SOX Gone Wild: Misappropriation and Transmission of Confidential Company/Employee Data to the Government Protected under SOX


A whistleblower who took sensitive company data from his employer and turned it over to the IRS has won his retaliation claim at the Department of Labor under the Sarbanes-Oxley Act’s (“SOX”) whistleblower protection provisions. In Vannoy v. Celanese Corp., ALJ Case No. 2008-SOX-00064, ARB Case No. 09-118 (ALJ July 24, 2013), an Administrative Law Judge was presented with the question of whether Vannoy’s removal of highly sensitive company data and transmission of that data to the IRS constituted protected activity under SOX. Vannoy, who was formerly employed as the administrator of Celanese’s corporate credit card program, first allegedly complained internally that the company “misstated their financial records and underestimated their required tax burden potentially in millions.” Vannoy sought legal counsel and eventually reported the company’s alleged accounting misconduct to the IRS. 

Vannoy’s Disclosures to IRS Covered under SOX

The ALJ determined that Vannoy had “alleged accounting discrepancies that he reasonably believed related to noncompliance with federal securities laws and fraud generally.” The ALJ stated, “[w]hile Vannoy may not have asserted a claim of shareholder fraud specifically, under SOX he need not do so to sustain his claim of a SOX violation.” Vannoy’s complaints regarding the company’s accounting practices made both internally and to the IRS were sufficient to support the reasonableness of his belief that the company was engaging in misconduct that constituted a SOX-enumerated violation.

In so holding, the ALJ dismissed the company’s argument that Vannoy’s actions did not constitute protected activity because he acted unlawfully or wrongfully by transferring documents containing Personally Identifiable Information (“PII”), including employee social security numbers, outside of the company. The ALJ noted that the ARB “recognized the conflict that exists between a company’s legitimate business interest in protecting confidential information and the potential need for such information that has arisen as a result of the whistleblower bounty programs created by Congress and that incentivizes the disclosure of confidential company information in furtherance of enforcement of tax and securities laws.” The ALJ found that Vannoy’s sole purpose in removing confidential data from Celanese was to support his whistleblower complaints. Because “all such actions were taken in full support” of his internal and IRS complaints, Vannoy’s actions constituted protected activity for purposes of SOX.

Vannoy’s Protected Activity a Contributing Factor in His Termination

The ALJ further held that Vannoy’s protected activity was a contributing factor in his termination, and rejected Celanese’s contention that it would have terminated Vannoy even in the absence of the protected activity because of his misappropriation and disclosure of confidential company data.

Celanese Ordered to Pay Damages

The ALJ ordered Celanese to pay approximately $271,000 in back pay, with interest, $25,000 in emotional distress damages, over $84,000 in front pay, and costs and expenses including reasonable attorneys fees. The ALJ noted that reinstatement is the preferred remedy in SOX cases, but held that Vannoy could not be reinstated because Celanese had transferred the operations he used to perform overseas.

Troubling Implications for Employers

The ALJ’s decision in Vannoy is just the latest in a string of highly troubling SOX decisions that has emerged from the Department of Labor in the last two years, and creates enormous challenges for companies who attempt to safeguard their confidential Company and employee information. Companies have a critical interest in preventing the removal and disclosure of their confidential and proprietary information, and often have broad policies in place to prohibit such conduct. However, if an employee removes such data solely for the purpose of making a whistleblower complaint, it may be deemed protected activity such that a resulting termination could be held unlawful. Adding to the difficulty, companies will often have no way to know whether an employee has removed such data solely in furtherance of a whistleblower complaint. Employees may not be required to reveal such information to their employers, as anonymous reporting is protected under SOX and Dodd-Frank. This puts companies in an untenable position: either allow their confidential information to be put at risk, or risk a whistleblower retaliation lawsuit. Employers should exercise extreme caution in this area and should consider revisiting and clarifying their confidentiality policies in light of the Vannoy decision.