protection. This over-extension leaves vulnerable employees and potential whistleblowers without legal recourse following adverse employment actions, even if they comply with their employers’ internal policies and compliance programs. We examine this gap in legal protections in the context of compliance initiatives in three domains: equal employment opportunity and sexual harassment; securities fraud; and anti-corruption. We then compare these initiatives with the legal and regulatory compliance postures under Title VII of the Civil Rights Act of 1964, the Dodd–Frank Wall Street Reform and Consumer Protection Act, and the Foreign Corrupt Practices Act, respectively, to illustrate how most compliance initiatives fail to mirror the retaliation protections under those statutes. To remedy this gap in protections, we propose complementary solutions under contract and tort law frameworks, coupled with soft law initiatives

    Global, regional, and national disability-adjusted life-years (DALYs) for 333 diseases and injuries and healthy life expectancy (HALE) for 195 countries and territories, 1990–2016: a systematic analysis for the Global Burden of Disease Study 2016

    BACKGROUND: Measurement of changes in health across locations is useful to compare and contrast changing epidemiological patterns against health system performance and identify specific needs for resource allocation in research, policy development, and programme decision making. Using the Global Burden of Diseases, Injuries, and Risk Factors Study 2016, we drew from two widely used summary measures to monitor such changes in population health: disability-adjusted life-years (DALYs) and healthy life expectancy (HALE). We used these measures to track trends and benchmark progress compared with expected trends on the basis of the Socio-demographic Index (SDI). METHODS: We used results from the Global Burden of Diseases, Injuries, and Risk Factors Study 2016 for all-cause mortality, cause-specific mortality, and non-fatal disease burden to derive HALE and DALYs by sex for 195 countries and territories from 1990 to 2016. We calculated DALYs by summing years of life lost and years of life lived with disability for each location, age group, sex, and year. We estimated HALE using age-specific death rates and years of life lived with disability per capita. We explored how DALYs and HALE differed from expected trends when compared with the SDI: the geometric mean of income per person, educational attainment in the population older than age 15 years, and total fertility rate. FINDINGS: The highest globally observed HALE at birth for both women and men was in Singapore, at 75·2 years (95% uncertainty interval 71·9-78·6) for females and 72·0 years (68·8-75·1) for males. The lowest for females was in the Central African Republic (45·6 years [42·0-49·5]) and for males was in Lesotho (41·5 years [39·0-44·0]). From 1990 to 2016, global HALE increased by an average of 6·24 years (5·97-6·48) for both sexes combined. 
Global HALE increased by 6·04 years (5·74-6·27) for males and 6·49 years (6·08-6·77) for females, whereas HALE at age 65 years increased by 1·78 years (1·61-1·93) for males and 1·96 years (1·69-2·13) for females. Total global DALYs remained largely unchanged from 1990 to 2016 (-2·3% [-5·9 to 0·9]), with decreases in communicable, maternal, neonatal, and nutritional (CMNN) disease DALYs offset by increased DALYs due to non-communicable diseases (NCDs). The exemplars, calculated as the five lowest ratios of observed to expected age-standardised DALY rates in 2016, were Nicaragua, Costa Rica, the Maldives, Peru, and Israel. The leading three causes of DALYs globally were ischaemic heart disease, cerebrovascular disease, and lower respiratory infections, comprising 16·1% of all DALYs. Total DALYs and age-standardised DALY rates due to most CMNN causes decreased from 1990 to 2016. Conversely, the total DALY burden rose for most NCDs; however, age-standardised DALY rates due to NCDs declined globally. INTERPRETATION: At a global level, DALYs and HALE continue to show improvements. At the same time, we observe that many populations are facing growing functional health loss. Rising SDI was associated with increases in cumulative years of life lived with disability and decreases in CMNN DALYs offset by increased NCD DALYs. Relative compression of morbidity highlights the importance of continued health interventions, which has changed in most locations in pace with the gross domestic product per person, education, and family planning. The analysis of DALYs and HALE and their relationship to SDI represents a robust framework with which to benchmark location-specific health performance. 
Country-specific drivers of disease burden, particularly for causes with higher-than-expected DALYs, should inform health policies, health system improvement initiatives, targeted prevention efforts, and development assistance for health, including financial and research investments for all countries, regardless of their level of sociodemographic development. The presence of countries that substantially outperform others suggests the need for increased scrutiny for proven examples of best practices, which can help to extend gains, whereas the presence of underperforming countries suggests the need for devotion of extra attention to health systems that need more robust support. FUNDING: Bill & Melinda Gates Foundation