Safely Collecting Documents for Whistleblower Suits - Interview With an Employment Attorney

In a recent interview with attorney Michael Filoromo we discussed some of the issues surrounding collecting documents to support pharmaceutical and medical industry whistleblower claims. Since this is an important part of the process and there are a number of issues that determine if an employee can legally take information from an employer we spoke with Michael again to bring some clarity to the question. This is the first part of the interview.

Michael is a partner with the whistleblower and employment law firm Katz, Marshall & Banks, LLP, in Philadelphia. He has helped achieve successful outcomes for numerous clients under the Sarbanes-Oxley corporate whistleblower protections, the False Claims Act and the anti-discrimination and retaliation protections of Title VII of the Civil Rights Act and corresponding state laws. He regularly represents whistleblowers in the pharmaceutical, healthcare, nuclear, railroad and aviation industries. Mr. Filoromo is the secretary of the Eastern Pennsylvania chapter of the National Employment Lawyers Association. He can be reached at

CP: There are a number of restrictions on what employees can safely take to support their whistleblower claims. Given that most companies will require that employees contractually agree not to share company information, is it possible for employers to put policies in place that make it impossible for employees to remove documents that support whistleblower claims?

Michael: Most employers will have policies in place that are broadly worded. Often an employee agreement will say that anything you learn in the course of your employment is confidential. However there are overriding considerations based on whistleblower laws, anti-discrimination laws, and general public policy that enable employees to report wrongdoing to law enforcement and regulators even where an employer-imposed agreement would prohibit it.

Historically, employers did not include language in agreements that specifically carved out exceptions to their confidentiality policies for things like disclosing information to regulators. As you can imagine, companies generally do not want to encourage their employees to make external reports. At the very least, they do not want to create the perception that maintaining confidentiality of documents is optional. More recently, though, regulators have cracked down on blanket restrictions because they discourage reporting by making employees concerned about termination or even criminal prosecution.  The SEC has been particularly active on this front, first by issuing a regulation prohibiting such restrictions several years ago, and then taking action against four companies in the past year or so for violating the regulation.

CP: How about a situation where an employee has left the company with a severance package that includes an agreement that the employee will not discuss the company. However, later the employee wants to file a whistleblower claim because they realize the company was involved in wrongdoing. Is the employee not able to file a claim or make a report?

Michael: Several issues come into play there. Typically when an employee is given a severance they have to sign a confidentiality agreement. The same exceptions apply however. If you have justification to report something to a regulator or the government then you can generally do that without regard to the agreement.

Another part of the answer though is that in 99% of the severance agreements you might sign, you are releasing any claims you may have against the company. So you can always report wrongdoing to law enforcement or regulators. But the question of whether you can bring a claim or recover money as a result of an enforcement action is not as clear.

For example in a False Claims Act suit (a qui tam), where you are bringing a suit on behalf of the government for fraud, some courts have made a distinction between a situation where the government already knew about the fraud – whether because of a lawsuit or some other report – versus one where the government was not aware of the fraud. If the government already knew about the fraud, then you may be able to release your right to bring a qui tam. The theory is that the government doesn’t lose anything because you’re not able to bring a qui tam, since it already knows about the fraud. If the government didn't know about the fraud, then there is some case law that suggests that even if you sign a full release, you can still bring that claim. That is because the policy underlying the False Claims Act is to prevent and correct fraud against the government. It is not cut and dry, but that is the distinction.

Other whistleblower programs are different, and different considerations come into play.  The Securities Exchange Commission (SEC) and the Commodities Futures Trading Commission (CFTC) whistleblower programs do not require an individual to file a lawsuit. Instead, the person files a tip with the agency through the whistleblower program, and if the tip results in the government recovering proceeds over $1 million, the person can receive a reward. You cannot release your right to file a tip, so the question is whether you can release your right to receive a reward. There is a strong argument – one that the SEC agrees with – that a company can’t force you to release your right to an award. There are a number of reasons for this that we can get into, but one is that the money for a reward does not even come from the company – it comes from a fund established by Congress specifically to reward tipsters.  And the reward generally has nothing to do with claims you may have against the employer.

The Department of Labor has also taken a firm position against agreements prohibiting communications with government agencies or prohibiting an employee from receiving a whistleblower award.  As your readers may know, the DOL, and OSHA in particular, administers and adjudicates cases that arise under a couple dozen whistleblower-protection laws.  OSHA just recently announced that it will not approve any settlement agreement that contains such restrictions, which will have a big impact on what employers can require of employees when they settle complaints of retaliation.  

CP: From some of the information I have read, it sounds like who you share the documents with is important when considering if taking and sharing documents is protected.

Michael: It is often the case that you can safely share documents with your attorney because you have a confidential, privileged relationship. You are not disseminating the documents in a way that could really damage the company. Even then, there are things that can be problematic. There are some exceptions now for sharing information concerning trade secrets, but communications subject to the company's attorney-client privilege are generally off-limits. Privileged information would include things that the company discussed with counsel, including in-house counsel, for the specific purpose of obtaining legal advice.  That often means any communications that you as an employee of the company had with the company’s lawyers.  So when communications involve a company lawyer it should give you pause.

CP: So if an employee has any doubt about whether taking certain documents is protected, should they consult their attorney first?

Michael: If possible. That is not always an option obviously. It is important to step back and look at some of the factors. The watchword is always reasonableness. So what does reasonable mean? Courts don't always agree. As you can imagine, attorneys on either side often don't agree either.

In the whistleblower context, judges are still working out what is reasonable. There is case law they look to in Title VII of the Civil Rights Act of 1964. Some of the concepts for Title VII retaliation claims are analogous to issues involved in whistleblower retaliation claims.

There is a recent decision in the Title VII context that I think provides guidance for whistleblowers as to what is reasonable in collecting documents. The court looked at several factors. These included: how did you obtain the documents, who did you give the documents to, and what was the content of the documents? Some things like trade secrets are obviously valuable to the company. But other things like non-sensitive emails may be things the company wouldn't want shared, but are not as inherently valuable or important to the company. That is a consideration.

Another factor is, why did you take the documents? Was the employee legitimately concerned about them being destroyed? If so that could be a good reason.

Also important is whether the employee would be allowed to access the documents during the normal course of their duties? If you work in finance and you are looking at financial records, then that is fine. However if you are in research and development or even sales and you are digging into accounting and financial documents on a part of the server that you normally would not access, that is probably outside the scope of your duties. The government wants information, but doesn't want employees ransacking their employer's records.

It's not a sharp line, but with those factors you get some idea of what the court is looking at in trying to determine if it is ok to take the document, was it ok to share it outside the company, etc.

CP: Can you say from a legal sense, what is meant by, “unauthorized computer access”? Does this only mean what people might call “hacking” into a computer system, or could it also include a situation where even though a company might leave files accessible to all, an employee would have no reason to access those files to perform their duties?

Michael: The term “unauthorized access” comes up specifically in laws that prohibit computer trespass or theft, such as the federal Computer Fraud and Abuse Act, a primarily criminal law which prohibits accessing a computer system “without authorization.”  Unfortunately, the law itself does not define “without authorization,” and the courts have not clarified its meaning with great success either.  It’s easy to see that an outsider who hacks into a company’s system is trespassing  without authorization, but it’s a lot harder to reach that conclusion when an employee simply looks at a file that’s within the area to which he normally has access, especially where the employee is uncovering serious wrongdoing and not trying to steal trade secrets or other such information and give it to a competitor.

CP: So to continue with an example, suppose a sales rep who would not normally access financial data finds they have access to information – not through bypassing security but finding that the information is readily available to them. But in accessing the information, they discover evidence of fraud or criminal activity. Would the employee in this case still have a problem reporting this in that they have accessed the information without authorization?

Michael: It might still be considered unauthorized access, but you can’t un-see what you’ve seen. You now know that fraud or criminal activity is occurring, and you know that hard evidence exists. You have the right to report such information. But it is important to tread very carefully when looking into areas that you do not normally access in the course of your work. I would always recommend talking with counsel before venturing into that type of activity.    

Another consideration is that you don't necessarily have to take the document. Just knowing a document exists and being able to provide a regulator or law enforcement with information about the underlying conduct is helpful. It is not as good as being able to hand over the document with evidence of wrongdoing, but you can explain where and how you came across it, and what was in the document. And if the document is no longer there when the government asks for it, it certainly doesn't look good for the company.

CP: Apparently Dodd-Frank specifically provides some protection that is not specifically provided in the context of the False Claims Act or regulations involving IRS whistleblowers. Is that correct?

Michael: Unlike the False Claims Act and many other whistleblower laws, there is a specific rule under Dodd-Frank saying that you can't impede a whistleblower from making a report to the SEC, including – and it specifically says this –  by enforcing a confidentiality agreement. That is remarkable, and it is new with respect to whistleblower law. The SEC has enforced the rule aggressively and has actually gone after companies for having over-broad confidentiality agreements. They have done this even when there is no evidence that the confidentiality agreement actually prevented an employee from reporting something. They just don't like the chilling effect that can have on reporting.

Though there aren't analogous provisions in the False Claims Act and other laws, there are the exceptions I mentioned for making reasonable disclosures to law enforcement of evidence of wrongdoing. There is also a backlash among enforcement agencies against employers using broadly worded, purportedly all-encompassing confidentiality agreements. So though Dodd-Frank is unique in that it has specific regulations, agencies like the National Labor Relations Board have pushed back against these types of blanket policies.

End of part one of the interview. The second part of the interview can be found here.

CP Wire

Submit an article to cafepharma's CP Wire. Click here to find out more.

current feelings about your job

Please rate how you feel about your job this moment. 1 = "I hate my job" and 7 = "I love my job"
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Fill in the blank.