Whistleblowing in the Dodd- Frank Era: The Perfect Storm February 2017 Renee Phillips Orrick (212) 506-5153 rphillips@orrick.com The Perfect Storm of Whistleblower Activity Massive statutory and regulatory changes in whistleblower protections and new monetary incentives More enforcement actions by prosecutors and regulators Dramatic changes in the interpretation of whistleblower protections encouraging more to come forward Invigorated Plaintiffs bar encouraging whistleblowers to come forward 2 1
The Legislative Front Sarbanes-Oxley enacted in 2002 Dodd-Frank amended Sarbanes-Oxley in 2010 Dodd-Frank also included new whistleblower provisions: Section 922: SEC whistleblower scheme Bounty provision Anti-retaliation provision Section 748: CFTC whistleblower scheme Bounty provision Anti-retaliation provision Section 1057: Consumer Financial Protection Anti-retaliation provision 3 The Legislative Front Procedures and remedies vary for anti-retaliation provisions: Statutes of limitations range from 180 days to 6-10 years. Some claims must be filed with the Department of Labor, OSHA; others may be filed directly in court. All causes of action provide for reinstatement, back pay (or 2X back pay), and attorneys fees, among other remedies. 4 2
The Centerpiece of Dodd-Frank Whistleblower Awards/Protections 5 Whistleblower Awards Whistleblowers who provide the SEC with original information derived from independent knowledge or analysis about violations of securities laws will be awarded a share of between 10% and 30% of monetary sanctions ultimately imposed by the Commission that exceed $1 million. Over $149,000,000 6 3
Whistleblower Complaints Received By the SEC 2012 2013 2014 2015 2016 3,001 3,238 3,620 3,923 4,218 40% since 2012 Source: U.S. Securities and Exchange Commission: Annual Report on the Dodd-Frank Whistleblower Program Fiscal Year 2016 (http://www.sec.gov/about/offices/owb/annual-report-2016.pdf) 7 Frequency of Whistleblower Tips in the United States 8 4
Over 10% of SEC Tips Are From Outside of the U.S. *Source: 2016 Annual Report on the Dodd-Frank Whistleblower Program 9 Certain Categories of Individuals Will Generally Not Qualify for a Bounty Attorneys who obtain the information in a privileged communication and/or in connection with the representation of a client, unless disclosure would otherwise be permitted pursuant to SEC rules or state attorney conduct rules New York County Officers, directors, trustees or partners of an entity if the information is reported to them Compliance or internal audit employees, or employees who work for firms retained to perform those services Employees of firms retained to conduct internal investigations Employees of public accounting firms who gain information during an audit Anyone who obtains the information by violating applicable federal or state criminal law Anyone who receives the information from someone not eligible, unless report is about that individual 10 5
Exceptions May Swallow the Rule Compliance and internal audit personnel, public accountants, officers, directors, trustees or partners of an entity could become whistleblowers for purposes of a bounty award if: the whistleblower believes disclosure may prevent substantial injury to the financial interest or property of the entity or investors; the whistleblower believes that the entity is engaging in conduct that will impede an investigation; or at least 120 days have elapsed since the whistleblower reported the information, or at least 120 days have elapsed since the whistleblower received it under circumstances indicating that management is already aware of the information. Even if ineligible for bounty, it is still covered by anti-retaliation provisions. 11 Awards invoking exceptions March 2, 2015: SEC paid whistleblower award to former company officer who reported fraud to the SEC. ($475,000-$575,000) First SEC whistleblower award to a corporate officer who informed the company of the conduct, and which failed to address the issue within 120 days. April 22, 2015: SEC announces $1.5 million whistleblower award to a compliance officer. (Second award to whistleblower with internal audit/compliance responsibilities.) 120-day rule didn t apply because the whistleblower reasonably believed that disclosure to the SEC was needed to prevent conduct likely to cause substantial injury to the financial interest or property of the entity or investors. 12 6
Profile of Whistleblower Award Recipients Almost 50% of award recipients were current and former employees Most claim to have reported internally first The rest: Company contractors or consultants, investors, professionals in same industry, personal relationships with targets 13 Whistleblower Retaliation 14 7
Whistleblower Retaliation (cont.) 15 Scope of Anti-Retaliation Protection Under Dodd-Frank Is internal reporting protected? Courts are split; SEC playing active role as amicus. See, e.g., Davies v. Broadcom Corp, 2015 WL 5545513 (C.D. Cal Sept 8, 2015) Former in-house counsel alleged terminated for reporting violations of FCPA internally Statute is clear in only covering whistleblowers who report to SEC Compare Asadi v. G.E. Energy (USA), LLC, 720 F.3d 620 (5th Cir. 2013) with Berman v. Neo@Ogilvy LLC, 810 F.3d 145 (2d Cir. 2015). Second Circuit and SEC view is that any reporting protected under SOX is protected under Dodd-Frank 16 8
SOX Whistleblower Protection Protects employees from retaliation for reporting (internally or externally) what they reasonably believe to be 1. mail fraud; 2. wire fraud; 3. bank fraud; 4. securities fraud; 5. violation of rule or regulation of the SEC; or 6. violation of federal law relating to fraud against shareholders. 17 Supreme Court Broadly Interprets SOX Lawson v. FMR LLC, 134 S. Ct. 1158 (Mar. 4, 2014) Held: SOX s protections apply to employees of contractors, and agents of public companies Temps, consultants, outsourced functions Includes legions of [outside] accountants and lawyers performing services for public companies Includes personal employees of officers or employees of public companies Housekeepers, gardeners, babysitters! Must reports have a nexus with work being done for the public company? Cases so far say yes. 18 9
What happens if a whistleblower misappropriates confidential company information? Vannoy v. Celanese Corp., 2008-SOX-64 (ARB Sept. 28, 2011) Vannoy allegedly took employee data including 1600 employee SSNs and sent it to his domestic partner s e-mail account. Claimed he took the data to provide to the IRS. He did provide some data (but not all) to the IRS. ARB held Vannoy engaged in protected activity. SOX is intended to protect all lawful conduct to disclose misconduct. Celanese did not prove to ARB s satisfaction that conduct was unlawful. There is a clear tension between a company s legitimate business policies protecting confidential information and the whistleblower bounty programs created by Congress to encourage whistleblowers to disclose confidential information in furtherance of enforcement of tax and securities laws. Vannoy s allegations must be viewed in light of these significant enforcement interests. 20 10
SEC Press Release 21 SEC Initiatives to Unmuzzle Employees From Reporting Externally Rule 21F-17(a): Companies may not take any action to impede an individual from communicating directly with the SEC about a potential securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement. Sean McKessy, former Head of SEC s OWB, repeatedly stated his office was actively looking for agreements (e.g., separation, confidentiality, etc.) that could have the effect of impeding reporting to the SEC, such as requirements that individuals first disclose complaints to employer prior to filing with SEC. if we find that kind of language, not only are we going to go after the companies, we are going to go after the lawyers who drafted it [w]e have powers to eliminate the ability of lawyers to practice before the Commission. 22 11
SEC Makes Good on Its Enforcement Threats February 2015: SEC s Office of the Whistleblower opens a broad sweep investigation, In the Matter of Certain Non-Disclosure Agreements, sending a broad document requests to a number of companies for all of their employment agreements, severance agreements and release of claim agreements, as well as all policies and handbooks relating to confidentiality, going back to August 2011 (effective date of DF regulations). SEC routinely reviewing company Form 8Ks for problematic provisions in executive agreements. Balance between having strong employment agreements and policies that protect legitimate confidentiality interests and not becoming a target. 23 SEC Pushes the Envelope: BlueLinx and Health Net Actions August 2016: SEC brought cease and desist proceedings under Rule 21F-17. BlueLinx Holdings Inc. (Aug. 10, 2016) and Health Net, Inc. (Aug. 16, 2016) Companies simultaneously settled for $265K and $340K respectively. BlueLinx bounty waiver language: Employee further acknowledges and agrees that nothing in this Agreement prevents Employee from filing a charge with the Equal Employment Opportunity Commission, the National Labor Relations Board, the Occupational Safety and Health Administration, the Securities and Exchange Commission or any other administrative agency if applicable law requires that Employee be permitted to do so; however, Employee understands and agrees that Employee is waiving the right to any monetary recovery in connection with any such complaint or charge that Employee may file with an administrative agency. (Emphasis added.) First time that the SEC explicitly held bounty waiver unenforceable. 24 12
BlueLinx: Other Impeding Provisions Employee has not and in the future will not use or disclose to any third party Confidential Information, unless compelled by law and after notice to BlueLinx. [The employee shall] hold in a fiduciary capacity for the benefit of the Company [ ] all Confidential Information. For a period of two years, following the [employee s] Termination Date, Executive shall not, without the prior written consent of the Company or as may otherwise be required by law or legal process, communicate or divulge Confidential Information. SEC Holds: Needed to expressly exempt the Commission. Language forced those employees to choose between identifying themselves to the company as whistleblowers or potentially losing their severance pay and benefits. 25 BlueLinx: SEC-Blessed Language Protected Rights. Employee understands that nothing contained in this Agreement limits Employee s ability to file a charge or complaint with the Equal Employment Opportunity Commission, the National Labor Relations Board, the Occupational Safety and Health Administration, the Securities and Exchange Commission or any other federal, state or local governmental agency or commission ( Government Agencies ). Employee further understands that this Agreement does not limit Employee s ability to communicate with any Government Agencies or otherwise participate in any investigation or proceeding that may be conducted by any Government Agency, including providing documents or other information, without notice to the Company. This Agreement does not limit Employee s right to receive an award for information provided to any Government Agencies. (emphasis added) Do companies need to go this far? 26 13
Health Net In 2011, added language to agreements requiring employees to waive the right to file an application for award for original information submitted pursuant to Section 21F of the Securities Exchange Act of 1934. About 600 employees signed between 8/11 and 6/13. In June 2013, updated agreements and removed this language and instead stated: nothing in this Release precludes Employee from participating in any investigation or proceeding before any federal or state agency or governmental body... however, while Employee may file a charge, provide information, or participate in any investigation or proceeding, by signing this Release, Employee, to the maximum extent permitted by law... waives any right to any individual monetary recovery... in any proceeding brought based on any communication by Employee to any federal, state or local government agency or department. 27 Health Net (Cont d) SEC unaware of anyone actually impeded from communicating with the SEC SEC unaware of company taking action to enforce provision SEC holds: Both the 2011 and 2013 agreements violated Rule 21F-17 by directly targeting the SEC s whistleblower program by removing the critically important financial incentives that are intended to encourage persons to communicate directly with the Commission staff about possible securities law violations. Extremely expansive reading of the Rule: No direct targeting of SEC program No removal of financial incentives unless permitted by law Courts unlikely to agree with SEC, but issue not before the courts 28 14
In re SandRidge Energy, Inc. (Dec. 20. 2016) Separation agreements discovered through SEC filings provided that former employees could not: Voluntarily participate in government investigations; Use or disclose confidential information without Company consent (including to government agencies); Make statements or disparaging remarks regarding the Company, its officers, employees, etc., to any governmental entity or the media Also found SandRidge retaliated against employee for reporting concerns in calculation of oil and gas reserves for SEC reports. $1.4 million penalty 29 Ten Recommended Best Practices in the Wake of the Perfect Storm of Whistleblower Activity Employees are more likely to go to a regulator or pursue litigation if they get angry/frustrated with the firm because they feel: complaints would not be handled appropriately if made complaints are not taken seriously when made complaints are not dealt with promptly 30 15
Ten Recommended Best Practices in the Wake of the Perfect Storm 1. Make sure there are numerous avenues available to make complaints, including anonymous complaints: managers, HR, compliance, telephone hotline, website, etc. 2. Do not attempt to identify an anonymous whistleblower. 3. Train managers on how to properly deal with complaints: Thank ee for bringing it forward. Tell ee take complaint seriously. Tell ee complaint will be investigated and company has a robust compliance program Tell ee company has a no retaliation policy, and if ee feels retaliated against, report it to HR immediately. 31 Ten Recommended Best Practices In the Wake of the Perfect Storm (cont.) 4. Preserve the privilege. 5. Inform the Audit Committee where allegations may be serious. 6. Assign an HR representative to the whistleblower during the investigation who will: occasionally report on status make sure ee does not feel retaliation review any management decisions before they occur to make sure no retaliation communicate with ee re conclusions of investigation 32 16
Ten Recommended Best Practices in the Wake of the Perfect Storm (cont.) 7. Legal should consider tracking all complaints (whether to Legal, HR, Compliance, etc.) in a single system. Patterns can demonstrate issues where individual minor complaints may not seem serious. 8. Periodic compliance questionnaires Within the last 6 months, have you observed potential violations of a, b, or c laws. Requires time consuming administration but can be well worth it. Must triage complaints and handle serious complaints quickly. 33 Ten Recommended Best Practices in the Wake of the Perfect Storm (cont.) 9. Critically review employee handbooks, codes of conduct, confidentiality agreements, offer letters, release agreements, etc. Need carve out language making clear communications with SEC and other regulators are not chilled in any way. To extent any provisions could be read otherwise, need to include or refer to carve out. This includes: Future monetary waivers Non-disclosure of confidential information Non-disparagement of company Failure to notify company of regulator inquiry Representation by employee that no charges or complaints are pending or if they are, will withdraw them 10. Review third party vendor practices (consultants, auditors, hotline administrators) to ensure they too provide optimal protection. 34 17
18