On May 25, 2011, in a 3-2 vote, the U.S. Securities and Exchange Commission (“SEC” or “Commission”) approved its final rules (“Whistleblower Rules”) to implement the whistleblower award program of Section 21F of the Securities Exchange Act of 1934, which was added by Section 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”). The Whistleblower Rules establish the standards and procedures the SEC will apply in awarding whistleblowers monetary compensation for providing tips about possible securities law violations that lead to successful SEC enforcement actions and make definitions which set the contours for protections of whistleblowers under the Dodd-Frank Act’s anti-retaliation provisions. The SEC’s press release is available here: SEC Adopts Rules to Establish Whistleblower Program. A copy of the adopting release and the Whistleblower Rules is available here: Final Rules.[1]
The Dodd-Frank Act requires that the Commission provide substantial financial incentives for individuals to provide information to the government regarding possible violations of the federal securities laws. Although the SEC attempted to ameliorate concerns that its previously proposed rules would cause employees to bypass internal compliance systems, it did not require employees to report internally first before coming to the SEC. As a result, there is little doubt that there will be an increase in external whistleblower activity. Indeed, the SEC has said that it expects to receive approximately 30,000 tips per year[2] and plaintiffs’ law firms have set up websites to attract whistleblower leads in the United States and abroad.
The Whistleblower Rules become effective 60 days after publication in the Federal Register; however, they will apply retroactively to all whistleblower tips made since July 21, 2010 (the date the Dodd-Frank Act was enacted) and affect a broad range of entities including public companies and their subsidiaries and affiliates, broker-dealers, investment advisers, investment companies, rating agencies, and hedge funds. Consequently, it is important that companies consider the impact of the Whistleblower Rules on their operations and revise their compliance policies and programs as appropriate.
This client alert provides an analysis of the key provisions of the Whistleblower Rules and suggests steps companies can consider to respond to the challenges posed by increased whistleblower activity and better assure that well-developed compliance programs continue to operate effectively.
I. Key Sections of the Whistleblower Rules
Eligibility for an award under the Whistleblower Rules generally can be summarized as follows: (i) a whistleblower, (ii) who voluntarily provides the SEC, (iii) with original information, (iv) that leads to a successful enforcement by the SEC that results in monetary sanctions of more than $1 million arising out of the same core facts, (v) is eligible for an award of 10 to 30 percent of any amounts recovered.
A. Definitions
Whistleblower. A whistleblower is defined as someone who, alone or jointly with others, “provides the Commission with information . . . [that] relates to a possible violation of the federal securities laws (including any rules or regulations thereunder) that has occurred, is ongoing, or is about to occur.”[3] The whistleblower must be an individual; a company or another entity is not eligible to be a whistleblower.[4] A whistleblower may remain anonymous when reporting possible violations to the SEC, but, to do so, must report through an attorney.[5]
Voluntary submission of information. All information must be “voluntarily” provided to the SEC.[6] Information is voluntarily provided if the information is provided before a request, inquiry, or demand was directed to the whistleblower personally or to his or her representative by the Commission, the Public Company Accounting Oversight Board or any self-regulatory organization, Congress, any other authority of the federal government, or a state Attorney General or another securities regulatory authority.[7] The addition in the final rules of the term “directed” is an attempt by the Commission to “narrow[] the types of requests that . . . may preclude a later whistleblower submission from being treated as ‘voluntary.'”[8] In a change from the proposed rules, a whistleblower is not precluded from an award because a governmental request for information was made to the office or function of the company where the whistleblower works or when the whistleblower possesses documents or information that fall within the scope of the request.[9]
The rules also provide that a submission will not be considered “voluntary” if the whistleblower is required to report the original information to the Commission as a result of a preexisting legal duty, a contractual duty that is owed to the Commission or one of the authorities noted above (such as a cooperation agreement with the Department of Justice), or a duty that arises out of a judicial or administrative order (such as independent monitors required by the Commission).[10]
Original information. All information provided must be original.[11] It must be based on the whistleblower’s independent knowledge or independent analysis, and must not already be known to the Commission, nor derived exclusively from “an allegation made in a judicial or administrative hearing, in a governmental report, hearing, audit, or investigation, or from the news media, unless the whistleblower is a source of the information.”[12] Original information includes only that information that is provided to the SEC for the first time after July 21, 2010, the date of the enactment of the Dodd-Frank Act.[13]
If the whistleblower provides the same information to an internal compliance program, the whistleblower will have a 120-day time period during which he or she can alert the SEC and still be considered to have provided original information as of the date the information was provided to the internal compliance program.[14] This is an extension of the 90-day time period in the proposed rules.[15]
The adopting release states that the 120-day “look-back” period is not intended as an implicit “deadline” for the completion of an internal investigation before a company self-reports the whistleblower complaint and its internal investigation to the Commission; nor is the 120-day period intended to suggest that an internal investigation must be completed before a company elects to self-report.[16] The release also notes that, depending on the facts and circumstances of the particular case, the SEC staff may receive information about the complaint and internal investigation and agree to await further results of the internal investigation before deciding its own course of action.[17] The SEC further indicates that, in “appropriate cases,” it may notify a company of its receipt of a whistleblower complaint and give the company an opportunity to investigate and report back to the Commission.[18]
B. Information Must Lead to a Successful Enforcement Action
A whistleblower provides original information that leads to a successful enforcement action in several situations: first, when the information was sufficiently specific, credible, and timely to cause the staff to commence an examination or open an investigation;[19] and second, the information may lead the staff to reopen an investigation, or inquire concerning different conduct as part of a current examination or investigation.[20] In both instances, an award may be made if the Commission brings a successful judicial or administrative action based on that information.[21] In contrast, when an examination or investigation was already underway, and the whistleblower’s submission “significantly contributed” to the success of the action, then the whistleblower also may be eligible for an award.[22] This expands the standard under the proposed rules which required the information to be essential to the success of the action and is intended to encourage more whistleblower tips.[23]
In addition, the SEC revised the proposed rules to provide that a whistleblower will be eligible for an award if he or she reports original information through a company’s internal legal or compliance reporting procedures before or at the same time it is reported to the Commission and the company then reports the information to the Commission.[24] Further, the Commission may attribute all the information provided by the company to the Commission to the whistleblower, whether or not originally reported by the whistleblower.[25] As a result, a whistleblower may get credit–and potentially a larger award–for any additional information that is generated by the company in its investigation.[26] This change is intended to provide additional incentives for whistleblowers to report internally.[27]
C. Payment of Award
The $1 million threshold can be met by civil money penalties, disgorgement payments, and prejudgment interest totaling more than $1 million.[28] For purposes of calculating whether monetary sanctions exceed $1 million, the final rules permit the aggregation of multiple cases that arise out of the same nucleus of operative facts as a single “action,” as well as related actions brought by other government agencies such as criminal prosecutions by the Department of Justice.[29] This is a change from the proposed rules under which only a single action would have been considered in determining whether the $1 million threshold had been met.[30] The SEC will not pay an award if an award already has been granted to the whistleblower by the U.S. Commodity Futures Trading Commission for the same action.[31]
D. Factors Impacting Amount of Award
The Whistleblower Rules give the Commission wide discretion in determining the amount of the award within the 10 percent minimum and the 30 percent maximum provided in the statute.[32] In determining the amount of an award, the SEC will consider:
- the significance of the information provided by a whistleblower to the success of the Commission action or related action;
- the degree of assistance provided by the whistleblower and any legal representatives of the whistleblower in the Commission action or related action(s), including timeliness, resources conserved, efforts undertaken by the whistleblower to mitigate harm, and any undue hardship suffered by the whistleblower;
- the programmatic interest of the Commission in deterring violations of the securities laws by making awards to whistleblowers who provide information that leads to the successful enforcement of such laws, including whether the award otherwise enhances the Commission’s ability to enforce the federal securities laws, protect investors, and encourage the submission of high quality information from whistleblowers; and
- whether the whistleblower participated in internal compliance systems and reported any violation internally, or assisted in any internal investigation.[33]
The Commission also will consider the following factors that could decreasethe amount of a whistleblower’s award:
- the personal culpability of the whistleblower;
- any unreasonable delay by the whistleblower in reporting the securities violations; and
- whether the whistleblower interfered with internal compliance and reporting systems.[34]
E. Exclusions from Eligibility to Receive an Award
1. Exclusions
The Whistleblower Rules exclude several categories of individuals from award eligibility subject to certain exceptions:
Principals. An officer, director, trustee, or partner of a company who receives information about the alleged misconduct from a company employee or from the company’s internal compliance process is excluded from receiving an award.[35] In explaining the scope of this exclusion, the SEC in the adopting release states that “including all supervisors at any level would create too sweeping an exclusion of persons who may be in a key position to learn about misconduct.”[36]
Attorneys and information obtained in connection with legal representation. Attorneys are not permitted to use information obtained from client engagements or attorney-client privileged information to make whistleblower claims themselves (unless disclosure of the information is permitted under SEC rules pertaining to the conduct of attorneys representing public companies or state bar rules).[37] The final rules provide that this exclusion applies to in-house attorneys who may be eligible for an award only to the extent that their disclosures are consistent with their ethical obligations and SEC rules.[38] Further, the exclusion for privileged information extends to non-attorneys who learn information through confidential attorney-client communications with company counsel.[39]
Compliance personnel. Employees whose principal duties include compliance or internal audit functions, or individuals retained by a company to perform compliance or audit functions, are not eligible for an award.[40] The final rules do not clearly extend the exclusions to other company employees involved in control or accounting functions, unless the Commission construes “compliance” to include accounting and financial reporting personnel.
Individuals retained to conduct inquiry. Individuals retained to conduct an inquiry or investigate possible law violations are not eligible for an award.[41]
Accountants. Employees and other persons associated with a public accounting firm who obtain information through an engagement required under the federal securities laws–such as a financial statement audit for a public company client, a broker-dealer annual audit, or an engagement for an investment adviser related to compliance with the custody rule–are not eligible for an award if that information relates to a violation by the engagement client or the client’s directors, officers, or other employees.[42] Also, public company auditors are ineligible for awards where the information was obtained through an audit of a company’s financial statements, and making a whistleblower submission would be contrary to the requirements for auditor reporting of potential illegal activity specified in Section 10A of the Exchange Act.[43]
Other exclusions. Information that was obtained in a way that is determined by a U.S. court to have violated federal or state criminal law also is excluded.[44] The rules further exclude foreign government officials, including employees of state-owned enterprises.[45] In order to prevent evasion of the rules, anyone who obtained their information from persons subject to the exclusions listed above are also excluded.[46]
2. Exceptions to exclusion from eligibility
The proposed rules created an exception for certain excluded individuals, stating that they may qualify as whistleblowers if they report the alleged violation to their compliance program but the company proceeds in “bad faith” or does not disclose the information to the SEC “within a reasonable time.”[47] This provision is narrowed under the final rules.
The final rules clarify that the exceptions do not apply to attorneys; they apply only to principals, compliance or internal audit personnel, individuals employed by or otherwise associated with a firm retained to conduct an inquiry or investigation into possible violations of law, and independent public accountants.[48] The final rules provide that an otherwise excluded whistleblower will be eligible for an award if he or she:
- has a reasonable basis to believe that disclosure is necessary to prevent the company from engaging in conduct that is likely to cause substantial financial injury to the company or investors;
- has a reasonable basis to believe the company is engaging in conduct that will impede an investigation of the misconduct; or
- at least 120 days have elapsed since the whistleblower provided the information through the company’s internal reporting system.[49]
F. Confidentiality.
In the adopting release, the Commission states it will not disclose information that could reasonably be expected to reveal the identity of the whistleblower, except under certain circumstances, such as when disclosure to a defendant is required in connection with a federal court or administrative action, or when the Commission determines that it is necessary to disclose the identity to the Department of Justice or other regulatory agency in order to advance the purposes of the Exchange Act or to protect investors.[50] The rules also require that anonymous whistleblowers be represented by an attorney who must certify that he or she has verified the whistleblower’s identity.[51]
G. Treatment of Culpable Individuals
The Whistleblower Rules do not grant amnesty to individuals who provide information to the SEC, and persons who are convicted of a criminal violation that is related to the Commission action cannot receive an award.[52] Moreover, in determining whether the required $1 million threshold has been satisfied for purposes of making the award, the SEC will exclude any monetary sanctions that the whistleblower is ordered to pay, or that are ordered against any company whose liability is based on conduct that the whistleblower directed, planned, or initiated.[53] The SEC states in the adopting release that it is seeking to prevent wrongdoers from financially benefitting from essentially blowing the whistle on their own misconduct.[54] Further, in determining whether the amount of the award should be decreased, the SEC may assess the culpability of the whistleblower.[55] On the other hand, the final rules do not categorically exclude culpable whistleblowers, as a number of commenters had urged.[56] The rules expressly contemplate that a whistleblower may be a participant in a securities fraud scheme or otherwise engage in other culpable conduct and still receive an award, albeit potentially smaller due to his or her own misconduct.
H. Staff Communications with Whistleblowers
The Whistleblower Rules authorize SEC staff to communicate directly with whistleblowers who are directors, officers, members, agents, or employees of a company that has counsel, without first seeking the consent of the company’s counsel.[57] In response to commenters who expressed concern that the rule will undermine the attorney-client privilege, the adopting release “emphasize[s] that nothing about this rule authorizes the staff to depart from the Commission’s existing procedures and practices when dealing with potential attorney-client privileged information.”[58]
I. Anti-Retaliation Protections
The Dodd-Frank Act significantly increased the employment rights of purported whistleblowers beyond those adopted in the Sarbanes-Oxley Act of 2002.[59] For the purposes of the anti-retaliation protections provided by Section 922 of the Dodd-Frank Act, an individual is a whistleblower if that individual possesses a reasonable belief that the information he or she is providing relates to a possible securities law violation that has occurred, is ongoing, or is about to occur, and he or she reports that information in accordance with the procedures delineated in the rules.[60] According to the adopting release, adding a “reasonable belief” requirement “strikes the appropriate balance between encouraging individuals to provide us with high-quality tips without fear of retaliation, on the one hand, while not encouraging bad faith or frivolous reports, or permitting abuse of the anti-retaliation protections, on the other.”[61]
Notably, the adopting release takes the position that, “[b]ecause the anti-retaliation provisions are codified within the Exchange Act,” the SEC has enforcement authority for violations by employers who retaliate against employees for making reports in accordance with Section 21F.[62] Note that this creates a significant potential for overlap and even conflict with jurisdiction already vested with the Department of Labor.
II. What Companies Should Do Now
The Whistleblower Rules will have a significant effect on many aspects of a company’s business and operations. Consequently, companies should review their compliance programs and assess whether revisions should be made. In particular, companies should review the following four critical components of an effective and robust compliance program: (1) a culture of compliance; (2) internal reporting procedures; (3) Human Resources procedures; and (4) internal investigation practices.
A. Establish a Culture of Compliance
A culture of compliance is important to prevent wrongdoing and misconduct from occurring and encouraging employees to report possible violations internally when they do occur. Creating an atmosphere in which employees understand that they are to rigorously adhere to the law, follow company rules and procedures, and report potential misconduct when they first become aware of it will significantly alleviate many of the issues raised by the Whistleblower Rules. In the event of an enforcement investigation, the company’s compliance culture and the efficacy of its compliance programs are also important determinants in whether a firm will be sanctioned and the nature of any sanction imposed.[63] There are several measures a company can take to foster a culture of compliance.
Encourage compliance at all levels. Consider whether your company has an environment that encourages compliance and internal reporting. Corporate culture is set from the top of the organization and senior management and the board of directors must demonstrate a commitment to compliance. Such a commitment empowers employees to prevent wrongdoing and encourages employees to speak to their supervisors or use other internal reporting systems when they first become aware of any possible misconduct.
Codes of conduct and training. Companies should review their codes of conduct to see if any changes are appropriate, particularly with respect to encouraging communications and the avenues provided for such communications. Companies should disseminate their codes of conduct to all employees and make them available online and in multiple languages, as appropriate. Employees should receive training on the code when they are first hired, and periodically thereafter, so that they are aware of the company’s compliance policies and procedures. In addition, companies should consider requiring employees to sign an annual certification stating they have read the code of conduct and received training. Annual training programs signal a high-level commitment to compliance issues, and requiring employees to sign an annual statement may impress upon employees that they are personally responsible for seeing that compliance policies are followed.
Require employees to report possible violations. As part of a culture of compliance, companies should require employees to promptly report all possible violations of the code of conduct and regularly remind employees of this requirement. As part of their annual certification that they have reviewed the code of conduct, companies also should consider having employees acknowledge that they are not aware of any potential violations of the code of conduct, including any federal securities laws, that have not already been reported to the company.
B. Internal Reporting Procedures
In response to concerns from the business community and others that the rules would incentivize employees to bypass internal compliances procedures to be first in line to collect a whistleblower award, the SEC revised the Whistleblower Rules, as discussed above, to provide greater incentives for employees to use internal compliance systems before going to the SEC. However, the Whistleblower Rules do not require employees to report possible violations internally and, despite these additional incentives, employees may bypass internal systems to maximize their chance of receiving an award. Consequently, companies should consider measures, such as the following, to further promote and encourage internal reporting:
Make internal reporting easy and accessible. Internal reporting should be made available to employees by providing several methods of reporting, such as toll-free hotlines, an office of the ombudsman, an anonymous email system, and websites that accept anonymous allegations, among other things. A company’s reporting mechanisms should be available 24 hours a day and in multiple languages for companies operating internationally or with foreign employees. In this regard, foreign nationals are eligible to receive awards under the Whistleblower Rules and plaintiffs’ firms have already set up websites soliciting whistleblower tips from foreign nationals. In countries where methods of anonymous reporting are restricted, companies may need to tailor their procedures to local requirements.
Companies should also consider benchmarking their internal reporting systems against those of similar companies in their industry. For example, companies should assess the number of reports they are receiving in comparison to other companies. If receiving appreciably fewer reports, companies should consider whether sufficient efforts are being made to inform employees of reporting procedures or whether there are other factors, such as fear of retaliation, that are causing fewer reports.
Communicate the importance of internal reporting. Companies should highlight the importance of compliance and internal reporting at all levels of the organization and continually communicate this message throughout the company. Creative ways to raise employee awareness of the importance of reporting compliance issues should be considered, including:
- Employee newsletters and electronic communications to highlight examples of internal reporting and the positive steps that have resulted.
- Recognition of employees that show exceptional commitment to compliance, including reporting possible violations to the company.
C. Human Resources Procedures
Human Resources departments will play a key role in promoting the use of internal compliance procedures and responding to whistleblower complaints. Human Resources also plays an important role in protecting whistleblowers and seeing that employment decisions are made without regard to any protected activity. They can also address employees’ personnel concerns before they spill over into whistleblowing activity.
Screening potential employees. Human Resources should screen prospective new hires to identify and properly vet any red flags, consistent with applicable federal and state laws.
Use compliance factors in employee evaluations. Companies should think of ways to incorporate adherence to the code of conduct, including the use of internal reporting procedures, into employee evaluations. This will provide positive incentives–as opposed to only disincentives–for employees to use compliance procedures. For example, companies should consider:
- Using an employee’s commitment to fostering a culture of ethics and accountability among the criteria used to evaluate performance. Employees that take additional compliance training programs, demonstrate leadership in compliance areas, and actively and candidly participate in investigations of misconduct should be recognized.
- Including the reporting of potential misconduct as a positive performance criterion.
Train managers to be receptive to employee concerns. Human Resources should evaluate the training programs currently provided to managers and supervisors on how to react and respond to employee reports of possible violations and add or revise new training programs if necessary. Many employees are likely to first approach a direct supervisor about potential misconduct. If these supervisors do not take these reports seriously and provide proper advice on how to handle and remediate the situation, as appropriate, employees are less likely to use internal compliance procedures.
Respond promptly to troubled working relationships. Many whistleblower cases arise out of working relationships in which an employee believes he or she is being treated unfairly by superiors. By promptly investigating and addressing these circumstances, Human Resources can reduce the likelihood that the employee will seek assistance outside of the company by making a whistleblower complaint.
Review existing whistleblower protections. Companies should review the procedures they currently have in place for dealing with known whistleblowers to make sure they comport with the anti-retaliation provisions and consider whether they should be revised. Adequate training should be provided to managers and supervisors on appropriate ways to deal with a whistleblower so that they do not run afoul of the anti-retaliation provisions.
Document decisions regarding whistleblowers. There may be instances where disciplinary action against a whistleblower is appropriate and warranted. For example, the whistleblower may have engaged in wrongdoing or has a history of poor performance. In the adopting release the SEC states that the anti-retaliation provisions of the Dodd-Frank Act “only prohibit[] adverse employment actions that are taken ‘because of’ any lawful act by the whistleblower to provide information; adverse employment actions taken for other reasons are not covered.”[64] Nevertheless, to reduce the likelihood of a successful retaliation claim, companies should document their investigation of a whistleblower and create a clear record that any adverse employment action is being taken for legitimate reasons. The identity of whistleblowers, when not anonymous, should be shared only on a need-to-know basis to reduce the potential for retaliation and to insulate managers from allegations that their regular supervisory activity was motivated by retaliatory animus. Counsel should be consultedbefore taking action against a whistleblower to make sure the company properly addresses any potential legal issues.
Revise exit interview forms and separation agreements and releases. It is important to obtain confirmation from departing employees that they have disclosed to the company any misconduct of which they are aware so that it can be addressed and remedied appropriately. Companies may want to include questions seeking this information in exit interviews, and to include representations by departing employees in separation agreements that they have made full and truthful disclosures about any misconduct of which they are aware. In addition, separation agreements should include acknowledgments of employee rights to file charges, provide truthful information, and otherwise assist governmental authorities so they are not misinterpreted as impeding these rights, while at the same time waiving individual relief to the maximum extent permitted.
Consider the impact on arbitration and other alternative dispute resolution procedures. In light of the Supreme Court’s recent decision in AT&T Mobility, LLC v. Concepcion, 563 U.S. __ (2011), there is a renewed interest among many companies in arbitration and other alternative dispute resolution programs. Companies should note, however, that certain claims, including whistleblower retaliation claims under the Dodd-Frank Act, cannot be included within pre-dispute arbitration agreements.
D. Internal Investigation Policies and Practices
Companies that do not have procedures already in place for investigating internal complaints should consider developing a system to quickly respond to allegations of impropriety. Even companies that do have such systems in place should review their procedures and assess whether changes should be made. Indeed, the Whistleblower Rules pose significant challenges to a company’s internal investigation procedures. Once receiving a tip, a company must act quickly as it has 120 days before an employee can report to the SEC without losing his or her “first in line” status. At the same time, the Whistleblower Rules require that companies be cautious and deliberative in how they conduct their investigations. Indeed, under the rules, an anonymous whistleblower may report the results and progress of the investigation to the SEC. Moreover, all employees involved in the investigation can potentially become whistleblowers in certain situations. With this in mind, companies should consider the following steps when conducting an investigation in the post-Whistleblower Rules era:
Have an investigative plan ready. Companies should consider a review of their current investigation procedures and create a plan in advance to respond to allegations of possible violations. The scope and nature of the investigation will depend on the type of allegations being made. Some allegations are more serious than others and will demand greater attention and resources. Companies should decide which employees or departments will be involved in different types of investigations and develop basic protocols that will be used in whistleblower investigations. In some cases, it may be important that the investigation be conducted by someone with an independent perspective, such as when there are allegations involving senior management, so as to give external confidence to the results of the investigation. Companies should consider identifying in advance the types of allegations they intend to use outside counsel to investigate, so the investigation can commence promptly. Public companies also should review the types of whistleblower complaints that they require to be promptly reported to the Audit Committee and determine whether any changes to these procedures are appropriate.
Apprise whistleblowers of the status of investigations. Whistleblowers who report internally have shown a commitment to the company and its compliance procedures. In addition, if a whistleblower is left wholly in the dark, he or she may assert to the Commission that the company’s internal investigation is inadequate. Thus, the company should consider apprising the internal whistleblower on the status and outcome of the investigation consistent with needs for confidentiality.
Employee interviews. An internal investigation is a fact-gathering exercise. Companies should avoid revealing specific allegations of wrongdoing and underlying facts that support the allegations during employee interviews, to the extent possible so as to avoid reputational injury to persons who have not, in fact, engaged in misconduct. Interviewers should always remember to remind employees not to reveal the existence of the investigation or the substance of the interview to anyone. Companies also should consider advising employees that the interview is being conducted as part of an internal investigation and that they have an obligation to be candid with the company.
Using counsel at interviews. All information obtained through a communication that is subject to the attorney-client privilege is not considered “original information,” and thus generally is not eligible for an award. Therefore, if appropriate to facilitate legal advice, companies should consider having an attorney conduct or participate in interviews. The SEC has stressed the importance of protecting the attorney-client privilege: “If an attorney in possession of the information would be precluded from recovering an award based on his or her submission, a non-attorney who learns this information through an attorney-client communication would be similarly disqualified.”[65] This exception does not apply if the privilege has been waived, and therefore companies should provide Upjohn warnings before all employee interviews to protect the privilege.[66]
Supplement policies regarding privileged and confidential information. The new rules appear to permit attorneys and others in possession of information protected by the company’s attorney-client privilege or the work product doctrine to disclose that information to the SEC under some circumstances. The rules provide for awards from reports made while an investigation is ongoing, creating added risk of disclosure of privileged information. In addition, it is foreseeable that whistleblowers will disclose confidential and proprietary business information to the government without corporate authorization. Corporations should consider taking steps to prevent the misuse of confidential information by third parties. Thus, a company may wish to advise the SEC that an employee’s disclosure of privileged information was unauthorized and is not a waiver by the company.
III. Implications of the Whistleblower Rules for Enforcement Practice
The Whistleblower Rules are intended to supplement the Commission’s ongoing efforts to encourage both individuals and companies to self-report and self-remediate securities law violations. The Commission previously has authorized the staff to enter into cooperation agreements with individuals, and to resolve cases with entities that self-report violations and undertake remedial measures through non-prosecution agreements and deferred prosecution agreements. Experience with qui tam lawsuits under the False Claims Act suggests that whistleblower claims may become an important source of SEC investigations and enforcement actions. For example, whistleblower claims have been central to several major government actions alleging health care fraud claims. It is uncertain how the Dodd-Frank Act and the new rules will affect the enforcement of the federal securities laws, but several observations are in order.
The self-reporting calculus may change. Historically, the Commission has said that it will consider lower sanctions or non-prosecution for companies who promptly self-report potential violations. A company which is investigating a possible violation must bear in mind the possibility that a whistleblower may seek to “win the race” to the SEC doors, which, in turn, may adversely affect the amount of “credit” the company may claim for itself.
Expect surprises.The rules provide that a whistleblower’s information may merit an award when the whistleblower provides information regarding new or additional possible violations that are not within the scope of an existing investigation. Often, when knowledge of a pending investigation is widespread within an organization, new and hitherto unidentified whistleblowers surface, raising new and unrelated issues. In addition, the whistleblower may be monitoring the company’s own investigative efforts and confidentially reporting to the SEC about it.
Protect the company’s privileges when interacting with the Commission. For several decades, practitioners have sought to enter into “limited waiver” agreements under which company counsel sought to provide privileged information and protected attorney work product to the Commission while maintaining the privilege or protection as to third parties. Courts have not always honored such limited waiver agreements. Nevertheless, companies who wish to cooperate and share the results of an internal investigation and the evidence collected can defend against a subsequent claim of waiver in a private civil action by carefully defining the scope of communications with the Commission, limiting the amount of attorney work product disclosed, and guarding against unauthorized disclosures of privileged information or attorney work product.
Assess public disclosure issues. Whistleblowers may raise issues that suggest that a company’s previous periodic reports or press releases are inaccurate. They also may identify previously unknown contingent liabilities. Companies will need to assess whistleblower claims and subsequent internal investigations to determine whether corrective or additional disclosures are appropriate.
Be mindful of how the whistleblower is treated. The Dodd-Frank Act provides significant protections to whistleblowers. In addition, the Commission itself now asserts that it has the authority to charge retaliation against a whistleblower as a separate and distinct violation of the securities laws. Accordingly, companies should proceed carefully when making employment decisions regarding individuals who may be whistleblowers.
IV. Conclusion
The Commission’s Whistleblower Rules present a challenge to all companies and regulated entities. The financial incentive to blow the whistle to the government will strain the most effective internal compliance programs. While the Commission has endeavored to encourage such programs, companies must be vigilant to establish and maintain a culture of integrity and openness.
[1] A copy of the SEC’s proposing release and proposed rules is available here: SEC Proposes New Whistleblower Program Under Dodd-Frank Act. Gibson Dunn’s client alert on the proposed rules is available here: U.S. SEC Proposes and Seeks Comment on New Dodd-Frank Whistleblower Rule.
[2] SEC Release for Proposed Rules Implementing the Whistleblower Provisions of Section 21F of Securities Exchange Act of 1934, November 3, 2010, at 96.
[3] Rule 21F-2(a)(1).
[4] Id.
[5] Rule 21F-9(c).
[6] Rule 21F-3(a)(1).
[7] Rule 21F-4(a).
[8] SEC Release for Rules Implementing the Whistleblower Provisions of Section 21F of Securities Exchange Act of 1934, May 25, 2011 (“Adopting Release”), at 30.
[9] Id. at 30-31.
[10] Rule 21F-4(a)(3).
[11] Rule 21F-3(a)(2).
[12] Rule 21F-4(b)(1).
[13] Rule 21F-4(b)(1)(iv).
[14] Rule 21F-4(b)(7).
[15] Adopting Release at 6.
[16] Adopting Release at 77.
[17] Id.
[18] Id. at 92.
[19] Rule 21F-4(c)(1).
[20] Id.
[21] Id.
[22] Rule 21F-4(c)(2).
[23] Adopting Release at 97-101.
[24] Rule 21F-4(c)(3).
[25] Adopting Release at 101-02.
[26] Id. at 101-03.
[27] Id.
[28] Rule 21F-4(e).
[29] Rule 21F-4(d); Rule 21F-3(b).
[30] Adopting Release at 6-7.
[31] Rule 21F-3(b)(3).
[32] Rule 21F-5.
[33] Rule 21F-6(a).
[34] Rule 21F-6(b).
[35] Rule 21F-4(b)(4)(iii)(A).
[36] Adopting Release at 71.
[37] Rule 21F-4(b)(4)(i), (ii). As explained in the adopting release, Commission Rule 17 C.F.R. § 205.3(d)(2) “permits attorneys representing issuers of securities to reveal to the Commission “confidential information related to the representation to the extent the attorney reasonably believes necessary” (1) to prevent the issuer from committing a material violation that is likely to cause substantial injury to the financial interest or property of the issuer or investors; (2) to prevent the issuer, in a Commission investigation or administrative proceeding, from committing perjury, suborning perjury, or committing any act that is likely to perpetrate a fraud upon the Commission; or (3) to rectify the consequences of a material violation by the issuer that caused, or may cause, substantial injury to the financial interest or property of the issuer or investors in the furtherance of which the attorney’s services were used.” Adopting Release at 56 n.119.
[38] Adopting Release at 59-60.
[39] Adopting Release at 59.
[40] Rule 21F-4(b)(4)(iii)(B).
[41] Rule 21F-4(b)(4)(iii)(C).
[42] Rule 21F-4(b)(4)(iii)(D).
[43] Rule 21F-8(c)(4).
[44] Rule 21F-4(b)(4)(iv).
[45] Rule 21F-8(c)(2).
[46] Rule 21F-8(c)(6).
[47] Adopting Release at 64.
[48] Rule 21F-4(b)(4)(v).
[49] Id.
[50] Rule 21F-7.
[51] Rule 21F-7(b).
[52] Rule 21F-15; Rule 21F-8(c)(3).
[53] Rule 21F-16.
[54] Adopting Release at 194.
[55] Rule 21F-6(b)(1).
[56] Adopting Release at 193.
[57] Rule 21F-17(b).
[58] Id.
[59] 18 U.S.C. § 1514A.
[60] Rule 21F-2(b)(1).
[61] Adopting Release at 16.
[62] Adopting Release at 18.
[63] The SEC has stated it will consider a company’s internal compliance programs and efforts to promptly investigate and disclose possible violations as a factor in determining sanctions in its so-called “Seaboard report” and subsequent releases on non-prosecution agreements and deferred prosecution agreements. See Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions, Exchange Act Release No. 44,969 (Oct. 23, 2001).
[64] Adopting Release at 19.
[65] Adopting Release at 59.
[66] The “Upjohn warning” takes its name from the Supreme Court case Upjohn Co. v. United States, 449 U.S. 383 (1981), in which the court held that communications between company counsel and employees are privileged, but the privilege is owned by the company and not the individual employee. The purpose of the warning is to remove any doubt that the lawyer speaking to the employee represents the company, and not the employee. The warning also makes it clear that only the company, and not the employee, can waive any privilege associated with the communication.