Misappropriation of Confidential Information or Legitimate Whistleblowing?

There is an obvious tension between the desire to encourage employees to come forward with information necessary to report and expose fraud and the recognition that certain company information is truly private and confidential and should remain so. A recent decision from the U.S. Department of Labor Administrative Review Board further complicates the issue.

Celanese Corporation, an international publicly traded corporation, hired Matthew Vannoy to catalog and reconcile employee expense reimbursement submissions. In 2007, Vannoy filed an internal compliant about employees misusing company credit cards; around the same time, he began talking to an attorney about Celanese’s business practices with respect to its employee credit card-use program. Vannoy then filed a claim with the IRS Whistleblower Rewards Program, and he provided documents to the IRS that included Celanese proprietary and confidential information. A few months later, Vannoy’s supervisor began conducting an investigation into his email communications with employee cardholders and found that he sent a document containing 1,600 social security numbers of Celanese employees to a personal e-mail account. Vannoy was suspended without pay and ultimately terminated.

Section 806 of the Sarbanes-Oxley Act protects employees of publicly traded companies from retaliation for engaging in protected activity. Vannoy filed a complaint with the Occupational Safety & Health Administration (OSHA), claiming that Celanese violated the Sarbanes-Oxley Act by terminating him, and he requested a hearing before an administrative law judge. The administrative law judge granted Celanese summary judgment, based in part on its finding that Vannoy did not suffer an adverse employment action as a result of his protected activity because he was terminated due to his misappropriation of employee information in violation of company policy.

The board reversed. It noted that, under the Securities and Exchange Commission (SEC) whistleblower program, a whistleblower is entitled to an award if he or she provides original information to the SEC, defined as information derived from the independent knowledge and analysis of the whistleblower. Thus, the board noted that Congress had anticipated that whistleblowers would provide insider information to the SEC relating to fraud and, in fact, a newly issued SEC rule prohibited employers from enforcing confidentiality agreements to prevent whistleblower employees from cooperation with the SEC.

In closing, the board stated:

“The IRS whistleblower bounty program Vannoy used, like the SEC program recently established, reflects Congressional recognition of the notable contributions to law enforcement provided by whistleblowers with non-public, inside information. Vannoy’s allegations must be viewed in light of these significant enforcement interests. Evidence of record supports Vannoy’s allegations that he procured employee data in 2005 and in 2007 as part of his efforts to facilitate his complaint with the IRS as to Celanese’s accounting practices. In doing so he sent confidential information by e-mail and created compact discs containing confidential information concerning Celanese employees without the company’s permission. . . . Thus the crucial question for the ALJ to resolve with a hearing on remand is whether the information that Vannoy procured from the company is the kind of ‘original information’ that Congress intended be protected under either the IRS or SEC whistleblower programs, and whether the manner of the transfer of information was protected activity within the scope of SOX.”

Depending on how the administrative law judge rules, employees will be able to make use of confidential or protected company information without fear of being terminated or prosecuted to support their whistleblower claims. But where should the line be drawn? Would you be ok with your personal information (social security number, home addresses, names of children) being disclosed by a whistleblower?

Comment