Over the past decade or so, corporate governance has undergone a dramatic transformation largely due to legislative efforts to facilitate—and even compel—the reporting of misconduct. Unfortunately, these efforts are failing. Why? Because of the difficulties posed by the competing sides of the privacy question: on the one hand, an increase in reporting of suspected misconduct can lead to unfair charges on the innocent (destroying careers in the process); on the other, the intended safeguards of the whistleblowers in this kind of action are impractical and insufficient. Even with legislative protection, the corporate whistleblower faces a substantial risk of retaliation and other adverse consequences.
At the federal level, recent legislative efforts began with the Sarbanes-Oxley Act of 2002, which required public companies to develop means of reporting misconduct while simultaneously banning retaliation against those who report misconduct. Similar thinking was evident in the American Recovery and Reinvestment Act of 2009 and the Troubled Asset Relief Program: reporting channels were made available to whistleblowers and retaliation was prohibited. The trend continued, and indeed reached new heights, with the 2010 enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act. "Dodd-Frank" created a bounty system for whistleblowers to bypass internal compliance programs and report concerns of misconduct directly to the Securities and Exchange Commission (a move that faced substantial opposition from the community of corporate general counsels and compliance officers who would prefer, of course, to keep such matters in-house). Dodd-Frank even provided for confidential reporting, provided certain conditions were met. Ultimately, I believe that these efforts, despite their good intentions, will continue to fall short of the goal of protecting those who do come forward to report misconduct because they fail to acknowledge the fundamental conflict between reporting and privacy as well as the inability of the law to protect those who are brave enough to come forward.
The first problem is reconciling privacy interests. In Europe, which has a dark history of governments encouraging people to “report” on each other, the European Union Data Protection Directive was written to safeguard those accused of misconduct from the kinds of reckless or vindictive charges that might be likely to result, for instance, from anonymous reporting. The belief in Europe is that people targeted in such reports should know about them and have an opportunity to defend themselves (as in our Sixth Amendment right to face one’s accuser). While the Supreme Court has discovered a right to privacy in the Constitution (in Griswold v. Connecticut and then later in Roe v. Wade), it has been limited to private behavior, not professional conduct. Yet, here there is potential for abuse of privacy in offering substantial financial rewards to those who rat out a co-worker.
Another, and in some ways more significant, problem is that efforts to compel and encourage whistleblowers fail to account for what really happens to people who become whistleblowers. A closer examination reveals why even financial incentives to encourage reporting are not sufficient for many people and why, despite what the law says, whistleblowers fear that they cannot be protected from retaliation.
To be successful, legislative efforts will have to address the factors that cause people to resist reporting misconduct. First, most people who discover information about possible misconduct are able to do so because they work in a collective enterprise that is filled with personal relationships that they risk destroying by coming forward. In other words, no one really wants to rat out a colleague.
Second, the bounties we have created are undermined by timing issues. The essential point here is that a bounty is awarded only at the end of a process that usually takes several years. On the other hand, a person’s decision whether to report misconduct is made at a point when there is no assurance that any bounty will ever be forthcoming.
Third, the timing problem is made all the more problematic by substantive and procedural requirements. For example, how does a whistleblower under Dodd-Frank know whether his or her information is original or will ultimately lead to the government’s recovery of $1 million or more (both prerequisites to receiving a bounty)? Our collective concern for due process and our belief in the adversarial system of law has resulted in other procedural barriers that are just as formidable. Reporting misconduct in a way to be eligible for a bounty is a complicated process. It is also a complicated process to succeed on a claim for retaliation for reporting. Moreover, a retaliation lawsuit often destroys relationships and involves the loss of a job and difficulty in finding another, and it can take years to resolve.
Fourth, the blunt truth is that current whistleblower laws are ill-equipped to protect whistleblowers from many of the types of retaliation they are likely to experience. Despite the prohibition against retaliation for good faith reports, laws and policies can do little to punish the types of subtle treatment by supervisors that is under the radar or the retaliation inflicted by non-supervisory peers. It is difficult if not impossible to hold an employer accountable for these subtle types of retaliation, but they can have every bit as much of a chilling impact as more overt forms of retaliation.
All of these factors combine to teach most people that reporting misconduct is not worth the cost, even with potential bounties such as those offered by Dodd-Frank or the False Claims Act (which was enacted during the Civil War). What we need are better mechanisms to help employees address misconduct issues. Compliance officers, HR, and line supervisors can provide guidance to employees, but each of these functions is a formal management reporting channel. That means that they must investigate and act on any possible misconduct that comes to their attention. Consequently, an employee cannot discuss issues with them without also risking that they will commence an investigation.
Rather, what workers need is first, a knowledgeable and confidential resource with whom they may discuss their concerns and obtain information or guidance about the company’s policies, procedures, and reporting options before having to make the commitment to make a report; and, second, a way to surface issues without having to be identified as the whistleblower. Only by separating management responsibilities from the role of providing advice and guidance to workers can the case for confidential communications be made.
As many corporations are now discovering, an organizational ombudsman is just such a resource. An ombudsman is a person or office—working under a charter that assures independence, neutrality, informality, and confidentiality—with whom an employee may speak confidentially and off-the-record about work-related concerns or questions. The organizational ombudsman office has no management or policy responsibilities but is staffed with employees who know the company and can provide a potential whistleblower with options for reporting so that they can decide whether to report and, if so, how. By presenting and discussing various reporting options, organizational ombudsmen can often find ways to surface an issue for one of the company’s formal channels to investigate without either compelling the inquirer to become a whistleblower or specifically identifying a target of the concern.
Recent American history has demonstrated the need for more careful oversight of corporate conduct and the importance of the whistleblower as an agent of sound business practice. But as Congress’s efforts demonstrate, legislative attempts to fix our corporate governance problems—by offering bounties, sanctioning anonymous reporters and encouraging reports of misconduct directly from employees to the SEC—are not likely to be successful and could prove to create more problems than they solve. A better answer would seem to lie in corporations aggressively addressing their own internal procedures in a way that safeguards constructive reporting and, through that, mitigates the need for governmental intervention.
Charles Howard is a partner with Shipman and Goodwin, a Hartford, Connecticut law firm, and the author of The Organizational Ombudsman: Origins, Roles and Operations-A Legal Guide, published by the American Bar Association in 2010.