Frances Haugen, a former product manager at Facebook, recently revealed her identity as the whistleblower who reported Facebook to the U.S. Securities and Exchange Commission (SEC) and provided internal Facebook documents to Congress and to the press. Questions have arisen about what kinds of protections she and other whistleblowers have when it comes to sharing documents with government regulators, Congress, and news outlets. Whistleblowers have a number of protections that allow them to disclose documents, even those that may be deemed confidential; however, the availability of these protections depends on the nature of the documents, the scope of what the whistleblower takes from the company, and to whom she provides these documents.
Documents Related to Securities Violations
The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act) and the Sarbanes-Oxley Act of 2002 (SOX) provide anti-retaliation protections for whistleblowers who share information with specific recipients to report possible securities violations. The SOX anti-retaliation provision, 18 U.S.C. § 1514A, protects employees who report fraud or securities violations to (1) federal regulatory or law enforcement agencies, like the SEC; (2) to a person in the company with supervisory authority over the employee; or (3) to any Congressperson or any committee of Congress. The Dodd-Frank Act’s anti-retaliation provision, 15 U.S.C. § 78u-6(h)(1)(A), prohibits retaliation by an employer against an employee who provides information to the SEC; initiates, testifies in, or assists any SEC action or investigation; or, makes required or protected disclosures regarding securities violations. Under both laws, an employer is prohibited from discharging, demoting, threatening, harassing, or in any way discriminating against whistleblowers as it relates to their employment.
If their employer retaliates against them, whistleblowers may pursue different avenues of relief. Under SOX, whistleblowers may file a complaint with the Secretary of Labor and seek “all relief necessary to make the employee whole,” including reinstatement, back pay, and compensation for any special damages. 18 U.S.C. § 1514A(c). If dissatisfied with the outcome, the whistleblower can seek further administrative and judicial review, but first must exhaust these administrative remedies. 18 U.S.C. § 1514A(b)(2)(A). Under Section 922 of the Dodd-Frank Act, whistleblowers have a private right of action. If an employer violates this provision, the whistleblower may sue directly in federal court. If the whistleblower is successful, she would be entitled to reinstatement, two times the amount of back pay otherwise owed to her, and compensation for litigation costs and attorneys’ fees.
Relevant SEC regulations, such as Commission Rule 21F-17, 17 C.F.R. § 240.21f-17, also protect whistleblowers. This regulation prohibits employers from impeding communications with the SEC about possible securities violations, including by enforcing or threatening to enforce confidentiality agreements. This rule permits an individual to share documents, even those that the company may consider to be confidential, with the Commission in order to report possible securities violations. In Ms. Haugen’s case, according to the Wall Street Journal, Facebook has a confidentiality agreement in place that generally prohibits her from sharing proprietary information, but it allows her to communicate with regulators, Congress, and law enforcement. Other companies may have confidentiality agreements that are written more broadly, which might violate SEC Rule 21F-17.
Only the SEC can enforce this Rule 21F-17, and it has enforced it against companies with confidentiality agreements that impede an employee’s communications with the SEC. In one instance, a company had a provision in its severance agreement that required the departing employee to notify the company about any third-party disclosures. The SEC determined that the agreement violated Rule 21F-17 because it did not exempt communications with the Commission, and therefore created an impediment to a potential whistleblower’s communications with the SEC. The SEC Division of Examinations has also affirmatively reviewed companies’ documents, including compliance manuals, employment agreements, and severance agreements, to ensure that these polices are consistent with the protections afforded to whistleblowers under Rule 21F-17. Therefore, even where there are contractual prohibitions against sharing information with third parties, whistleblowers are nonetheless protected when they share internal documents with the Commission to report possible securities violations.
In addition to anti-retaliation protections, the Dodd-Frank Act created the SEC Whistleblower Program, which incentivizes individuals to come forward with information about possible securities violations. The Program offers monetary awards to whistleblowers who provide the SEC with original information leading to an enforcement action that results in over $1 million in monetary sanctions. A whistleblower’s right to seek an award under the Program cannot be waived by contract, such as a severance agreement, as the Commission concluded in a past order, because the SEC views such a prohibition as an impediment to the whistleblower’s communications with the Commission and therefore a violation of Rule 21F-17. More information on navigating the Program can be found in the SEC Whistleblower Practice Guide.
Documents Related to Fraud on the Government
Government contractors working in the tech industry may also be protected by the False Claims Act (FCA), 31 U.S.C. § 3729, et seq., if they report fraud on the government. The FCA prohibits the intentional presentation of false claims to the government for payment, which can include providing false information in connection with any claim for payment, and it allows private citizens to file a lawsuit on behalf of the government, known as a qui tam action. The FCA also includes an anti-retaliation provision, which prohibits retaliation against individuals who undertake “lawful acts . . . in furtherance of” a qui tam action or “other efforts to stop one or more violations” of the FCA.
In pursuing claims under the FCA, whistleblowers, known as relators in the qui tam context, may disclose documents to the government that their employers consider confidential when these documents are reasonably necessary to support the fraud allegations. For example, a court dismissed counterclaims for breach of contract alleging that an employee-whistleblower violated the confidentiality agreement by disclosing documents to the government and noted the strong public policy that protects whistleblowers from retaliation for reporting allegations of fraud to the government. However, whistleblowers must be careful not to take documents beyond those that show fraud, and relators who have indiscriminately taken large quantities of documents have not been afforded protections from claims by the employer for breach of contract.
Limitations and Potential Risks of Document Disclosures
While the FCA, SOX, and the Dodd-Frank Act provide robust protections to whistleblowers who report wrongdoing to government regulators, law enforcement agencies, or Congress, these laws do not provide absolute protection. The availability of protection for taking confidential documents depends on what the whistleblower takes, how much material she takes, and to whom she gives it.
If a whistleblower has information that may be deemed attorney-client privileged, for example, she should be careful not to disclose this information to any third party and should speak with a whistleblower attorney before making such a disclosure. Similarly, disclosures made to news outlets are not afforded the same protections as disclosures made to regulators, law enforcement agencies, or Congress. Nearly a decade ago, the Ninth Circuit held that disclosures to media outlets were not protected by SOX. Whistleblower protections for disclosures made to the press vary depending on the particular state or federal law, as well as the specific context and circumstances of the disclosure, so it is important to proceed cautiously and to seek the advice of a whistleblower attorney before sharing information with media outlets.
Further, if a whistleblower takes information that constitutes an employer’s trade secrets, the employer could sue for misappropriation of trade secrets. Such whistleblowers may have protection under the Defend Trade Secrets Act (the “DTSA”), which includes a safe harbor provision for whistleblowers in certain circumstances. The DTSA provides immunity from civil or criminal liability under any federal or state trade secret law for disclosure of a trade secret that is made either: (1) in confidence to government officials or to an attorney “solely for the purpose of reporting or investigating a suspected violation of law” or (2) in a complaint or other document in a legal proceeding, if that document is filed under seal. Whistleblowers may invoke this immunity when faced with an employer’s claim for misappropriation of trade secrets, but only if they disclosed the documents in one of these two circumstances.
Potential whistleblowers also should consider whether their actions might violate the Computer Fraud and Abuse Act (“CFAA”) if they use their computers to access their employer’s documents to provide support for their whistleblower claims. In general, whistleblowers should not fear prosecution under the CFAA so long as they access a computer with authorization and do not obtain information located in areas on the computer to which their access is prohibited. In Van Buren v. United States, 141 S.Ct. 1648 (2021), the Supreme Court held that an individual violates the law only when she accesses information that she is prohibited from accessing. This ruling protects whistleblowers, who prior to the Court’s opinion may have faced a CFAA claim by the employer for gathering documentary evidence for the purpose of supporting a whistleblower claim even though the whistleblower had not exceeded her authorized access on the employer’s computer. Even so, the interpretation of the CFAA under Van Buren means whistleblowers should be careful not to access areas of a computer that are off limits to them (i.e., specific folders with restricted access for only certain levels of employees to which the whistleblower does not belong), regardless of whether their purpose is to gather evidence to support their whistleblower claim.
Finally, employees should understand that the whistleblower laws discussed above do not protect disclosures to the press. In the case of Ms. Haugen, it is possible that Facebook could pursue an action against her for providing internal documents to media outlets, including claims for breach of contract or misappropriation of trade secrets. KMB partner Lisa Banks spoke with CNN about these potential risks in Ms. Haugen’s case.
Whistleblowers like Ms. Haugen are integral to holding companies accountable and assisting state and federal agencies in investigations against companies that may have engaged in serious misconduct. Strong public policy favors allowing whistleblowers to raise complaints without fear of retaliation from their employers. Whistleblowers have a number of protections available to them if they share documents with government regulators, law enforcement, or Congress, yet they should proceed cautiously and consult with an attorney before disclosing documents to the press. An experienced whistleblower lawyer can assist employees in understanding the scope of their rights and how to proceed in a manner that maximizes the protections and incentives available to them.
 See U.S. ex rel. Cieszynski Lifewatch Servs., Inc., 2016 WL 2771798, at *5 (N.D. Ill. May 13, 2016)
 See, e.g., U.S. ex rel. Cafasso v. Gen. Dynamics C4 Sys., Inc., 637 F.3d 1047, 1062 (9th Cir. 2011) (concluding that the relator’s “grabbing of tens of thousands of documents” was too overbroad and unreasonable to warrant protection from liability for breach of contract for violating the employer’s confidentiality agreement).
 Tides v. The Boeing Co., 644 F.3d 809 (9th Cir. 2011).
 Compare Pacheco v. Waldrop, 84 F. Supp. 3d 606, 609 (W.D. Ky. 2015) (holding that complaints made to newspapers did not qualify as protected disclosures for the purpose of protections under the Kentucky Whistleblower Act) with Dep’t of Homeland Sec. v. MacLean, 574 U.S. 383, 398-99 (2015) (holding that the federal employee-whistleblower’s public disclosures made to media were not “specifically prohibited by law” and were therefore entitled to protections under the Whistleblower Protection Act); Chambers v. Dep’t of Interior, 602 F.3d 1370, 1378-79 (Fed. Cir. 2010) (concluding that statements made by a federal government employee to a newspaper about a substantial and specific danger to public health or safety were protected disclosures under the Whistleblower Protection Act).
 See FirstEnergy Corp. v. Pircio, --- F. Supp. 3d ---, 2021 WL 857107, at*4-5 (N.D. Ohio Mar. 8, 2021) (concluding that the defendant-employee who shared documents with his attorney, who then provided documents to the government, was protected by the immunity provision of the DTSA because he provided these documents solely for the purpose of reporting a violation of the law).