News about whistleblowers has been prominent once again during the first half of 2014, both in legal circles and in the mainstream media. Several events have reinforced the importance of whistleblowing in the minds of judges, journalists, regulators, and the public. This article examines best practices in the management of whistleblowers and internal corporate reporting systems in light of recent developments underscoring the importance of maintaining and monitoring robust whistleblower policies and protections.
Edward Snowden has now cemented his status as the world’s best known whistleblower. Nearly a year after he leaked thousands of classified documents, Snowden continues to command attention with his pro-privacy activism. His notoriety reached new heights in April 2014 when both the U.K.’s Guardian newspaper and the Washington Post received Pulitzer prizes for breaking his story. Due in part to Mr. Snowden’s notoriety, public awareness of whistleblowing, and the media’s interest in it, have never been higher.
The whistleblower program run by the U.S. Securities and Exchange Commission (“SEC”) was introduced by the Dodd-Frank Act in 2010. The program incentivizes whistleblowers to take allegations to the SEC by offering a financial reward to anyone who reports original information resulting in more than $1 million in sanctions being recovered by the Commission.
The first whistleblower under the SEC program to receive a payout collected $50,000 anonymously in August 2012. Almost two years later, in April 2014, the SEC paid out another $150,000 to the same unidentified whistleblower (after additional fines were collected in the case). The SEC’s Office of the Whistleblower has now issued payments totaling more than $14 million. In light of this significant amount, remitted in a relatively short amount of time, incentives for whistleblowers to the SEC have predictably increased.
On March 4, 2014, in Lawson v. FMR LLC, the Supreme Court expanded the scope of whistleblower protections under the Sarbanes-Oxley Act (“SOX”). SOX protects whistleblowers against retaliation by imposing criminal penalties against employers who harass or fire employees for reporting suspicious activity. In Lawson, two former employees of privately owned investment companies claimed that their employer retaliated against them for reporting improper registration statements and accounting practices. The Supreme Court held that SOX protects whistleblowers who work for privately-owned contractors hired by publicly listed companies. Before Lawson, SOX was widely understood to protect only those whistleblowers employed directly by a publicly listed company. The Lawson decision will therefore affect many companies that previously considered themselves outside of the SOX regime. (For more about the Lawson case and its practical implications, please see the Baker & McKenzie article on the case, which can be found here.)
Notwithstanding increased whistleblower activity and press coverage, some companies continue to pursue inadequate or even illegal responses to internal whistleblowers. For example, lawyers for a whistleblower in a current high-profile case have alleged that a company’s former subsidiary required its employees to sign a “secrecy statement” – a confidentiality agreement prohibiting them from telling government investigators about fraud or wrongdoing at the company. The subsidiary allegedly threatened employees with disciplinary action for violating this agreement. The whistleblower has filed suit in U.S. District Court, alleging that such agreements violate the laws designed to protect whistleblowers (and to prevent obstruction of justice).
This case is not the first time that an agreement attempting to impede whistleblowing has faced scrutiny. In fact, the SEC has frequently cautioned employers about dissuading potential whistleblowers from reporting outside the company. During an interview with The American Lawyer in December 2012, the SEC’s Whistleblower Chief, Sean McKessy, declared these types of agreements “forbidden.” McKessy said that the SEC is actively pursuing allegations involving companies that inhibit employees’ rights to report misconduct. In March 2014, McKessy repeated his pledge to take action against any entity that employs such a policy (and an attorney who writes it).
In this context, now is a good time to revisit best practices for implementing an effective whistleblower program by creating a robust reporting system and responding appropriately when reports are filed.
Best Practice for Whistleblower Programs
1. Internal Whistleblowing in Context
Whistleblowers choose the manner of their disclosure in two important ways: first, they decide when to report; and second, they decide to whom they report. It serves a company’s best interests to encourage whistleblowers to report early and to report within the company. Reporting early allows the company to react quickly when potential issues arise and deal with them effectively to prevent or limit the resulting damage. A report directed internally in the first instance also gives the company an opportunity to thoroughly investigate and remediate issues before the matter comes to the attention of law enforcement or a relevant regulatory agency.
Whistleblowers may take longer to report information to the company if they are confused about how to make a report, or if they think the report will not be taken seriously, or if they fear that they could face discrimination, demotion, penalty, or other adverse consequences as a result of coming forward. Furthermore, some cultures historically distrust whistleblowers. In such places, without the proper support, whistleblowers may choose never to come forward at all.
Internal reporting systems must contend with the incentives offered by government regulators, such as the Dodd-Frank reward system used by the SEC, or other regimes that offer leniency for whistleblowers who were themselves involved in illegal activity. While companies may be unable to offer millions of dollars, they can offer other incentives to whistleblowers that may result in the identification and remediation of significant problems. Although corporate politics can be complicated and whistleblowers may face tension from colleagues caught up in internal investigations, the benefits of the information should be shared internally to the greatest extent possible so that colleagues realize the need for, and benefits of, transparency within the organization.
Companies should strive to implement simple and effective systems that incentivize early internal reporting. Robust reporting systems provide secure and accessible channels through which employees and others can raise concerns and report suspicious circumstances in confidence, without fear of reprisal.
2. Company Reporting Systems
Effective reporting systems typically share three key characteristics. First, reports should remain secure and confidential at all times. Companies should identify particular individuals responsible for processing reports and ensure that reports are not disclosed to anyone outside of this group except in accordance with a defined protocol. Second, the system should be user-friendly and easy to access for all potential whistleblowers. Employees should not be discouraged from reporting misconduct merely because the system is hard to find or complicated to use. Third, the reporting system should operate independently from regular internal business reporting channels. Employees may be unlikely to report misconduct through regular channels if their immediate superiors were involved in the alleged misconduct. Employees also may fear that their reports will not remain confidential or that they will suffer retaliation as a result of coming forward through normal reporting lines.
Fortunately, companies generally have wide latitude in deciding how to set up their reporting systems, subject to certain legal requirements (discussed below). Companies should therefore tailor the scope and function of their systems to fit their own needs and business models. Companies may consider several options to optimize the effectiveness of their systems, including who is allowed to access the system, what types of misconduct the system manages, and whether to allow anonymous reporting. Allowing anonymous reporting will often make potential whistleblowers feel more comfortable and secure in coming forward. However, handling anonymous reports is often more complex because they can be harder to verify and investigate.
For some companies, an effective reporting system may be as simple as establishing a dedicated email account and telephone number monitored by the compliance team. For others, such a minimalist system may not be sufficient (or permissible under local law).
Companies should make these important decisions about their reporting systems by weighing the benefits of encouraging more whistleblowers to come forward against the expenses of a larger and more complex structure -- and companies must do this against the backdrop of their overall risk profile, including any history of corporate wrongdoing.
Many companies engage an independent third-party “hotline” vendor to manage whistleblower reporting. Hotline vendors can offer several potential benefits – many of them specialize in providing the technology for accessible and effective telephone, email, and internet reporting systems, and can tailor their services to meet individual company needs in the countries of operation. Whistleblowers (whether employees, third parties, or members of the public) also may feel more comfortable reporting misconduct to an independent vendor than through internal processes (which they might fear are controlled by those at the company about which they wish to make a report).
3. Legal Requirements
Companies should remain mindful of any reporting system requirements imposed by local law where the system is operated. For example, SOX requires companies traded publicly in the United States to provide a mechanism for anonymous reporting and to implement various anti-retaliation measures.
This approach may not, however, be appropriate in all jurisdictions. Companies should consider other relevant laws that may affect their reporting systems by imposing additional requirements or restrictions on a company’s ability to gather information. For example, data privacy laws, particularly in Europe, may limit a company’s ability to collect, store, and transfer personal information through the reporting system. Some countries limit or even prohibit anonymous hotlines.
4. Training and Education
After setting up a reporting system, the company should communicate with its employees and any third parties to whom the system will be available about how the system works and when to use it. Employees are unlikely to use a system that they cannot find or cannot operate, so companies must strive to train and educate their employees about the system and its importance. Companies should then provide clear guidance on the purpose of the system and how it can be used. They should also clarify that no employee will suffer demotion, penalty, or other adverse consequences as a result of submitting a report. Lastly, companies should set a positive tone of respect and encouragement for employees who are willing to come forward and report potential misconduct, emphasizing the fact that credible reports will ultimately benefit, rather than harm, the company.
5. “No Retaliation”
Companies must not retaliate in any way against employees who submit reports of misconduct in good faith, regardless of whether the report is submitted internally or to a regulatory agency. Most whistleblower laws prohibit companies from retaliating against whistleblowers and impose strict penalties for any adverse consequences resulting from an employee’s decision to report misconduct. Furthermore, actively retaliating against employees (or tolerating such a practice) is counterproductive to the company’s goal of maintaining an effective reporting system, as fear of retaliation will discourage employees from submitting reports internally.
Accordingly, companies should include and enforce an explicit “no retaliation” policy as part of their reporting systems. Companies should ensure that employees are aware of this policy and that supervisors are trained on how to react when an employee submits a report. Disciplinary action should be taken (up to and including termination) against any employee who retaliates against a whistleblower.
6. Responding to Reports
Companies should respond quickly and appropriately to allegations of unethical behavior that are brought to their attention. To do this, companies should develop a mechanism to verify credible whistleblower reports in a timely fashion. When a report is submitted, it should be promptly analyzed by a reviewer who is knowledgeable about the details of the company’s compliance program, relevant internal processes, and the pertinent law. Each report should then be filtered into one of three categories:
The first category is for reports that generally do not require the company’s attention because they are irrelevant, spurious, or otherwise lack credibility. The more open a company’s reporting system, the more of these reports the company is likely to receive. Such reports should be logged and tracked, but they might not require follow-up action.
The second category is for reports relating to issues that would typically be handled by another company department. Proper training can help ensure that employees and third parties understand the true purpose of a company’s whistleblower reporting system, which will thereby empower them to direct unrelated matters to the appropriate company division (e.g., paycheck errors to Human Resources or product complaints to Product Quality Control). Likewise, employees or hotline vendors managing a company’s whistleblower system should be trained to conduct intake on any concerns and transfer unrelated reports to the appropriate department within the company.
The third category is for reports credibly alleging relevant misconduct. These reports warrant a prompt corporate inquiry. Specific details on how to initiate an appropriate inquiry in response to a whistleblower report are outside the scope of this article, but the effective management of the whistleblower and his or her complaint can be crucial to the success of any inquiry. Subject to local laws and the whistleblower’s consent, an important first step in any internal inquiry will likely involve contacting the whistleblower to clarify the report and ascertain further details about the allegation(s).
7. Monitoring and Auditing the System
Reporting systems allow companies to effectively monitor instances of misconduct that occur in the course of their business. Analyzing reports made through the system can be one way of monitoring the effectiveness of the compliance program as a whole. For example, an increase in the number of reports received is often a positive indication – i.e., one that demonstrates employees are informed about the system and empowered to identify and report concerns when they see them (which signifies that the compliance program is working).
Finally, companies should endeavor to monitor the reporting system itself. Active monitoring allows the company to continually improve the system. Monitoring activities may include regular supervision of the system’s operation, interviews with employees or supervisors, inspections of the reports submitted through the system, and analysis of any trends. Companies should also seek to learn whether employees are adequately informed about the system, whether the company’s leadership and culture support internal reporting of misconduct, and whether the system is effectively capturing actual instances of wrongdoing. (The operation of the system may also need to be modified from time to time to take into account changes in local law.) Companies can then use this information to optimize the scope and parameters of their reporting systems.