by Stephen Kohn
Should Employees Avoid Hotlines?
Question: “Are corporate compliance and ethics programs just window-dressing?” Answer: “In many companies, probably yes.”
Donna Boehme, Former Chief Compliance Officer, BP
A corporate compliance program is not a substitute for a strategy to protect the whistleblower. Employees must take steps to defend themselves, and not simply rely upon the goodwill of an in-house compliance program, regardless of the best intentions of the compliance officers. There is no hard-and-fast rule concerning hotline communications. It depends on the quality of the in-house program and the nature of the employee’s concerns. However, before contacting any hotline, whether a corporation or the government runs it, an employee should take the following steps.
STEP 1: ENSURE THE CONTACT IS PROTECTED UNDER LAW
Employees need to be sure that their disclosures to compliance are protected under law. If the contact to the hotline is not fully protected, whistleblowers should find another method to report the misconduct.
STEP 2: THE FALSE CLAIMS ACT AND OTHER QUI TAM PROCEDURES ARE SUPERIOR TO THE BEST INTERNAL COMPLIANCE PROCEDURES
If employees want to complain about fraud in government contracting, large-scale tax fraud, or violations of the securities and commodities exchange laws, they may want to consider utilizing the respective qui tam laws applicable to their case. The False Claims Act is the most powerful antifraud law; it contains provisions that help protect an employee’s identity, and it requires the government to conduct an investigation. It is the best mechanism to force a company to fix a problem. It also provides for substantial rewards for whistleblowers who risk their careers in order to expose wrongdoing.
STEP 3: RESEARCH THE IN-HOUSE PROGRAM
Before using an in-house program, employees should do some research into the program. Is the program required under the Sarbanes-Oxley Act or Federal Acquisitions Regulations? Employees should try to find out if other workers have alleged retaliation after using an in-house program (that information may be online). An attorney should be able to conduct more detailed reviews of an in-house program, including a review of materials published by the corporation in order to determine whether the company is contractually bound to follow its own in-house compliance procedures and whether the company procedures comply with acceptable “best practices.”
STEP 4: DOCUMENT EVERYTHING
Whistleblowers need to create a detailed paper trial. If a lawsuit were to develop, contacts with the hotline program will be very relevant. Employees can also conduct civil discovery into the company’s hotline records after a lawsuit is filed. These records can be extremely helpful in demonstrating protected activity, employer knowledge, retaliation, or pretext.
STEP 5: DON’T REST ON LAURELS
Whistleblowers cannot assume the system will work. The contact with a hot-line often is just the first step in a series of disclosures. It is common for workers to first raise a concern with a supervisor, then elevate the concern to an internal compliance department, and finally file a concern with a government agency. But simply relying on a hotline investigation to fix a problem or provide protection is naive.
STEP 6: DON’T TAKE LEGAL ADVICE FROM A COMPLIANCE OFFICER
Compliance officers and hotline investigators work for the company; they do not work for the employees. They are under no obligation to provide employees with complete or accurate advice. They are under no obligation to inform employees of their rights or the laws that may protect them. Even if whistle-blowers contact a government inspector general, the government official need not tell them of their right to obtain a financial reward, and they have no obligation to advise them to file a proper claim to obtain a reward.
STEP 7: DETERMINE WHETHER CONTACTING THE HOTLINE IS NECESSARY
If a whistleblower has already attempted to solve a problem internally within a company, contacting the hotline may be futile.
STEP 8: BE SKEPTICAL ABOUT CONFIDENTIALITY
Many hotline programs promise confidentiality. Under the Sarbanes-Oxley Act and Federal Acquisitions Regulations, companies are required to grant confidentiality to employees. However, it is well-known that the very nature of an employee’s complaint can act to “fingerprint” the worker. Often, only a small group of workers are aware of the details concerning a regulatory violation. When the hotline investigator commences his or her review of the complaint, it is often not difficult for the employer to figure out the identity of the whistleblower.
STEP 9: AVOID PROGRAMS MANAGED BY CORPORATE ATTORNEYS
Whistleblowers should investigate who manages the compliance program. Some compliance programs report directly to a company’s chief executive officer or to an independent audit committee. These programs tend to have more integrity than compliance programs that report to, or are managed by, the company’s general counsel. Not surprisingly, company attorneys focus on protecting employers from lawsuits, not fixing problems. As is more fully explained in Rule 18, compliance programs that report to the office of general counsel (or other company attorneys) should be avoided or approached with extreme caution.
STEP 10: GIVE THEM ROPE TO HANG THEMSELVES
The failure of a corporation to properly investigate a hotline concern can constitute evidence of a cover-up and evidence that a company was hostile to the whistleblower. The hotline records can be obtained as part of pretrial discovery. These files may contain significant information that could help prove retaliation, including statements by various managers and factual findings related to the underlying allegations of misconduct. Under the False Claims Act, the failure of a company to properly investigate a hotline allegation can be essential in helping an employee prove his or her case. The hotline allegation can demonstrate that a company was aware of the fraud against the government and failed to take reasonable action to prevent or correct the fraud. Even when a company tries to use its hotline investigation to demonstrate that an employee’s concern had no basis, an employee can still muster additional facts that the compliance officers failed to consider and impeach the company’s conduct.
Given the sensitivity of internal compliance programs, and the pressure that is sometimes placed on compliance officers to cover up problems, it is not uncommon for compliance officers themselves to become whistleblowers and/or witnesses in an employee’s case.
Thus, pursued thoughtfully and carefully, a disclosure to a hotline can be an important part of a successful whistleblower case.
STEP 11: BLOWING THE WHISTLE ON THE LACK OF PROPER “INTERNAL CONTROLS”
A publicly traded company that lacks effective “internal controls” necessary to detect securities fraud, ensure accurate corporate disclosures, and detect improper payments (such as paying bribes) may be in violation of the “bookkeeping” and accounting requirements of the Foreign Corrupt Practices Act and other securities laws. These failures can result in large fines, and under the Dodd-Frank Act a whistleblower (including, in the appropriate circumstances, a whistleblower who works directly in a company’s compliance program) can qualify for a large financial reward by exposing these defects. Recent cases have held that employees who blow the whistle on corporate violations of “internal control standards” engage in protected activity under the Sarbanes-Oxley Act.
The New Dodd-Frank Rules
On June 13, 2011, the Securities and Exchange Commission published new rules implementing the whistleblower rewards provisions of the Dodd-Frank Act. These rules contained two provisions that would enhance internal whistleblower protections and corporate compliance. See Rule 19.
PRACTICE TIPS
• The Sarbanes-Oxley Act requirement mandating that audit committees include a confidential employee concerns program is codified at 15 U.S.C. § 78(f)(4). The Federal Acquisition Regulations mandating compliance and ethics programs are located at 48 C.F.R. Chapter 1 and Subpart 3.900.
• In 2011 the Securities and Exchange Commission and the Commodity Futures Trading Commission imple
mented whistleblower reward rules mandated under the Dodd-Frank Act. These rules created incentives for employees to report potential violations to corporate compliance programs. These new incentives are codified at SEC Final Rules 17 C.F.R. §§ 240.21F-4(b)(7) and F-6(a)(4) and CFTC Final Rules 17 C.F.R. §§ 165.2(i)(3) and 165.9(b)(4).
• Rule 19 fully explains the circumstances when compliance officials, auditors, and corporate directors can qualify for rewards under Dodd-Frank. It also explains how employees can qualify for rewards if they intentionally report fraud to their managers or to a company’s compliance department.
RULE 18Don’t Talk to Company Lawyers
At the height of the war in Iraq, employees from the U.S. government’s largest defense contractor, Kellogg Brown & Root, Inc. (better known as KBR), witnessed gross frauds and reported them to the company’s compliance investigators stationed in Iraq. They provided highly credible information that KBR employees were involved in bribery and “presented inflated and fraudulent bills” for “terrible” work paid for by the taxpayers. They did not know that the “compliance” program was managed by the company’s general counsel, whose primary goal was to protect the company, not combat corruption. The compliance investigators (none of whom were attorneys) sent the investigatory reports that confirmed the frauds up the chain of command and, ultimately, to the company lawyers in Houston, Texas. The lawyers’ job was not to disclose misconduct to the government but to advise the company on how to escape liability. None of the information disclosed by the whistleblowers was ever provided to the government. Instead the information collected could be used to help KBR defend against a government investigation, or a whistleblower claim if one was ever to be filed.
Years later, one of these KBR employees, frustrated that the company had gotten away with the frauds, filed a complaint under the False Claims Act. The whistleblower, Harry Barko, had worked for KBR and suspected that other employees would confirm what he saw: widespread fraud in KBR’s contracting practices that cost U.S. taxpayers millions. He subpoenaed the compliance department. KBR objected to the release of the investigatory files, claiming the documents were protected under corporate attorney–client privilege. Their basis for objecting was simple. KBR’s compliance program, known as the Code of Business Conduct (COBC), ultimately reported to the company’s general counsel; therefore all its documents, including direct evidence of fraud provided to the company internal whistleblowers, were confidential.
The trial judge reviewed the contested documents in camera (privately), without giving a copy to Mr. Barko’s counsel. After looking at the materials, he ordered KBR to produce the documents for Mr. Barko’s review. The judge noted that the documents contained no legal advice, were not written by lawyers, and the employees who were interviewed were never directly advised that their interviews were covered under an attorney-client or attorney–work product privilege. Moreover, because the interviews were conducted as part of the company’s standard compliance program—a program all large government contractors were required to have under federal law—the judge determined that the primary purpose of the investigation was business related and not part of a protected attorney investigation.
The judge looked at the interviews and called the material “eye-openers.” Clearly, KBR wanted to keep the material secret because it was damaging and supported findings that KBR committed serious fraud while profiting from its war contracts. Describing the contents of the COBC reports, the court spelled out the direct evidence of contract fraud the company had uncovered as part of its internal compliance review:
• “Preferential treatment” to a favored subcontractor;
• KBR employees accepting payoffs to illegally steer business to an unqualified subcontractor;
• Permitting the less-qualified subcontractor to improperly undercut bids submitted by companies that were not paying bribes by giving them inside information;
• Approving contracts that were more expensive to the United States, with “terrible completion performance” and “regular attempts to double bill”;
• Awarding a contract despite the “bid being twice another bid from a competent contractor” (the bid was twice as expensive as a more competent competitor);
• Paying the full bills from a favored subcontractor (which had given payoffs to KBR employees), despite the work being “incomplete and late” and “substandard”;
• Paying “ballooned” costs (three times the contract price) for work, even when performance was terrible.
The trial judge ordered the reports to be produced.
KBR, with strong support from the U.S. Chamber of Commerce, filed an emergency appeal to the U.S. Court of Appeals District of Columbia Circuit. The basis of their appeal was simple: KBR’s COBC program was ultimately managed by the company’s law department. Thus, all the investigatory files and interview notes were protected from disclosure under attorney-client privilege. According to KBR, it did not matter that the employees were misled about the nature of the program they were reporting to.
The U.S. Court of Appeals sided with KBR. The documents would remain secret, despite the fact that they proved that taxpayers had been robbed. Nor did it matter that none of the persons interviewed at KBR were directly told that the interviews were covered under company’s attorney-client privilege.
The Court of Appeals justified its holding by reasoning that “[t]he attorney-client privilege protects confidential employee communications made during a business’s internal investigation led by company lawyers.” Corporate compliance reviews managed by general counsel are such internal investigations. Because the privilege applied not only to the lawyers themselves but also to “agents and subordinates” working under the “direction or control of the lawyer,” everyone working within compliance can fall under the privilege. In the case of KBR, this included its entire compliance program. In this way a company can choose to hide the results of an internal investigation (if the results are harmful), release the results (if they do not vindicate the whistle-blower), or use some (or all) of the investigatory materials to build a defense against a government sanction or a whistleblower case.
One of the justifications used by the Court of Appeals to justify its broad holding was that it did not want to “inject uncertainty into the application of the attorney-client and work product protection to internal investigations.” The Court effectively protected KBR’s COBC compliance program by defining it as an arm of the company’s Office of Legal Counsel. The Code of Conduct, designed in theory to promote ethical behavior, became a tool for the lawyers. Instead of supporting a rule that would promote independent compliance programs, the Appeals Court went in the opposite direction. They provided legal support for keeping compliance programs under the tight control of lawyers primarily tasked with protecting companies from liability and defending against whistleblower lawsuits, undermining the trust and transparency necessary to change corporate culture.
The incriminating KBR documents remained secret. The evidence of fraud, which the employees wanted to report, was suppressed. Mr. Barko, the U.S. government, and the American public were denied access to these materials.
The main lesson from KBR is to be aware of for whom compliance officials work before talking with them. In Mr. Barko’s case, KBR used its compliance program to find out who the whistleblowers were, learn what evidence they had against the company, and prepare legal defenses should the government learn about the allegations and initiate its own investigation.
“It doesn’t take a pig farmer from Iowa to smell the stench of conflict in that arrangement.”
Senator Charles Grassley on General Counsels running compliance programs
But the ability for companies like KBR to twist compliance programs to serve their self-interest is far greater them simply hiding information. KBR, the corporate client, can always decide to “waive” the privilege and release the attorney-client information any time it is to their advantage. If the documents had been c
ritical of Mr. Barko, KBR could have used them to attack his credibility. If the reports demonstrated that the company was a good corporate citizen, they could be released to impeach the “good faith” of the whistleblower or to demonstrate to a court how thorough and objective its program is. Under the KBR precedent, the purported goals of a lawyer-run compliance program can be twisted and, instead of promoting ethical corporate behavior, become a prime enabler for corporate crime.
Before you speak with company lawyers or compliance officials who report to lawyers, beware of their incentives. They may be hired to protect the company and not you. In reality, they may be part of a cover-up, like in the KBR case. The company may use your own words against you and actually try to blame you for the problems you report. As a number of courts have recognized, these lawyer-run compliance programs are legally permitted to throw any employee “under the bus” if it is in the company’s interest.
The division between compliance programs that report to the general counsel and compliance programs that are independent (reporting directly to the CEO or board of directors) is the biggest disputed issue within the compliance profession. Leading experts in this area, along with a majority of compliance professionals, all oppose general counsel controlled compliance programs. They strongly argue that for compliance to work, the programs must be transparent, trustworthy, and independent. Employees do not, and should not, trust lawyer-run compliance programs. Always remember that the company’s lawyer is only required to act in the company’s best interest, not yours. Unlike other company officials who can be compelled to release their e-mails or other documents if a case is ever filed, lawyers can use attorney-client privilege to hide evidence that may help your case.
