President and Chief Strategy Officer, NAVEX Global
The Supreme Court in Lawson vs FMR, LLC (delivered March 4, 2014, after a 6-3 vote) has ruled that employees of private companies engaged by public companies are covered by the whistleblower protections of Sarbanes-Oxley Act of 2002 (SOX).
In Lawson, two employees of FMR, LLC (a private employer contracted with by publicly traded mutual funds) claimed they were retaliated against by their employer after raising issues of fraud. They filed for whistleblower protection under SOX. FMR responded by claiming that their employees were not protected by SOX from firing or retaliation because SOX applied only to claims brought by employees of public companies.
A Seminal Shift in Coverage
SOX was enacted largely in response to shareholder fraud at a publicly traded company, Enron. SOX included a provision to protect whistleblowers from retaliation to encourage reporting of fraud. No one ever argued that these protections did not apply to employees of public companies. In fact as pointed out by dissenting U.S. Supreme Court Justice Sonia Sotomayor, the name of the pertinent SOX section was “Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud.” For years it was a widely held position that this whistleblower protection applied solely to employees of the 5,000 or so companies with publicly traded securities in the U.S. Lawson changes that position entirely. The decision’s seminal shift in SOX coverage opens up the potential for more claims brought by employees of the third parties of private companies who have been engaged by public companies.
What’s the Practical Impact on Exposure?
The true size of this potential new universe of protected claimants is still uncertain. Depending on your position, you either think that there will be an overwhelming rush by accountants, law firms and even in the most extreme cases, babysitters (as argued in the dissenting opinion of Justice Sotomayor) to bring retaliation claims. Or, you believe it will be “business as usual.” Much of this final debate may hinge on an undecided question about the types of claims protected and whether or not, as many allege, they are limited to shareholder fraud. But one thing is clear. Public and private companies alike must now take greater care with how whistleblowers are handled after a report has been filed.
A Reminder that Risk Continues to Escalate Through the Use of Third Parties
While the full impact of the decision on the number and subject matter of whistleblower claims remains to be seen, there is another critical take-away from Lawson: The use of all third parties puts the engaging party at higher risk of fines, litigation and damage to reputation. Whether in the form of liability for direct, unlawful acts such as bribery or quality failures, or liability for the consequences of retaliation, all third parties need to be evaluated for the potential risk to the enterprise, private and public. This argues in favor of universal but proportional due diligence, especially data driven technology solutions, as well as strong policies, training and further monitoring and auditing of third parties.
The Importance of Effective Reporting Channels
In light of this opinion, an additional area of heightened concern for all employers should be the need to ensure that the company has an effective, well-communicated hotline for employees to report misconduct, along with a robust case management system to centralize, manage and resolve those reports – whether brought through the hotline, or another avenue, including management and HR. This is not just a requirement or best practice for publicly traded companies. It is a universal need. More than just collecting reports of misconduct, employers should ensure that reports are being promptly investigated and actually resolved. This concern is illustrated in the results of NAVEX Global’s just published 2014 Hotline Benchmarking Report. From the NAVEX Global website, “the Report’s findings showed that the number of days it is taking organizations to close a reported case has gone from 30 days in 2008 to 36 days in 2013. Questions on accounting, auditing and financial reporting took an average of 46 days to close…”
“Every additional day an employee is left wondering whether their concern has been taken seriously represents a risk to the organization,” said Carrie Penman, chief compliance officer and senior vice president of advisory services at NAVEX Global. “An ongoing increase in case closure time is a red flag; organizations need to ensure they have sufficient and properly trained resources available to manage the increasing volume of reports in the coming year. The trend is especially notable given that under some regulatory provisions for external reporting and whistleblower awards, an organization may have limited time to complete an internal investigation.”
Lawson Reminds Us of the Ongoing Challenges Around Whistleblowing and Retaliation
The whistleblower risk to companies is clearly increasing. Even with overall workplace misconduct on the decline according to a recent study from the Ethics Resource Center (ERC), retaliation bucks the trend, continuing to rise at an alarming pace. This syncs up with NAVEX Global’s own proprietary data (based on the largest database of reported incidents in the world) where overall report volume has increased substantially over the past three years.
Lawson demonstrates continued support for expanding the protections for whistleblowers. Experienced compliance specialists, executives, attorneys and others who address the reduction of risk or exploit its vulnerabilities should take proactive steps to identify whistleblower risks and implement or enhance current plans to address them. Bringing the impact of Lawson to the attention of the top ranks of an organization is also critical – executive management, the C-Suite and the Board. It’s a decision worthy of everyone’s attention.
Find out more about how businesses can protect themselves by downloading our SOX Whistleblower Protection Toolkit for Private Businesses.