Sarbanes Oxley made it clear: publicly traded companies must protect whistleblowers from retaliation, or face large fines and legal actions.
Yet a widely misunderstood ruling last year by the Supreme Court opened up that law’s whistleblower protections to apply to employees of a public company’s private contractors and subcontractors as well. Many private firms—even some of the largest one—are still unaware of the huge financial and reputational risk they face.
The Sarbanes-Oxley Act Today
In 2002, the Sarbanes-Oxley Act (SOX) was passed in response to the Enron and WorldCom scandals, offering broad protections for whistleblowers at public companies in order to encourage fraud reporting. Private companies were considered immune to the law.
But in 2014 the Supreme Court heard a challenge to SOX, and ruled that even though the plaintiffs were not employees of the publicly traded company, the SOX whistleblower statute applied to them. The reason? They suffered retaliation for reporting alleged fraud involving financial reporting of a publicly-traded company.
Here’s what the law now says:
- SOX covers employees of a public company’s private contractors and subcontractors.
- SOX covers privately-owned companies if they provide services for publicly-traded ones.
That second point is where things get interesting.
After all, this could imply that an employee of a two-person advertising firm working for a publicly-traded company could now bring retaliation claims under SOX. Indeed, Justice Sonia Sotomayor, one of the court’s liberal justices, lamented in her dissent: “…it would extend whistleblower protections so far as to cover office cleaners, day laborers and even babysitters who work for people employed at public companies.”
Private Companies No Longer Immune
Privately-owned companies are potential targets now for SOX retaliation lawsuits. The Supreme Court did not clearly define its extension of SOX liability, so the full reach of this statute is still to be seen.
But no company wants to be the one to help define this ruling better through lawsuits and court battles.
It’s not clear, for instance, whether a private company is exposed to risk regardless of the nature and extent of the particular services it provides to a public company. Do cleaners and day laborers really count?
Your job is risk mitigation, which means this ruling has the possibility of ensnaring both public and private companies in new and unexpected ways.
For instance, contract employees who allege they were retaliated against for blowing the whistle could file a lawsuit against a company, even if they’re only working a few hours a week. And any private employer who happens to do any work for a public company is subject to SOX’s whistleblower provisions, which could have vast and far-reaching implications.
How Hotlines Offer Protection
Hotlines give compliance departments the ability to get far ahead of any potential lawsuit. Public companies have known this for years, and the most forward-looking ones have robust and well-functioning hotline and case management solutions in place that have end up having a powerful ROI for a company in the form of greater efficiency, risk reduction and improved performance.
A good hotline is designed to allow a whistleblower a safe and easy place to make their claim. Since operational fraud is more likely to be brought in by a tip than by any other method, it is in a company’s best interest to provide easy-to-use and non-threatening ways for employees—and in some cases contractors—to make anonymous or on-the-record reports.
Whistleblowing surveys repeatedly show that employees who spot potential abuse aren’t running to lawyers and suing first. They’re trying to use the system and, when the system is set up right, it works to the company’s advantage by allowing them to investigate and address the claims internally.
Hotlines + Good Case Management = Best Protection
We often come across private companies who do not think they need a hotline service (or a third-party one)—they may or may not have the commonly-held misperception that “this doesn’t apply to us, we’re private.”
Yet enforcement agencies and prosecutors have demonstrated again and again that if a company has effective reporting channels in place, and can provide a record of the report, their investigation, their response and how they protected the whistleblowers, penalties have been reduced or declined altogether.
Regulators know that no company can police and be responsible for every employee, but at the same time they’re no longer willing to let ignorance of wrongdoing insulate senior executives and board members from responsibility.
6 Reasons to Outsource Hotline & Case Management
Solid legal protection comes down to visibility and a clear paper trail. Your company’s compliance falls under your watch, and if you know what’s going on and are trying to address it, you’ll be more likely to demonstrate a good faith effort and establish an affirmative defense in the event of a breakdown.
Many companies, in an effort to keep costs and information under their control, will set up internal hotlines and case management rather than use a third-party solution. Yet this raises numerous problems.
Third-party hotlines provide 6 extra layers of protection against external scrutiny:
- Objectivity: clearly avoids any real or perceived business/personal conflicts of interest.
- No involvement: a third-party provider is not investigating the incident or advocating on behalf of anyone—meaning they have no incentive to protect the company.
- Non-retaliation: employees might be too afraid to report internally for fear of retaliation, or might not have confidence that anything will get done if they report in a company-branded system.
- Consistency: there’s a consistent and standardized workflow and audit trail of everything.
- Cost: outsourcing to an expert can cost far less than internal allocation of human and financial capital.
- Experience: unless hotlines are your business, creating and maintaining an internal solution is not likely to be cost-effective in the long run.
Whistleblower risk should be an area of concern for all employers. Today’s smart public and private companies are investing in third-party hotline and case management systems in order to make sure they’re receiving reports of potential misconduct—and protecting the individuals that make them.
Convercent offers comprehensive and integrated compliance management, reporting, and analytics for compliance departments who want to become best-in-breed.