Maintaining Whistleblower Confidentiality Required Under SOX
An employee complains to HR that required accounting procedures are not being followed. You take immediate steps to respond: you notify the audit committee and several of the employee’s co-workers in the accounting department, telling them that this employee has complained of improper accounting practices and that an investigation is being conducted and directing them to retain potentially relevant documents. You have done the right thing by responding since you are obligated to comply with the Sarbanes-Oxley Act (SOX) and investigate a report of questionable accounting practices, as well as to be diligent in meeting your company’s document retention obligations. However, according to a recent ruling by the Administrative Review Board (ARB) of the U.S. Department of Labor (DOL), you have potentially retaliated against the employee under SOX by breaching her confidentiality.
In its decision, the ARB held that SOX provides greater protections to corporate whistleblowers than Title VII of the Civil Rights Act provides to employees who complain of discrimination. The ARB determined that "adverse action" under SOX is substantially broader than the meaning of the same term under Title VII, finding that an employer’s disclosure of a whistleblower’s identity was an adverse action. This employee-friendly decision reflects the DOL’s trend of expanding employees’ workplace rights and establishing broader protections for SOX whistleblowers.
The Facts
Anthony Menendez worked as a director of technical accounting research and training for his company. Upon review of certain financial statements, Menendez raised concerns about the company’s accounting practices with his supervisor, the Chief Accounting Officer, and later with the VP of Financial Controls, who told him to contact the company’s Audit Committee under SOX. Menendez then confidentially reported to the Securities and Exchange Commission (SEC) that the company, with knowledge of its external auditor, was "engaging in ‘questionable’ accounting practices with respect to revenue recognition." Several months later, Menendez emailed the Audit Committee to report his belief that the company’s revenue recognition and joint venture accounting practices violated general accounting principles. Despite the company’s policy assuring confidentiality, the email was forwarded to the company’s General Counsel and Chief Financial Officer, who in turn sent it to other executives and an external auditor. Soon thereafter, the SEC informed the company that it was initiating an investigation. The General Counsel then notified company management officials that the SEC had opened an investigation, instructed them to preserve and retain certain documents and information, and identified Menendez as the complainant.
Following the revelation of Menendez’s identity as a whistleblower, his co-workers and outside auditors (with whom he had worked closely) avoided communications with him. Menendez ultimately requested and was granted six months paid leave. While Menendez was on leave, the SEC and Audit Committee completed their investigations, concluding that his complaints had no merit. The company then directed Menendez to return to work. The day before he was scheduled to return to work, Menendez resigned. He then filed a complaint with the DOL under the whistleblower protection provision of SOX, alleging that the company retaliated against him because he complained to the Audit Committee and the SEC.
The Findings
A DOL Administrative Law Judge (ALJ) found that Menendez engaged in protected activity under SOX but dismissed his complaint because he failed to prove that the company had taken any adverse action against him, analyzing "adverse action" under Title VII’s interpretation of the term. On appeal, the ARB overturned the ALJ’s conclusion and concluded that the company’s breach of Menendez’s confidentiality was, in fact, an adverse action.
Examining the statutory language and legislative intent of SOX, the ARB held that, because SOX explicitly prohibits non-tangible activity, the term "adverse action" is "not limited to economic or employment-related activities" and should be construed to "prohibit a very broad spectrum of adverse action against SOX whistleblowers." The ARB reasoned that whistleblowers are one of the most valuable sources for internal reporting of corporate misconduct and found that allowing an employer to reveal the identity of an employee who reports questionable accounting or auditing practices would chill whistleblower activity and undermine SOX’s overall purpose.
The company argued, and the ALJ agreed, that the people who received the communication learning of Menendez’s identity would likely have already known he was the complainant. However, the ARB determined that because SOX requires publically-traded companies to establish procedures for the confidential and anonymous submission of concerns regarding questionable accounting matters, Menendez’s right to confidentiality was a "term and condition" of employment and that breach of such confidentiality (i.e., the act of disclosing the complainant’s identity) is an adverse action. The ARB also determined that isolation and loss of professional advancement opportunities were not separate adverse actions but instead were "fallout, inextricably connected to the disclosure of Menendez’s identity" that could be considered in measuring Menendez’s potential damages.
The Lesson After Menendez
Under this standard, publicly traded companies should exercise extreme caution when contemplating actions that could have a detrimental effect on an employee who has raised a SOX whistleblower complaint. Otherwise, the employer could be found to have engaged in an adverse action, even if those actions do not detrimentally affect the employee’s wages, benefits, or status with the company (such as termination, demotion, discipline, and pay decreases), as adverse action has been traditionally defined. As this case points out, the mere disclosure of the whistleblower’s identity constitutes an adverse action under SOX.
Notably, an employer’s duty to protect the confidentiality of a whistleblower’s identity causes some obvious tension with a company’s document preservation obligations in SOX cases. Numerous individuals, including the audit committee, company executives and officials, and external auditors and consultants, must be notified of the SOX claim to ensure preservation of relevant documents. However, this must be done in a manner that does not disclose the identity of the whistleblower.
In light of Menendez, publicly traded companies should: (i) review and update policies protecting the identity of whistleblowers, ensuring that they comply with SOX’s mandate to establish procedures for the confidential and anonymous reporting by employees; (ii) consider training employees who could potentially receive reports from whistleblowers to carefully comply with such policies and not disclose the identity of the whistleblower; (iii) in issuing document retention notices, notify only those individuals who possess potentially relevant materials and who need to know of the company’s obligation to preserve such information; and (iv) keep confidential the identity of the complainant. Indeed, not only can civil liability be imposed on employers who breach a whistleblower’s confidentiality, but, based on a recent decision by the Seventh Circuit Court of Appeals, employers and individual managers may face potential criminal liability under the Racketeer Influenced and Corrupt Organizations Act (RICO) if their actions are viewed as retaliation against a complainant under SOX.