On September 28, 2011, the U.S. Department of Labor's Administrative Review Board (ARB) issued a ruling in Vannoy v. Celanese Corp., No. 09-1118 (ARB Sept. 28, 2011), which further expands the scope of the whistleblower protection provision in Section 806 of the Sarbanes-Oxley Act (SOX). In particular, the ruling presents the risk that a whistleblower's violation of confidentiality rules and misconduct that could harm other employees may still qualify as protected activity in certain circumstances.

Background

Respondent Celanese Corporation (the Company) hired Matthew Vannoy (Complainant) to administer its expense reimbursement program. On February 15, 2007, Complainant filed an internal complaint asserting that the Company's system of administering its electronic expense reimbursement and corporate credit card system, and alleged misuse and abuse of employee credit cards, posed financial risk to the Company.

In Spring 2007, the Company decided to move certain finance positions to Hungary, including Complainant's position. At that time, Complainant signed a retention agreement, with the understanding that his position would terminate within 6 to 18 months. Around that same time, Complainant retained an attorney to represent him in connection with the Internal Revenue Service (IRS) Whistleblower Reward Program.

In October 2007, Complainant's supervisor instructed him to refer any inappropriate communications regarding employee credit card charges to her attention, and not to engage in such communications himself. But shortly thereafter, a Company employee complained to Complainant's supervisor about conversations he had with Complainant regarding an expense reimbursement submission. In response, the Company reviewed Complainant's "sent" e-mails to determine if he violated the foregoing directions. Later that day, Complainant was suspended with pay pending further investigation.

In early November 2007, the Company discovered that Complainant sent, without authorization and in violation of a confidentiality agreement he entered into with the Company, confidential and proprietary information to his personal e-mail account. Such misappropriated information included business documents related to Company operations, and documents containing Social Security numbers, credit information and other confidential personal information of current and former employees. Thus, on November 5, 2007, the Company converted Complainant's paid suspension to one without pay. Shortly thereafter, Complainant supplemented his earlier internal complaint. In January 2008, the Company terminated Complainant's employment. Once it completed its investigation, the Company sent Complainant a letter addressing the complaints he raised.

OSHA And ALJ Proceedings And The ARB's Ruling

Following his discharge, Complainant filed a whistleblower retaliation complaint with the Occupational Safety and Health Administration (OSHA) under Section 806 of SOX. OSHA dismissed the complaint, as did an Administrative Law Judge (ALJ). The ALJ found, among other things, that Complainant's disclosure to the IRS was not a "complaint to a federal regulatory or law enforcement agency," and that Complainant was discharged because he violated Company policy and his confidentiality agreement by misappropriating confidential information.

On appeal, the ARB recognized the tension between legitimate employer confidentiality policies and employee whistleblower bounty programs, like the provisions in the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) that preclude companies from enforcing or threatening to enforce confidentiality agreements to prevent whistleblowers from cooperating with the SEC. Thus, the ARB reversed and remanded, directing that the ALJ needed to conduct an evidentiary hearing to determine whether the information Complainant misappropriated is the kind of "original information" Congress intended to protect and whether the method of transfer of information was protected lawful conduct within the scope of SOX. In this regard, the ARB indicated that while Complainant's conduct may have violated company policy, no charges were brought against him. Yet, the ARB did not otherwise explain how "lawful conduct" in this context should be defined.

Implications

There is a risk that the DOL may find that the conduct that led to Complainant's termination (misappropriation of over a thousand Social Security numbers and confidential Company documents) qualifies as protected activity if it is deemed "lawful" (and taken in connection with the IRS or Dodd-Frank whistleblower bounty programs). The risks attendant to misappropriation or improper disclosure of confidential information often are immeasurable, which underscores why the possibility that an employee can engage in misconduct in the name of protected activity, such as the misconduct at issue in this case, is so concerning. Thus, although employers may not retaliate against whistleblowers and certain whistleblower bounty programs preclude employers from enforcing confidentiality agreements in this context, it is imperative for employers to ensure that access to sensitive information is appropriately restricted.