A national bank client calls you and says that an internal auditor employee, who has signed stringent confidentiality and non-disclosure agreements, has provided highly confidential bank and customer documents and information to the SEC and other government enforcement agencies. He also sent these documents to the New York Times, which publishes an article about your client, causing its share value to drop 30 percent.
For good measure, the auditor sent files including customer Social Security numbers to his mother (for safekeeping), uses his girlfriend's computer to access confidential company documents, deletes hundreds of confidential files from his company-issued laptop, and uses his personal Gmail account to email confidential company information to his Gmail address.
No, you're not having a nightmare. You are not dreaming. This scenario happened to the California bank BofI (formerly known as Bank of Internet USA). The disturbing facts and their legal aftermath are set forth in a 2017 federal court decision, Erhart v. BofI Holding, 2017 U.S. Dist. LEXIS 20959 (S.D. Cal. Feb. 14, 2017), charmingly issued on Valentine's Day.
Charles Matthew Erhart was an internal auditor at BofI's San Diego headquarters. As an internal auditor, he had access to proprietary and confidential information, including customer banking information, nonpublic communications between BofI and its regulators, communications between BofI's attorneys and agents, internal audit findings, and BofI employees' personal information.
He was required to execute a confidentiality agreement as a condition of his employment, in which he agreed, except as required or authorized by the Bank, not to "use, publish or disclose any of BofI's Trade Secrets and/or Confidential Information in any manner whatsoever." He also agreed that, if his employment was terminated for any reason, he would "[i]nform BofI of and deliver to BofI all records, files, electronic data … and the like in [his] possession, custody or control that contain any … Trade Secrets or Confidential Information …."
While performing his work as an internal auditor, Erhart claimed to encounter repeatedly conduct he believed to be wrongful. Once, he felt that the Bank failed to disclose certain information in response to an SEC-issued subpoena. He therefore contacted the SEC to inform him of his views.
He also contacted the SEC regarding a BofI loan customer whom he believed was "suspicious" and operating as an unregistered investment advisor. In doing so, he disclosed confidential information about the customer to the SEC.
Also, to preserve Bank documents, as noted above, he sent them to his personal Gmail account; he downloaded confidential files to his personal computer; and, when he felt his job was in jeopardy, he emailed files to his mother and used his girlfriend's computer to access Bank files.
He also contacted the U.S. Department of the Treasury's Office of the Comptroller of the Currency (OCC), the Bank's principal regulator, and provided them with copies of Bank files.
After being placed on unpaid FMLA leave after he reported that he "felt very unwell," he filed a whistleblower complaint with the federal Department of Labor's Occupational Safety and Health Administration (OSHA), claiming that BofI retaliated against him for reporting conduct he believed to be wrongful to the government.
Finally, BofI claimed that shortly before filing his whistleblower complaint, Erhart disclosed confidential Bank information to the newspaper of record, the New York Times.
Several days later, BofI filed a countersuit against Erhart for (1) breach of contract, (2) conversion, (3) breach of the duty of loyalty, (4) negligence, (5) fraud, (6) unauthorized computer access and fraud in violation of California criminal law, (7) violation of the federal Computer Fraud and Protection Act, and (8) unfair business practices in violation of the California Business and Professions Code.
Erhart answered by raising 52 affirmative defenses; 13 of them related to whistleblower protection, and BofI moved for summary judgment on those 13 defenses.
Disclosures to the Government
Erhart claimed that he could not be held liable on the Bank's breach of contract claim, based on the confidentiality agreement, because enforcement of the agreement in these circumstances would be illegal.
In considering these claims, the court considered that there was "a strong interest in enforcing the Confidentiality Agreement because it serves several legitimate interests," among them the freedom of parties to enter into contracts, the "significant government interests" promoted by legal protection of trade secrets, the government interest in protecting against a financial institution's disclosure of non-public personal information, and BofI's strong interest, as an employer, in discouraging an employee from taking sensitive personnel documents.
At the same time, the court recognized a public policy in favor of encouraging workplace whistleblowers to report unlawful acts without fearing retaliation.
How did these competing interests weigh in the circumstances of Erhart's multiple disclosures, to everyone from the federal government to his mother?
First, perhaps predictably, the court held that public policy permitted Erhart's disclosures of the confidential information to the SEC and the OCC, notwithstanding the countervailing interests in enforcing the confidentiality agreements. The court's analysis was nuanced. The court recognized that "whistleblowers often need documentary evidence to substantiate their allegations," but held that the question as to whether a public policy exception permitting disclosure notwithstanding the confidentiality agreement would be subject to an analysis of whether in "particular instances" disclosure of "particular documents" would be justified.Id. at *33 (quoting Cafaso v. General Dynamics C4 Systems , 637 F. 3d 1047, 1061-62 (9th Cir. 2011)).
Here, Erhart claimed that he was "very careful in [selecting] the information [he] accessed and turned over. Each document was specifically related to one of the allegations of wrongdoing [he] had discussed with [his supervisor] and then reported to federal law enforcement."
In these circumstances, BofI had "not demonstrated that Erhart engaged in a 'wholesale stripping of [BofI's] confidential documents'—or that his appropriation of its files was 'vast and indiscriminate.'"Id. at *36 (quoting Cafaso, 637 F.3d at 1062).
Disclosures to Mom, Girlfriend
How about, at the other extreme, Erhart's transmission of confidential information to the women in his life—his mother and his girlfriend? Erhart had sent an email to his mother that included a spreadsheet that contained customers' Social Security numbers. His mother briefly accessed the email, but she didn't print, forward, or otherwise provide it to anyone.
Erhart justified the disclosure based on his alleged fear that the Bank would delete or alter material information—allegedly "based on what [he'd] seen management do in the past." Not without some drama, he declared that he sent his mother the information "for safekeeping because [he] was fearful, in case something happened to [him] or that information."
As for the girlfriend, she never looked at the BofI information Erhart placed on her computer, and never shared the information with anyone.
In these circumstances, the court declined to dismiss Erhart's affirmative defenses of whistleblower protection as to these disclosures.
Disclosures to the Times
The court made relatively short shrift of Erhart's argument that his alleged leaks to the Gray Lady constituted protected activity sufficient to justify his alleged violation of the confidentiality agreement. Citing precedent from the U.S. Court of Appeals for the Ninth Circuit, Tides v. Boeing , 644 F. 3d 809, 811 (9th Cir. 2011), the court stated that none of the various federal, state and common law whistleblower remedies he sought to invoke gave whistleblower protection to media disclosures.
In Tides, the Ninth Circuit noted in particular that Sarbanes-Oxley's whistleblower protection applies only to disclosures to (1) a federal regulatory or law enforcement agency, (2) a member or committee of Congress, or (3) a supervisor or other individual who has the authority to investigate, discover or terminate such misconduct. Id. at 815, citing 18 U.S.C. §1514A(a)(1). The court held that the same reasoning applied as well to the remaining whistleblower remedies Erhart sought to invoke.
Disclosures in the Pleadings
BofI went so far as to argue that Erhart's disclosures of confidential information in his publicly filed complaint also violated the confidentiality agreement, and was not justified by any public policy in favor of such disclosure. The court noted that Erhart "should not be able to disclose any of BofI's information in his complaint simply because he is pursuing a whistleblower retaliation claim." Again, the court said that resolving the issue would turn on whether disclosure was "reasonably necessary" in order for Erhart to pursue his retaliation claim. This assessment, the court held, would turn on issues of fact, and thus was not susceptible to a summary judgment ruling.
The court also declined to rule summarily on whether Erhart's disclosures might or might not constitute conversion or a breach of his duty of loyalty. The court held that reaching the issue of whether public policy permitted his disclosures would require a factual assessment, and hence it again declined to strike Erhart's affirmative defenses.
Erhart, alas, does not represent an isolated occurrence. Banks and indeed all businesses must anticipate that a whistleblower—from a lowly auditor, to a chief financial officer, or even a general counsel—may disclose highly confidential and even privileged records to an enforcement agency or third party. These disclosures, if carried out in good faith and in the reasonable pursuit of a legal claim, are likely to be held to be fully lawful.
There are multiple lessons to be learned, perhaps too many to list here. Companies must be sure to have in place strong policies prohibiting the transmission or unauthorized use of confidential data, while recognizing employees' right to make use of them in legitimate government disclosures. Companies must be sure that information they deem to be confidential is in fact confidential—the data must be stored in a manner to preserve their confidential nature.
And finally, of course, companies must put in place robust policies encouraging employees to come forward if they believe their employer is engaging in unethical or illegal activity; companies must investigate and take such complaints seriously; and they must not tolerate any conduct that could give rise to a whistleblower complaint by setting a "tone at the top" of abiding by the highest standards of ethics and respect for the law.
Philip M. Berkowitz is a shareholder of Littler Mendelson and co-chair of the firm's U.S. International Employment Law Practice Group and the Financial Services Industry Group. Reprinted with permission from the March 8, 2017 edition of the New York Law Journal© 2017 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. ALMReprints.com – 877-257-3382 - firstname.lastname@example.org.