On March 31, 2020, the U.S. District Court for the Southern District Court of California entered partial summary judgment in Erhart v. BofI Holding, Inc., a prominent, long-running whistleblower lawsuit under the Sarbanes-Oxley and Dodd-Frank Acts. The court’s decision provides welcome limitations on the scope of protected activity under these statutes, but also emphasizes the need for employers to be diligent in protecting their confidential data and documents against theft by internal actors.

The plaintiff, Charles Erhart, was an internal auditor for the Bank of the Internet, a publicly-traded financial institution. Although Erhart claimed he battled upper management to confront illegality in a turbulent corporate environment, the Bank contended that he was, in the court’s words, an “auditor gone rogue - a loose cannon who recklessly handled confidential information and conducted unauthorized investigations.” Among other things, the Bank claimed Erhart instructed staff to run unauthorized due diligence reports to find “dirt” on another executive’s son, improperly accessed the Bank’s CEO’s personal tax returns, and disseminated confidential compensation data to other employees.

Wherever the truth lies, Erhart ultimately filed a whistleblower lawsuit under Sarbanes-Oxley and Dodd-Frank, claiming he had been retaliated against for reporting illegal conduct. The next day, the New York Times ran a story about the lawsuit and the stock price of the Bank’s holding company fell by thirty percent. Numerous securities lawsuits asserting similar claims to those alleged in Erhart’s lawsuit followed. The Bank later filed its own lawsuit against Erhart, asserting contract and tort claims based on his alleged theft of confidential information. The court’s summary judgment ruling significantly narrowed both Erhart’s and the Bank’s claims. With respect to Erhart’s whistleblower claims, the court ruled that the bulk of his alleged internal and external reporting did not constitute protected activity under either Sarbanes-Oxley or Dodd-Frank. Erhart claimed he reported illegal or improper conduct spanning eleven categories of wrongdoing, including, among other things, late 401(k) contributions, the lack of Board approval of the Bank’s strategic plan, high deposit concentration risk, the failure to disclose to regulators the Bank’s receipt of subpoenas, and improprieties with respect to the CEO’s brother’s account. The court noted that Sarbanes-Oxley and Dodd-Frank do not generally protect alleged whistleblowers who report any type of wrongdoing, but only extend protection to certain types of reports of certain types of fraud and securities violations.

Seeking to evade Sarbanes-Oxley and Dodd-Frank’s limitations on protected activity, Erhart advanced expansive arguments based on the SEC’s “Books and Records” and “Internal Controls” rules. The court rejected these arguments. The court found that the Books and Records rule implicated only the accuracy of records necessary to accurately and fairly reflect the transactions and dispositions of a corporation’s assets, not any and all corporate records. Similarly, the court limited the Internal Controls rule to procedures to assure accurate financial reporting and prevent unauthorized financial transactions, rejecting the argument that it required compliance with any and all laws or risk management objectives. Based on these narrow interpretations, the court granted the Bank summary judgment on Erhart’s claims based on reporting alleged illegal conduct and wrongdoing outside of the scope of the SEC rules, finding they did not constitute protected activity.

Although the court’s narrow construction of the scope of Sarbanes-Oxley and Dodd-Frank protected activity is a welcome sign for employers, its rulings on the Bank’s claims against Erhart for document misappropriation are not. After previously ruling in the case that the Bank could not enforce Erhart’s confidentiality agreement with respect to confidential documents and information he removed that directly related to his whistleblowing activity, the court also struck down the bulk of the Bank’s tort claims relating to Erhart’s document misappropriation. The court ruled that California’s uniform trade secret act preempted the Bank’s tort claims for Erhart’s misappropriation of confidential business information. The Bank’s claims were limited to Erhart’s alleged misappropriation of confidential documents containing personally identifiable information of the Bank’s customers and employees. The court’s ruling emphasizes the need for employers to enforce the rigorous security measures required to obtain trade secret protection, such as marking documents as confidential, limiting internal distribution and access, maintaining and enforcing confidentiality agreements, and ensuring information is protected by information security best practices.

Although the court’s decision limited the Bank’s ability to seek redress for Erhart’s misappropriation of confidential information, it continues a trend of employer victories on the scope of Sarbanes-Oxley and Dodd-Frank protected activity. Polsinelli will continue to monitor this trend and other developments in the whistleblower space.