Whistleblower Risk for Private Companies

Misperceptions about whistleblower protections could cost private sector companies

Whistleblower protection in the private sector has long been murky territory. Historically, legislation such as Sarbanes-Oxley (SOX) has covered publicly traded companies, without specific provisions for the private sector. But between Supreme Court rulings, the Private Sector Whistleblower Protection Streamlining Act of 2012, and, most recently, the EU Whistleblower Protection Directive, it’s clear that private companies are increasingly being held to the same standard as their public counterparts.

Sarbanes-Oxley: From 2002 Until Now

In many ways, the Sarbanes-Oxley Act (SOX) was one of the very first pieces of legislation offering protections for whistleblowers. Passed in 2002 in response to the Enron and WorldCom scandals, SOX was designed to encourage fraud reporting. But at that time, private companies were considered immune to the law.

Then, in 2014, the Supreme Court heard a challenge to SOX and ruled that even though the plaintiffs were not employees of the publicly traded company, the SOX whistleblower statute applied to them. The reason? They suffered retaliation for reporting alleged fraud involving financial reporting of a publicly-traded company.

Here’s what the law now says:

  1. SOX covers employees of a public company’s private contractors and subcontractors.
  2. SOX covers privately-owned companies if they provide services for publicly-traded ones.

That second point is where things get interesting.

After all, this could imply that an employee of a two-person advertising firm working for a publicly-traded company could now bring retaliation claims under SOX.

Indeed, Justice Sonia Sotomayor, one of the court’s liberal justices, lamented in her dissent: “…it would extend whistleblower protections so far as to cover office cleaners, day laborers and even babysitters who work for people employed at public companies.”

The EU Whistleblower Protection Directive for Private Companies 

Effective as of December 17, 2021, the EU Whistleblower Protection Directive was established to provide more stringent reporting guidelines and greater whistleblower protection for all companies that are based in or do business in the European Union with more than 50 employees. The Directive takes care to specify that many of its provisions apply to both public and private corporations.  

The Directive specifies that entities with 50+ employees must: 

  • Maintain records of every report received, compliant with the Directive’s confidentiality requirements 
  • Provide internal, local reporting channels  
  • Prevent retaliation against whistleblowers using a reverse burden of proof 
  • Offer an option to anonymize reports

Unlike SOX, the EU Whistleblower Protection Directive can be interpreted and implemented differently in each of the EU Member States. However, it is in the best interests of private companies to establish whistleblower-first reporting protocols that comply, since the Directive itself establishes bare minimum best practices. 

Private Companies No Longer Immune to Whistleblower Risk

Today, privately-owned companies in the U.S. and Europe are potential targets for SOX and EU Directive retaliation lawsuits. Up until now, the full reach of SOX or the Directive has yet to be seen.

But no company wants to be the one to help define this ruling better through lawsuits and court battles.

Under SOX, it wasn’t clear, for instance, whether a private company is exposed to risk regardless of the nature and extent of the particular services it provides to a public company. Do all public employees, including cleaners and day laborers, really count?

To combat any misinterpretation, the EU Whistleblower Protection Directive specifies that “Protection should also extend to categories of natural persons, who, whilst not being ‘workers’…can play a key role in exposing breaches of Union law.” Simply put, this means that the Directive can protect self-employed persons, shareholders, personnel of (sub)contractors, former employees, job applicants, and more.

Your job is risk mitigation. Both public and private companies can now become ensnared in new and unexpected ways.

For instance, contract employees who allege they were retaliated against for blowing the whistle could file a lawsuit against a company, even if they’re only working a few hours a week.

And private employees who happen to do any work for a public company are subject to these whistleblower provisions under SOX, which could have vast and far-reaching implications.

How Hotlines Lower Whistleblower Risk for Private Companies

Whistleblower hotlines give compliance departments the ability to protect whistleblowers at private companies—and get far ahead of any potential lawsuit.

Public companies have known this for years, and the most forward-looking ones have robust and well-functioning hotline and case management solutions in place that end up having a powerful ROI for a company in the form of greater efficiency, risk reduction and improved performance.

A good hotline is designed to allow a whistleblower a safe and easy place to make their claim without fear of retribution or disciplinary action. Since operational or corporate fraud is more likely to be brought in by a tip than by any other method, it is in a company’s best interest to prevent whistleblower risk by providing easy-to-use and non-threatening ways for employees—and in some cases contractors—to make anonymous or on-the-record reports.

Whistleblowing surveys repeatedly show that employees who spot potential abuse or an OSHA violation aren’t running to lawyers and suing first. They’re trying to use the system and, when the system is set up right, it works to the company’s advantage by allowing them to investigate and address the claims internally.

Whistleblower Hotlines + Good Case Management = Best Protection

While some private companies may not think they need a hotline, now is a crucial time to get one. 

Federal laws and sentences have demonstrated again and again that if a company has effective reporting channels in place, and can provide a record of the report, their investigation, their response and how they protected the whistleblowers, penalties have been reduced or declined altogether. Beyond that, clear and concise documentation is now an imperative under the EU Whistleblower Protection Directive.

Regulators in Europe and the U.S. know that no company can police and be responsible for every employee, but at the same time, they’re no longer willing to let ignorance of wrongdoing insulate senior executives and board members from responsibility.

6 Reasons to Outsource Hotline & Case Management to More Effectively Manage Whistleblower Risk in the Private Sector

Solid legal protection comes down to visibility and a clear paper trail.

Your company’s compliance falls under your watch, and if you know what’s going on and are trying to address it, you’ll be more likely to demonstrate a good faith effort to protect whistleblowers and prevent retaliation, establishing an affirmative defense in the event of a breakdown.

Many companies, in an effort to keep costs and information under their control, will set up internal hotlines and case management rather than use a third-party solution. Yet this raises numerous problems.

Third-party hotlines provide 6 extra layers of protection against external scrutiny:

  1. Objectivity: clearly avoids any real or perceived business/personal conflicts of interest.
  2. No involvement: a third-party provider is not investigating the incident or advocating on behalf of anyone—meaning they have no incentive to protect the company.
  3. Non-retaliation: employees might be too afraid to report internally for fear of retaliation, or might not have confidence that anything will get done if they report in a company-branded system.
  4. Consistency: there’s a consistent and standardized workflow and audit trail of everything.
  5. Cost: outsourcing to an expert can cost far less than the internal allocation of human and financial capital.
  6. Experience: unless hotlines are your business, creating and maintaining an internal solution is not likely to be cost-effective in the long run.

Not to mention, a third-party hotline is equipped to meet the local intake requirements of the EU Directive, while segmenting case data and making anonymized data visible at the central or global level. 

Bottom Line About Private Sector Whistleblower Protection

Whistleblower protection should be an area of concern for all employers. Today’s smart public and private companies are investing in third-party hotline and case management systems in order to mitigate risk, encourage reporting, and improve compliance.

Convercent offers comprehensive and integrated compliance management, reporting, and analytics solutions for compliance departments who want to support employees, promote a speak-up culture, and protect whistleblowers.