Sarbanes-Oxley Protects Disclosures About Inadequate Information Security Controls

Sarbanes-Oxley Whistleblower Defeats Motion to Dismiss

On March 30, 2017, a Florida district court denied Tyco International Management Company’s (Tyco) motion to dismiss a Sarbanes-Oxley (SOX) retaliation claim brought by its former Manager of Financial Reporting (CT). According to the order in Thomas v. Tyco Int’l Mgmt. Co., LLC, 2017— F.Supp.3d —-2017 WL 4466507 (S.D. Fla.March 31, 2017), CT raised concerns to Tyco’s management about: (1) the falsity and inadequacy of the credentials of an accountant; and (2) the unreliability of Tyco’s process of checking the accuracy of its consolidated financial data. Tyco moved to dismiss, asserting that CT’s disclosures were not protected under SOX. In denying the motion to dismiss, the court clarified the broad scope of Sarbanes-Oxley protected whistleblowing. Raymond Fay represents the whistleblower.

Whistleblowing About Information Security Controls

During her employment at Tyco, CT learned that Alida Garcia, a Tyco contractor who was applying for a manager position at Tyco, misrepresented in her resume that she was a licensed CPA and had a master’s degree. In the position for which Garcia was applying, she would be responsible for reporting $4 billion per year to Tyco’s financial headquarters and ultimately to the Securities and Exchange Commission (SEC). In a meeting on September 26, 2013, CT objected to hiring Garcia for this important role managing the company’s financial reporting. CT argued that by hiring Garcia, Tyco would be employing an individual who lacked the credentials and integrity to company’s financial reporting.

In addition to raising concerns about Garcia’s qualifications, CT questioned the reliability of a monthly tie-out process used to ensure that Tyco’s consolidated financial data reported to the SEC agreed with financial data in its general ledger system. In support of her claims, CT conducted testing that revealed that the new process and file system were deficient. Rather than address or investigate CT’s concerns, Tyco retaliated against her.

On May 14, 2014, Tyco terminated CT’s employment. Tyco’s stated reason for the termination was that CT had improperly accessed the records of another employee in violation of company policy. That accusation was determined to be unfounded as the company policy allegedly violated was later rescinded by Tyco as part of a settlement of CT’s complaint with the National Labor Relations Board.

Sarbanes-Oxley Corporate Whistleblower Protection

SOX prohibits publicly traded companies from retaliating against whistleblowers who raise concerns about securities fraud, shareholder fraud, bank fraud, a violation of any SEC rule or regulation, mail fraud, or wire fraud. A SOX whistleblower need not show that an actual violation occurred so long as the whistleblower reasonably believes that the company’s conduct constituted a SOX violation. The inquiry into whether a whistleblower had a reasonable belief is fact-dependent and varying with the circumstances of the case.

Disclosures About Material Weakness in Internal Controls Are Protected Under SOX

Tyco argued that CT’s concerns about Garcia is a personnel matter that falls outside the protection of SOX. Indeed, it is well-established that mere complaints about questionable personnel matters do not reasonably implicate SOX violations. The court noted, however, that CT’s complaints were broader than mere questionable personnel matters and encompassed an objection to Tyco’s employment of an individual who lacked the credentials and integrity to handle a key financial accounting role. According to the order:

[CT] allegedly voiced her concern over Tyco’s consideration and ultimate employment of an unqualified and dishonest accountant given the responsibility of managing the reporting $4 billion in revenue to Tyco’s financial management. Yet, Tyco seemingly ignored her concerns, hiring the manager and then giving her only more responsibility and thereby raising the inference that Tyco did not evaluate (much less disclose) the presence of the inadequate and untrained accounting professional as a material weakness in its internal control over financial reporting. Given the allegedly incompetent manager’s high level of responsibility for financial reporting at Tyco, and taking into account Plaintiff’s experience and knowledge in financial reporting, the Court cannot conclude as a matter of law that it was unreasonable for Plaintiff to believe that Tyco had violated its obligation to assess and disclose material weaknesses in its internal control over financial reporting.

Thus, while mere complaints about personnel matters are generally not protected under SOX, CT’s disclosures relating to potential SOX 404 violations are protected. SOX Section 404 requires management to evaluate the effectiveness of the company’s internal controls over financial reporting and disclose any material weaknesses. Here, the court found that it was reasonable for CT to conclude that Tyco was violating SOX Section 404 requirements when it failed to evaluate or assess CT’s concerns.

Disclosures About Inadequate Information Security Controls Are Protected Under the Sarbanes-Oxley Act

The court also held that CT’s disclosures about the monthly tie-out process constituted SOX-protected activity. Tyco argued that CT’s concerns related only to potential deficiencies in the process, not actual misstatements or omissions in an SEC filing. Tyco also argued that CT’s concerns only related to potential breaches of internal policy, not SOX violations.

The court, however, that a whistleblower is not required to allege an actual violation. Furthermore, the court noted that CT’s complaints related to inadequate information security controls, which are protected disclosures under SOX. Specifically, the court stated:

As to [Tyco’s] argument that [CT’s] complaint relates only to breaches of internal policy, the allegations of the Amended Complaint show that [CT] complained about the lack of data security, the lack of an appropriate approval process, and the lack of segregation of duties in the process used to verify the accuracy of consolidated financial information. Data security, approvals, and segregation of duties are controls that exist to ensure the accuracy of financial reporting. See Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, Release Nos. 33-8810; 34-55929; FR-77; File No. S7-24-06, 72 Fed. Reg. 35,343 n.27 (June 27, 2007) (“Controls have unique characteristics, for example, they can be: Automated or manual; reconciliations; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; preventing or detecting error or fraud.”). An employee’s complaint concerning inadequate internal control over financial reporting can constitute protected activity.” (emphasis added)

CT’s win underscores the broad scope of protected whistleblowing under SOX.

Cybersecurity Whistleblower Protection Attorneys

The cybersecurity whistleblower lawyers at Zuckerman Law have substantial experience litigating Sarbanes Oxley whistleblower retaliation claims. To learn more about corporate whistleblower protections, see our Sarbanes-Oxley Whistleblower Protection FAQ.

The firm has represented several cybersecurity whistleblowers and has written extensively about protections for cybersecurity whistleblowers, including the following publications:

The Rise of Cybersecurity Whistleblowing, NYU Law Compliance & Enforcement Blog (December 2016)
Cybersecurity Whistleblowing: What Employees at Public Companies Should Know Before Reporting Information Security Concerns, ISSA Journal (June 2016)
Practitioner’s Guide to Cybersecurity Whistleblowing

Recently, Corporate Crime Reporter interviewed Dallas Hammer about the Rise of Cybersecurity Whistleblowing.

Cybersecurity Whistleblower Protections

Cybersecurity Whistleblower Retaliation

Cybersecurity Whistleblower Remedies

Cybersecurity Whistleblower Attorneys

The cybersecurity whistleblower lawyers at Zuckerman Law have substantial experience litigating Sarbanes Oxley whistleblower retaliation claims and have achieved substantial recoveries for officers, executives, accountants, auditors, and other senior professionals.

To learn more about corporate whistleblower protections, see our Sarbanes-Oxley Whistleblower Protection FAQ. Click here to read client testimonials about the firm’s work in SOX whistleblower matters and other employment-related litigation. To schedule a free preliminary consultation, click here or call us at 202-262-8959.

See our column in Forbes: One Billion Reasons Why The SEC Whistleblower-Reward Program Is Effective.
See our column in Going Concern: Sarbanes-Oxley 15 Years Later: Accountants Need to Speak Up Now More Than Ever.
See our post in Accounting Today: Whistleblower Protections and Incentives for Auditors and Accountants.
See our post in The Compliance and Ethics Blog: Shkreli Trial Reveals the Challenges Faced by Compliance Whistleblowers.

Download our free guide to the Sarbanes-Oxley whistleblower protection law:

Leading whistleblower law firm Zuckerman Law has written extensively about whistleblower protections and is quoted frequently in the media on this topic. A sample of those blog posts and articles appears below: