Act Now Advisory: As Defendant, Obama Administration Takes Narrower View of Whistleblower Protections Than as Enforcer - Will This Facilitate Litigation Success for Private Employers?

by Epstein Becker & Green

Employers attempting to manage corporate compliance programs while balancing privacy concerns and whistleblower protections might find a certain irony, perhaps empathy, in the Obama administration's recent petition for U.S. Supreme Court review of a whistleblower case that it lost. Given the government's policy orientation, however, any optimism might be misplaced.

In its request for review of the U.S. Court of Appeals for the Federal Circuit's decision in MacLean v. Department of Homeland Security, 714 F.3d 1301 (Fed. Cir. 2013), the government urges that it should not be subject to a narrow reading of the Aviation and Transportation Security Act that would bar its discharge of a Transportation Security Administration ("TSA") air marshal for his disclosures to an MSNBC reporter about the "suspension of overnight missions during a hijacking alert [that] created a danger to the flying public," believed by him to be "inconsistent with what ‘the law mandated.'"

As relevant to the government's position, the Whistleblower Protection Act broadly protects individuals from adverse personnel actions if they make qualifying disclosures of information, inside or outside their employing governmental agencies, that:

the [government] employee or applicant reasonably believes evidences—

  1. any violation of any law, rule, or regulation, or
  2. gross mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety, if such disclosure is not specifically prohibited by law and if such information is not specifically required by Executive order to be kept secret in the interest of national defense or the conduct of foreign affairs . . . .

5 U.S.C. § 2302(b)(8).

Petitioning for Supreme Court review, the Solicitor General raised one argument of immediate familiarity to employers met with whistleblower considerations and another available only by analogy. Specifically, the Solicitor General argued that the Federal Circuit's decision:

  1. "seriously undermines the effectiveness of the congressionally mandated SSI [sensitive security information] regime," [and]
  2. "invites individual federal employees to make disclosures that will threaten public safety."

(Petition at 11). While TSA public interest and security concerns may be of a magnitude not customary outside the government setting, most businesses and organizations consider their confidential information and trade secrets analogous to governmental SSI, and judicial or administrative permissiveness with respect to employee breaches of confidentiality a threat to both the integrity of their compliance programs and their legitimate, protectable interests in confidentiality. Yet, wearing a different hat, the government as the enforcer of certain laws has been very active in encouraging informants to disclose their employers' confidential information and has made it increasingly easy to do so anonymously.

* * * * * *

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 ("Dodd-Frank") established a whistleblower bounty program. Under that program, individuals who voluntarily provide the U.S. Securities and Exchange Commission ("SEC") or Commodity Futures Trading Commission ("CFTC") original information that leads to an enforcement action resulting in monetary sanctions greater than $1 million are entitled to an award of between 10 and 30 percent of the total sanctions collected. Claims can easily be submitted online through the SEC and CFTC websites. Significantly, whistleblowers are not required to use the internal complaint procedures established pursuant to the Sarbanes-Oxley Act ("SOX") before reporting alleged wrongdoing directly to the SEC or CFTC, although they may still be encouraged to so do. Employers may not "impede" employees from speaking directly to those agencies, such as through confidentiality policies or provisions in separation agreements. It remains uncertain how broadly "impede" is defined; whether, for example, it applies only to explicit restrictions or whether it can be stretched to cover any actions by the employer that would arguably chill employees' exercise of their protected right to report alleged wrongdoing directly to the SEC or CFTC.

The government has made it increasingly easy for employees to bypass their employers' internal reporting mechanisms. Employees can provide tips regarding alleged wrongdoing and apply for bounty awards to the SEC or CFTC under Dodd-Frank via the Internet. It is as easy as filling out a prepared form online and clicking "send." Further, last December, the U.S. Department of Labor announced that whistleblowers covered by any one of 22 statutes administered by the Occupational Safety and Health Administration ("OSHA")—which includes whistleblower retaliation complaints under Section 806 of SOX—can now file complaints online. Section 806 of SOX affords protection to employees who have allegedly suffered an adverse action because they complained, externally or even just to their supervisor, that the company has committed a violation of various fraud statutes (mail fraud, wire fraud, bank fraud, and securities fraud), or a violation of any rule or regulation of the SEC, or any provision of federal law relating to fraud against shareholders. The online form provides employees with an additional and, for many, easier way to file a retaliation complaint to commence OSHA's investigative process. Previously, employees had to mail a complaint, or visit or call an OSHA office. But the speed, efficiency, and familiarity of the Internet creates the possibility that some employees who might not otherwise have filed complaints will now do so.

Today, it would be an exceptional organization that is not somehow subject to whistleblower considerations. This is truer than ever in light of the Supreme Court's March 4, 2014, decision in Lawson v. FMR LLC, No. 12–3 (2014),in which the Court held that SOX protects from whistleblower retaliation the employees of private companies that contract with public companies that are directly covered by SOX. Moreover, there are many different and potentially applicable federal and state whistleblower laws beyond SOX and Dodd-Frank. Even if an organization is not covered by an applicable federal or state whistleblowing statute, many organizations have established corporate compliance and whistleblowing policies and procedures. Especially since the enactment of SOX in 2002 and the newer challenges posed by Dodd-Frank, however, organizations have wrestled with the tension between (i) implementing and maintaining effective compliance programs, with inducements for internal reporting and obligations to appropriately address reports, and (ii) competing disincentives of potential personal agendas or the lure of financial windfall, by way of bounty awards or otherwise, that may motivate individuals possessing confidential information to report it outside the organization instead of within it.

As the Administrative Review Board has recognized in a case brought pursuant to the whistleblower protections of SOX, "[t]here is a clear tension between a company's legitimate business policies protecting confidential information and the whistleblower bounty programs created by Congress to encourage whistleblowers to disclose confidential company information in furtherance of enforcement of tax and securities laws." Vannoy v. Celanese Corp., ARB Case No. 09-118 (Sept. 28, 2011). In Vannoy, the Administrative Review Board held that an evidentiary hearing was necessary to determine whether an employee's misappropriation of 1,600 employee social security numbers, in clear violation of company policy, in order to facilitate a whistleblower complaint to the Internal Revenue Service was the type of non-public, insider information that was protected from disclosure by SOX.

It is not uncommon for statutes to expressly authorize and protect internal reporting, but they tend to do so co-equally with authorized or circumscribed external reporting. So, it remains an employee option to report through a designated corporate compliance channel or to a statutorily prescribed or allowed outsider. Most statutes do not adopt the affirmative gatekeeping that is seen in New Jersey's Conscientious Employee Protection Act ("CEPA"). Under CEPA, absent reasonable certainty that the activity, policy, or practice is known to one or more supervisors, or absent reasonable fear of physical harm as a result of the disclosure and an emergency situation, relief for disclosure to a public body is not available unless the whistleblowing employee (i) gave the employer written notice of the subject activity, policy, or practice, and (ii) afforded the employer a reasonable opportunity to correct the activity, policy, or practice.

Further, recent developments reflect an increasingly whistleblower-friendly landscape even for those employees who choose to use only internal reporting channels. Although there is currently a split in authority among the federal courts on this issue, several decisions in the Southern District of New York have held that a Dodd-Frank whistleblower is protected even if his whistleblowing is not to the SEC (as the statute seems to require by its definition of the term "whistleblower"), but rather, only to the employee's supervisor or manager, as SOX allows. If this view prevails, it would effectively mean that anything that violates SOX's anti-retaliation provisions also violates Dodd-Frank, and that employees arguably would be free to pursue identical claims simultaneously in federal court and through the administrative complaint procedures set forth in SOX.

* * * * * *

It is not certain what impact, if any, the MacLean decision will have on this whistleblowing infrastructure. The Supreme Court might decline to review the Federal Circuit's decision, or, even if it grants review, it could affirm the decision of the appellate court. If, however, the Supreme Court grants review of the MacLean decision and reverses it, it may provide new hope and new arguments for private-sector employers seeking to strike a more favorable balance than the government was previously willing to strike between "a company's legitimate business policies protecting confidential information and the whistleblower bounty programs created by Congress." The government, of course, will argue that public safety concerns are sui generus to the program at issue or to other matters of national security, and that any argument seeking to draw an analogy is irrelevant. Nevertheless, there is an obvious contrast between the position that government is taking as an employer and the position that it has taken as an enforcer.

What Employers Should Do Now

  • Review existing reporting and disclosure policies and policies against retaliation in order to confirm that they encourage internal reporting, while ensuring that such policies do not impede employees from reporting externally to the government.
  • Review existing separation agreements to determine whether they contain improper waivers or provisions (such as confidentiality, cooperation, and non-disparagement) that could be construed as preventing or impeding employees' rights under Dodd-Frank or SOX.
  • Have employees confirm in their separation agreements that they are not aware of any wrongdoing or improper activities that they have not previously reported to the company.
  • Review existing policies and agreements regarding confidential, proprietary, and trade secret information to ensure that they are clear about the scope of protected business information and the steps taken to protect it from disclosure.
  • Train managers to identify whistleblower complaints and to be sensitive to employee comments that might later be considered to have been whistleblower complaints in order to ensure that such complaints are handled properly.
  • Train employees regarding existing internal complaint procedures to maximize employee awareness.

Written by:

Epstein Becker & Green

Epstein Becker & Green on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.