Protecting Your Company’s Assets as Whistleblowing Rises

Origins of Whistleblower Laws

Modern-day whistleblowing is rooted in the much older qui tam action, which dates back to 13th-century England. The False Claims Act (FCA), 31 U.S.C. § 3729 et seq., codified the modern qui tam action in which a private citizen, called a relator or whistleblower, may bring a lawsuit on behalf of himself or herself and the United States and collect a portion of the government’s recovery. The archetypal qui tam action was filed by an employee of a government contractor who discovered that her employer falsely billed the government.

The number of high-profile whistleblowers and the government protections afforded to them have steadily increased since the 1980s. The Dodd-Frank whistleblower provisions are the most recent examples of this increased protection, which affects both corporations and potential whistleblowers by giving people an incentive to approach the government and by protecting whistleblowers from employment retaliation. But the level of protection Dodd-Frank grants to whistleblowers is still unsettled and has already led to conflicting interpretations in key areas.

The first half of the Dodd-Frank whistleblower provisions create incentives for employees to become whistleblowers by tempting them with the possibility of large rewards paid by the SEC—recently reaching as high as $30 million. SEC rules permit whistleblowers to claim a reward even if they report the issue internally before talking to regulators, so long as they report to the SEC within 120 days of the initial inside report. 17 C.F.R. § 240.21F-4(b)(7). The statute and SEC rules require the SEC to pay out a reward to individuals who provide information to the government that leads to a successful enforcement action. To be eligible for an award under Dodd-Frank, the SEC’s action must net at least $1 million and the individual must voluntarily submit original information. Id. § 240.21F-10(a). “Voluntary submission” means that the whistleblower isn’t under a duty to disclose the information to the SEC in the first place, such as by a subpoena. Id. § 240.21F-4(a).

The SEC defines “original information” as information the whistleblower knows independently of a government investigation, news story, or other widely available news source. Id. § 240.21F-4(b). Information subject to attorney-client privilege is not considered “original information” for purposes of an award. Id. § 240.21F-4(b)(4)(i). It is important to note that Dodd-Frank does not give employees free rein over the employer to ferret out “original information” to support a suspected violation of securities laws. A whistleblower is only protected from retaliation for “lawful act[s] done by the whistleblower.” 15 U.S.C. § 78u-6(h)(1)(A). However, this will not necessarily stop a whistleblower from purloining a company’s trade secrets or other confidential data. SEC rules do prohibit whistleblowers from using information obtained in violation of a criminal law, but a judicial determination is required. 17 C.F.R. § 240.21F-4(b)(4)(iv).

The amounts of the awards paid to whistleblowers have increased dramatically since Dodd-Frank’s first payout of $50,000 in 2012. The next year, the SEC awarded a whistleblower $14 million for a tip that led to the recovery of “substantial investor funds.” In September 2014, it paid a foreign tipster a whopping $30 million and would have paid more but for the claimant’s delay. See Exchange Act Release No. 73174 (Sept. 22, 2014), available at www.sec.gov/rules/other/2014/34-73174.pdf.

These dramatic increases show the seriousness with which the SEC views the whistleblower award as a tool to catch bad actors, and they signal to all potential whistleblowers that the SEC will make it worthwhile to come forward. One commentator said that “[i]f you can imagine Wall Street as the American Old West and the [SEC] as the local sheriff, then the SEC’s new bounty program is the equivalent of nailing up reward signs all over town that read: ‘Wanted: Dead or Alive.’” Matt A. Vega, Beyond Incentives: Making Corporate Whistleblowing Moral in the New Era of Dodd-Frank Act “Bounty Hunting,” 45 Conn. L. Rev. 483, 483 (2012).

Anti-Retaliatory Provision

The second half of the Dodd-Frank whistleblower statute is its anti-retaliation provision, the contours of which are still significantly unsettled. Retaliation under Dodd-Frank consists of discharging, demoting, suspending, threatening, harassing, or discriminating against a whistleblower in the terms and conditions of employment because of any lawful act. If an employer is found to have retaliated against a whistleblower in violation of Dodd-Frank, the whistleblower is entitled to reinstatement with seniority rights, double back pay with interest, litigation costs, expert witness fees, and reasonable attorney fees. Id. § 78u-6(h)(1)(C).

The SEC can fine companies for retaliation. See 15 U.S.C. § 78u. In the first case of its kind, the SEC fined a hedge fund after it demoted its head trader for reporting possible securities law violations to the SEC. See In re Paradigm Capital Mgmt., Inc. & Candice King Weir, File No. 3-15930, Exchange Act Release No. 34-72393, 2014 SEC LEXIS 2104 (June 16, 2014). In Paradigm, the trader informed the SEC that Paradigm was engaging in principal transactions without providing effective disclosure. Paradigm then retaliated against him and, in doing so, created a playbook for what not to do when a company discovers it has a whistleblower. According to the SEC, the firm relieved the trader of his day-to-day trading and supervisory responsibilities and instructed him to work off-site. A few days later, it allowed him back to work but not in his old job. While his compensation remained the same, he was ordered to review 1,900 pages of trading data to identify other potential wrongdoing by the firm. Not surprisingly, he quit. The SEC eventually fined Paradigm $2.2 million for its retaliation and other securities violations, and awarded the tipster $600,000.

Employees can also sue for retaliation. While the Sarbanes-Oxley Act (SOX) requires employees to file an administrative action first (18 U.S.C. § 1514A), Dodd-Frank permits whistleblowers to file retaliation suits in federal district court (15 U.S.C. § 78u-6(h)(1)(B)(i)). To prevail, a plaintiff must show that (1) he or she reported an alleged violation to the SEC or, depending on the circuit, another entity, or internally to management; (2) he or she was retaliated against for reporting the alleged violation; (3) the disclosure of the alleged violation was made pursuant to a rule, law, or regulation subject to the SEC’s jurisdiction; and (4) the disclosure was required or protected by that rule, law, or regulation within the SEC’s jurisdiction. See, e.g., Genberg v. Porter, 935 F. Supp. 2d 1094, 1105 (D. Colo. 2013), aff’d in part and dismissed in part, 566 F. App’x 719 (10th Cir. 2014).

The SEC contemplates that courts will use the McDonnell Douglas burden-shifting test used for decades in employment discrimination cases to analyze retaliation under the Dodd-Frank Act program. Securities Whistleblower Incentives and Protections, File No. S7-33-10, Exchange Act Release No. 34-64545, 2011 SEC LEXIS 1816 n.41 (May 25, 2011) (quoting McDonnell Douglas Corp. v. Green, 411 U.S. 792 (1973)). Under that test, (1) the employee must make a prima facie case of retaliation; (2) the burden then shifts to the employer to articulate a legitimate, non-retaliatory reason for its employment decision; after which (3) the burden shifts to the employee to show that the proffered legitimate reason is in fact a pretext and that the job action was the result of the defendant’s retaliatory animus. Id.

The law narrowly defines “whistleblower” as someone who gives information to the SEC. 15 U.S.C. § 78u-6(h)(1)(A). Some portions of the statute protect only those who tip off the SEC; however, another subsection seems to cover people who provide information to third parties as long as the information is based on an SEC rule: “[Whistleblowers are protected] in making disclosures that are required or protected under the Sarbanes-Oxley Act of 2002 . . . and any other law, rule, or regulation subject to the jurisdiction of the Commission.” 15 U.S.C. § 78u-6(h)(1)(A)(iii).

In 2011, the SEC attempted to resolve the confusion by taking the broader view and adopting a rule granting protection to people who report violations of securities laws or SEC regulations, not merely to the SEC but also to their employers or other law enforcement entities. See 17 C.F.R. § 240.21F-2.

Dodd-Frank in Practice

Courts, however, have disagreed on whether to honor the SEC’s expansive interpretation of the statute. In Asadi v. G.E. Energy (USA), L.L.C., the Fifth Circuit read the statute as restrictively as possible. See 720 F.3d 620 (5th Cir. 2013). Asadi was a dual citizen of Iraq and United States working for General Electric in Jordan. While in Jordan, Asadi discovered G.E. practices he believed violated the Foreign Corrupt Practices Act. Asadi reported these issues and promptly got a negative performance review, was pressured to resign, and was eventually fired.

The Fifth Circuit found that the anti-retaliation provisions in the whistleblower statute did not protect Asadi because, while he may have blown the whistle on issues of “law, rule, or regulation” overseen by the SEC, he never reported to the SEC. Nor did the SEC’s expansive rule, 17 C.F.R. § 240.21F-2, require a different result. Congress’s intent was clear as to who could claim protection under the statute, the court held, so there was no gap for the SEC to fill through rulemaking. See 720 F.3d at 630. According to the Fifth Circuit, the more restrictive view is also consistent with the purpose of the law and does not render any statutory language superfluous. Id. at 629–30. At least two district courts outside the Fifth Circuit have followed this strict interpretation. See Lutzeier v. Citigroup Inc., 2015 U.S. Dist. LEXIS 28231 (E.D. Mo. Mar. 2, 2015); Berman v. Neo@Ogilvy LLC, 2014 U.S. Dist. LEXIS 168840 (S.D.N.Y. Dec. 5, 2014).

But other courts have enforced the SEC rule and extended Dodd-Frank’s protections to whistleblowers who did not report to the agency. See, e.g., Bussing v. COR Clearing, LLC, 20 F. Supp. 3d 719 (D. Neb. 2014). Bussing began when the Financial Industry Regulatory Authority (FINRA) began investigating COR Securities Holdings, Inc., for possible Bank Secrecy Act, anti–money laundering, and financial reporting violations. See 20 F. Supp. 3d at 723–24. Prior to the FINRA investigation, COR hired Bussing to implement a change of control plan to fix earlier regulatory mishaps. As Bussing prepared COR’s response to the FINRA requests, she reported to COR management that it had continued to violate the Bank Secrecy Act and anti–money laundering regulations. Id. at 724. Displeased with Bussing’s findings, COR told her to stop responding to FINRA. Bussing refused and instead cooperated with it. COR then fired her for cause. Id. at 724–25.

The U.S. District Court for the District of Nebraska held that Bussing qualified for anti-retaliation protection under the Dodd-Frank whistleblower statute even though she never reported her concerns to the SEC. The court strongly disagreed with Asadi’s restrictive formulation of the term “whistleblower,” holding that Congress intended to encourage internal reporting of possible violations before they are reported to the SEC. It expressly rejected the Asadi court’s construction of the anti-retaliation statute in favor of inclusiveness, setting up what will become a hotly debated issue in the coming years. See id.; Somers v. Digital Realty Trust, Inc., No. C-14-5180 EMC, 2015 U.S. Dist. LEXIS 97132 (N.D. Cal. July 22, 2015).

Of course, “an ounce of prevention is worth a pound of cure.” Beyond understanding the new world of retaliation claims, litigators should help clients prevent them. The best way to do this is to set effective workplace policies in advance. Companies that establish a written policy, share it with employees, and follow that policy are less likely to be seen as retaliating against whistleblowers for disclosing the firm’s internal information.

Proprietary Data Policy

At a minimum, a company’s policies should include guidelines as to who—both inside and outside—has access to confidential and trade secret information; how to keep such information confidential from those who should not have access to it; and clear consequences for violating the policy. Ideally, an effective proprietary data policy includes five elements.

First, companies should clearly identify what they consider to be confidential or trade secret information. Most states have adopted the definition set forth in section 1(4) of the Uniform Trade Secrets Act. While trade secrets are often protected under state law, other confidential information may be protected by contract.

Second, companies should put this information in writing, provide it to all employees when hired, and require written confirmation of receipt from the employee. Such policies can be framed as a confidentiality or nondisclosure agreement. The agreements should require employees with access to confidential or trade secret information to follow specific guidelines to keep it confidential. However, companies should ensure that agreements cannot be construed as prohibiting employees from communicating information to the SEC and other government entities.

Third, companies should keep confidential information separate from nonconfidential information. This will make it easier to ensure confidential information stays that way and that only the appropriate people have access to it.

Fourth, companies should secure digital and physical information through the use of passwords, encrypted files, firewalls, and prohibitions on downloading to personal computers or media. This way, if a breach occurs, it will be easier to identify the source of the breach.

Finally, companies should routinely remind employees of the policy and enforce it by implementing systems to monitor the access, use, and disclosure of confidential and trade secret information. If a company does this, it may learn that an employee is gathering confidential information off-site in violation of its policies before the employee has even reported any suspicions. If the company takes action at this point, it cannot be accused of retaliation, given that the employee hasn’t blown the whistle and may not be gathering data to do so.

The next step to prevent retaliation claims is to launch an investigation and disciplinary procedure so that when the company becomes aware of breaches, it has concrete steps to follow in taking the appropriate action, if any, against the employee. A company should also establish guidelines for conducting investigations once a whistleblower reports violations of the law. In particular, managers, human resources staff, and in-house counsel should know what to say and do if they receive information that a confidentiality procedure or policy has been breached or a whistleblower has been identified.

Ideally, the company should hire an experienced and independent investigatory team, secure and control information and information sources, understand and respect the attorney-client privilege and work-product doctrine, and complete the investigation as quickly as possible.

Using experienced investigators and securing information flow make it less likely that any internal encounters will be misperceived as intimidation or coercion of witnesses.

Correctly recognizing allowable privileges permits the company to seek legal advice without fear of having conversations used against it. See, e.g., In re Kellogg Brown & Root, Inc., 756 F.3d 754, 757 (D.C. Cir. 2014) (internal investigation was protected by attorney-client privilege when directed by lawyers, though conducted by non-legal personnel, where a primary purpose is to obtain legal advice). Hiring outside counsel creates a stronger argument for application of the privilege because in-house counsel may often be considered a business advisor whose conversations are subject to disclosure. SEC v. Snyder, 292 F. App’x 391, 406 (5th Cir. 2008) (recognizing that reliance on attorney’s or accountant’s advice could negate intent in securities fraud cases); but see Paradigm, 2014 SEC LEXIS 2104 (June 16, 2014) (holding that reliance on counsel’s advice insufficient to combat clear evidence of retaliation).

Finally, completing internal investigations as quickly as possible allows the company to more quickly determine its course of action to head off an impending investigation or cooperate with authorities early on to minimize liability.

During the course of the investigation, the employee’s role should be kept as uniform and unchanged as possible, unless a new role is clearly outlined in the policy and routinely implemented. Any change in the employee’s duties could be perceived as a demotion and, therefore, retaliation. Any investigation should be documented, and any disciplinary action taken should not deviate from actions clearly outlined in the data policy.

Once the company has completed its investigation, it should take action against the employee in a manner consistent with the company’s policies, the employee’s contract, and company practice. Regardless of whether the disciplinary action against the whistleblower is a reprimand, reassignment, demotion, termination, or anything else, it must be consistent with the way other employees are treated. If the company follows this closely, the whistleblower will have difficulty proving the discipline was retaliation for whistleblowing rather than for violating data policies. Compare, e.g., Cooney v. Bob Evans Farms, Inc., 645 F. Supp. 2d 620, 632 (E.D. Mich. 2009), aff’d, 395 F. App’x 176 (6th Cir. 2010) (dismissing retaliation claims where plaintiff was fired two days after alleged protected activity, finding “protected activity” occurred after disciplinary review was already in progress and would take three days under company policy), with Smith v. Xerox Corp., 371 F. App’x 514, 520 (5th Cir. 2010) (finding sufficient evidence of retaliation where employer failed to follow its own policies of documentation prior to disciplinary action and terminated employee for minor infractions contrary to treatment of other employees who had not engaged in protected activity).

Despite the best policies, a company can still face that surprise email about a whistleblower who disclosed confidential information. The key to avoiding, or succeeding in, a retaliation or obstruction suit is to get the company to focus on securing its information rather than on the consequences of the leak, such as a subsequent government investigation.

For example, one court found that a company did not violate any public policies because its breach of contract claim against the employee wasn’t based on documents the whistleblower disclosed to the Federal Aviation Administration but was limited to seeking return of its confidential documents still in the whistleblower’s possession. See Woods v. Boeing Co., 2013 U.S. Dist. LEXIS 136543 at *3–4 (D.S.C. Sept. 23, 2013). As the court put it, “public policy does not authorize disgruntled employees to pilfer a wheelbarrow full of an employer’s proprietary documents in violation of their contract merely because they intend to file suit against their employer.” Id. (quotation omitted).

Damage Control

A company should create a log of information it believes has been misappropriated. The employer should directly address the whistleblower and ask that the information be returned. If the company does not know who the whistleblower is, it should conduct an audit and ask all relevant employees to return any confidential information that has been disseminated or kept against the company’s policies.

In the ideal situation, the whistleblower or other employees will return everything. The company should make a log of what’s turned in to ensure complete collection and require employees to sign acknowledgments that they have returned all information, including any hard or electronic copies, in their possession. The company should also request a list of third parties who received the information, excluding government entities, to ensure nothing lands in the hands of competitors. This request should exclude disclosures to government entities to avoid being seen as infringing the whistleblower’s right to remain anonymous. See Request for Rulemaking Petition and the Issuance of a Policy Statement Regarding Certain Aspects of the Dodd-Frank Whistleblower Program (File No. 4-677), ¶ 19 (July 18, 2014).

Of course, in many cases a whistleblower won’t simply return misappropriated information. What then? The company can sue the whistleblower to reclaim its confidential information, or sue the government to maintain the confidentiality of disclosed documents.

Crucially, filing a lawsuit in and of itself is not retaliation—unless there is no reason to believe the employee misappropriated trade secrets or confidential information. This is true even if the company ultimately loses the case. See, e.g., DeGuelle v. Camilli, 2012 U.S. Dist. LEXIS 74389 (E.D. Wis. May 29, 2012) (citing Prof’l Real Estate Investors v. Columbia Pictures Indus., 508 U.S. 49, 60–61 n.5 (1993)). The company can seek relief under a number of legal theories as long as the case excludes information disclosed to the government.

If the information the whistleblower took or disclosed was a trade secret under state law, the company can bring a misappropriation suit. To succeed on a trade secrets misappropriation claim, a company must demonstrate that it possessed a trade secret and that the whistleblower used that trade secret in breach of an agreement, confidence, or duty; disclosed the trade secret without consent; or acquired the trade secret by improper means. See, e.g., Schanfield v. Sojitz Corp. of Am., 663 F. Supp. 2d 305, 349–50 (S.D.N.Y. 2009). In some states, a misappropriation claim may preempt other state law claims, so attorneys should choose their theories wisely.

If the whistleblower signed a nondisclosure agreement or other contract protecting company information, the company could also bring suit under a breach of contract theory. See, e.g., JDS Uniphase Corp. v. Jennings, 473 F. Supp. 2d 697 (E.D. Va. 2007). Absent a contract, the company could sue for replevin or conversion.

Finally, if the whistleblower obtained or disseminated the information using a computer, data processor, data storage facility, or communications facility that is “used in or affect[s] interstate or foreign commerce or communication,” the company can pursue a claim under the Computer Fraud and Abuse Act (CFAA). See 18 U.S.C. § 1030. The CFAA creates a private cause of action against one who “intentionally accesses a computer without authorization or exceeds authorized access” to obtain information. See id. There is a circuit split as to whether a violation of a company policy is sufficient to file suit under the CFAA. The Third, Fifth, and Eleventh Circuits say it is, while the Ninth disagrees. Regardless of the legal theory presented, the company may be able to seek an injunction, declaratory judgment, or monetary damages. Id.

As an alternative to pursuing the whistleblower, the company can seek protection of its documents from the government through a reverse Freedom of Information Act (FOIA) claim. “[T]rade secrets and commercial or financial information [that are] . . . privileged or confidential” are not subject to disclosure under FOIA. 5 U.S.C. § 552(b)(4). Because the government entity is required to notify a company before its information is released in response to a FOIA request, the company will have the opportunity to intervene and seek protection over its proprietary and trade secret information. See Exec. Order No. 12,600, Predisclosure Notification Procedures for Confidential Commercial Information, 52 Fed. Reg. 23,781 (June 23, 1987). However, this is a less-than-ideal method of protecting proprietary information because, even if the case succeeds, there is no guarantee the information will not be disclosed by the whistleblower or pursuant to congressional privilege.

Obstruction

Through all of this, litigators must ensure that their clients don’t obstruct government investigations. Once an SEC investigation starts, companies should be careful as they investigate internally. Protecting the company from an obstruction charge is similar to protecting it from a retaliation charge—consistently applied and well-written policies are key.

Because many obstruction charges are based on missing or altered data, the company needs basic guidelines on company data and information. This should include rules on data retention and destruction. An information policy may also include restrictions on usage of email accounts and devices for company operations. When a company has a data policy in place and deletes documents under that policy before learning about or anticipating a government investigation, it negates the intent element of any obstruction charge. At the same time, the company should have litigation hold procedures in place so it can appropriately suspend any data deletion policies after learning of an investigation.

The SEC may take action against a company for enforcing confidentiality agreements against whistleblowers. See 17 C.F.R. § 240.21F-17(a) (“No person may take any action to impede an individual from communicating directly with the Commission . . . including enforcing, or threatening to enforce, a confidentiality agreement[.]”). Thus, while confidentiality and nondisclosure agreements should be carefully tailored to protect the company’s information, they should not go so far as to prohibit or dissuade employees from reporting wrongdoing to the government. Nor should they reward employees for failing to report to the government.

In addition to Dodd-Frank obstruction charges, the SEC or DOJ may charge a company or its counsel with obstruction of justice under 18 U.S.C. §§ 1501 et seq. Section 1510 prohibits the use of “bribery to obstruct, delay, or prevent the communication of information relating to a violation of any criminal statute of the United States by any person to a criminal investigator.” 18 U.S.C. § 1510. Based on some plaintiffs’ organizations’ interpretation of confidentiality agreements as “general employment provisions presented as job prerequisites . . . [requiring employees to] forgo a severance payment or other benefits in order to retain their statutory rights,” an employer could be charged with bribery under § 1510 for enforcing such agreements. See Dodd-Frank Whistleblower Program Request for Rulemaking Petition, supra, ¶ 20.

Section 1505 prohibits hindering any SEC investigation from the instant it begins at the commission. The provision covers a wide range of activities, most notably falsely testifying, submitting false documents, and altering or concealing documents that will be used in an agency investigation. See 18 U.S.C. § 1505. The government must plead facts showing that the defendant acted with the intent to influence pending agency proceedings. See United States v. Perraud, 672 F. Supp. 2d 1328 (S.D. Fla. 2009).

Although the SOX anti-retaliation provisions are found in Chapter 73, the SEC lacks authority to file obstruction charges against a company for retaliation specifically under SOX. See 18 U.S.C. § 1514A. However, the SEC or Department of Justice may bring claims against a company it believes has retaliated against a whistleblower under 18 U.S.C. §§ 1512–1514, which prohibit tampering with, retaliating against, or harassing a witness or informant. Section 1512 also prohibits a range of activities, from persuading a witness to withhold evidence to the destruction of documents. In particular, courts have read section 1512(c) broadly, to encompass everything from lying on interrogatories to deleting text message conversations.

Finally, 18 U.S.C. § 1519 prohibits knowingly destroying or altering any kind of document to “influence the investigation” of an agency or department. The provision has broad reach: The defendant doesn’t have to know an investigation is pending to incur liability; he or she only has to modify a document with the intent to influence an investigation sometime in the future. Still, at least one court limited section 1519 where the defendant, the vice president and associate general counsel of GlaxoSmithKline, relied on the advice of outside counsel in handling a Food and Drug Administration (FDA) investigation. See United States v. Stevens, 771 F. Supp. 2d 556 (D. Md. 2011). In Stevens, the defendant responded to an FDA investigation but, according to regulators, withheld relevant information and made false statements. Yet, her reliance on the advice of counsel negated any wrongful intent. Id. at 561–62.

As whistleblower rewards increase and public sentiment leans against corporations, whistleblowers will become more prevalent. The scope of whistleblower provisions under Dodd-Frank will continue to evolve as courts decide more cases in the coming months and years. Companies have a legitimate business and competitive interest in protecting trade secret and other confidential information. And while they should be ever mindful of Dodd-Frank’s anti-retaliation provisions and the obstruction statutes, companies are not without means to recapture misappropriated information.