Going Rogue

Edward Snowden, who fled to the Soviet Union after his unauthorized disclosure of sensitive U.S. intelligence information, is not your typical whistleblower. 

The headline-grabbing 30-year-old former contractor with the National Security Agency (NSA) in Hawaii is not a disgruntled employee who called attention to a potential wrongdoing in the workplace and suffered what he believed to be retaliation by his employer. He is not alleging that his then-employer, the government consulting giant Booz Allen Hamilton, engaged in activities that defrauded the government. Charges like those, brought under the federal False Claims Act, could trigger an investigation of his complaints and a potential whistleblower, or qui tam, lawsuit that could result in a huge financial settlement for Snowden.

His disclosures—although without question damaging to U.S. intelligence-gathering efforts, politically embarrassing and diplomatically disastrous—do not appear to involve illegal actions by the government. Instead, Snowden is facing allegations that he committed crimes by leaking detailed information on classified government intelligence operations. In all likelihood he will either be deported to the United States to face prosecution or live a far-from-glamorous existence in whatever country grants him permanent asylum.

More traditional whistleblowers can find protection under a myriad of state and federal laws, but Snowden will not benefit from any of them. In traditional whistleblower cases, companies that are damaged could be insured under directors and officers, employment practices liability or fiduciary liability policies. But it is unclear whether commercial insurance coverage would apply if Booz Allen Hamilton ends up in lawsuits as a result of Snowden’s actions.

The insurance and legal communities generally agree that the government is not likely to use the False Claims Act to go after Booz Allen Hamilton for damages. For that sort of lawsuit to succeed, the government would have to prove that Booz Allen failed to ensure its employees were properly screened, as contractually obligated. According to news reports, Booz Allen was a subcontractor for U.S. Investigations Services (USIS), a contractor which the government hired to conduct the NSA security clearance granted to Snowden.

However, as a publicly traded company, Booz Allen could face action by stockholders if its stock prices are adversely affected by the Snowden case or if its business—almost exclusively government contracting—suffers. Such legal action and any potential settlement might well fall under the company’s D&O policy, but the loss of business per se would not be covered.

“Booz Allen could potentially suffer a loss of government contracts to the degree the government loses confidence in their internal controls, information security, employee discretion, and so on, but Booz Allen’s economic damages resulting from this loss of contracts would not typically be covered by insurance,” says John Rafferty, executive vice president of the Executive Assurance, Healthcare and Professional Liability division of Arch Insurance Group.

For its part, Booz Allen Hamilton has sought to distance itself as far and as quickly as possible from the whole Snowden affair. During a conference call with analysts on July 31 to discuss first-quarter 2014 earnings, CEO Ralph Shrader said Snowden, who absconded with three laptops packed with classified documents, had worked for the company only briefly and “was not a Booz Allen person.”

“The most significant news of the past quarter was the abhorrent actions of former employee Edward Snowden, who had worked at Booz Allen for less than 10 weeks,” Shrader said. “I spoke to all of our employees at a town hall meeting the week following his announcement that he had leaked highly sensitive national security information. I’d like to share with you something I said to our people that day. I told our employees Mr. Snowden was on our payroll for a short period of time, but he was not a Booz Allen person and he did not share our values. We cannot and will not let him define us.

“In that regard, we continue to do everything possible to support our clients’ mission and the United States government’s law enforcement investigation. Within the firm, we’re being vigilant and are supporting our employees, especially those working with the intelligence community.”

Whistleblower cases have become more common in recent years due to provisions in the Sarbanes-Oxley and Dodd-Frank laws that encourage employees of publicly held companies to report corporate fraud and mismanagement to government agencies. The False Claims Act, which dates to the Civil War, is now the government’s most effective tool to fight fraud against the government. In 2012 alone, whistleblower cases under the False Claims Act amounted to $125 million in settlements to the government and to whistleblowers who provided tips that led to the prosecution of those cases. That figure includes a record $104 million paid to an employee of a Swiss bank who provided information on Americans hiding money overseas in foreign banks.

Any such lawsuit would probably be defended under the company’s D&O insurance policy, industry experts say, and depending on how the policy was written, it could cover judgments as well.

“The passage of Dodd-Frank expanded the whistleblower protections initially enacted in 2002 with Sarbanes-Oxley,” says Shanda Davis, D&O product lead at Travelers. “It can provide a bounty for whistleblowers who provide high-quality tips that result in a settlement, so now there is an incentive for employees to report violations. Dodd-Frank does not require the employee to report it internally first. He or she can go directly to the SEC [Securities and Exchange Commission] with the complaints.”

Davis says the industry “has been waiting to see if this is going to result in an increase in enforcement actions.” So far, that has not been the case, but the SEC reported receiving more than 3,000 complaints in 2012.

“Whether that will result in more SEC investigations of publicly traded companies remains to be seen, but we’re certainly monitoring it because the exposure is there,” Davis says. “That is the big question mark out there.”

Mike Kosednar, assistant vice president and product manager for private company management liability at The Hartford, says any company involved in government contracts has a “very real” whistleblower exposure. Although the risk is widely understood in government contracting circles, Kosednar says, “it is surprising how many companies don’t realize that.”

D&O coverage also would be involved if a publicly traded company’s shareholders filed a lawsuit alleging the company and its stock prices were damaged due to whistleblower lawsuits. Shareholders could also claim the company breached its fiduciary duties if it violated the Foreign Corrupt Practices Act. This summer, high-ranking executives of the British drug giant GlaxoSmithKline were accused of using travel agencies to launder money and funnel bribes to doctors, hospitals, medical associations, foundations and government officials in China.

Although these cases make headlines, the fastest-growing area of whistleblower cases is employees who claim their employers unjustly retaliated against them after they lodged complaints and filed lawsuits.

“The biggest issue from a whistleblower standpoint is clearly under employment practices liability,” says Michael Schraer, vice president and global employment practices liability manager for Chubb Group. “An employee who has an issue with an employer, actual or not, comes forward, and the outcome is, generally speaking, retaliatory action by the employer. It can involve workplace harassment, termination, denial of benefits or promotion. That doesn’t mean every retaliatory charge is tied to whistle-blowing, but I think the fact that the EEOC [Equal Employment Opportunity Commission] is seeing more whistle-blowing claims is one of the contributing factors.”

Employees often sue companies that engage in retaliatory action—or even those unjustly accused of it. That is when the company’s EPLI coverage comes into play. Yet Kosednar says a surprising number of potential buyers of EPLI policies do not buy them. “Because they don’t view themselves as bad people,” he says. “They overlook the fact that they can be sued even if they did nothing wrong, and it is expensive to prove they did nothing wrong. So even those who believe they’re good guys should have this coverage.”

Steve Ventre, vice president and manager of the management liability and surety department for Cincinnati Insurance Cos., says his company’s primary management liability focus is on not-for-profit organizations and privately held companies, so whistle-blowing actions under Sarbanes-Oxley or Dodd-Frank are not as great a concern. Yet, Ventre says, “We have seen an increase in whistle-blowing claims relating to employment liability practices.”

The third type of whistleblower claim, involving a company’s fiduciary liability coverage, occurs when an employee accuses a company of improperly handling employee benefit plans. The Department of Labor and the IRS oversee most employee benefit plans, and both agencies investigate whistleblower complaints raised by employees or former employees. “It has been an issue since ERISA laws were introduced in the 1970s, but the exposure is increasing as more companies make changes to their benefit plans that don’t always favor the employee,” Kosednar says. “That potentially causes disgruntlement, which can lead to allegations, true or otherwise, about plans not being administered properly or terms not being followed.”

Although the Snowden case does not fall into the usual areas of coverage for companies facing exposure as a result of whistleblower actions, another area of commercial insurance could be involved before the last chapter of the Snowden saga is written. It is possible that the government, facing unfathomable expenses to redesign its computer systems and security protocols to protect against another such leak, might go after Booz Allen Hamilton to recover some of those costs.

Albert R. “Skip” Counselman, chairman and CEO of RCM&D, says cyber liability insurance has only been around for about a decade. “It is a new form, a scripted form, and it is only something that people have been paying attention to for the last five years or so,” Counselman says.

Cyber liability policies offer both first-party and third-party coverage. First-party coverage would be triggered if, for example, a company’s computer system was hacked but no one sued. Third-party coverage would be triggered when someone files a lawsuit against the company as a result of the hacking—a customer, for example, whose private information might have been compromised in a hacking case.

Typically, Counselman says, a company buys cyber liability coverage to protect against the cost of notifying customers when the computer system is breached and sensitive information, such as healthcare or credit card files, is compromised.

“So companies are thinking about what it will cost to notify 12,000 customers, and they might buy a few million dollars worth of coverage, maybe $5 million to $10 million,” he says. “They probably are not thinking about the huge things like what Edward Snowden might cost in having to rewrite program and that sort of thing.”

Counselman estimates than 5% of companies currently purchase such coverage, but he predicts cyber liability coverage will grow because of the publicity surrounding the Snowden case and other reports of computer hacking. Ken Goldstein, vice president and worldwide cyber security manager for Chubb, says cyber liability coverage is more common in the United States than in the rest of the world because U.S. companies operate under tougher laws and regulations requiring them to notify customers affected by a breach of computer security. In Canada, for example, Alberta is the only province that has a mandatory notification requirement.

From a coverage standpoint, Goldstein says, a company may be responsible for a rogue employee or vendor that does something wrong or is negligent in keeping confidential information secure.

“They have to maintain robust contractual and training-related safeguards in place with regard to vendors and employees, and part of that process includes protecting information appropriately,” Goldstein says.

Malicious and criminal attacks (which include both a criminal and insider element) are now the cause of 37% of global and 41% of U.S. data breaches, according to a “Cost of Data Breach Study,” a survey of 277 organizations in nine countries released in June by the Symantec Corp. and the Ponemon Institute. The dollar value of such damage can be huge. Among U.S. companies, the study found the impact of such security breaches could be as high as $188 a person.
“It cuts across companies of all size,” Goldstein says. “People need to wake up and think about this. They need to protect the company and spend the appropriate IT dollars. These events are going to happen.”