Employment Partner & Co-chair of Orrick’s Whistleblowing Task Force Renee Phillips, and Cybersecurity & Data Privacy Associate Shea Leitch, recently authored an article in Corporate Counsel magazine titled “Cybersecurity Whistleblowing Is Murkier Than You May Think.”
The article covers the emerging issue of cybersecurity whistleblowing and discusses scenarios in which cybersecurity whistleblowers can step forward. In addition, the authors touch on best practices for companies when addressing internal complaints and how to mitigate potential scrutiny from regulatory agencies.
Two recent events may spur a rise in the number of high-quality whistleblower tips filed with the SEC. First, on August 30, 2016, the SEC announced that it had awarded a $22.4 million bounty to a former Monsanto financial executive, whose report of alleged accounting fraud led to the company’s $80 million settlement with the SEC in February. This recent award brings the total amount paid out to whistleblowers by the SEC since the inception of the bounty program in 2011 up to $107 million, more than half of which has been paid out in 2016 alone. This most recent award follows a string of seven- and eight-figure awards in 2016, most notably topping a $17 million bounty in June 2016, and is second in size only to a September 2014 award of $30 million. The $22.4 million award represents approximately 28% of Monsanto’s $80 million payment, just shy of the 30% award cap established for recoveries exceeding $1 million.
OSHA’s San Francisco region, which includes California, Nevada, and Arizona, launched a new pilot program on August 1, 2016 that would allow complainants, under certain circumstances, to ask OSHA to cease its investigation and issue findings for an ALJ to consider. The program is an effort to process cases more quickly in the region. For a case to qualify for expedited treatment, the investigator must first interview the complainant, allow the respondent the opportunity to submit its position statement, meet with OSHA, and present statements from witnesses if so desired, and allow the complainant an opportunity to respond to the respondent’s submission.
Today, the SEC announced that an Atlanta-based company, BlueLinx Holdings, is settling charges that its severance agreements contained provisions that in its view might impede employees from communicating directly with the SEC about possible securities law violations. The company has agreed to pay a $265,000 sanction and to engage in other corrective actions as described below.
The specific provision at issue provided:
- Employee further acknowledges and agrees that nothing in this Agreement prevents Employee from filing a charge with…the Equal Employment Opportunity Commission, the National Labor Relations Board, the Occupational Safety and Health Administration, the Securities and Exchange Commission or any other administrative agency if applicable law requires that Employee be permitted to do so; however, Employee understands and agrees that Employee is waiving the right to any monetary recovery in connection with any such complaint or charge that Employee may file with an administrative agency. (Emphasis added.)
With respect to this bounty waiver, the Commission stated that “by requiring its departing employees to forgo any monetary recovery in connection with providing information to the Commission, BlueLinx removed the critically important financial incentives that are intended to encourage persons to communicate directly with the Commission staff about possible securities law violations.”
Last week, Germany’s Financial Supervisory Authority (BaFin) unveiled a centralized platform for receiving whistleblower complaints, including anonymous complaints, of alleged violations of supervisory provisions within the financial sector. The move appears to represent a shift in German ideology toward a more favorable view of anonymous reporting, which for many years was discouraged in Germany and more broadly in the EU due to the risk of “organized systems of denouncement.” Under the new program, whistleblowers may submit reports in writing (on paper or electronically), by phone (with or without recording the conversation), or verbally. BaFin’s press release announcing the program states that it will make the anonymity of whistleblowers a “top priority,” and that it will not pass on the identity of whistleblowers to third parties. The program is “aimed at persons with a special knowledge of a company’s internal affairs – for example because they are employed there or have some other contractual relationship or relationship of trust with the company.”
BaFin was required to implement this new platform due to an amendment to the German Act on Financial Services Supervision. Notably, the Act only applies to the financial services sector, not including external accountants, tax consultants and attorneys. It provides that employees working in the financial services sector may not be held liable for reporting potential or actual breaches of law under either employment law or criminal law, unless the report was false or grossly negligent.
Last Friday, the SEC announced a whistleblower award of more than $3.5 million to an employee whose tip advanced an SEC investigation into the whistleblower’s company. According to the Order, while the information the whistleblower provided did not cause the SEC to open a new line of inquiry, the information “significantly contributed” to the SEC’s ongoing investigation by focusing the Commission on a particular issue and providing the agency with additional settlement leverage during its negotiations with the company.
The Ontario Securities Commission (“OSC”), Canada’s largest securities regulator, has proposed establishing its own whistleblower program for individuals to report suspected securities fraud, marking Canada’s first foray into establishing such a system.
With the rise of the cybersecurity whistleblower, there is a growing trend of whistleblower-initiated regulatory investigations. In this Law360 article, Orrick attorneys Renee Phillips, Aravind Swaminathan, and Shea Leitch examine the DOJ’s investigation, prompted by a cybersecurity whistleblower, into whether Tiversa Holding Corp. provided false information to the Federal Trade Commission about data breaches at companies that declined to purchase its data protection services. The article discusses what companies can do to protect themselves against this growing risk.
The Department of Labor’s Administrative Review Board (“ARB”) recently upheld an order finding a semiconductor company had constructively discharged a manager who complained the company’s bonus plan violated state wage and hour laws, and in doing so, broadly interpreted the protections offered under the Sarbanes-Oxley Act (“SOX” or “Act”).
Relevant firms in the UK have until March 7, 2016 to appoint a “whistleblowers’ champion,” who then has until September 7, 2016 to oversee their firm’s readiness for the new whistleblowing regime.
The new whistleblowing regime: why make the change?
Since the 2013 Parliamentary Commission on Banking Standards recommendations were published in the UK, the Financial Conduct Authority (“FCA”) has been examining ways to ensure that individuals working in financial services feel able and encouraged to speak up when they have concerns to avoid the same financial scandals of the past.