Does SOX protect whistleblowers who steal confidential information?
Firing a thieving employee could be deemed retaliation.
December 31, 2011 at 07:00 PM
18 minute read
Firing an employee who steals confidential information, including the Social Security numbers of fellow employees, from the company's computer system wouldn't seem to be a risky proposition, particularly if he had signed a confidentiality agreement.
But in a decision that stunned employment defense lawyers, the Labor Department's Administrative Review Board (ARB) recently said an employee who took such information to support a whistleblower report may be protected from retaliation under the Sarbanes-Oxley Act (SOX). The ARB reversed an administrative law judge (ALJ) who granted summary judgment on the grounds that the company had legitimate, nonretaliatory reasons for the termination.
“The fact that they reversed summary judgment is aggressive and shows how far the ARB is willing to go to give the benefit of the doubt to employees,” says Daniel Westman, a partner at Morrison Foerster.
In its Sept. 28, 2011, decision in Vannoy v. Celanese Corp., the ARB said that SOX's anti-retaliation provision protects employees who report alleged wrongdoing to the Internal Revenue Service (IRS) as well as the Securities and Exchange Commission (SEC) and other agencies that enforce securities laws. It also reiterated its position that the employee does not need to allege shareholder fraud to obtain protection.
“SOX's intent was to protect people exposing shareholder fraud,” says Edward Ellis, a Littler Mendelson shareholder. “The ARB took an expansive reading of the statutory language and said it could be a report to any agency involving any fraud,” in this case, alleged tax fraud.
But the most startling finding was the board's assertion that the theft of confidential personal and business information may be protected activity, depending on the circumstances of the theft. Although the employee admitted to violating the company confidentiality policy and that his actions may have violated the Computer Fraud and Abuse Act, the board remanded the case to the ALJ to determine whether the company unlawfully retaliated against him.
Firing Offense
The case involves actions by Matthew Vannoy, a program administrator in Celanese Corp.'s employee expense reimbursement system. In February 2007, he filed an internal complaint asserting that abuse of the company's reimbursement system and misuse of corporate credit cards posed a financial risk to the company. Shortly thereafter, unbeknownst to the company, he retained an attorney to represent him in submitting information to the IRS Whistleblower Rewards Program. Employees who provide information through the program are eligible to collect up to 30 percent of whatever the IRS collects as a result.
While investigating complaints that Vannoy's communications with employees over expense account issues were confrontational, complaints that continued after he had been counseled to refer any difficult situations to a supervisor, the company suspended Vannoy with pay. His supervisor also decided to review Vannoy's sent emails to determine if he had continued to send inappropriate messages after the warning.
In the course of this review, the company found that Vannoy had sent a document containing 1,600 unique Social Security numbers of current and former Celanese employees to his domestic partner's personal computer. He was terminated in January 2008 for violating the company's confidentiality policy. The company turned information about the theft over to police, but no charges were filed.
Confidentiality Concerns
In a deposition for his retaliation case, Vannoy admitted that he was aware of the confidential nature of the information and had signed the company's confidentiality policy. He also said the information he turned over to the IRS included confidential business information, as well as the Social Security numbers.
“Here's why this decision is so concerning: You have a situation where an employee knowingly and intentionally violated a very clear company policy,” says Steven Pearlman, a partner at Seyfarth Shaw. “Companies have confidentiality policies for very legitimate reasons. There are real risks. What if the information was marketing plans for the next generation of business? If a competitor got access, it could cost the company irreparable damage, but the ARB appears to think that is not that big a deal.”
The ARB did acknowledge the tension between a legitimate company confidentiality program and whistleblower bounty programs, such as one recently implemented under the Dodd-Frank Act, that bar companies from enforcing confidentiality agreements to prevent whistleblowers from disclosing information to authorities, Pearlman adds.
But Westman notes that the decision did not focus on another tension inherent in whistleblower bounty programs—the incentive for employees to take confidential information to outside authorities rather than working to resolve the issues internally.
“This guy was personally motivated by money to take these documents outside the company,” Westman says. “The ARB is going out of its way to talk about the SEC and IRS bounty programs as good things, not pointing out that it conflicted the loyalty of this fellow and caused him to engage in a data breach.”
Loaded Dice
In remanding the case, the ARB directed the ALJ to conduct a hearing to determine whether the information Vannoy gave the IRS was the kind of “original information” Congress intended to protect when it passed SOX. It also called for a ruling on whether the “method of transfer” was protected “lawful” conduct under SOX, noting that Vannoy had not been prosecuted. Calling out the fact that Vannoy wasn't charged “is loading the dice for the ALJ, as far as I am concerned,” Pearlman says.
But Ellis emphasizes that the ARB did not say all theft of employer information to support a whistleblower claim is protected.
“They stop short of condoning criminal activity,” he says. “In this case they mention that the guy wasn't prosecuted, but it is not clear if they mean that to be the litmus test [of whether a whistleblower's action is lawful].”
While this case may ultimately be decided in favor of the company, it is a “bad omen” for employers, Westman says, particularly taken in context with other decisions by the ARB in the past year since appointees of Secretary of Labor Hilda Solis have controlled the board.
“Corporate counsel need to take whistleblower cases very seriously these days, because the ARB is really looking out for employees,” he says.
Firing an employee who steals confidential information, including the Social Security numbers of fellow employees, from the company's computer system wouldn't seem to be a risky proposition, particularly if he had signed a confidentiality agreement.
But in a decision that stunned employment defense lawyers, the Labor Department's Administrative Review Board (ARB) recently said an employee who took such information to support a whistleblower report may be protected from retaliation under the Sarbanes-Oxley Act (SOX). The ARB reversed an administrative law judge (ALJ) who granted summary judgment on the grounds that the company had legitimate, nonretaliatory reasons for the termination.
“The fact that they reversed summary judgment is aggressive and shows how far the ARB is willing to go to give the benefit of the doubt to employees,” says Daniel Westman, a partner at
In its Sept. 28, 2011, decision in Vannoy v. Celanese Corp., the ARB said that SOX's anti-retaliation provision protects employees who report alleged wrongdoing to the Internal Revenue Service (IRS) as well as the Securities and Exchange Commission (SEC) and other agencies that enforce securities laws. It also reiterated its position that the employee does not need to allege shareholder fraud to obtain protection.
“SOX's intent was to protect people exposing shareholder fraud,” says Edward Ellis, a
But the most startling finding was the board's assertion that the theft of confidential personal and business information may be protected activity, depending on the circumstances of the theft. Although the employee admitted to violating the company confidentiality policy and that his actions may have violated the Computer Fraud and Abuse Act, the board remanded the case to the ALJ to determine whether the company unlawfully retaliated against him.
Firing Offense
The case involves actions by Matthew Vannoy, a program administrator in Celanese Corp.'s employee expense reimbursement system. In February 2007, he filed an internal complaint asserting that abuse of the company's reimbursement system and misuse of corporate credit cards posed a financial risk to the company. Shortly thereafter, unbeknownst to the company, he retained an attorney to represent him in submitting information to the IRS Whistleblower Rewards Program. Employees who provide information through the program are eligible to collect up to 30 percent of whatever the IRS collects as a result.
While investigating complaints that Vannoy's communications with employees over expense account issues were confrontational, complaints that continued after he had been counseled to refer any difficult situations to a supervisor, the company suspended Vannoy with pay. His supervisor also decided to review Vannoy's sent emails to determine if he had continued to send inappropriate messages after the warning.
In the course of this review, the company found that Vannoy had sent a document containing 1,600 unique Social Security numbers of current and former Celanese employees to his domestic partner's personal computer. He was terminated in January 2008 for violating the company's confidentiality policy. The company turned information about the theft over to police, but no charges were filed.
Confidentiality Concerns
In a deposition for his retaliation case, Vannoy admitted that he was aware of the confidential nature of the information and had signed the company's confidentiality policy. He also said the information he turned over to the IRS included confidential business information, as well as the Social Security numbers.
“Here's why this decision is so concerning: You have a situation where an employee knowingly and intentionally violated a very clear company policy,” says Steven Pearlman, a partner at
The ARB did acknowledge the tension between a legitimate company confidentiality program and whistleblower bounty programs, such as one recently implemented under the Dodd-Frank Act, that bar companies from enforcing confidentiality agreements to prevent whistleblowers from disclosing information to authorities, Pearlman adds.
But Westman notes that the decision did not focus on another tension inherent in whistleblower bounty programs—the incentive for employees to take confidential information to outside authorities rather than working to resolve the issues internally.
“This guy was personally motivated by money to take these documents outside the company,” Westman says. “The ARB is going out of its way to talk about the SEC and IRS bounty programs as good things, not pointing out that it conflicted the loyalty of this fellow and caused him to engage in a data breach.”
Loaded Dice
In remanding the case, the ARB directed the ALJ to conduct a hearing to determine whether the information Vannoy gave the IRS was the kind of “original information” Congress intended to protect when it passed SOX. It also called for a ruling on whether the “method of transfer” was protected “lawful” conduct under SOX, noting that Vannoy had not been prosecuted. Calling out the fact that Vannoy wasn't charged “is loading the dice for the ALJ, as far as I am concerned,” Pearlman says.
But Ellis emphasizes that the ARB did not say all theft of employer information to support a whistleblower claim is protected.
“They stop short of condoning criminal activity,” he says. “In this case they mention that the guy wasn't prosecuted, but it is not clear if they mean that to be the litmus test [of whether a whistleblower's action is lawful].”
While this case may ultimately be decided in favor of the company, it is a “bad omen” for employers, Westman says, particularly taken in context with other decisions by the ARB in the past year since appointees of Secretary of Labor Hilda Solis have controlled the board.
“Corporate counsel need to take whistleblower cases very seriously these days, because the ARB is really looking out for employees,” he says.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllWhy Seemingly Simple Off-Channel Communication Rules Still Vex Finance Industry
5 minute readTrending Stories
- 1The Law Firm Disrupted: Playing the Talent Game to Win
- 2Preparing Your Law Firm for 2025: Smart Ways to Embrace AI & Other Technologies
- 3BD Settles Thousands of Bard Hernia Mesh Lawsuits
- 4GlaxoSmithKline Settles Most Zantac Lawsuits for $2.2B
- 5A&O Shearman Adopts 3-Level Lockstep Pay Model Amid Shift to All-Equity Partnership
Who Got The Work
Blank Rome partner Andrew T. Hambelton has stepped in to defend Fragrancenet.com in a pending trademark infringement lawsuit. The case, filed Aug. 29 in New York Southern District Court by the Blakely Law Group, targets the defendants for allegedly selling counterfeit fragrance products. The case, assigned to U.S. District Judge Lorna G. Schofield, is 1:24-cv-06521, Abercrombie & Fitch Trading Co. v. Quester (US) Enterprises, Inc. et al.
Who Got The Work
Davis Polk & Wardwell partners Mari Grace and Edmund Polubinski III have entered appearances for Australia-based Bitcoin-mining company Iris Energy and other defendants in a pending securities class action. The action, filed Oct. 7 in New York Eastern District Court by the Rosen Law Firm, contends that the defendants concealed the inadequacy of the company's site in Childress County, Texas, including it being 'ill-equipped' and unable to operate the company's proprietary design. The case, assigned to U.S. District Judge Peggy Kuo, is 1:24-cv-07046, Williams-Israel v. Iris Energy Limited et al.
Who Got The Work
Ryan S. Stippich of Reinhart Boerner Van Deuren has entered an appearance for biopharmaceutical company Veru Inc. and other defendants in a pending shareholder derivative lawsuit. The action, filed Sept. 30 in Wisconsin Western District Court by the Brown Law Firm on behalf of June Ovadias, accuses the defendant of failing to disclose that small sample sizes and other issues rendered it unlikely that the FDA would grant Emergency Use Authorization for the cancer drug candidate sabizabulin as a potential treatment for COVID-19. The case, assigned to U.S. District Judge William M. Conley, is 3:24-cv-00676, Ovadias, June v. Steiner, Mitchell et al.
Who Got The Work
Holland & Knight partners Cynthia A. Gierhart and Thomas Willcox Brooke have entered appearances for Pakistani American Political Action Committee and Rao Kamran Ali in a pending trademark infringement lawsuit. The action, filed Sept. 24 in District of Columbia District Court by Jackson Walker on behalf of Pakistani American Public Affairs Committee, accuses the defendants of using a mark that's confusingly similar to the plaintiff's 'Pak-Pac' marks without authorization. The case, assigned to U.S. District Judge Randolph D. Moss, is 1:24-cv-02727, Pakistani American Public Affairs Committee v. Pakistani American Political Action Committee et al.
Who Got The Work
Lauren M. Rosenberg and Yonatan Even of Cravath, Swaine & Moore have stepped in to represent Israel-based Oddity Tech Ltd. in a pending securities class action. The case, filed Aug. 30 in New York Southern District Court by Pomerantz LLP and Holzer & Holzer, contends that the defendant made materially misleading statements regarding the capability of Oddity's AI technology and ongoing civil litigation, resulting in the artifical inflation of the market price of Oddity's securities. The case, assigned to U.S. District Judge Margaret M. Garnett, is 1:24-cv-06571, Hoare v. Oddity Tech Ltd. et al.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250