Supplementary – United States – Whistleblowing Laws in Europe: An international guide
Legislative and common law protections
There are many US federal statutes that prohibit employers in the private sector from retaliating against whistleblowers, many of which are sector or industry specific. For example, the Occupational Safety and Health Act 1970 protects those who have reported or complained about workplace safety and health issues; the Corporate and Criminal Fraud Accountability Act 2002 (Sarbanes-Oxley (SOX)), as expanded by the Wall Street Reform and Consumer Protection Act 2010 (Dodd-Frank), protects securities law-related whistleblowers; and the Affordable Care Act protects those blowing the whistle on issues related to healthcare reform. Most of these laws are enforced by the Department of Labor (DOL) or the Occupational Safety and Health Agency (OSHA). OSHA’s Whistleblower Protection Program enforces the anti-retaliation provisions of more than 20 federal statutes that protect employees who raise or report concerns about hazards or violations, each with its own regime and requirements related to issues such as the number of days to file a complaint, respondents covered, days to complete an investigation, burden of proof and allowable remedies.
There are also federal statutes of general application that protect those who report fraud on the government or complain about violations of federal anti-discrimination laws, federal statutes that specifically apply to protect public sector employees and subcontractors, and statutes and common law protections at the state and local levels.
As a general matter, employees may not be directly or indirectly, or in any other manner, discriminated against in the terms and conditions of employment. because they have exercised any right afforded to them under one of the laws that protect whistleblowers. Prohibited actions can encompass any act by an employer that a reasonable employee would find materially adverse (eg disciplined, transferred, denied a raise or benefits, demoted, suspended, harassed). This can vary based on the applicable statute or common law.
The scope of protections also varies based on the applicable statute or body of common law. All of the statutes with whistleblower provisions protect employees of companies covered by the applicable statute. Some also cover employees of contractors and subcontractors who work for the covered company. For example, SOX protects employees of certain publicly traded companies and companies with certain reporting requirements with the Securities and Exchange Commission (SEC), as well as their contractors, subcontractors, and agents, including, under certain circumstances, employees of privately held contractors who perform services for public companies. The term “employee” is broadly defined to include current workers; former workers, if the protected activity occurred during the course of their employment (or even post-employment depending on the facts); applicants for employment with a covered employer; and individuals whose employment may be affected by a covered person, such as supervisors, managers, and officers.
Many statutes protect both internal whistleblowing (eg reporting to a supervisor) and external whistleblowing (reporting to the relevant agency); however, this can vary. For example, for a whistleblowing report to be protected under Section 806 of SOX, the employee must have provided information regarding any action or inaction that the employee reasonably believes is a violation of a covered law to a federal regulatory body or law enforcement agency, member of Congress or committee of Congress, or a supervisor or person authorized by the employer to investigate, discover, or terminate misconduct. In contrast, under the Dodd-Frank Act, whistleblower protection is predicated on a showing that the whistleblower disclosed a possible securities violation directly to the SEC.
Like filing requirements, the definitions of a protected disclosure can vary, but typically include: initiating a proceeding under, or for the enforcement of, any of the statutes with whistleblower protections, or causing such a proceeding to be initiated; testifying in any such proceeding; assisting or participating in any such proceeding or in any other action to carry out the purposes of those statutes; and complaining about a violation.
Any employee who believes they have been discriminated or retaliated against in violation of the statutes administered by OSHA must file a complaint with OSHA within the statutorily defined time period (that complaint is itself protected activity), which differs by statute. If OSHA has not issued a final decision within a statutorily defined time period, and there is no showing that there has been delay due to the bad faith of the employee, the employee may file an action in federal court. If OSHA does issue a final decision, the matter may be appealed to a federal appellate court.
For those statutes enforced by OSHA, the investigative process may vary. In general, upon receipt of a timely complaint, OSHA notifies the employer, and if conciliation fails, conducts an investigation. Complaints without merit will be dismissed. Where OSHA finds a complaint has merit, it will either be referred to the DOL Office of Solicitor for legal action or OSHA will issue a determination letter which may provide for remedies (eg back wages, reinstatement, reimbursement of attorneys’ fees and litigation costs). The relief available can vary. Some statutes allow for additional damages, such as Dodd-Frank, which provides for increased back pay awards and a percentage of the money recouped by the government for the reporting. In FY 2020, the SEC awarded approximately USD175 million to 39 individuals – both the highest dollar amount and the highest number of individuals awarded in a fiscal year.
Employers may challenge OSHA’s determinations under most federal statutes by requesting a hearing before an Administrative Law Judge, whose decisions are subject to review by DOL’s Administrative Review Board and can ultimately be challenged in the federal courts. Again, this can vary based on the applicable statute.
Under SOX, there are also criminal penalties, including a fine or ten years’ imprisonment (or both), for retaliation against a whistleblower who made a report to a law enforcement agency concerning the commission of any federal offense.
Internal whistleblower programs
US companies may be required to establish a whistleblower program. For example, SOX directs the audit committees of covered companies to establish procedures for:
- the receipt, retention, and treatment of complaints received by the Company regarding accounting, internal accounting controls, or auditing matters; and
- the submission by employees of the Company and others, on a confidential and anonymous basis, of good faith concerns regarding questionable accounting or auditing matters.
The regulations do not proscribe specific procedures that audit committees must establish, and there is no one-size-fits-all approach. Rather, the SEC has recognized that compliance programs will vary based on the company’s size, industry, geographic footprint, regulatory landscape and other factors.
In general, in evaluating the sufficiency of a program, the SEC and other enforcement agencies consider whether the program is well-designed, periodically reviewed, applied in good faith (adequately resourced and empowered to function effectively) and works in practice. For example, simply putting in place a whistleblower hotline is generally not sufficient. Rather, enforcement agencies will consider whether the company periodically tests the effectiveness of the hotline to ensure employees are aware of the hotline and feel comfortable using it, and whether it incorporates lessons learned from its own issues, updating policies and procedures if necessary.
Key considerations in designing a program include: who should receive and act on complaints (intake, notice and assignment); escalation protocols; how to provide for the anonymous submission of complaints (eg internal or third-party telephone hotlines, web-based approaches, paper submission boxes); how and when to communicate with the reporter; how to conduct the investigation; and how to make employees and others aware of procedures by broadly disseminating the procedures.
Even in the absence of a statutory requirement, public and private companies are encouraged to implement a strong compliance program, including anonymous reporting, non-retaliation pledges, robust investigation and remediation, and training and awareness campaigns. An effective compliance program offers numerous advantages. It promotes an organizational culture that encourages ethical conduct and a commitment to compliance with the law and allows companies to discover and remediate wrongdoing at the earliest stages, which in turn prevents or minimizes reputational and monetary damages.