Sarbanes-Oxley Protects Disclosures About Inadequate Information Security Controls
SOX Whistleblower Defeats Motion to Dismiss
On March 30, 2017, a Florida district court denied Tyco International Management Company’s (Tyco) motion to dismiss a Sarbanes-Oxley (SOX) retaliation claim brought by its former Manager of Financial Reporting, Carolina Thomas. According to the order, Thomas raised concerns to Tyco’s management about: (1) the falsity and inadequacy of the credentials of an accountant; and (2) the unreliability of Tyco’s process of checking the accuracy of its consolidated financial data. Tyco moved to dismiss, asserting that Thomas’s disclosures were not protected under SOX. In denying the motion to dismiss, the court clarified the broad scope of Sarbanes-Oxley protected whistleblowing. Raymond Fay represents the whistleblower.
During her employment at Tyco, Thomas learned that Alida Garcia, a Tyco contractor who was applying for a manager position at Tyco, misrepresented in her resume that she was a licensed CPA and had a master’s degree. In the position for which Garcia was applying, she would be responsible for reporting $4 billion per year to Tyco’s financial headquarters and ultimately to the Securities and Exchange Commission (SEC). In a meeting on September 26, 2013, Thomas objected to hiring Garcia for this important role managing the company’s financial reporting. Thomas argued that by hiring Garcia, Tyco would be employing an individual who lacked the credentials and integrity to manage the company’s financial reporting.
In addition to raising concerns about Garcia’s qualifications, Thomas questioned the reliability of a monthly tie-out process used to ensure that Tyco’s consolidated financial data reported to the SEC agreed with financial data in its general ledger system. In support of her claims, Thomas conducted testing that revealed that the new process and file system were deficient. Rather than address or investigate Thomas’ concerns, Tyco retaliated against her.
On May 14, 2014, Tyco terminated Thomas’ employment. Tyco’s stated reason for the termination was that Thomas had improperly accessed the records of another employee in violation of company policy. That accusation was determined to be unfounded as the company policy allegedly violated was later rescinded by Tyco as part of a settlement of Thomas’ complaint with the National Labor Relations Board.
Sarbanes-Oxley Whistleblower Protection
SOX prohibits publicly traded companies from retaliating against whistleblowers who raise concerns about securities fraud, shareholder fraud, bank fraud, a violation of any SEC rule or regulation, mail fraud, or wire fraud. A SOX whistleblower need not show that an actual violation occurred so long as the whistleblower reasonably believes that the company’s conduct constituted a SOX violation. The inquiry into whether a whistleblower had a reasonable belief is fact-dependent and varies with the circumstances of the case.
Disclosures About Material Weakness in Internal Controls Are Protected Under SOX
Tyco argued that Thomas’ concerns about Garcia were a personnel matter that falls outside the protection of SOX. Indeed, it is well-established that mere complaints about questionable personnel matters do not reasonably implicate SOX violations. The court noted, however, that Thomas’ complaints were broader than mere questionable personnel matters and encompassed an objection to Tyco’s employment of an individual who lacked the credentials and integrity to handle a key financial accounting role. According to the order:
[Thomas] allegedly voiced her concern over Tyco’s consideration and ultimate employment of an unqualified and dishonest accountant given the responsibility of managing the reporting $4 billion in revenue to Tyco’s financial management. Yet, Tyco seemingly ignored her concerns, hiring the manager and then giving her only more responsibility and thereby raising the inference that Tyco did not evaluate (much less disclose) the presence of the inadequate and untrained accounting professional as a material weakness in its internal control over financial reporting. Given the allegedly incompetent manager’s high level of responsibility for financial reporting at Tyco, and taking into account Plaintiff’s experience and knowledge in financial reporting, the Court cannot conclude as a matter of law that it was unreasonable for Plaintiff to believe that Tyco had violated its obligation to assess and disclose material weaknesses in its internal control over financial reporting.
Thus, while mere complaints about personnel matters are generally not protected under SOX, Thomas’ disclosures relating to potential SOX 404 violations are protected. SOX Section 404 requires management to evaluate the effectiveness of the company’s internal controls over financial reporting and disclose any material weaknesses. Here, the court found that it was reasonable for Thomas to conclude that Tyco was violating SOX Section 404 requirements when it failed to evaluate or assess Thomas’ concerns.
Disclosures About Inadequate Information Security Controls Are Protected Under SOX
The court also held that Thomas’ disclosures about the monthly tie-out process constituted SOX protected activity. Tyco argued that Thomas’ concerns related only to potential deficiencies in the process, not actual misstatements or omissions in an SEC filing. Tyco also argued that Thomas’ concerns only related to potential breaches of internal policy, not SOX violations.
The court, however, explained that a whistleblower is not required to allege an actual violation. Furthermore, the court noted that Thomas’ complaints related to inadequate information security controls, which are protected disclosures under SOX. Specifically, the court stated:
As to [Tyco’s] argument that [Thomas’] complaint relates only to breaches of internal policy, the allegations of the Amended Complaint show that [Thomas] complained about the lack of data security, the lack of an appropriate approval process, and the lack of segregation of duties in the process used to verify the accuracy of consolidated financial information. Data security, approvals, and segregation of duties are controls that exist to ensure the accuracy of financial reporting. See Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, Release Nos. 33-8810; 34-55929; FR-77; File No. S7-24-06, 72 Fed. Reg. 35,343 n.27 (June 27, 2007) (“Controls have unique characteristics, for example, they can be: Automated or manual; reconciliations; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; preventing or detecting error or fraud.”). An employee’s complaint concerning inadequate internal control over financial reporting can constitute protected activity. (emphasis added)
Thomas’ win underscores the broad scope of protected whistleblowing under SOX.