Employers increasingly face the difficult scenario of employees who misappropriate company data in the pursuit of whistleblower claims alleging misconduct by the employer. Such cases can present a complex mix of regulatory, cybersecurity, and employment issues. These issues were front and center in a recent whistleblower case pitting a bank against its former internal auditor, who engaged in computer-facilitated misappropriation of the bank’s confidential information allegedly to support whistleblower conduct.
The U.S. District Court for the Southern District of California recently declined to summarily adjudicate whether the employee’s confidentiality agreement precluded any whistleblower affirmative defense based on the employee’s alleged violation of computer fraud, contract, and tort laws. The whistleblower laws in question included the Bank Secrecy Act, Sarbanes-Oxley, Dodd-Frank, and the California Labor Code.
In Erhart v. Bofi Holding, plaintiff Charles Matthew Erhart filed a whistleblower complaint against his employer, Bank of the Internet (BofI), alleging BofI retaliated against him for reporting unlawful conduct to the government. BofI, in turn, filed a complaint, alleging that Erhart breached his employee confidentiality agreement by misappropriating confidential data relating to his employer and its clients and disseminating that data to the government, family members, and the national press.
Erhart illustrates the complex and practical problems faced by employers dealing with employees who engage in conduct that would otherwise constitute computer fraud, intellectual property theft, breaches of employment-related agreements and policies, and related tort claims under the mantle of “whistleblower.” A key issue in the case was whether Erhart would be entitled to pursue his retaliation claims before a jury or would be precluded from doing so as a matter of law given his computer-facilitated theft of confidential information.
BofI hired Erhart as an internal auditor in 2013 and required him to execute a confidentiality agreement to safeguard the information BofI treated as proprietary and confidential (including banking information, communications with regulators, internal audit findings, and the personal information of BofI employees and customers). When performing his audits, Erhart discovered what he believed was wrongdoing in relation to responding to a subpoena from the Securities and Exchange Commission (SEC) and dealing with a certain loan customer. Erhart shared these concerns, and others, with the SEC and BofI’s primary regulator, the Department of the Treasury’s Office of the Comptroller of the Currency (OCC).
Erhart sued BofI, claiming that it violated federal and state law by retaliating against him for reporting unlawful conduct to the government. The retaliatory conduct allegedly included a downgrade in his performance rating that adversely impacted his bonus. The next day, the national media published an article about the lawsuit, and BofI’s shares plummeted. BofI quickly countersued under state and federal law, alleging that Erhart had published confidential company information and deleted hundreds of files from his company-issued laptop. The two suits were consolidated.
BofI’s countersuit alleged a set of facts that are becoming increasingly common, given the ease with which employees may use technology to appropriate employer information—Erhart used his personal Gmail account to email files containing confidential BofI information, including customer Social Security numbers and bank account information, to himself and to his mother. According to BofI, he printed copies of BofI’s documents containing customer bank account information and downloaded BofI files including supervisory communications from the OCC to his personal computer and to a personal USB drive; he accessed electronic data on his girlfriend’s computer; and he disclosed confidential information in his publicly filed whistleblower complaint and is alleged to have passed the complaint to the press.
Erhart responded by relying on various affirmative defenses based on the whistleblower provisions found in various state and federal statutes, regulations, and rules. BofI filed a motion for summary adjudication of Erhart’s affirmative defenses, arguing Erhart’s defenses failed because his conduct was not protected whistleblower activity.
The court held that Erhart’s reliance on the whistleblower provisions as an affirmative defense was tantamount to alleging that enforcement of his confidentiality agreement with BofI would violate public policy. Relying on principles of contract interpretation, the court analyzed whether the public policy interests in the enforcement of the confidentiality agreement outweighed the interest against the enforcement of the contract (the public policy exception). Among the interests present in favor of enforcement, the court cited California’s longstanding policy of respecting and promoting the freedom of private parties to contract, the significant government interests in promoting the legal protection of trade secrets (including business information that did not qualify for trade secret protection), and the data privacy protection of banking institutions’ clients. On the other hand, the court also looked to federal and state statutes, regulations, and rules—including Sarbanes-Oxley and the Dodd-Frank Act—that reflect a “strong public policy in favor of protecting whistleblowers.”
The court then weighed the interests for and against enforcement separately for each category of conduct Erhart sought to shield under the whistleblower protection provisions. For instance, the court found that as to Erhart’s communications with the OCC and the SEC, the public policy in favor of whistleblower protection clearly outweighed the interest in enforcing the agreement, thus rendering the confidentiality agreement unenforceable as to this conduct. On the other hand, as to Erhart’s alleged disclosure to the media, the court held that “leaks to the media are not protected” conduct under the various whistleblower protection provisions cited by Erhart. Thus, if the facts at trial demonstrated that Erhart passed information to the press (which Erhart denied), the whistleblower defenses would not preclude liability for a breach of the confidentiality agreement.
As for the misappropriation and dissemination of BofI’s confidential information in the publicly filed whistleblower complaint, the court held that the public policy exception applied—thereby making the confidentiality agreement unenforceable—if:
the removal of the documents and disclosure of such information contained in those documents in the complaint was reasonably necessary to support his allegations of wrongdoing; and
he did not engage in the “wholesale stripping” of confidential company documents and his appropriation and disclosure was not “vast and indiscriminate.”
Finally, as for Erhart’s emailing and downloading of BofI’s confidential data to accounts and devices under his and his family members’ control, the court held that the public policy exception would apply if a jury were to determine that Erhart’s conduct was necessary to protect relevant information from what he reasonably perceived was a risk of destruction. Even though Erhart had sent his mother an email containing a spreadsheet of bank customers’ Social Security numbers (conduct that may constitute a “data breach” under various state and federal laws), he alleged that doing so was necessary to prevent bank management from deleting or altering the information. He further alleged that he reasonably feared such misconduct, because bank management had accessed his work laptop remotely and senior managers had made hostile comments about his auditing activities. The court viewed this as sufficient to create a jury issue.
Employers can best protect themselves from liability, and legitimate whistleblowers from retaliation, by employing some basic technical and legal controls. First, employers should have well-documented and disseminated whistleblower notices and procedures. Because public policy considerations and whistleblower protections may render confidentiality provisions unenforceable, effective and secure methods for employees to air their grievances internally may reduce the chance that a given employee will become so dissatisfied that he begins to misappropriate data. A reference to such a grievance process in the confidentiality agreement also may address the public policy interests in enforcing confidentiality agreements while also respecting the public policy interests in protecting whistleblowers. In fact, certain statutes (like the Defend Trade Secrets Act of 2016) may only be used by employers to protect their confidential information if they adequately notify employees of whistleblower protections.
Second, employers should have clear policies relating to technology use (devices, communications, internet services, etc.), the protection of confidential information, and employee separation. Third, employers should utilize technical safeguards that make it more difficult for employees to engage in the most common forms of data misappropriation. Examples include data loss prevention and digital rights management tools, mobile device management apps, security information and event management software, internet activity monitoring, and whitelisting/blacklisting of internet applications.
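The conduct described in BofI’s countersuit (mailing spreadsheets of customer Social Security numbers to a personal Gmail account, copying supervisory correspondence to a USB drive, and deleting hundreds of files from a company laptop) is exactly the pattern the data loss prevention and event monitoring tools mentioned above are built to surface. The following is an added illustration, not code from the case record, the bank, or any vendor product, of how a minimal rule set over endpoint and mail events could flag that pattern and escalate a user who trips several distinct rules. The event format, the corporate domain `bank.example`, the webmail list, and the threshold of 100 deleted files are all assumptions; the sample events are constructed.

```python
"""Minimal DLP-style rule set over constructed endpoint and mail-gateway events.

Added example; every domain, field name and threshold here is an assumption.
"""
import re
from collections import defaultdict

COMPANY_DOMAIN = "bank.example"                       # assumed corporate mail domain
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")         # US Social Security number shape
MASS_DELETE_THRESHOLD = 100                           # files removed in one session


def _domain(address):
    """Mail domain of an address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def check_event(event):
    """Return the list of rule names a single event trips (empty if none)."""
    hits = []
    kind = event["type"]
    if kind == "email":
        dom = _domain(event["to"])
        external = dom != COMPANY_DOMAIN
        # Attachment leaving the company to a consumer webmail account.
        if external and dom in PERSONAL_WEBMAIL and event.get("attachment"):
            hits.append("attachment-to-personal-webmail")
        # Regulated PII in the body or extracted attachment text, bound outside the company.
        if external and SSN_RE.search(event.get("content", "")):
            hits.append("ssn-leaving-company")
    elif kind == "usb_write":
        hits.append("removable-media-write")
    elif kind == "file_delete" and event["count"] >= MASS_DELETE_THRESHOLD:
        hits.append("mass-delete")
    return hits


def run_rules(events):
    """Group findings by user: {user: [(rule_name, event), ...]}."""
    findings = defaultdict(list)
    for ev in events:
        for rule in check_event(ev):
            findings[ev["user"]].append((rule, ev))
    return dict(findings)


def risk_score(user_findings):
    """Number of distinct rules a user tripped; several together is the exfiltration pattern."""
    return len({rule for rule, _ in user_findings})


# Constructed sample events (assumed normalized output of a mail gateway and endpoint agent).
SAMPLE_EVENTS = [
    {"type": "email", "user": "auditor1", "to": "auditor1@gmail.com",
     "attachment": "customers.xlsx",
     "content": "Doe, J. 123-45-6789\nRoe, J. 987-65-4321"},
    {"type": "email", "user": "auditor1", "to": "examiner@regulator.example",
     "attachment": "audit_memo.docx", "content": "Summary of concerns attached."},
    {"type": "usb_write", "user": "auditor1", "file": "supervisory_letter.pdf"},
    {"type": "file_delete", "user": "auditor1", "count": 340},
    {"type": "email", "user": "analyst2", "to": "colleague@bank.example",
     "attachment": None, "content": "lunch?"},
    {"type": "file_delete", "user": "analyst2", "count": 3},
]

if __name__ == "__main__":
    for user, hits in run_rules(SAMPLE_EVENTS).items():
        print(f"{user}: risk {risk_score(hits)}, rules {sorted({r for r, _ in hits})}")
```

The second sample event (a memo sent to a regulator address with no customer PII) trips no rule, which matches the page’s point that a control should not be tuned so aggressively that it treats every external communication as misappropriation; what the rules single out is the combination of personal webmail, PII content, removable media, and bulk deletion from the same account.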