CFTC Announces First Whistleblower Award

The U.S. Commodity Futures Trading Commission’s whistleblower program was created as part of the Dodd-Frank Act. Under the program, the CFTC will provide awards to whistleblowers who report violations of the Commodity Exchange Act when the information leads to an action that results in more than $1 million in sanctions. Today, the CFTC announced its first whistleblower award.

Although the CFTC did not disclose the identity of the whistleblower or the enforcement action that resulted from the information provided, it did confirm that the person will receive approximately $240,000. Gretchen Lowe, Acting Director of the CFTC’s Division of Enforcement, said that the “whistleblower provided specific, timely and credible information that led to the Commission bringing important enforcement actions.” With respect to the types of information being reported by whistleblowers, Ms. Lowe said that the program “is attracting high-quality tips and cooperation we might not otherwise receive and is already having an impact on the Commission’s enforcement mission.”

No doubt, the establishment of a whistleblower program and awards in connection with information provided as part of that program will encourage more people to report. It remains to be seen, however, the true impact these programs have on enforcement activity.

SEC to Examine Registered Broker-Dealers’ and Investment Advisers’ Procedures for Countering Cybersecurity Threats

Background and Purposes

On April 15, 2014, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a “Risk Alert” explaining a new initiative to assess cybersecurity preparedness in the securities industry.  Although not an official rule, regulation or statement of the SEC, the Risk Alert advised that OCIE will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, regarding their cybersecurity and data security procedures and policies.

OCIE’s cybersecurity initiative is designed to obtain information about the industry’s recent experiences with certain types of cyber threats.  The examinations will focus on the following topics: the firm’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain specific cybersecurity threats.

Questions Registered Entities May be Asked

As an appendix to the Risk Alert document it released this week, OCIE included a sample list of requests for information that OCIE may use to assess registered firm’s preparedness to deal with cybersecurity threats. A primary area of OCIE inquiry is the firm’s internal policies and procedures for data preservation and cybersecurity.  For example, one sample question asks the firm to identify the last time it completed certain cybersecurity precautions, such as: preparing a firm-wide inventory of physical devices and systems; mapping network resources, connections and data flows; and cataloguing connections to the firm’s network from external sources.  Another asks the firm whether it maintains data breach/cybersecurity insurance, and if so, the firm is asked to describe the nature of the coverage and whether the firm has filed any claims against the policy.  The OCIE also asks if the firm maintains written data destruction policies or cybersecurity incident response policies, and if so, the firm is asked to provide copies of the policies and identify the date they were last updated.

Unsurprisingly, the security of customer-related data and fund transfer information is also a primary OCIE focus.  One sample question asks the firm about its customers’ online account access platform, including how customers are authenticated for online transactions, a description of any security measures used to protect stored customer PINs, and software used to detect anomalous transaction requests that may be the result of compromised customer access.  Another question asks for a copy of the firm’s procedures for verifying the authenticity of email requests seeking to transfer customer funds.

OCIE also plans to inquire about risks related to vendors and other third parties.  The sample questions include cybersecurity requirements the firm incorporates in contracts with third parties; policies, procedures and training provided to third parties about cybersecurity; and how the firm segregates network components to which third parties have access from purely internal components.

Other areas of inquiry include how the firm detects unauthorized activity on its networks and devices, whether the firm conducts “white-hat” hacker penetration tests and vulnerability scans; how the firm identifies and implements “best practices” for cybersecurity; and whether (and how) the firm has been the target of digital attacks or data breaches, and how it responded to those incidents.

Conclusion

The regulatory environment for cybersecurity compliance in all business sectors is fast-moving, particularly for companies in the financial services industry. This is clearly an area to which the SEC is giving a great deal of attention and the sample requests signal the specific concerns that the SEC has identified thus far. The OCIE Risk Alert to broker-dealers and investment advisers comes less than three weeks after the SEC held a day-long roundtable discussion on cybersecurity.

Quarterly Whistleblower Award Update

The SEC recently announced that it has denied whistleblower claims in connection with three different matters and awarded an additional $150,000 to the inaugural recipient of an award under the SEC’s whistleblower program.

The SEC denied a whistleblower award claim relating to its case against penny stock promoters for fraudulently hyping Anscott Industries.  See SEC v. Esposito, No. 08:00494 T26 (M.D. Fla. June 30, 2011).  In Esposito, the court entered final judgments against the defendants ordering them to pay more than $20 million in disgorgement and civil penalties in a fraudulent touting case.  The SEC denied the award because (1) the claimant failed to submit the claim within 90 days of the Notice of Covered Action and failed to demonstrate such tardiness should be waived based on extraordinary circumstances as “claimant failed to diligently pursue the claim for award upon termination of the purported ‘extraordinary circumstances’”; and (2) the claimant failed to provide original information since claimant did not provide information for the first time to the SEC after the date of enactment of Dodd-Frank.

The SEC denied a second set of whistleblower award claims because claimant failed to demonstrate she provided original information.  In what the SEC described as “an unusual award application,” the claimant did not contend she provided information directly to the SEC, but instead contends that she provided information to the U.S. Department of Housing and Urban Development (“HUD”) and the FBI, which in turn shared that information with the SEC.  The claimant alleged that this information helped the SEC in its case against former officers of subprime lender New Century Financial Corp., who allegedly lied about the company’s losses from loan defaults.  See SEC v. Morrice, No. 09-0426 (C.D. Cal.); SEC v. Mozilo, No. 09-03994 (C.D. Cal.).  The SEC reached a settlement with the officers that included more than $1,000,000 in disgorgement and civil penalties.  The SEC denied the award because (1) any information provided by HUD or the FBI to the SEC prior to the enactment of Dodd-Frank in July 2010 would not be original information under Rule 21F-4(b)(1)(iv) and (2) any information provided after July 21, 2010, failed to meet the procedural requirements that original information must be provided to the SEC in writing by the claimant under Rule 21F-9(b).

The SEC denied two other whistleblower award claims determining that the first claimant failed to provide original information that led to a successful enforcement action and that the second claimant did not timely submit his application in response to the Notice of Covered Action.  The first claimant had provided information to the SEC both before and after the enactment of Dodd-Frank.  With respect to the first claimant’s pre-Dodd-Frank information, the SEC reiterated that information provided by the claimant to the SEC before the enactment of Dodd-Frank in July 2010 did not constitute original information under Rule 21F-4(b)(1)(iv).  With respect to the post-Dodd-Frank information, the SEC concluded that the information did not lead to a successful enforcement action.  According to the SEC, under Rule 21F-4(c)(1)-(2), “original information ‘leads to’ a successful enforcement action if either:  (i) the original information caused the staff to open an investigation, and the Commission brought a successful action based in whole or in part on conduct that was the subject of the original information; or (ii) the conduct was already under investigation, and the original information significantly contributed to the success of the action.”  The SEC determined the second claimant did not submit his Form WB-APP (Application for Award for Original Information Submitted Pursuant to Section 21F of the Securities Exchange Act of 1934) within 90 days of the Notice of Covered Action as required by Rule 21F-10(b).  The SEC rejected claimant’s argument the SEC lost his original, timely WB-APP because the late-filed WB-APP did not cross-reference an earlier submission, claimant did not argue he had filed an earlier WB-APP until the SEC issued its Preliminary Determination, the claimant did not produce a copy of his alleged original submission, the SEC did not find it after an “exhaustive review of [its] records,” and the claimant did not offer any explanation why he filed the “second” WB-APP if he already had filed a timely form.

The first person to receive an award under the SEC’s whistleblower program received another $150,000 after the SEC collected an additional $500,000 in the case.  This award represents the maximum percentage payout (30%) under the whistleblower program.  Sean McKessy, chief of the SEC’s whistleblower office, commented “[t]his latest payment shows that the SEC’s aggressive collection efforts pay dividends not only for harmed investors but also for whistleblowers,” and emphasized that “[a]s [the SEC collects] additional funds from securities law violators, we can increase the payouts to whistleblowers.”

Lawson and Doral Expand Whistleblower Protections

Two recent decisions interpreting the Sarbanes-Oxley Act have significantly expanded the protections available for federal whistleblowers and increase the potential liability for public companies and private companies that contract for public companies.

In Lawson v. FMR LLC, 571 S. Ct. __, 188 L. Ed. 2d 158 (Mar. 4, 2014), the U.S. Supreme Court held that SOX protects from retaliation not only the direct employees of public companies, but also employees of private contractors and subcontractors serving public companies.  At issue in Lawson was the scope of the protected class in section 1514A of the statute:

No [public] company … or any officer, employee, contractor, subcontractor, or agent of such company, may discharge, demote, suspend, threaten, harass, or in any other manner discriminate against an employee in the terms and conditions of employment because of any lawful act done by the employee … to provide information, cause information to be provided, or otherwise assist in an investigation regarding any conduct which the employee reasonably believes constitutes a violation of section 1341, 1343, 1344, or 1348, any rule or regulation of the Securities and Exchange Commission, or any provision of Federal law relating to fraud against shareholders ….

18 U.S.C. § 1514A(a).  The plaintiffs in Lawson were former employees of privately held companies that provide advisory and management services to a mutual fund, a public company.  The mutual fund itself has no employees.  The defendants argued that the plaintiffs could not bring whistleblower claims under SOX because the statute only protects those directly employed by the public company.

In a 6–3 opinion, Justice Ginsburg, writing for the Court, concluded that section 1514A shields employees of privately held contractors and subcontractors, including investment advisors, law firms, and accounting enterprises, that contract for public companies.  The Court reasoned that “nothing in § 1514A’s language confines the class of employees protected to those of a designated employer.”  188 L. Ed. at 175.  In addition to its textual interpretation of the statute, the Court recognized that including employees of contractors and subcontractors would comport with Congress’s goal of encouraging outside professionals to report fraud without fear of retribution.

In Stewart v. Doral Financial Corporation, No. 13-1349, 2014 U.S. Dist. LEXIS 22441 (D.P.R. Feb. 21, 2014), the U.S. District Court for the District of Puerto Rico addressed the standard for pleading protected conduct.  The plaintiff claimed that he was terminated illegally after expressing concerns to the company’s audit committee that certain financial information would not be reported accurately in quarterly filings.  Relying on the Department of Labor’s Administrative Review Board’s (“ARB”) decision in Platone v. FLYi, Inc., 2006 WL 3193772 (Dept’ of Labor Sept. 29, 2006), the company moved to dismiss the plaintiff’s claim for failing to plead that the alleged protected activity “definitively and specifically” implicated the federal laws upon which section 1514A is based.  After Platone, however, the ARB abandoned the “definitively and specifically” standard in favor of a more liberal standard:  that a plaintiff must only plead she had “a reasonable belief” the alleged protected activity that the reported conduct violated applicable federal law.  Sylvester v. Parexel Int’l LLC, ARB Case No. 07-123, 2011 WL 2165854 (Dep’t of Labor May 25, 2011).  Even though the First Circuit already had adopted the “definitively and specifically” standard, see Day v. Staples, Inc., 555 F.3d 42, 56 (1st Cir. 2009), the Doral court ruled that the ARB’s more recent “reasonable belief” standard controlled and that plaintiff’s pleading was sufficient, 2014 U.S. Dist. LEXIS 22441, at *19–24.

Both the Lawson and Doral rulings dramatically broaden the scope of whistleblower liability for public companies and private companies that contract for public companies.  In fact, the dissent in Lawson points out that the Court’s interpretation gives section 1514A a “stunning reach” that will allow babysitters and cleaning staff who work for people employed by a public company to file federal cases claiming retaliation.  And the Doral decision—which echoes the conclusions of the U.S. Courts of Appeals for the Third and Tenth Circuits—allows those claims to survive the pleading stage by demonstrating only that the employee had a reasonable belief that the perceived illegal conduct implicated the federal laws upon which SOX is based.  Lawson and Doral demonstrate that it is vital for public companies and private companies who contract for public companies to have robust reporting policies in place to address employee complaints of misconduct.

Drinker Biddle & Reath LLP filed an amicus curiae brief in the Lawson case on behalf of the National Federation of Independent Business.  That brief advocated that the whistleblower protections of section 1514A not extend to employees of private contractors and subcontractors of public companies.

Arbitration Agreements and Whistleblower Protections

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 directed the SEC to establish a “bounty program” for certain individuals who voluntarily provide the SEC with original information that leads to successful SEC actions resulting in monetary sanctions over $1,000,000. Dodd-Frank also prohibits employers from taking retaliatory action against employees who report potential violations to the SEC and authorizes an employee to bring a private action in federal court alleging retaliation.  If successful, the employee may be entitled to reinstatement, double back pay, litigation costs, expert witness fees, and attorneys’ fees.  See 18 U.S.C. § 1514A.

Dodd-Frank also provides that pre-dispute arbitration clauses are invalid and unenforceable.  See id. at § 1514A(e)(2). This means companies and their executives or employees cannot agree to arbitrate Dodd-Frank whistleblower claims. But does this prohibition apply to employment contracts negotiated and entered into pre-Dodd-Frank?  Based upon a handful of district court rulings, the answer is:  possibly.

Most recently, in Khazin v. TD Ameritrade Holding Corp., Civil Action No. 13-4149 (SDW)(MCA), 2014 U.S. Dist. LEXIS 31142 (D.N.J. Mar. 11, 2014), the court granted the defendants’ motion to compel arbitration on the basis that the arbitration agreement at issue was contained in an employment agreement that pre-dated Dodd Frank. The court reasoned that to disregard a pre-Dodd-Frank arbitration provision “would fundamentally interfere with the parties’ contractual rights and would impair the predictability and stability of their earlier agreement.” The court also emphasized the “strong federal policy in favor of the resolution of disputes through arbitration” and cited a number of other federal courts that have reached a similar result. See Weller v. HSBC Mortg. Servs. Inc., No. 13-00185, 2013 U.S. Dist. LEXIS 130544, 2013 WL 4882758, at *4 (D. Colo. Sept. 11, 2013); Blackwell v. Bank of Am. Corp., No. 11-2475, 2012 U.S. Dist. LEXIS 51991, 2012 WL 1229673, at *4 (D.S.C. Mar. 22, 2012), report and recommendation adopted, No. 11-2475, 2012 U.S. Dist. LEXIS 51447, 2012 WL 1229675 (D.S.C. Apr. 12, 2012); Henderson v. Masco Framing Corp., No. 11-0088, 2011 U.S. Dist. LEXIS 80494, 2011 WL 3022535, at *3 (D. Nev. July 22, 2011); Taylor v. Fannie Mae, 839 F. Supp. 2d 259, 263 (D.D.C. 2012).

Several cases, however, view the prohibition on arbitration clauses from a different prospective and conclude that the prohibition has retroactive effect. See Pezza v. Investors Cap. Corp., 767 F. Supp. 2d 225, 234 (D. Mass. 2011); Wong v. CKX, Inc., 890 F. Supp. 2d 411, 422–23 (S.D.N.Y. 2012). In Pezza, the court followed the U.S. Supreme Court’s decision in Landgraf v. USI Film Products, 511 U.S. 244, 271 (1994), which directs courts to examine whether the statute at issue is one “affecting contractual or property rights” (and thus should not be applied retroactively) or is “conferring or ousting jurisdiction” (and thus may be applied retroactively). The court found that 18 U.S.C. § 1514A(e)(2) is more analogous to the latter because it “takes away no substantive right but simply changes the tribunal that is to hear the case.” The court in Wong found the court’s decision in Pezza persuasive and came to this same conclusion.

Employment agreements and their impact on whistleblowing activity is a hot topic at the SEC as well. Last year, a law firm that represents whistleblowers sent a letter to the Commissioners urging them to take action against what they believe were actions intended to prevent employees from reporting potential corporate violations to the SEC. See Letter to SEC Commissioners (alerting SEC of the use of settlement and severance agreements as a means to prevent reporting and whistleblower claims). Recent comments by Sean McKessy, Chief of the SEC’s Office of the Whistleblower, suggest the Commission may have taken those concerns to heart. Mr. McKessy warned, “[W]e are actively looking for examples of confidentiality agreements, separat[ion] agreements, [and] employment agreements that … in substance say ‘as a prerequisite to get this benefit you agree you’re not going to come to the commission or you’re not going to report anything to a regulator.” See article SEC Warns In-House Attys Against Whistleblower Contracts. Mr. McKessy also said that the SEC not only will penalize companies, but the “lawyers who drafted” such an agreement or language. Id. These comments warn employers and their lawyers to proceed with caution (if at all) when they are thinking about using an employment agreement as a means to curtail or deter Dodd-Frank reporting and claims.