On July 13, 2022, the United States Court of Appeals for the First Circuit ruled that the whistleblower protections contained in Section 806 of the Sarbanes-Oxley Act (SOX) do not apply to employees who report potential violations of the Foreign Corrupt Practices Act (FCPA). The ruling in Baker v. Smith & Wesson, Inc., 40 F.4th 43 (1st Cir. 2022) is the second recent decision narrowing the important whistleblower protections of the Act, coming on the heels of a recent award in the 9th Circuit. While these decisions are significant and will likely generate further litigation as whistleblowers seek to avoid the impact, the practical effects for future whistleblower cases are likely to be limited as there may be workarounds. Regardless, we would not expect any change in the need for companies to maintain robust compliance programs that incentivize internal reporting by employees.
SOX Whistleblower Protections
Whistleblower protections are central to the suite of SOX oversight reforms, encouraging and protecting individual reports of potentially fraudulent conduct. SOX contains a number of whistleblower protections. For example, Section 301 of the Act sets out requirements for internal procedures employers must use to receive and process whistleblower complaints regarding accounting or auditing matters. Section 1107 criminalizes any retaliatory actions where a whistleblower has provided “truthful information” concerning the commission of a Federal offense to a law enforcement officer.
The most commonly invoked whistleblower protections in SOX are those in Section 806, which protects whistleblowers who report certain kinds of fraudulent activity internally from retaliation by their employer. Section 806, codified as 18 U.S.C. § 1514A, grants whistleblowers, under certain conditions, a civil cause of action to recover compensatory and other damages resulting from retaliation. Section 806 provides these protections as long as the reported activity falls within one of three statutory categories: the report must (1) concern a rule or regulation of the U.S. Securities & Exchange Commission (SEC); (2) concern a violation of mail fraud, wire fraud, bank fraud, or securities fraud statutes; or (3) concern a provision of Federal law relating to fraud against shareholders. Such protections are intended to work hand in hand with other provisions of SOX which require organizations to build out internal procedures for compliance and incentivize executive leadership to ensure that their firm is acting within the bounds of the law. Whistleblowers are particularly important in first detecting and reporting violations of the FCPA, which frequently stem from the conduct of remote subsidiary or affiliate entities or are carried out via schemes that endeavor to avoid corporate reporting or accounting programs. Section 806 has been understood as an important protection to incentivize this internal reporting.
First and Ninth Circuits: Reporting FCPA Violations Not Protected Under SOX
Recently, an appeal of a large jury award in a civil action in the Northern District of California limited the protections in Section 806 that apply to whistleblowers in the FCPA context. In Wadler v. Bio-Rad Labs., Inc., 916 F.3d 1176 (9th Cir. 2019), Wadler, Bio-Rad’s former general counsel, internally reported potential violations of the FCPA, and was fired as a result. The jury returned an $11 million award for Wadler based on instructions that identified the FCPA as a “rule or regulation of the SEC” for purposes of the whistleblower protections in Section 806. Bio-Rad appealed the jury’s decision.
On appeal, the Ninth Circuit ruled that the jury instructions were incorrect because the relevant text of Section 806 unambiguously limited whistleblower protections to “administrative rules and regulations” of the SEC, not a statute like the FCPA. The Ninth Circuit did not address whether Section 806 protections could apply to the reporting of an FCPA violation if the report (1) identified a violation of mail, wire, bank or securities fraud statutes or (2) concerned a provision of Federal law relating to fraud against shareholders. The Ninth Circuit also rejected Wadler’s policy argument that the Section 806 whistleblower protections should be applied broadly based on SOX’s remedial purpose of protecting employees, explaining that the plain language of Section 806 did not require consideration of such arguments. The Ninth Circuit ultimately upheld the verdict, and the $11 million award, in Wadler’s favor on independent state law grounds. Still, the decision questioned whether Section 806’s whistleblower protections applied to reporting of FCPA violations.
In Smith & Wesson, the First Circuit was squarely faced with precisely the same question as the Wadler Court—whether reports of potential FCPA violations are protected as potential violations of a “rule or regulation of the SEC.” The Court held that they are not. Plaintiff Baker conceded that the FCPA is not one of the fraud statutes listed in Section 806—i.e., mail, wire, bank, or securities fraud—and is not a “provision of Federal law relating to fraud against shareholders.” He argued only that the FCPA is a “rule or regulation of the Securities and Exchange Commission.” The First Circuit agreed with the Ninth Circuit’s decision in Wadler and held that the FCPA is not such a rule or regulation of the SEC, and therefore, the whistleblower protections of Section 806 do not apply. Like the Ninth Circuit, the First Circuit concluded that the plain language of Section 806 precludes any interpretation that would include the FCPA and therefore, policy and legislative history arguments need not be considered. As such, a whistleblower’s internal report of potential FCPA violations does not receive the protections of Section 806 of the Act.
Despite being the second Court of Appeals to narrow the scope of Section 806, the First Circuit’s decision may have limited impact on SOX whistleblower cases in the long run. First, other reform legislation–including but not limited to Dodd-Frank–has resulted in additional protections of, and rewards for, employees who report on illegal conduct that is likely to capture some whistleblowing that falls outside the newly-narrowed ambit of SOX protections. Moreover, the two cases described above shared an unusual feature in that the alleged FCPA violations were characterized only as violations of a “rule or regulation of the SEC.” With this avenue apparently foreclosed, plaintiffs will likely be able to re-cast the FCPA violations as also violations of mail, wire, bank, or securities fraud, or will point to internal controls lapses leading to the violations as a “fraud against shareholders”—requiring only a minor recharacterization of the allegations to permit them to fall within the scope of the Act. With no indication that the Department of Justice and the SEC will be slowing FCPA enforcement in the near term, companies should tread cautiously in considering any changes to compliance programs in response to these decisions. As part of any evaluation of a company’s compliance culture, DOJ and the SEC will continue to expect companies to encourage reporting and not to retaliate. Effective internal reporting – which in turn depends on having viable channels by which reports are made, and on individuals willing to make such reports – remains a fundamental component of any compliance program, as it is an essential prerequisite to a company being in a position to investigate and remediate potential violations and thereby avoid or mitigate potential penalties.