Firing an employee who steals confidential information, including the Social Security numbers of fellow employees, from the company's computer system wouldn't seem to be a risky proposition, particularly if he had signed a confidentiality agreement.

But in a decision that stunned employment defense lawyers, the Labor Department's Administrative Review Board (ARB) recently said an employee who took such information to support a whistleblower report may be protected from retaliation under the Sarbanes-Oxley Act (SOX). The ARB reversed an administrative law judge (ALJ) who granted summary judgment on the grounds that the company had legitimate, nonretaliatory reasons for the termination.

“The fact that they reversed summary judgment is aggressive and shows how far the ARB is willing to go to give the benefit of the doubt to employees,” says Daniel Westman, a partner at Morrison Foerster.

In its Sept. 28, 2011, decision in Vannoy v. Celanese Corp., the ARB said that SOX's anti-retaliation provision protects employees who report alleged wrongdoing to the Internal Revenue Service (IRS) as well as the Securities and Exchange Commission (SEC) and other agencies that enforce securities laws. It also reiterated its position that the employee does not need to allege shareholder fraud to obtain protection.

“SOX's intent was to protect people exposing shareholder fraud,” says Edward Ellis, a Littler Mendelson shareholder. “The ARB took an expansive reading of the statutory language and said it could be a report to any agency involving any fraud,” in this case, alleged tax fraud.

But the most startling finding was the board's assertion that the theft of confidential personal and business information may be protected activity, depending on the circumstances of the theft. Although the employee admitted to violating the company confidentiality policy and that his actions may have violated the Computer Fraud and Abuse Act, the board remanded the case to the ALJ to determine whether the company unlawfully retaliated against him.

Firing Offense

The case involves actions by Matthew Vannoy, a program administrator in Celanese Corp.'s employee expense reimbursement system. In February 2007, he filed an internal complaint asserting that abuse of the company's reimbursement system and misuse of corporate credit cards posed a financial risk to the company. Shortly thereafter, unbeknownst to the company, he retained an attorney to represent him in submitting information to the IRS Whistleblower Rewards Program. Employees who provide information through the program are eligible to collect up to 30 percent of whatever the IRS collects as a result.

While investigating complaints that Vannoy's communications with employees over expense account issues were confrontational, complaints that continued after he had been counseled to refer any difficult situations to a supervisor, the company suspended Vannoy with pay. His supervisor also decided to review Vannoy's sent emails to determine if he had continued to send inappropriate messages after the warning.

In the course of this review, the company found that Vannoy had sent a document containing 1,600 unique Social Security numbers of current and former Celanese employees to his domestic partner's personal computer. He was terminated in January 2008 for violating the company's confidentiality policy. The company turned information about the theft over to police, but no charges were filed.

Confidentiality Concerns

In a deposition for his retaliation case, Vannoy admitted that he was aware of the confidential nature of the information and had signed the company's confidentiality policy. He also said the information he turned over to the IRS included confidential business information, as well as the Social Security numbers.

“Here's why this decision is so concerning: You have a situation where an employee knowingly and intentionally violated a very clear company policy,” says Steven Pearlman, a partner at Seyfarth Shaw. “Companies have confidentiality policies for very legitimate reasons. There are real risks. What if the information was marketing plans for the next generation of business? If a competitor got access, it could cost the company irreparable damage, but the ARB appears to think that is not that big a deal.”

The ARB did acknowledge the tension between a legitimate company confidentiality program and whistleblower bounty programs, such as one recently implemented under the Dodd-Frank Act, that bar companies from enforcing confidentiality agreements to prevent whistleblowers from disclosing information to authorities, Pearlman adds.

But Westman notes that the decision did not focus on another tension inherent in whistleblower bounty programs—the incentive for employees to take confidential information to outside authorities rather than working to resolve the issues internally.

“This guy was personally motivated by money to take these documents outside the company,” Westman says. “The ARB is going out of its way to talk about the SEC and IRS bounty programs as good things, not pointing out that it conflicted the loyalty of this fellow and caused him to engage in a data breach.”

Loaded Dice

In remanding the case, the ARB directed the ALJ to conduct a hearing to determine whether the information Vannoy gave the IRS was the kind of “original information” Congress intended to protect when it passed SOX. It also called for a ruling on whether the “method of transfer” was protected “lawful” conduct under SOX, noting that Vannoy had not been prosecuted. Calling out the fact that Vannoy wasn't charged “is loading the dice for the ALJ, as far as I am concerned,” Pearlman says.

But Ellis emphasizes that the ARB did not say all theft of employer information to support a whistleblower claim is protected.

“They stop short of condoning criminal activity,” he says. “In this case they mention that the guy wasn't prosecuted, but it is not clear if they mean that to be the litmus test [of whether a whistleblower's action is lawful].”

While this case may ultimately be decided in favor of the company, it is a “bad omen” for employers, Westman says, particularly taken in context with other decisions by the ARB in the past year since appointees of Secretary of Labor Hilda Solis have controlled the board.

“Corporate counsel need to take whistleblower cases very seriously these days, because the ARB is really looking out for employees,” he says.

Firing an employee who steals confidential information, including the Social Security numbers of fellow employees, from the company's computer system wouldn't seem to be a risky proposition, particularly if he had signed a confidentiality agreement.

But in a decision that stunned employment defense lawyers, the Labor Department's Administrative Review Board (ARB) recently said an employee who took such information to support a whistleblower report may be protected from retaliation under the Sarbanes-Oxley Act (SOX). The ARB reversed an administrative law judge (ALJ) who granted summary judgment on the grounds that the company had legitimate, nonretaliatory reasons for the termination.

“The fact that they reversed summary judgment is aggressive and shows how far the ARB is willing to go to give the benefit of the doubt to employees,” says Daniel Westman, a partner at Morrison Foerster.

In its Sept. 28, 2011, decision in Vannoy v. Celanese Corp., the ARB said that SOX's anti-retaliation provision protects employees who report alleged wrongdoing to the Internal Revenue Service (IRS) as well as the Securities and Exchange Commission (SEC) and other agencies that enforce securities laws. It also reiterated its position that the employee does not need to allege shareholder fraud to obtain protection.

“SOX's intent was to protect people exposing shareholder fraud,” says Edward Ellis, a Littler Mendelson shareholder. “The ARB took an expansive reading of the statutory language and said it could be a report to any agency involving any fraud,” in this case, alleged tax fraud.

But the most startling finding was the board's assertion that the theft of confidential personal and business information may be protected activity, depending on the circumstances of the theft. Although the employee admitted to violating the company confidentiality policy and that his actions may have violated the Computer Fraud and Abuse Act, the board remanded the case to the ALJ to determine whether the company unlawfully retaliated against him.

Firing Offense

The case involves actions by Matthew Vannoy, a program administrator in Celanese Corp.'s employee expense reimbursement system. In February 2007, he filed an internal complaint asserting that abuse of the company's reimbursement system and misuse of corporate credit cards posed a financial risk to the company. Shortly thereafter, unbeknownst to the company, he retained an attorney to represent him in submitting information to the IRS Whistleblower Rewards Program. Employees who provide information through the program are eligible to collect up to 30 percent of whatever the IRS collects as a result.

While investigating complaints that Vannoy's communications with employees over expense account issues were confrontational, complaints that continued after he had been counseled to refer any difficult situations to a supervisor, the company suspended Vannoy with pay. His supervisor also decided to review Vannoy's sent emails to determine if he had continued to send inappropriate messages after the warning.

In the course of this review, the company found that Vannoy had sent a document containing 1,600 unique Social Security numbers of current and former Celanese employees to his domestic partner's personal computer. He was terminated in January 2008 for violating the company's confidentiality policy. The company turned information about the theft over to police, but no charges were filed.

Confidentiality Concerns

In a deposition for his retaliation case, Vannoy admitted that he was aware of the confidential nature of the information and had signed the company's confidentiality policy. He also said the information he turned over to the IRS included confidential business information, as well as the Social Security numbers.

“Here's why this decision is so concerning: You have a situation where an employee knowingly and intentionally violated a very clear company policy,” says Steven Pearlman, a partner at Seyfarth Shaw. “Companies have confidentiality policies for very legitimate reasons. There are real risks. What if the information was marketing plans for the next generation of business? If a competitor got access, it could cost the company irreparable damage, but the ARB appears to think that is not that big a deal.”

The ARB did acknowledge the tension between a legitimate company confidentiality program and whistleblower bounty programs, such as one recently implemented under the Dodd-Frank Act, that bar companies from enforcing confidentiality agreements to prevent whistleblowers from disclosing information to authorities, Pearlman adds.

But Westman notes that the decision did not focus on another tension inherent in whistleblower bounty programs—the incentive for employees to take confidential information to outside authorities rather than working to resolve the issues internally.

“This guy was personally motivated by money to take these documents outside the company,” Westman says. “The ARB is going out of its way to talk about the SEC and IRS bounty programs as good things, not pointing out that it conflicted the loyalty of this fellow and caused him to engage in a data breach.”

Loaded Dice

In remanding the case, the ARB directed the ALJ to conduct a hearing to determine whether the information Vannoy gave the IRS was the kind of “original information” Congress intended to protect when it passed SOX. It also called for a ruling on whether the “method of transfer” was protected “lawful” conduct under SOX, noting that Vannoy had not been prosecuted. Calling out the fact that Vannoy wasn't charged “is loading the dice for the ALJ, as far as I am concerned,” Pearlman says.

But Ellis emphasizes that the ARB did not say all theft of employer information to support a whistleblower claim is protected.

“They stop short of condoning criminal activity,” he says. “In this case they mention that the guy wasn't prosecuted, but it is not clear if they mean that to be the litmus test [of whether a whistleblower's action is lawful].”

While this case may ultimately be decided in favor of the company, it is a “bad omen” for employers, Westman says, particularly taken in context with other decisions by the ARB in the past year since appointees of Secretary of Labor Hilda Solis have controlled the board.

“Corporate counsel need to take whistleblower cases very seriously these days, because the ARB is really looking out for employees,” he says.