New rules under SOX
Protected activity under SOX
Employees assisting authorities and employers in detecting fraud
SOX's application to contractors and subcontractors of publicly held companies
Exposure of whistleblower's identity was 'adverse action'
Extraterritorial application of SOX


Section 806 of the Sarbanes-Oxley Act 2002 (SOX) protects employees of public companies who 'blow the whistle' by reporting conduct that they reasonably believe constitutes a violation of federal law relating to financial, securities or shareholder fraud.

Section 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which was enacted in 2010, requires the Securities and Exchange Commission (SEC) to establish a new whistleblower programme that will pay awards to whistleblowers who provide the SEC with information about violations of securities laws that lead to a successful enforcement action resulting in monetary sanctions exceeding $1 million.

Section 922 of the Dodd-Frank Act also provides protection to whistleblowers by prohibiting retaliation by employers against individuals who provide information to the SEC regarding potential securities violations. The anti-retaliation protections authorise civil causes of action to address adverse employment actions taken against a whistleblower employee because that employee made a report to the SEC.

Below is a summary of key provisions of regulations issued by the Department of Labour and recent decisions concerning SOX.

New rules under SOX

Sections 922 and 929A of the Dodd-Frank Act amended SOX in 2010 by:

  • adding provisions that extended the statute of limitations for filing a complaint with the Department of Labour's Occupational Safety and Health Administration (OSHA) from 90 to 180 days;
  • clarifying that employees who bring claims under SOX have a right to a jury trial;
  • prohibiting the waiver of any rights or remedies provided for whistleblowers under SOX; and
  • invalidating pre-dispute arbitration agreements with regard to SOX claims.

In addition, the Dodd-Frank Act expanded SOX coverage to include employees of "nationally recognized statistical rating organization[s]", as well as employees of subsidiaries or affiliates of publicly traded companies where that subsidiary's financial information is included in the consolidated financial statements of the company.

OSHA's revised interim final regulations under SOX include the following new provisions:

  • Aggrieved employees will have 180 days to file a complaint with OSHA – an increase of the 90-day filing period previously provided under SOX. The new rule also provides that SOX complaints can be made orally or in writing, in any language and (with the employee's consent) may be filed by any person on the employee's behalf. Previously, complaints had to be submitted in writing.
  • During OSHA's investigation of the complaint, once the complainant demonstrates by a "preponderance of the evidence" that protected activity resulted in an adverse action, the burden of proof shifts to the respondent-employer. To avoid liability, the employer must prove by "clear and convincing evidence" (a heavier burden) that it would have made the same decision absent the protected activity. OSHA must dismiss a whistleblower claim under SOX if either:
    • the complainant fails to demonstrate that the protected activity was a contributing factor in the adverse action; or
    • the employer rebuts the complainant's proof by providing clear and convincing evidence that it would have taken the same adverse action absent the protected activity.
  • The prior SOX regulations provided that reinstatement would not be ordered where the respondent establishes that the complainant is a security risk. The new regulations removed that provision based on OSHA's belief that the determination of whether reinstatement is appropriate should be based on the facts of each case and relevant case law. OSHA has commented that, where appropriate, the agency may order "economic reinstatement" instead of preliminary reinstatement, meaning that the complainant receives the same pay and benefits as before termination, without actually returning to work.

Protected activity under SOX

Section 806 of SOX prohibits retaliation against an employee who reports any conduct the employee "reasonably believes constitutes a violation" of:

  • federal criminal law provisions prohibiting mail, wire or bank fraud;
  • any of SEC's rules or regulations; or
  • any provision of federal law relating to fraud against shareholders.(1)

To qualify as having engaged in 'protected activity' under SOX, a whistleblower must establish by a preponderance of the evidence that he or she had a reasonable belief that the acts complained of violated the laws specified in SOX.

In Wiest v Lynch(2) a federal court rejected a SOX claim made by a former employee of Tyco Electronics Corporation, holding that the plaintiff failed to establish that he held an objectively reasonable belief that the complained of conduct constituted shareholder fraud or a violation of one of the statutes or rules enumerated by SOX. The plaintiff relied on the Department of Labour Arbitration Review Board's decision in Sylvester v Parexel Int'l LLC,(3) which rejected the evidentiary standard requiring that complainants "definitively and specifically" describe a violation of one or more of the laws enumerated in SOX.

Instead, the Sylvester decision ruled that SOX protection is available so long as the employee provides information that he or she reasonably believes relates to a violation of one of the laws identified in Section 806 of SOX. In Wiest the court ruled that the Sylvester decision – a board decision – was not binding authority on a federal district court. The court also held that even if it were binding precedent, the Sylvester case would not change its conclusion that the plaintiff failed in his complaint to plead facts reflecting a reasonable belief that his communications regarding tax treatment of certain company expenses "related – in any way, definitively and specifically, or otherwise – to shareholder fraud of a violation of one of the statutes or rules listed in § 1514A".

Employees assisting authorities and employers in detecting fraud

In Vannoy v Celanese Corp(4) the board decided that an employer's interest in protecting its confidential information did not necessarily trump a SOX claimant's use of such information in furtherance of enforcement of tax and securities laws. After suspecting abuse of company funds, the complainant filed an internal complaint alleging misuse of funds under Celanese's business conduct policy, as well as a disclosure under the Internal Revenue Service (IRS) Whistleblower Rewards Programme. The complainant attached to the complaint company documents relating to confidential employee information, including 1,600 of Celanese's employees' social security numbers, which he had emailed to his personal email account. Celanese terminated him for violation of the company's confidentiality policy.

Reiterating its holding in Sylvester that an employee need not complain specifically about shareholder fraud to state a claim under SOX, the board determined that the complainant had engaged in protected activity. The board concluded that his complaints concerning Celanese's business practices, assertions as to misstated financial records and shortcomings in the company's accounting controls supported the reasonableness of his belief that the company was engaging in accounting misconduct in violation of SOX.

The board also reversed the determination of the administrative law judge that reporting to the IRS does not constitute a complaint to "a federal regulatory or law enforcement agency" as contemplated by Section 1514A of Title 18 of the United States Code. The board held that such a restriction was contrary to Congressional intent, and that SOX's whistleblower protection provisions did not limit the agencies to which a complainant can report information.

Finally, the board held that whether the complainant's appropriation of confidential company documents was 'protected activity' depended on whether it provided 'original information' that Congress intended to protect under the SEC bounty programme. Thus, the board remanded the case to the administrative law judge for a hearing on whether:

  • the confidential information taken by the complainant was 'original information' that Congress intended to protect under the IRS Whistleblower Programme and the Dodd-Frank Act; and
  • the manner of the transfer of the information was protected under SOX.

The board emphasised that the SOX legislative history suggests that Congress intended to protect "lawful acts to disclose information or otherwise assist criminal investigators, federal regulators, Congress, supervisors..or parties in a judicial proceeding in detecting and stopping fraud".

SOX's application to contractors and subcontractors of publicly held companies

Liability under SOX may attach not only to a publicly traded employer, but also to agents of such entity.(5) In Lawson v FMR LLC(6) two former employees of Fidelity Investments – investment advisers for the Fidelity family of mutual funds – brought claims under SOX. The named defendants were privately owned organisations that provided management and administrative functions for the operation of the mutual funds, which are publicly held companies supervised by a board of trustees and without any employees. The court decided that SOX did not apply to the defendants. Noting that the language of Section 806 bars "publicly traded companies...or any officer, employee, contractor, subcontractor or agent of such company" from retaliating "against any employee", the court decided that 'employee' means only an employee of the publicly traded company itself. The court based its decision on statements of congressional intent in SOX and even the section's title - "Protection for Employees of Publicly Traded Companies who Provide Evidence of Fraud".

Exposure of whistleblower's identity was 'adverse action'

The board recently held that a former Halliburton employee was subjected to an adverse action under SOX when the company disclosed in emails his identity as the employee who submitted accounting practice complaints to the SEC and an internal audit committee.(7) Section 301 of SOX requires that audit committees of issuers listed on US exchanges establish procedures for confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters. Halliburton's assistant general counsel forwarded Menendez's audit committee complaint to Halliburton's general counsel and its chief financial officer. The chief financial officer then revealed his identity as a whistleblower to, among others, the subjects of the complaint. The complainant alleged that his co-workers began to avoid him, the company's auditors refused to interact with him and his responsibilities were reduced, prompting his resignation.

The board refused to limit 'adverse action' to tangible job consequences, holding that complainant's right to confidentiality was a term and condition of his employment. Rather, it adopted the standard used under Title VII – whether the activity would dissuade a reasonable employee from engaging in protected activity – and held in this case that a reasonable person in the complainant's position would be deterred from filing a confidential disclosure regarding misconduct if there existed the prospect that his identity would be revealed to the people implicated in the alleged misconduct.

Extraterritorial application of SOX

In Villanueva v Core Labs NV(8) the board rejected a former employee's SOX claim on the grounds that SOX does not apply extraterritorially. Villanueva involved a non-US citizen working in Bogota for a Colombian company, who alleged that he was denied a raise and fired after he complained about a tax evasion scheme that violated Colombian laws. The complainant named his employer's parent company – a Netherlands company whose securities are registered under the Securities Exchange Act and are publicly traded on the New York Stock Exchange. The opinion identified the factors that should be assessed in determining whether a complainant's claim would require extraterritorial application of SOX:

  • the location of the protected activity;
  • the location of the job and the company/employer;
  • the location of the retaliatory act; and
  • the nationality of the laws allegedly violated.

The board based its decision in this case on the facts that the alleged fraud involved two foreign companies and a perceived failure to comply with foreign tax law.

For further information on this topic please contact Kevin B Leblang or Robert N Holtzman at Kramer Levin Naftalis & Frankel LLP by telephone (+1 212 715 9100), fax (+1 212 715 8000) or email ([email protected] or [email protected]).


(1) 18 USC § 1514A(a)(1).

(2) 2011 WL 5572608 (ED Pa, November 16 2011).

(3) DOL ARB No 07-123 (May 25 2011).

(4) DOL ARB 09-118 (September 28 2011).

(5) 18 USC § 1514A(a).

(6) 2012 WL 335647 (1st Cir, February 3 2012).

(7) Menendez v Halliburton Inc, DOL ARB 09-002, 09-003 (September 13 2011).

(8) DOL ARB 09–108 (December 22 2011).