Protecting whistleblowers: Sarbanes-Oxley’s “Protected Activity” requirement

Responding to bogus defense attempts to unduly narrow the scope of SOX-protected activity

David M. deRubertis
2014 June

In December 2001, Enron filed the then-largest Chapter 11 bankruptcy in United States history. Enron’s collapse was the result of widespread accounting malfeasance. Among other things, Enron – with knowledge and approval of its accountants, auditors and lawyers – “had used thousands of off-the-books entities to overstate corporate profits, understate corporate debt and inflate Enron’s stock price.” (Committee Reports of 107th Congress (2001-2002), Senate Report 107-146, at 2.) As Congress held hearings to investigate what led to Enron’s collapse, one of the many disturbing findings was that corporate whistleblowers lacked any legal protection in certain states:

In a variety of instances when corporate employees at both Enron and Anderson [Enron’s outside auditing firm] attempted to report or “blow the whistle” on fraud, they were discouraged at nearly every turn. For instance, a shocking e-mail responds to a request for legal advice after a senior Enron employee, Sherron Watkins, tried to report accounting irregularities at the highest levels of the company in late August 2001. The outside lawyers counseled Enron, in pertinent part, as follows:

You asked that I include in this communication a summary of the possible risks associated with discharging (or constructively discharging) employees who report allegations of improper accounting practices: 1. Texas law does not currently protect corporate whistleblowers. The Supreme Court has twice declined to create a cause of action for whistleblowers who are discharged....

In other words, after this high level employee at Enron reported improper accounting practices, Enron did not consider firing Anderson; rather, the company sought advice on the legality of discharging the whistleblower. Of course, Enron’s lawyers would claim that they merely provided their client with accurate legal advice – there is no protection for corporate whistleblowers under Texas law. In the end, Ms. Watkins did not report the matter to the authorities until after she had been subpoenaed, and after “tons” of documents had been destroyed.

(Id. at 4-5.)

Congress was troubled by the fact that “[c]orporate employees who report fraud are subject to the patchwork and vagaries of current state laws” such that “a whistleblowing employee in one state may be far more vulnerable to retaliation than a fellow employee in another state who takes the same actions.” (Id. at 10.) It found that “[t]his is a significant deficiency because often, in complex fraud prosecutions, these insiders are the only firsthand witnesses to the fraud” and “the only people who can testify as to ‘who knew what, and when,’ crucial questions....” (Ibid.) In part to address this gaping hole of protection provided by state law, Congress passed and, on July 30, 2002, President George W. Bush signed into law, the Corporate and Criminal Fraud Accountability Act of 2002, commonly known as the Sarbanes-Oxley Act of 2002 (“SOX”).

SOX’s Section 806 protects employees of publicly traded companies or employees of their private contractors or subcontractors from retaliation for making disclosures of reasonably believed violations of certain enumerated fraud or securities laws. (18 U.S.C. §1514A; Lawson v. FMR, LLC (2014) 134 S.Ct. 1158, 1161 [Section 806’s anti-retaliation provisions protect employees of private contractors or subcontractors who serve public companies].) SOX’s whistleblower anti-retaliation provisions state that covered employers may not “discharge, demote, suspend, threaten, harass, or in any other manner discriminate against an employee in the terms and conditions of employment because of any lawful act done by the employee”:

... (1) to provide information, cause information to be provided, or otherwise assist in an investigation regarding any conduct which the employee reasonably believes constitutes a violation of sections 1341, 1343, 1344, or 1348, any rule or regulation of the Securities and Exchange Commission, or any provision of Federal Law relating to fraud against shareholders, when the information or assistance is provided to or the investigation is conducted by –

(A) a Federal regulatory or law enforcement agency;

(B) any Member of Congress or any committee of Congress; or

(C) a person with supervisory authority over the employee (or such other person working for the employer who has the authority to investigate, discover, or terminate misconduct); or

(2) to file, cause to be filed, testify, participate in, or otherwise assist in a proceeding filed or about to be filed (with any knowledge of the employer) relating to an alleged violation of section 1341, 1343, 1344, or 1348, any rule or regulation of the Securities and Exchange Commission, or any provision of Federal law relating to fraud against shareholders.

(18 U.S.C. § 1514A(a)(1), (2).)

Thus, in addition to providing an anti-retaliation provision for participating in an official investigation or one about to be filed, SOX also protects against retaliation for internal disclosures made directly to the employer relating to six enumerated categories of potential violations: (1) mail fraud under section 1341; (2) wire fraud under section 1343; (3) bank fraud under section 1344; (4) securities fraud under section 1348; (5) any rule or regulation of the Securities and Exchange Commission (“SEC”); or (6) any provision of federal law relating to fraud against shareholders. (Van Asdale v. International Game Tech. (9th Cir. 2009) 577 F.3d 989, 996.)

When SOX was passed, corporate whistleblowers took a sigh of relief. But, unfortunately, in the years that followed, some courts and administrative law judges began to interpret SOX’s protected activity provisions so narrowly as to defeat the robust protections that Congress intended to provide corporate whistleblowers. This article will discuss some of these decisions and offer tips on how to handle them.

The basic requirements of SOX’s protected activity prong

SOX does not require that the concerns disclosed by the whistleblower were actually illegal. Instead, “[t]o encourage disclosure, Congress chose statutory language which ensures that ‘an employee’s reasonable but mistaken belief that an employer engaged in conduct that constitutes a violation [of a SOX enumerated statute or rule] is protected.’” (Van Asdale, supra, 577 F.3d at 1001 [italics added].)

The “reasonable belief” standard has both an objective and a subjective component. (Van Asdale, supra, 577 F.3d at 1000.) “Objective reasonableness is evaluated based upon the knowledge available to a reasonable person with the same training and experience.” (Prioleau v. Sikorsky Aircraft Corp. (Nov. 9, 2011) ARB No. 10-060; 2011 WL 6122422, *6.) The subjective component requires that the whistleblower actually held “a subjective belief that the conduct being reported violated a listed law.” (Van Asdale, supra, 577 F.3d at 1000.)

Countering defense attempts to unduly narrow the scope of SOX-protected activity

Proof of an “existing” as opposed to “future” or “potential” violation

One common defense strategy to try to unduly narrow SOX’s protected activity provision is to assert that the whistleblower must have a reasonable belief of an existing violation, rather than a reasonable concern that a violation may happen in the future. Taken to its extreme, the employer argues that if the whistleblower’s disclosure stopped the potential violation from occurring, it was not a report of an existing violation and is not protected. Under this reasoning, successful whistleblowing that actually prevents a violation from occurring is not protected. As contrary as this result is to the SOX policy of encouraging internal reporting to deter violations from occurring, decisions requiring proof of an existing violation seem at first blush to lend support to this position. (See e.g., Livingston v. Wyeth, Inc. (4th Cir. 2008) 520 F.3d 344, 352; Walton v. Nova Info. Sys. (E.D. Tenn. Apr. 11, 2008) No. 3:06-CV-292; 2008 WL 1751525, **8-9.)

Livingston illustrates these decisions. There, the whistleblower disclosed that his employer was going to miss an internal deadline for implementing a compliance procedure required by federal law relating to its manufacturing processes. (Livingston, supra, 520 F.3d at 346-347.) Previously, the company had suffered negative regulatory action taken against it for non-compliance with the required manufacturing processes and, consequently, entered into a consent decree with the Food and Drug Administration (“FDA”). The whistleblower reported internally that: the company was going to miss the deadline for implementing the compliance procedure; this failure would render it at risk for similar regulatory action as occurred in the past; failing to disclose these facts to shareholders or auditors would be misleading; and management sent a message that it intended to hide these facts from auditors. (Id. at 347-349.)

The company conducted an internal investigation which concluded that no violation occurred – partly because the company did meet the compliance deadline that the whistleblower believed would not be met. The Fourth Circuit held that the whistleblower’s reports were not protected because “the statute requires Livingston to have held a reasonable belief about an existing violation, inasmuch as the violation requirement is stated in the present tense: a plaintiff’s complaint must be ‘regarding any conduct which [he] reasonably believes constitutes a violation of [the relevant laws].’” (Id. at 352 [original italics].) The appellate court stated that to satisfy the “existing violation” requirement it was imposing, the “reasonable belief that a violation has occurred or is in progress” cannot be based on “a belief that a violation is about to happen upon some future contingency.” (Ibid.) The court reasoned that the disclosures were not of an “existing violation” be-cause they presumed future contingencies would need to occur before an actual violation had occurred. (Id. at 353-356.)

There are fundamental problems with the reasoning of cases like Livingston: “Requiring an employee to essentially prove the existence of fraud before suggesting the need for an investigation would hardly be consistent with Congress’s goal of encouraging disclosure.” (Van Asdale, supra, 577 F.3d at 1002.) Rather, a key policy underlying SOX’s anti-retaliation provision is encouraging corporate insiders to disclose reasonably suspected impending violations to prevent (and, if it already began, to contain or stop) the violation. But if the whistle cannot be blown until the violation has already begun to occur, the corporate insider cannot safely report the potential impending violation to stop it in its tracks. This remedial statute cannot be given such a narrow construction – particularly one that defeats key statutory policies. (Morefield, supra, 2004 WL 5030303 at *2 [“[I]t does not serve the purposes or policies of the act to take too pinched a view of this remedial statute when it comes to protecting those in an organization who can address the concerns Congress sought to correct.”].)

Fortunately, other courts and the Administrative Review Board (“ARB”) (the administrative agency with final decision-making authority in SOX cases pursued administratively) have rejected the flawed logic of cases like Livingston. (Smith v. Corning, Inc. (W.D. N.Y. 2007) 496 F.Supp.2d 244; Sylvester v. Parexel Int’l LLC (ARB May 25, 2011) ARB Case No. 07-123, ALJ Case Nos. 2007-SOX-39, 2007-SOX-42, 2011 WL 2165854; Van Asdale, supra, 577 F.3d at 1002.)

In Smith, the employer asserted that the employee’s disclosures were not SOX-protected because they “only pertain to the potential for fraud occurring in the future.” (Smith, supra, 496 F.Supp.2d at 249.) According to the employer, “Smith alleges that he reported supposed concerns about future risks; as opposed to present fraudulent violations.” (Ibid.) The employer argued that “[t]here is a crucial distinction [for SOX-protected activity purposes] between conduct that is alleged to be fraud and conduct that is alleged to place the employer at greater risk.” (Ibid.) Rejecting the employer’s position, the court declined to impose a requirement that the employee prove that the disclosure related to an existing violation, finding instead that the allegations that the conduct reported “would have resulted in the issuance of incorrect quarterly reports” to the SEC if not corrected was sufficient to establish SOX-protected activity. (Id. at 248-249.)

Likewise, in Sylvester, the ARB directly rejected the rationale of the Livingston line of cases. There, the administrative law judge (“ALJ”) had held that “‘until enforcement action is taken,’ allegations that Parexel engaged in fraud ‘are speculative and deemed insufficiently material to [Parexel’s] financial picture to form a basis for securities fraud or to affect shareholder investment decisions.’” (Sylvester, supra, 2011 WL 2165854 at *13.) The ARB emphatically rejected this standard finding that the ALJ erred by requiring that the whistleblower allege that “an illegal act had already taken place” by the time of the internal disclosures:

A whistleblower concerning a violation about to be committed is protected as long as the employee reasonably believes that the violation is likely to happen. Such a belief must be grounded in facts known to the employee, but the employee need not wait until a law has actually been broken to safely register his or her concern. (Ibid.)

As a reasonable construction of the statute by the agency charged with enforcing it which is faithful to the policies underlying SOX, Sylvester should be given deference under Chevron U.S.A, Inc. v. Natural Resources Defense Council, Inc. (1984) 467 U.S. 837.

The “definitively and specifically” standard

Many corporate insiders realize that “something is going wrong” or that the employer is engaging in practices the employee suspects are improper, but the employee either lacks knowledge of the specific law being violated or describes the violation in general (non-technical or legally specific) terms. Given these and other realities, another common defense approach is to assert that the disclosure must “‘definitively and specifically’ relate to one of the listed categories of fraud or securities violation under 18 U.S.C. § 1514A(a)(1).” (Van Asdale, supra, 577 F.3d at 996-997.) From this, the employer argues that the employee’s disclosures were insufficiently clear and specific to alert the employer to a SOX-concern. The “definitively and specifically” standard requires the whistleblower to “show that his communications to his employer definitively and specifically relate to one of the laws listed in § 1514A.” (Day v. Staples, Inc. (1st Cir. 2009) 555 F.3d 42, 55; see also Harp v. Charter Communications, Inc. (7th Cir. 2009) 558 F.3d 722, 725.) Taken to its extreme, employers will argue that if the disclosure is not excruciatingly specific – even legalistic – in either pointing out the law being violated or, at least, giving proof of all facts that would establish an actual violation of one of the enumerated laws (rather than a reasonable belief a violation was occurring even in the absence of concrete evidence on each element required to establish the violation), then the employee’s disclosure is not protected.

There are two responses to this tactic.

• First, the better-reasoned and more current cases reject this “definitively and specifically” standard, the genesis of which was the ARB’s decision in Platone v. FLYi, Inc. (ARB Sept. 29, 2006) ARB Case No. 04-154, 2003-SOX-27, at *2. After Platone, the ARB reversed itself and rejected Platone’s “definitely and specifically” requirement as having “evolved into an inappropriate test” which “is often applied too strictly.” (Sylvester, supra, 2011 WL 2165854 at *15.) According to Sylvester, the “definitively and specifically” test of Platone has created “a heightened evidentiary standard espoused in case law but absent from the SOX itself.” (Ibid.) Thus, since Sylvester, the ARB has consistently rejected it. (Mara v. Sempra Energy Trading, LLC (ARB June 28, 2011) ARB Case No. 10-051, 2009-SOX-18 at **8-10; Inman v. Fannie Mae (ARB June 28, 2011) ARB Case No. 08-060, 2007-SOX-47 at *7.)

Despite this clear reversal by the ARB, employers in California inevitably note that the Ninth Circuit embraced the “definitively and specifically” standard in Van Asdale and assert that district courts within the Ninth Circuit are thus bound by it. (Van Asdale, supra, 577 F.3d at 996-997.) But a closer reading of Van Asdale disproves this view. Van Asdale noted that the genesis of the “definitively and specifically” standard was the ARB’s decision in Platone, that three other circuits’ courts of appeal that considered the issue followed the ARB’s interpretation and, thus, Van Asdale “similarly defer[red] to the ARB’s reasonable interpretation of the statute...” (Van Asdale, supra, 577 F.3d at 996-997.) Because Van Asdale adopted this standard by granting Chevron deference to the ARB’s reasonable administrative construction of the statute, the ARB’s reversal of its position should likewise be accepted by the Ninth Circuit: “In Sylvester, the ARB abandoned the ‘definitive and specific’ standard announced in Platone. ... We conclude the ARB’s rejection of Platone’s ‘definitive and specific’ standard is entitled to Chevron deference.” (Wiest v. Lynch (3rd Cir. 2013) 710 F.3d 121, 129 & 131.)

• Second, if the court nonetheless feels bound by Van Asdale and requires that the employee’s disclosure “definitively and specifically” relate to one of the enumerated violations, this does not mean that the employee must have specifically identified what law was being violated or used any legal “buzzwords.” Van Asdale rejected the argument that the disclosure must use the word “fraud” or other similar words:

To be sure, Brown testified that she did not believe Shawn used the words “fraud,” “fraud on shareholders,” or “stock fraud” and she could only say that Shawn “may have” used the term “Sarbanes-Oxley” or “SOX”; the record similarly contains no evidence that Shawn used any such language in his conversation with Pennington. However, as the Fourth Circuit has recognized, “[a]n employee need not cite a code section he believes was violated” to trigger the protections of §1514A.

(Welch, 536 F.3d at 276 (internal quotation marks omitted).) (Van Asdale, 577 F.3d at 997; see also Day, supra, 555 F.3d at 56 [employee “need not reference a specific statute”].)

Thus, even if the “definitively and specifically” standard is applied, the disclosure “need not have specifically identified the law or regulations” believed to have been violated; rather, it “must be specific in relation to a given practice, condition, directive, or event.” (Tice v. Bristol-Myers Squibb Co. (ALJ Apr. 26, 2006) 2006-SOX-20 at *17.) Stated differently, the key question is whether the facts disclosed would sufficiently alert the employer to the fact that what was being disclosed was a potential SOX issue, not whether the employee clearly identified and described all necessary facts to state a violation or identified the particular violation or underlying legal theory.

Reporting as part of one’s regular job duties

Another attempt to unduly narrow SOX’s protected activity provisions is to assert that an employee who makes a disclosure as part of carrying out his or her job duties does not engage in SOX-protected activity. Initially, some administrative law judges had accepted this defense argument. (See e.g., Andrews v. ING N. Am. Ins. Corp. (ALJ Jan. 8, 2009) 2005-SOX-50, 2005-SOX-51; Williams-Wilson v. NDC Health Corp. (ALJ Jan. 31, 2007) 2005-SOX-97.) The irony of these rulings is that they would mean that those who are most likely to have inside corporate information about SOX-related violations (e.g., controllers, accountants, financial executives, etc.) would fall outside of SOX’s protection if they reported SOX violations. That is, the very individuals SOX most likely was enacted to protect would fall outside of its protection. Fortunately, the ARB has since clarified that disclosures made as part of doing one’s regular job duties can be SOX-protected. (Robinson v. Morgan Stanley (ARB Jan. 10, 2010) ARB Case No. 07-070, ALJ Case No. 2005-SOX-44, at 13-14.) In Robinson, the ARB held that section 1514A does not require “that an employee’s report or complaint about a potential violation must involve actions outside the complainant’s assigned duties.” (Robinson, supra, ARB Case No. 07-070 at 13-14.)

Predicating a SOX claim on reports of violations, or attempted violations, of internal accounting controls

SOX’s fifth and sixth enumerated violations are reasonably suspected violations of “any rule or regulation of the Securities and Exchange Commission, or any provision of Federal Law relating to fraud against shareholders....” (18 U.S.C. §1514A(a)(1).) Both the rules and regulations of the SEC, and federal law relating to fraud against shareholders, require that publicly traded companies devise, maintain and follow internal accounting controls. (15 U.S.C. §78m(b)(2)(B); 17 C.F.R. §240.13a-15(f).) Federal law also makes it unlawful to try to “knowingly circumvent or knowingly fail to implement a system of internal accounting controls or knowingly falsify any book, record, or account described in paragraph 2.” (15 U.S.C. § 78m(b)(3)(5).)

Another way to ensure appropriately broad anti-retaliation protection under SOX – consistent with Congressional intent – is to consider whether the conduct reported was an actual or attempted internal control violation. Courts and the ARB consistently recognize that disclosures of violations, or attempted violations of internal controls, may constitute SOX-protected activity. (See e.g., Collins v. Beazer Homes USA, Inc. (N.D. Georgia 2004) 334 F.Supp.2d 1365, 1377 [SOX-protected activity based on disclosures alleging “attempts to circumvent the company’s system of internal accounting controls” which “state a violation of Section 13 of the Exchange Act.”]; Bishop v. PCS Admin (N.D. Ill. May 23, 2006) No. 05-C-5683, 2006 WL 1460032, **8-9 [disclosure of attempt to violate internal control may constitute SOX-protected activity]; Feldman v. Law Enforcement Associates Corp. (E.D. N.C. 2011) 779 F.Supp.2d 472, 492; Hemphill v. Celanese Corp. (5th Cir. 2011) 430 Fed.Appx. 341, 344 fn. 3; Smith, 496 F.Supp.2d at 248-250; Sequeira v. KB Home (S.D. Tex. 2009) 716 F.Supp.2d 539, 554; Morefield v. Exelon Services, Inc. (Jan. 28, 2004) 2004-SOX-2; 2004 WL 5030303, *6; Klopfenstein v. PCC Flow Technologies Holdings, Inc. (May 31, 2006) ARB No. 04-149; 2006 WL 3246904, *12; Leznik v. Nektar Therapeutics, Inc. (Nov. 16, 2007) 2006-SOX-93; 2007 WL 5596626, **6-7; Mallory v. JPMorgan Chase & Co. (Nov. 20, 2009) 2009-SOX-29; 2009 WL 6470454, *30.)

Internal controls are defined as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.” (Committee of Sponsoring Organizations of the Treadway Commission – Internal Control – Integrated Framework [May 2013], at 3.) Given the broad definition of what constitutes an internal control, and the wide range of subjects typically covered by a company’s internal controls, SOX’s protection of disclosures of reasonably perceived actual or attempted violations of internal controls renders its anti-retaliation protection very broad – as it should be given SOX’s status as a remedial statute. (Morefield, supra, 2004 WL 5030303 at *2.)

Collins illustrates the point. There, the plaintiff, a director of marketing, reported internally that her division was overpaying a vendor’s invoices based on a personal relationship between the vendor and another employee, that management was violating employee commission plans by overpaying sales agents who were their friends, and that there were suspected kickbacks as to another vendor. (Collins, 334 F.Supp.2d at 1376-1377.) The plaintiff asserted that “these disclosures [were] protected because they allege attempts to circumvent the company’s system of internal accounting controls and therefore state a violation of Section 13 of the Exchange Act.” (Id. at 1377.) The court held that, while “the connection of Plaintiff’s complaints to the substantive law protected in Sarbanes-Oxley is less than direct,” her complaints “detailed violations of the company’s internal accounting controls” so that “reasonable jurors could find by a preponderance of the evidence that Plaintiff engaged in protected activity” under SOX. (Id. at 1377-1378.)


SOX cases can be very compelling cases. Given the turmoil corporate financial and accounting malfeasance has caused to our economy, juries are sympathetic to financial or accounting whistleblower claims. Given the rightful fear employers have of these cases reaching juries, they have tried to reduce the scope of protection provided by this law in disregard of the policies and purposes of the law. To ensure SOX continues to be the robust warrior against corporate fraud and financial or accounting misfeasance, the whistleblower’s counsel must be prepared to address the various tactics used by the employer’s counsel to try to improperly reduce the scope of SOX’s protection.

David M. deRubertis David M. deRubertis

David M. deRubertis, the principal of The deRubertis Law Firm, APC, tries employment cases statewide including as “eve of trial” trial counsel. He is a recipient of CELA’s Joe Posner Award, a member of ABOTA, a CAALA Trial Lawyer of the Year nominee, consistently a Top 100 SuperLawyer, and, in 2014, was a CLAY Award recipient and Best Lawyers’ “Lawyer of the Year - Employment Law - Individuals.” He serves on the Boards of Governors of CAALA, CELA and CAOC. deRubertis was lead trial counsel in Zulfer v. Playboy Enterprises, Inc., the largest jury verdict in history in a Sarbanes-Oxley retaliation case.

Copyright © 2024 by the author.
For reprint permission, contact the publisher: Advocate Magazine