The Southern District of Florida recently denied a Rule 12(b)(6) motion to dismiss a former employee’s Sarbanes-Oxley and Dodd-Frank whistleblower retaliation claims, finding that the plaintiff sufficiently alleged that she had an objectively reasonable belief regarding alleged securities violations. Thomas v. Tyco Int’l Mgmt. Co., LLC, No. 16-cv-80501 (Mar. 31, 2017). This case is noteworthy because it takes an expansive view of the scope of protected activity under SOX with respect to complaints involving internal controls and data security.

Background. Plaintiff was a former Manager of Financial Reporting for the Company. She allegedly learned during her employment that an applicant for a manager position misrepresented her educational qualifications in her resume. Additionally, she allegedly believed that the applicant did not have sufficient training in generally accepted accounting principles (“GAAP”). According to her complaint, despite raising these concerns with her direct supervisor, the Company hired the applicant for the new manager position. Plaintiff claimed that the new manager was responsible for reporting $4 billion per year to the Company’s headquarters and ultimately to the SEC. Plaintiff also allegedly began doubting the reliability of a new monthly “tie-out” process the Company used to ensure that the financial data in the Company’s ledger system was consistent with the consolidated financial data reported to the SEC. In December 2013, Plaintiff filed a complaint with the internal ombudsman regarding the new manager’s credentials and the tie-out process. The ombudsman found no wrongdoing. In March 2014, Plaintiff filed a whistleblower retaliation complaint with OSHA. In May 2014, her employment was terminated on the grounds that she allegedly improperly accessed another employee’s records.

Rulings. Plaintiff filed suit under SOX and Dodd-Frank in the Southern District of Florida under Dodd-Frank and SOX, claiming she was retaliated against for protected whistleblowing. The Company moved to dismiss pursuant to Rule 12(b)(6). The court denied the motion for the following reasons.

A. SOX Retaliation Claim

The court found that Plaintiff’s internal complaints regarding the new manager’s qualifications represented broader concerns about internal controls, rather than just personnel issues. The court found that Plaintiff may have had a reasonable belief that the Company violated securities law due to the fact that the new manager possessed a significant amount of responsibility for financial reporting and her alleged lack of appropriate credentials could have put the accuracy of that reporting at risk. Additionally, the court concluded that Plaintiff’s claim based upon the monthly tie-out process was sufficiently pleaded. The court rejected the Company’s argument that the Complaint related only to breaches of internal policy by noting that the allegations “show that Plaintiff complained about the lack of data security, the lack of an appropriate approval process, and the lack of segregation of duties in the process used to verify . . . financial information[,]” which all relate to the accuracy of financial reporting. Therefore, the court found that complaints concerning lack of data security and internal controls can constitute protected activity under SOX. The court also noted how the Company’s alleged failure to properly investigate Plaintiff’s complaint regarding the monthly tie-out process raised a reasonable inference that the Company violated its duties to assess the effectiveness of internal controls under SOX.

B. Dodd-Frank Retaliation Claim

The court rejected the Company’s argument that Plaintiff’s complaints to the SEC were not a factor in her termination and concluded that Dodd-Frank protected internal complaints (an issue that is currently before the U.S. Supreme Court, as noted in our recent blogs on March 9, 2017, May 1, 2017, and June 26, 2017). In addition, the court rejected the Company’s argument that a showing of more favorable treatment of other similarly situated employees was required to show causation.

Implications. The court’s conclusion that complaints concerning lack of appropriate data security and internal controls can constitute a basis for a SOX retaliation claim reflects a broad interpretation of the scope of protected activity under SOX. It may be argued, however, that such claims are not actionable because, at their core, they implicate internal policies.