Internal Compliance Solutions For Mitigating SEC Whistleblower Litigation: The Best Defense Is A Good Offense, Contributed by Steven A. Tyrrell and Brianna N. Benfield, Weil, Gotshal & Manges LLP
On August 12, 2011, the Securities and Exchange Commission’s (SEC) new Regulation 21F, mandated by Section 922(a) of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank), became effective.1 Under the new regulation, a whistleblower who voluntarily provides the SEC with original information and whose information leads to a successful enforcement action resulting in monetary sanctions of more than $1 million may be awarded 10 to 30 percent of any amounts recovered by the SEC in a civil, judicial, or administrative action.2 The statute also includes an anti-retaliation provision intended to protect whistleblowers from adverse employment actions related to their whistle-blowing activity.3
SEC bounties for whistleblowers were previously only available in successful insider-trading enforcement actions resulting from whistleblower tips. Under the new rules, the SEC may provide bounties for information related to any violation of the federal securities laws, including the Foreign Corrupt Practices Act.4 Eligible whistleblowers may also receive cash awards based on monetary sanctions collected by other regulatory or law enforcement authorities in related actions, including fines and penalties imposed in federal criminal prosecutions brought by the Department of Justice (DOJ).5 Moreover, whistleblowers that succeed in retaliation cases may be entitled to reinstatement with the same level of seniority, double back pay with interest, and reimbursement for litigation fees.6
The prospect of lottery-like awards, similar to those occasionally awarded in False Claims Act cases, may prove too sweet an enticement for some employees to pass up. Moreover, companies face greater risk of reprisal by disgruntled, underperforming, and dismissed workers seeking protection, or claiming retaliation, based on their status as “whistleblowers.” The confluence of these two trends, against the backdrop of an increasingly difficult and competitive business landscape, is certain to present challenges for companies and their counsel. This article aims to provide practical guidance on how companies can employ internal compliance solutions to mitigate their exposure to investigations and litigation involving whistleblowers. Part I of this article provides an introduction to the new whistleblower rules, and Part II sets forth proactive steps companies can take both before and after being confronted with whistleblower claims in order to minimize the risk and impact of government investigations and enforcement actions, private litigation, and retaliation claims.
The Framework of the New Whistleblower Provisions
The whistleblower program, including enforcement of the anti-retaliation provisions, is implemented by the newly created SEC Office of the Whistleblower, within the Division of Enforcement.7 The legal framework for the whistleblower program is set forth below.
Criteria for Eligibility
Subject to certain enumerated exceptions, a whistleblower can be any natural individual (not a corporation), or two or more individuals.8 An officer, director, or auditor may qualify as a whistleblower if he or she reports a violation after at least 120 days have elapsed since the company’s audit committee, or similar gatekeeper, received information about a possible violation of the securities laws and the company has not disclosed the alleged wrongdoing to the SEC.9 Unfortunately for companies that are the target of a whistleblower complaint, the SEC may not disclose information that could reasonably be expected to reveal the identity of a whistleblower.10
To be eligible for an award, a whistleblower must provide the SEC with “original information,” defined in the statute as information derived from the whistleblower’s “independent knowledge” or “independent analysis” and not information that has already been provided to the SEC by another source.11 A whistleblower need not have direct, first-hand knowledge of possible violations; rather, the whistleblower may have learned of the wrongdoing from a third party, or from other independent experiences, communications, and observations in professional or social settings. Information cannot, however, be obtained from judicial or administrative hearings; government reports, audits, hearings or investigations; the news media; or information obtained through a violation of a criminal law.12 Further, eligible “original information” cannot be obtained from conversations protected by the attorney-client privilege or in connection with the representation of a client, unless otherwise permitted by relevant state bar ethics rules.
To be eligible for an award, the whistleblower must have provided the original information “voluntarily.”13 Thus, a whistleblower will not be eligible for an award if he or she has already received a request for the same information from a self-regulatory organization, the Public Company Accounting Oversight Board, Congress, any federal agency, state attorney general, or a securities regulatory authority.
The original information also must have “led to” a successful enforcement action.14 Information will be deemed to satisfy this requirement where it is “sufficiently specific, credible and timely” to cause the SEC to begin a new investigation, to reopen a closed investigation, or to inquire about different conduct under a current investigation and where the SEC brings a successful action based in whole or in part on the conduct identified by the whistleblower.15 Information regarding potential violations already being investigated by the SEC will be deemed to have led to a successful enforcement action where the information “significantly contributed” to the success of the SEC action, such as by allowing the SEC to bring a successful action in less time, with significantly fewer resources, or with additional successful claims or defendants.16
Notably, awards under the new whistleblower program are not contingent on whistleblowers reporting violations internally first; however, the statute contains various provisions designed to encourage internal reporting. If the whistleblower reports to the SEC an allegation that he or she previously reported internally, the SEC will look back to the date that the whistleblower internally reported, and, if it is within 120 days of the date that the individual reported the allegations to the SEC, the SEC will use the date of internal reporting to determine the whistleblower’s eligibility for an award vis a vis any other whistleblowers that have approached the SEC regarding the same allegations within the 120-day period. This so-called “120-day look-back period” ensures that a whistleblower is not penalized for reporting internally before approaching the SEC.
To provide additional incentive for whistleblowers to report internally first, the regulations provide that the size of the award available to a whistleblower varies depending, in part, on whether or not the whistleblower reported the allegations internally before reporting to the SEC, and whether the whistleblower assisted with, or hindered, any internal investigation of the allegations.17 Larger awards may be available to those that assisted with internal investigations, and awards may be reduced or eliminated where a whistleblower hinders an internal investigation.
Additionally, if a whistleblower reports internally first, or simultaneously reports internally and to the SEC, and the company later self-reports or provides the SEC with information resulting from an internal investigation of the whistleblower’s allegations, all of the information subsequently provided by the company to the SEC is credited to the whistleblower as “original information.”18 This rule applies even if the information provided by the company is beyond the scope of the whistleblower’s initial tip, thereby making the whistleblower potentially eligible to receive a higher recovery than he would have obtained if he had not reported internally and allowed the company to conduct its own investigation.
The new whistleblower rules include broad anti-retaliation provisions designed to protect employees from adverse employment actions taken in response to the employee’s whistle-blowing activity.19 Specifically, employees are protected from discharge, demotion, suspension, threats, harassment, or discrimination because of certain actions protected by the statute,20 including: (1) providing information to the SEC; (2) participating in an investigation or action undertaken by the SEC based on the whistleblower’s report; or (3) making disclosures required or protected by the Sarbanes-Oxley Act of 2002 (“SOX”) or any other law, rule, or regulation subject to the jurisdiction of the SEC.21
A whistleblower may claim retaliation whether or not the SEC investigated the whistleblower’s complaint or brought an enforcement action resulting in an award to the employee. To qualify as a “whistleblower” under the anti-retaliation provisions, an individual must only show that he had a “reasonable belief” that the information he provided to the SEC related to a possible securities law violation that either had occurred, was occurring, or was about to occur. A “reasonable belief” is established where (1) the employee had a “subjectively genuine belief that the information demonstrates a possible violation” and (2) the belief itself is objectively reasonable, meaning that it is one that a “similarly situated employee might reasonably possess.”22 Further, in a recent case in the Southern District of New York, the court held that a whistleblower plaintiff in a retaliation action need not have personally made the disclosure to the SEC; rather, all employees cooperating in an internal investigation of a matter may be protected under the Act where the results of the investigation are provided to the SEC.23
If a whistleblower experiences one of the adverse employment actions enumerated above, he may bring a cause of action in federal court directly, or the SEC may bring an action to enforce the statute’s anti-retaliation provisions.24 These enforcement options are broader than those available under SOX and the False Claims Act, which require a complainant to first file a complaint with the Departments of Labor and Justice, respectively. Moreover, the statute of limitations for bringing a retaliation claim under Dodd-Frank is six years, which is considerably longer than the 180-day limitations period for filing retaliation complaints under SOX.25
Internal Compliance Solutions for Mitigating Whistleblower Litigation
Whistleblower” litigation generally may comprise investigations or litigation in two related contexts: (1) enforcement actions brought by the SEC and/or DOJ for federal securities law violations brought to light by a whistleblower; and (2) actions brought by the SEC or the whistleblower alleging that the whistleblower was retaliated against for engaging in whistle-blowing activity. As described below, companies can take proactive steps to mitigate their exposure in both of these areas. Moreover, if litigation results in spite of a company’s best-efforts to encourage employees to report allegations of misconduct internally, the actions the company took to prevent litigation will also be useful in successfully concluding the investigation and litigation in an efficient and cost-effective manner. Practical steps companies can take to prevent and respond to whistleblower litigation include the following:
It is critically important that employees understand and have confidence in the fairness and effectiveness of internal compliance procedures for reporting allegations of misconduct. It is certain that plaintiffs’ attorneys will aggressively advertise to encourage and entice employee-whistleblowers. But, companies have superior access to their employees and, in most cases, a higher level of trust and respect with them. Companies should get ahead of advertisements promising huge payoffs and provide their employees and other third-party agents and contracting partners with understandable and accurate information regarding the new whistleblower laws. Such education should also ensure that employees are aware of the benefits of internal reporting, as a matter of company policy and under the whistleblower statute.
Establish and Promote Reporting Mechanisms
Educating employees about the new whistleblower law is likely to increase the number of reports a company receives. If not already in place, companies must carefully develop internal policies and procedures for handling whistleblower reports. An important factor in encouraging employees to report internally is to ensure that internal reporting mechanisms are user-friendly and easy to understand. Companies must create a clear message – for example, on the company internal website – about when, where, how, and to whom internal reporting can take place and how reports will be handled. Messages to employees about what should be reported should be drafted broadly enough to encourage reports of any issues that could potentially result in a securities enforcement action or retaliation claim. 26
Preserving the anonymity of whistleblowers and confidentiality of whistleblower complaints also encourages internal reporting and protects against retaliation, as well as the appearance of retaliation. Therefore, many companies opt to use a 24-hour hotline which employees can use to make anonymous reports of suspected violations to a neutral party. If implementing such a hotline, however, companies should be mindful of privacy and data protection laws that may prevent recording telephone calls.
Respond to Complaints
Another effective way to encourage employees to report internally, and to detect any potential violations promptly, is by responding to whistleblower tips in earnest. Employees must know that matters that are reported internally are taken seriously and addressed. Companies should establish strong and clear procedures for investigating credible allegations promptly and thoroughly. Given the statute’s 120-day look-back period, time is of the essence, as a whistleblower is likely to report to the SEC on the 120th day – or sooner – to protect his place in line to recover any resulting award.
Response procedures should include mechanisms for logging, evaluating, investigating, and signing off on reports, and advising complainants about the disposition of complaints. Procedures should further include protocols regarding who should be notified of complaints and procedures for addressing high-priority, time-sensitive complaints. Companies should be wary of applying a “materiality” standard in evaluating the merits of a complaint, as the SEC has specifically rejected such a filter with respect to Regulation 21F. Further, complaints should not be ignored simply because they appear on their face to relate to issues other than violations of the federal securities laws. Depending on the level of the employee, he or she may not have a detailed understanding of the securities laws, but may have noticed other indicia of wrongdoing that ultimately reveals a securities law violation. Moreover, handling all allegations of misconduct in a professional manner will promote employee confidence in internal procedures at all levels of the company
Keep the Whistleblower in the Loop
Keeping whistleblowers apprised of the company’s response to an internally-reported allegation is important for several reasons. Acknowledging receipt of the complaint and providing general updates about efforts to address it should give employees faith in the internal reporting system and encourage future internal reporting. Companies encountering anonymous whistleblower reports may consider establishing a system whereby compliance personnel can post a message to the whistleblower on a secured website explaining what steps the company is taking in response to the tip and providing the whistleblower with information on who he can contact if he so chooses.
If the whistleblower knows that the company is taking appropriate action in response to the complaint, he may be less likely to rush to report it to the SEC. Moreover, establishing a dialogue with the whistleblower may result in the whistleblower telling the company when he is going to report to the SEC. Finally, informing the whistleblower that the company has taken corrective action in response to a complaint may deter the whistleblower from approaching the SEC at all. Similarly, in the case of complaints that lack merit, explaining to the whistleblower that a complaint has been investigated and does not rise to the level of a federal securities law violation, or does not satisfy the requirements for recovery under the SEC’s whistleblower program, may prevent whistleblowers from approaching the SEC with frivolous complaints.
Document Results of Investigations
As the SEC has previously indicated, thorough documentation of compliance procedures is a key component of an effective internal compliance program. If it is determined that a complaint is unsubstantiated, the company nonetheless should create a detailed, objective report explaining how and why that conclusion was reached. Such documentation can be used in the event the employee ultimately approaches the SEC and therefore should include detailed records of the nature and scope of the investigation and the involvement, where appropriate, of the audit committee or board, as well as outside counsel. A company should be prepared to walk enforcement authorities through the issues outlined in its internal findings or to provide them with a written summary of the issues and investigation. Such steps may result in a quick resolution of any SEC investigation without the need for further investigation, negotiation or litigation; however, companies should be aware that the SEC may not agree with the company’s assessment of a complaint because the whistleblower may have given documents or information to the SEC, which the company may not possess.
Self-Report Where Appropriate
If a company’s internal investigation finds credible evidence of a serious securities law violation, the company should strongly consider self-reporting such a violation to the SEC and/or DOJ. As the SEC has previously articulated, a company will be rewarded for self-reporting and for cooperating with SEC investigations.27 Similarly, DOJ policy provides that voluntary disclosure of wrongdoing is a mitigating factor that prosecutors consider in deciding whether and to what extent to pursue a criminal matter against a company.28 If a company believes that the issues are serious and credible, but it has not yet been able to reach any definitive conclusions about the allegations, there is a strong argument that the company should make some disclosure to the SEC, with the caveat that the investigation is ongoing. As noted above, whistleblowers are likely to approach the SEC within 120 days of reporting the matter internally, thereby exposing companies to the risk that the whistleblower will get to shape the SEC’s view of the facts and potentially precluding the company from any reward for self-reporting. Preemptive disclosure avoids placing the company in a defensive, “catch-up” posture. Indeed, the SEC has advised companies to self-report before investigations are complete.29
Self-reporting before an investigation is complete should not be automatic, however. Assuming there is no legal obligation to disclose, a number of factors should be considered and analyzed in weighing if and when to report. This includes, but is not limited to, the following: (1) the gravity and materiality of the initial allegation, including whether senior management and/or board members are involved; (2) the degree to which an initial inquiry indicates problematic conduct; (3) uncertainty as to whether or when the whistleblower will make a report to the SEC or DOJ; (4) the nature and extent of the potential monetary and non-monetary benefits from the disclosure in the event the matter is pursued by the SEC and/or DOJ; and (5) the reputational costs and benefits of disclosure.
Handle Whistleblowers with Care
To prevent retaliation or the perception of retaliation, directors, executives, managers, Human Resources, and compliance personnel should be refreshed as to the conduct that may constitute retaliation under Dodd-Frank and SOX. If possible, the whistleblower’s identity should not be revealed to the employee’s supervisors or to other persons higher up in the management chain, and steps should be taken to shield those managers from the investigation. Such steps should be carefully documented to show the company’s efforts to prevent any retaliatory conduct. Indeed, at the time of first contact with a whistleblower, the whistleblower should be assured that every effort will be made to keep his report anonymous, that the company will not tolerate retaliation, and that any form of retaliation should be reported to the company so it can be addressed immediately. This communication also should be documented.
If the need arises to take adverse employment action as to a whistleblower, it is crucial that human resources and legal staff be consulted at every step along the way. Human resources and legal staff should satisfy themselves that any such adverse employment action is being taken for non-retaliatory reasons, including ensuring that other similarly-situated employees are being treated in a similar fashion. The new anti-retaliation provisions do not prohibit taking adverse employment actions against a whistleblower for any reasons not covered by the statute. Therefore, companies must document every step taken to address employees who are being terminated, disciplined, or demoted for reasons other than retaliation, such as poor performance. Human resources and legal staff should also be consulted with respect to any decisions involving compensation, performance reviews, and promotions in order to avoid any claims that whistleblowers are being treated less favorably because they spoke up about potential violations. Those made aware of a whistleblower’s conduct should also be cognizant of subtle inequities in how the whistleblower is treated, such as not being invited to a client or networking event. It may also be useful to establish direct lines of communications between whistleblowers and human resources so that whistleblowers can immediately raise any situations in which they perceive that they are being treated inappropriately.
At times, there may be a risk that an individual may have reported an alleged securities law violation to the SEC and the individual’s employer has no idea the employee is a whistleblower. While one would hope that the company’s lack of knowledge about the individual’s whistleblower status would negate any charges of retaliation, it is nevertheless important to investigate whether an employee is a whistleblower before taking any adverse action against him and to maintain careful documentation regarding the individual’s whistleblower status and steps taken to ensure that retaliation is not taking place.
Establish, Review, and Update Compliance Procedures
Prevention is the best medicine, and the best way to mitigate the potential impact of whistleblower litigation is to prevent underlying securities law violations in the first place. Companies should review internal compliance programs and audit procedures to ensure that they meet current standards set forth in the U.S. Sentencing Guidelines for Business Organizations;30 DOJ and SEC policy statements; and relevant corporate legislation, including Dodd-Frank and SOX. International standards, such as those promulgated by the Organization for Economic Cooperation and Development (OECD), may also provide relevant guidance.31 Policies should be reviewed broadly to determine whether they relate to or implicate potential federal securities law violations (e.g., procedures regarding treatment of confidential business information and foreign and domestic anti-bribery provisions).
Compliance programs should also include policies and procedures prohibiting retaliation, and such human-resources procedures should be harmonized with those prohibiting securities laws violations in order to appropriately prevent all types of litigation that could potentially ensue from the new whistleblower laws. Finally, employees should receive regular training regarding internal compliance policies and procedures, and such policies should be updated at regular intervals, particularly as the SEC whistleblower program moves forward and additional guidance becomes available.
Foster a Culture of Compliance
Another means of preventing securities law violations in the first place, and encouraging internal reporting when violations do occur, is to create an overall culture of compliance. Such culture should be shaped by the “tone from the top,” i.e., through the Board of Directors, CEO, and other members of top management emphasizing the importance of compliance, and that everyone in the company shares in this responsibility and should take pride in the company’s successes in this area. The SEC’s Adopting Release specifically notes that in determining what approach to take with respect to a corporate target, the SEC may consider “the company’s existing culture related to corporate governance” and “the company’s internal compliance programs, including what role, if any, internal compliance had in bringing the information to management’s or the Commission’s attention.”32
The SEC’s new whistleblower rules undoubtedly create an environment in which a public company’s employees, former employees, and other business partners who are aware of allegations of misconduct within the company have a strong financial incentive to report that information to the SEC. A company’s best line of defense against the threat of potential government investigations and enforcement actions, private civil litigation, and claims of retaliation is a good offense in the internal compliance arena. Companies should promote a strong culture of compliance that encourages employees to report allegations of misconduct internally, instills confidence in them in the internal processes, and protects them against retaliation. At the same time, internal policies and procedures should provide a clear roadmap for investigating allegations of wrongdoing and creating a clear record of an investigation’s results and, if appropriate, any remedial action. Throughout this process, companies also must carefully consider when and if voluntary disclosure to the authorities is warranted. Finally, companies should regularly review existing internal compliance and audit policies and procedures designed to prevent and detect wrongdoing in the first place and, when appropriate and necessary, should enhance those policies and procedures.
Steven A. Tyrrell is co-chair of Weil, Gotshal & Manges’ White Collar Defense and Investigations Group and focuses his practice on white collar criminal defense, regulatory enforcement matters, and internal investigations. Mr. Tyrrell previously served as Chief of the U.S. Department of Justice’s Fraud Section from 2006 through 2010. Brianna Benfield is an associate in Weil, Gotshal & Manges’ Complex Commercial Litigation Group and focuses her practice on securities enforcement matters, white collar criminal defense, and internal investigations.
This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. Bloomberg Finance L.P. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.
© 2011 Bloomberg Finance L.P. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of Bloomberg Finance L.P.