Employers attempting to manage corporate compliance programs while balancing privacy concerns and whistleblower protections might find a certain irony, perhaps empathy, in the Obama administration's recent petition for U.S. Supreme Court review of a whistleblower case that it lost. Given the government's policy orientation, however, any optimism might be misplaced.
In its request for review of the U.S. Court of Appeals for the Federal Circuit's decision in MacLean v. Department of Homeland Security, 714 F.3d 1301 (Fed. Cir. 2013), the government urges that it should not be subject to a narrow reading of the Aviation and Transportation Security Act that would bar its discharge of a Transportation Security Administration ("TSA") air marshal for his disclosures to an MSNBC reporter about the "suspension of overnight missions during a hijacking alert [that] created a danger to the flying public," believed by him to be "inconsistent with what ‘the law mandated.'"
As relevant to the government's position, the Whistleblower Protection Act broadly protects individuals from adverse personnel actions if they make qualifying disclosures of information, inside or outside their employing governmental agencies, that:
the [government] employee or applicant reasonably believes evidences—
any violation of any law, rule, or regulation, or
gross mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety, if such disclosure is not specifically prohibited by law and if such information is not specifically required by Executive order to be kept secret in the interest of national defense or the conduct of foreign affairs . . . .
5 U.S.C. § 2302(b)(8).
Petitioning for Supreme Court review, the Solicitor General raised one argument of immediate familiarity to employers met with whistleblower considerations and another available only by analogy. Specifically, the Solicitor General argued that the Federal Circuit's decision:
"seriously undermines the effectiveness of the congressionally mandated SSI [sensitive security information] regime," [and]
"invites individual federal employees to make disclosures that will threaten public safety."
(Petition at 11). While TSA public interest and security concerns may be of a magnitude not customary outside the government setting, most businesses and organizations consider their confidential information and trade secrets analogous to governmental SSI, and judicial or administrative permissiveness with respect to employee breaches of confidentiality a threat to both the integrity of their compliance programs and their legitimate, protectable interests in confidentiality. Yet, wearing a different hat, the government as the enforcer of certain laws has been very active in encouraging informants to disclose their employers' confidential information and has made it increasingly easy to do so anonymously.
* * * * * *
The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 ("Dodd-Frank") established a whistleblower bounty program. Under that program, individuals who voluntarily provide the U.S. Securities and Exchange Commission ("SEC") or Commodity Futures Trading Commission ("CFTC") original information that leads to an enforcement action resulting in monetary sanctions greater than $1 million are entitled to an award of between 10 and 30 percent of the total sanctions collected. Claims can easily be submitted online through the SEC and CFTC websites. Significantly, whistleblowers are not required to use the internal complaint procedures established pursuant to the Sarbanes-Oxley Act ("SOX") before reporting alleged wrongdoing directly to the SEC or CFTC, although they may still be encouraged to so do. Employers may not "impede" employees from speaking directly to those agencies, such as through confidentiality policies or provisions in separation agreements. It remains uncertain how broadly "impede" is defined; whether, for example, it applies only to explicit restrictions or whether it can be stretched to cover any actions by the employer that would arguably chill employees' exercise of their protected right to report alleged wrongdoing directly to the SEC or CFTC.
The government has made it increasingly easy for employees to bypass their employers' internal reporting mechanisms. Employees can provide tips regarding alleged wrongdoing and apply for bounty awards to the SEC or CFTC under Dodd-Frank via the Internet. It is as easy as filling out a prepared form online and clicking "send." Further, last December, the U.S. Department of Labor announced that whistleblowers covered by any one of 22 statutes administered by the Occupational Safety and Health Administration ("OSHA")—which includes whistleblower retaliation complaints under Section 806 of SOX—can now file complaints online. Section 806 of SOX affords protection to employees who have allegedly suffered an adverse action because they complained, externally or even just to their supervisor, that the company has committed a violation of various fraud statutes (mail fraud, wire fraud, bank fraud, and securities fraud), or a violation of any rule or regulation of the SEC, or any provision of federal law relating to fraud against shareholders. The online form provides employees with an additional and, for many, easier way to file a retaliation complaint to commence OSHA's investigative process. Previously, employees had to mail a complaint, or visit or call an OSHA office. But the speed, efficiency, and familiarity of the Internet creates the possibility that some employees who might not otherwise have filed complaints will now do so.
Today, it would be an exceptional organization that is not somehow subject to whistleblower considerations. This is truer than ever in light of the Supreme Court's March 4, 2014, decision in Lawson v. FMR LLC, No. 12–3 (2014),in which the Court held that SOX protects from whistleblower retaliation the employees of private companies that contract with public companies that are directly covered by SOX. Moreover, there are many different and potentially applicable federal and state whistleblower laws beyond SOX and Dodd-Frank. Even if an organization is not covered by an applicable federal or state whistleblowing statute, many organizations have established corporate compliance and whistleblowing policies and procedures. Especially since the enactment of SOX in 2002 and the newer challenges posed by Dodd-Frank, however, organizations have wrestled with the tension between (i) implementing and maintaining effective compliance programs, with inducements for internal reporting and obligations to appropriately address reports, and (ii) competing disincentives of potential personal agendas or the lure of financial windfall, by way of bounty awards or otherwise, that may motivate individuals possessing confidential information to report it outside the organization instead of within it.
As the Administrative Review Board has recognized in a case brought pursuant to the whistleblower protections of SOX, "[t]here is a clear tension between a company's legitimate business policies protecting confidential information and the whistleblower bounty programs created by Congress to encourage whistleblowers to disclose confidential company information in furtherance of enforcement of tax and securities laws." Vannoy v. Celanese Corp., ARB Case No. 09-118 (Sept. 28, 2011). In Vannoy, the Administrative Review Board held that an evidentiary hearing was necessary to determine whether an employee's misappropriation of 1,600 employee social security numbers, in clear violation of company policy, in order to facilitate a whistleblower complaint to the Internal Revenue Service was the type of non-public, insider information that was protected from disclosure by SOX.
It is not uncommon for statutes to expressly authorize and protect internal reporting, but they tend to do so co-equally with authorized or circumscribed external reporting. So, it remains an employee option to report through a designated corporate compliance channel or to a statutorily prescribed or allowed outsider. Most statutes do not adopt the affirmative gatekeeping that is seen in New Jersey's Conscientious Employee Protection Act ("CEPA"). Under CEPA, absent reasonable certainty that the activity, policy, or practice is known to one or more supervisors, or absent reasonable fear of physical harm as a result of the disclosure and an emergency situation, relief for disclosure to a public body is not available unless the whistleblowing employee (i) gave the employer written notice of the subject activity, policy, or practice, and (ii) afforded the employer a reasonable opportunity to correct the activity, policy, or practice.
Further, recent developments reflect an increasingly whistleblower-friendly landscape even for those employees who choose to use only internal reporting channels. Although there is currently a split in authority among the federal courts on this issue, several decisions in the Southern District of New York have held that a Dodd-Frank whistleblower is protected even if his whistleblowing is not to the SEC (as the statute seems to require by its definition of the term "whistleblower"), but rather, only to the employee's supervisor or manager, as SOX allows. If this view prevails, it would effectively mean that anything that violates SOX's anti-retaliation provisions also violates Dodd-Frank, and that employees arguably would be free to pursue identical claims simultaneously in federal court and through the administrative complaint procedures set forth in SOX.
* * * * * *
It is not certain what impact, if any, the MacLean decision will have on this whistleblowing infrastructure. The Supreme Court might decline to review the Federal Circuit's decision, or, even if it grants review, it could affirm the decision of the appellate court. If, however, the Supreme Court grants review of the MacLean decision and reverses it, it may provide new hope and new arguments for private-sector employers seeking to strike a more favorable balance than the government was previously willing to strike between "a company's legitimate business policies protecting confidential information and the whistleblower bounty programs created by Congress." The government, of course, will argue that public safety concerns are sui generus to the program at issue or to other matters of national security, and that any argument seeking to draw an analogy is irrelevant. Nevertheless, there is an obvious contrast between the position that government is taking as an employer and the position that it has taken as an enforcer.
What Employers Should Do Now
Review existing reporting and disclosure policies and policies against retaliation in order to confirm that they encourage internal reporting, while ensuring that such policies do not impede employees from reporting externally to the government.
Review existing separation agreements to determine whether they contain improper waivers or provisions (such as confidentiality, cooperation, and non-disparagement) that could be construed as preventing or impeding employees' rights under Dodd-Frank or SOX.
Have employees confirm in their separation agreements that they are not aware of any wrongdoing or improper activities that they have not previously reported to the company.
Review existing policies and agreements regarding confidential, proprietary, and trade secret information to ensure that they are clear about the scope of protected business information and the steps taken to protect it from disclosure.
Train managers to identify whistleblower complaints and to be sensitive to employee comments that might later be considered to have been whistleblower complaints in order to ensure that such complaints are handled properly.
Train employees regarding existing internal complaint procedures to maximize employee awareness.