On May 25, 2011, the SEC released its proposed final rules for whistleblowers, as required by the Dodd Frank Act. The SEC's 305-page release addresses and resolves numerous issues raised in the rulemaking process. This Alert focuses on two issues of particular significance to our clients: (i) defining which individuals qualify as "whistleblowers" protected from retaliation under Dodd Frank, and (ii) whether the SEC requires employees to first comply with a corporation's internal compliance policies before "blowing" the whistle externally.  

To qualify for the anti-retaliation protections under Dodd Frank, Rule 21F-2 defines an individual as a whistleblower if (i) he possesses a reasonable belief that the information he is providing relates to a possible securities law violation that has occurred, is ongoing, or is about to occur, and (ii) he reports that information in the manner prescribed by Dodd Frank and the SEC rules. As a result, the categories of individual employees who might qualify for whistleblower protection may be surprisingly broad, and they may be difficult to identify. The key provision requires that an employee possess a "reasonable belief" that he is providing information relating to a "possible" securities law violation. The SEC explains that the "reasonable belief" standard requires that the employee (i) hold a subjectively genuine belief that the information reveals a possible violation, and (ii) this belief is one that a similarly situated employee might reasonably possess.

Although potentially at variance with the statutory text, under the SEC rule, it may be difficult for a company even to identify who has reported possible violations as a whistleblower, as it protects not just whistleblowers who report possible violations to the SEC, but also to (i) a federal regulatory or law enforcement agency, (ii) any member or committee of Congress, or (iii) a person with supervisory authority over the employee, or "such other person working for the employer who has authority to investigate, discover, or terminate misconduct." This last provision will present special challenges for HR professionals. In many organizations it may be difficult to know or determine if any particular employee has reported a possible securities violation to a "person with supervisory authority" or authority to "terminate misconduct." Additional training for HR personnel to help them identify securities issues, targeted HR policies, and documentation procedures may be required just so larger organizations can identify the employees who report "possible" violations.  

The most contentious issue raised in the SEC's rulemaking was the concern that the SEC rules may effectively gut the role of internal compliance. The SEC received numerous comments advocating a requirement that whistleblowers exhaust internal compliance procedures before reporting "out" to the SEC or other agencies. At the end of the day, the SEC rejected any such requirement, choosing to leave it to the discretion of the whistleblower whether to go straight to enforcement agencies. Instead of an exhaustion requirement, the SEC opted to provide three incentives to "encourage" whistleblowers to work through internal compliance policies when appropriate.

First, the final rules lengthen the period of time in which a whistleblower can wait before coming to the SEC after reporting internally. Whistleblowers will get credit for the original date they reported to their company as long as they notify the SEC within 120 days. This flexibility may allow corporations to address and resolve some internallyreported concerns within the 120 day time frame, thus avoiding any report to the SEC.

Second, when considering the amount of an award, the SEC will consider how much a whistleblower has participated in or interfered with the internal compliance process.  

Finally, the SEC will give credit to a whistleblower whose company passes the information along to the Commission. Under this provision, all of the information provided by the company to the SEC will be attributed to the whistleblower, which means that the whistleblower will get credit, and potentially a much greater award, for any additional information generated by the company in its internal investigation. However, this provision only applies when the whistleblower also reports to the SEC within 120 days of reporting internally. Because this important feature may not be known to potential whistleblowers, companies should consider whether to inform employees about this feature of Dodd Frank (among others), to incentivize them to report internally before going to the SEC.

These are just two examples of the significant risks and challenges in Dodd Frank's whistleblower rules. Orrick is available to provide comprehensive advice on the requirements and risks created by Dodd Frank, and the procedures and protections companies should consider to ensure compliance with the SEC's rules and to stay clear of whistleblower liabilities. At a minimum, every public company should fully evaluate its internal compliance procedures for compliance with Dodd Frank, and should consider adopting specific procedures, which may in some circumstances include information to be provided to persons who may be whistleblowers, about Dodd Frank, their rights, and the company's policies and procedures.