The Sarbanes-Oxley Act of 2002 contains two very different provisions addressing corporate "whistleblowers." This Update describes both:

    • the whistleblower procedures that audit committees must establish pursuant to Exchange Act Rule 10A-3 (mandated by Sarbanes-Oxley Section 301), and

    • the whistleblower protections provided by Title 18 of the U.S. Code (mandated by Sarbanes-Oxley Section 806).

Audit Committee Whistleblower Procedures

Rule 10A-3 of the Exchange Act directs NYSE, Nasdaq and other national securities exchanges or associations to require a listed company's audit committee to establish formal procedures for addressing complaints relating to accounting and auditing matters. Rule 10A-3 implements the new audit committee rule that the SEC adopted effective April 25, 2003. Listed companies must have these whistleblower procedures in place by the earlier of (a) their first annual meeting after January 15, 2004 or (b) October 31, 2004.

Specifically, audit committees must establish procedures for:

    • External complaints: receiving, retaining and treating complaints that the company receives (from any source) regarding accounting, internal accounting controls or auditing matters, and
    • Internal complaints: Providing a means (for example, through a 1-800 number) for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters.

Rule 10A-3 does not mandate specific procedures that audit committees must establish. The SEC, in its final rule release, expressly refused to adopt a "one-size-fits-all" approach, recognizing that procedures effective for a smaller issuer may be very different from those effective for large multi-national corporations. To state the obvious, the procedures that the audit committee adopts should "fit" the company, i.e., be procedures that the company will be able to comply with and that are proportionate to the company's circumstances. The audit committee should also ensure that the procedures are consistent with the company's overall ethics program, including the Sarbanes-Oxley mandated code of ethics and the code of conduct mandated by Nasdaq or the code of business conduct and ethics mandated by NYSE.

Recommendation: adopt general, not specific procedures. The whistleblower procedures should be general in nature and easy to understand and follow. The procedures do not need to be lengthy, but they should, at a minimum, address:

    • how to submit complaints, including how employees can submit anonymous complaints or concerns;
    • the scope of matters covered by the procedures and guidelines as to the content and detail of complaints;
    • how the company retains complaints;
    • who will handle complaints and the process for evaluating, investigating and resolving them; and
    • the role of the audit committee in reviewing and/or investigating complaints.

Practical Considerations

Who should receive and act on complaints?

Rule 10A-3 does not specify the person or persons who should receive and act on complaints. The SEC intentionally left this determination to the audit committee. We recommend that, depending on its circumstances, the company have one or more of the following parties be responsible for receiving and acting on complaints:

    • the audit committee or the chairman of the audit committee.
    • the company's general counsel, risk management department or human resources department.
    • an outside consultant or advisor.

Although the audit committee is charged with establishing the procedures, there is no requirement that the audit committee actually investigate complaints or otherwise administer the procedures. Nonetheless, the procedures should, at a minimum, provide that the audit committee be copied on all complaints and be informed of the outcome of investigations based on such complaints. Given the statutory mandate that the audit committee establish the procedures, it would be inadvisable for the audit committee to be completely disassociated from the actual review, evaluation or resolution of complaints.

How should the company provide for the anonymous submission of complaints?

Rule 10A-3 requires that the audit committee establish procedures for the confidential, anonymous submission of complaints by employees. The anonymous submission of complaints is easier said than done, because it requires a means by which employees can deliver complaints, either directly or indirectly, to the right person without revealing their identity. Companies may wish to use:

    • internal or third-party telephone hotlines, through which employees call to report complaints, which complaints are then transcribed and forwarded to the appropriate persons.
    • Web-based approaches, in which employees go to the Web site of a third-party provider to submit the complaint, submit the complaint on a secure Web page installed by the provider on the company's intranet, or e-mail the complaint to such provider.

For many smaller public companies, however, telephone hotlines and Web-based submission services might be unnecessarily formal or expensive. Such companies may choose to enlist time-honored methods such as confidential paper submission boxes placed in common areas. Regardless of how employees submit the anonymous complaints, the procedures should ensure that these complaints contain enough information and specificity to allow the company to act on the complaint, and should provide a means to follow up with the anonymous complainant if necessary.

Practical Tip 2

How should the company make employees and others aware of the procedures?

Although Rule 10A-3 does not set forth any requirement for dissemination or public disclosure of the procedures, we believe that implicit in the rule is a requirement that companies broadly disseminate the procedures, or at least the portions of the procedures that describe how to submit complaints. The logical places for such dissemination would be the company's corporate Web site and employee intranet. For companies without corporate Web sites or intranets, or with a large percentage of employees with limited access to computers, it may be necessary to post the procedures in company common areas. In addition, companies should incorporate the procedures into their employee manuals, and consider distributing the procedures in paper format to all existing employees and to new employees as part of the orientation process.

What should the audit committee do to put the procedures in place?

The audit committee and management should act now to begin implementing the procedures. Companies need to build in time to fully implement the procedures, which will involve:

    • drafting procedures that are tailored to the company's particular circumstances;
    • determining the persons or departments responsible for administering the procedures;
    • obtaining audit committee review and approval of the procedures;
    • hiring a third-party anonymous complaint submission provider, if necessary; and
    • disseminating the procedures to employees and making them widely available.

For a more general description of Rule 10A-3 and its other provisions, please see our Update entitled "SEC Issues Final Rule to Implement Audit Committee Requirements of Section 301 of Sarbanes-Oxley".

Whistleblower Protections Under Section 806 of the Sarbanes-Oxley Act

Sarbanes-Oxley not only requires that companies have whistleblower procedures in place, but also provides substantial protections to employee whistleblowers who report certain company misconduct. The Sarbanes-Oxley whistleblower protections are set forth in Section 806 of the Act. Section 806, which is currently in effect, applies to any employee who either:

    • files, testifies, participates in or otherwise assists in any proceeding relating to an alleged violation of the mail, wire, bank or securities laws; or
    • provides information or assists in an investigation regarding any conduct that the employee "reasonably believes" constitutes a violation of the mail, wire, bank or securities laws.

An employee is protected by Section 806 if he or she reports the information to, or the investigation is conducted by:

    • a federal regulatory or law enforcement agency;
    • any member or committee of Congress;
    • any person with supervisory authority over the employee; or
    • any other person who has "the authority to investigate, discover, or terminate misconduct."

Employees involved in any of Section 806's protected activities cannot be discharged, demoted, suspended, threatened, harassed or discriminated against as a result of that involvement. Civil remedies for violations of Section 806 include "all relief necessary to make the employee whole," such as back pay with interest and attorneys' fees.

Employees seeking relief under Section 806 must file a complaint with the Secretary of Labor. The Secretary of Labor has delegated authority for the enforcement of Section 806 to the Assistant Secretary for Occupational Safety and Health (OSHA). As a result, OSHA has full investigative and adjudicatory authority over Section 806 whistleblower claims.

In evaluating a whistleblower complaint, OSHA is required to dismiss the complaint without conducting an investigation, unless the complainant makes a "prima facie showing" that his or her whistleblowing activities constituted "a contributing factor" in the alleged unfavorable personnel action. Even if the complainant succeeds in making such a showing, OSHA cannot conduct an investigation "if the employer demonstrates, by clear and convincing evidence, that the employer would have taken the same unfavorable personnel action in the absence of that behavior."

OSHA determinations may be appealed. However, one unusual feature of the review process is that an OSHA decision may include an order requiring the employer to reinstate a discharged employee, effective immediately, despite the filing of an appeal.

Practical Considerations

Does Section 806 apply to conduct occurring prior to the statute's enactment?

This question should be easily answered by the courts. In Gilmore v. Parametric Tech. Corp., DOL ALJ, No. 2003-SOX-00001 (Feb. 6, 2003), the first reported decision interpreting Section 806, Associate Chief Administrative Law Judge Thomas M. Burke held that Congress did not intend for the statute to apply to conduct that occurred prior to the statute's enactment. Even though the complainant in that case was fired on July 17, 2002, less than two weeks before Congress enacted Sarbanes-Oxley, the court explained that applying the statute retroactively would be inappropriate since it "confers new and increased liability upon employers." It is still too early, however, to know whether courts will follow this analysis.

Does Section 806 apply to conduct unrelated to securities fraud?

Determining the type of conduct covered by the protections of Section 806 is more complicated. There is no question that Congress passed Sarbanes-Oxley in response to the public outrage at the massive accounting and corporate scandals involving companies such as Enron and WorldCom. Congress adopted the whistleblower provision specifically to protect employees who, like Enron Vice President Sherron Watkins, expose securities fraud that substantially and directly affects the investing public. As Congress has noted, groups supporting Sarbanes-Oxley, such as the National Whistleblower Center, the Government Accountability Project and Taxpayers Against Fraud, have referred to the Act as "the single most effective measure possible to prevent recurrences of the Enron debacle and similar threats to the nation's financial markets."

While Congress may have enacted Sarbanes-Oxley to deter large-scale securities fraud, employees may argue that Section 806 is not so limited. The whistleblower provision protects employees who report suspected violations of not only the securities laws, but also the mail and wire fraud statutes. The reference to these two statutes in Section 806 may lead employees to claim that the Act applies to reports of misconduct that has nothing to do with defrauding investors.

The mail and wire fraud statutes generally address any fraudulent activity that employs the mails or wires (such as telephone lines). The mail fraud statute requires a scheme to defraud, use of the United States mails in furtherance of the scheme and specific intent to deceive. A wire fraud violation is based on similar elements, except that a defendant must use the wires in furtherance of the fraudulent scheme, and the scheme must have "substantial interstate connections." Like most securities fraud violations, the existence of a mail or wire fraud violation depends on a finding that the conduct at issue is "material." However, unlike the securities laws, the mail and wire fraud laws do not necessarily require a showing that the conduct was material from the standpoint of investors. To the extent that a more liberal definition of materiality applies, employees may attempt to claim the benefits of Section 806 even though the misconduct they report is immaterial from the perspective of the company's financial reporting.

Because Sarbanes-Oxley was enacted so recently, courts have not yet had the opportunity to definitively interpret the scope of Section 806. The legislative history of Sarbanes-Oxley indicates that Congress did not intend for the whistleblower provision to reach every conceivable transgression that occurs in a company context. However, complainants may take advantage of the absence of judicial guidance on Section 806 and pursue claims that clearly contravene the spirit of the statute. Accordingly, employers should exercise caution when taking adverse employment action against an employee who reports any type of alleged fraud - not just that which may impact the company's financial reporting.

What types of adverse employment action does Section 806 prohibit?

If an employee provides information concerning conduct that he or she reasonably believes constitutes a violation covered by Section 806, the employer may not "discharge, demote, suspend, threaten, harass, or in any other manner discriminate against" the employee "in the terms and conditions of [his or her] employment." The terms "discharge," "demote" and "suspend" are easily defined and understood, but the meaning of the terms "threaten," "harass" or "discriminate" are less clear. Thus, employers need to be extra cautious when dealing with employees who may be involved in whistleblowing activities. To avoid a Section 806 violation, employers should, among other things, carefully document communications with, or about, such employees.

Employers can further the goals of Section 806 and at the same time mitigate the long-term risks of securities violations by making their employees feel that they can safely express their concerns about possible company wrongdoing without fear of retribution. Employers can do this by:

    • establishing an independent and reliable system for receiving and investigating employee assertions of misconduct, which incorporates, or supplements, the audit committee's mandated whistleblower procedures described above;
    • reminding employees that the company takes compliance with federal securities laws and company policy seriously; and
    • reassuring employees that the company will make reasonable efforts to ensure that it thoroughly addresses and explores employee concerns and that it will not retaliate against employees based on their assistance or involvement in any subsequent company investigation.

Employers will not be able to predict every type of circumstance that may give rise to a Section 806 violation. However, by conveying a message that they value employee input, and have established reliable, objective systems through which they can act on that input, employers may at least be able to minimize their exposure.

Text of Final Rule and Statute

This Update is intended only as a summary of the SEC's rules and the Sarbanes-Oxley Act. You can find the full text of the final rule regarding the Section 301 whistleblower procedures at http://www.sec.gov/rules/final/33-8220.htm. You can find discussion of other recent laws and regulations of interest to public companies on our website.


Sign up for the latest legal news and insights  >