On Whistleblowers and Access to Data
An interesting bit of whistleblower retaliation news for those who follow the subject: the co-founder of a cyberfraud prevention company that itself imploded in fraud two years ago has agreed to pay $97,000 to settle charges that he obstructed a corporate whistleblower by restricting that employee’s access to internal systems.
Peirce
The settlement, announced Tuesday by the Securities and Exchange Commission, sparked a dissenting statement from Republican commissioner Hester Peirce. She complained that the SEC’s whistleblower protection program is only meant to assure that whistleblowers can communicate with the SEC — not necessarily to assure that whistleblowers have unfettered access to corporate data they might want to use to press their case. Such a broad interpretation of whistleblower protection rules, Peirce said, could prohibit companies from limiting employees’ access to data.
It’s an interesting point to ponder in whistleblower protection. So let’s unpack the facts here and do just that.
The company in question is NS8, one of the more colorful cases of corporate misconduct we’ve seen in recent years. In the late 2010s NS8 was a technology darling, raising $150 million from venture capital firms with gauzy promises of selling software to detect fraud in e-commerce transactions.
Behind the scenes, however, founder and CEO Adam Rogas had been doctoring bank statements and other corporate documents to falsify NS8’s revenue numbers. Rogas misled investors to raise a bundle and then pocket millions for himself, while the company actually had almost no money. NS8 went bankrupt in 2020, and just last month Rogas pleaded guilty to fraud charges in federal court. He now faces up to 20 years in prison.
The whistleblower case involves an unnamed employee at the company and David Hansen, who was NS8’s co-founder and chief information officer. The SEC filed civil charges against Hansen for interfering with that whistleblower’s efforts to report NS8’s fraud back in 2019.
That brings us to the facts of the case, and whether the SEC was or wasn’t justified in bringing charges against Hansen. (In this week’s settlement, Hansen neither confirms nor denies the allegations brought against him.) This is where it gets thought-provoking.
Allegations of Fraud and Spying
As detailed in the SEC’s settlement order, the whistleblower first tried to raise concerns internally about the company’s bogus numbers in 2018 and 2019, before the SEC knew anything was amiss. Apparently that didn’t produce the desired results, so the whistleblower hired a lawyer and submitted a tip to the SEC in July 2019.
The following month, the whistleblower raised his concerns with Hansen directly, even though the whistleblower didn’t report to Hansen on the org chart. He warned Hansen that if NS8 didn’t rectify its false numbers, he would tell the company’s customers, investors, and anyone else about the fraud scheme. Hansen then told the whistleblower to take his concerns to his immediate supervisor or to Rogas personally.
Later that day, the whistleblower did call his immediate supervisor and made the same threats. The supervisor then reported that conversation to Hansen, who promptly emailed Rogas, “[P]lease call me ASAP. This is EXTREMELY URGENT.” When they spoke, Hansen told Rogas that the whistleblower might spill the beans about a securities law violation.
After Hansen and Rogas talked, the SEC says, they both worked to limit the whistleblower’s access to internal corporate databases. For example, at one point, Rogas told Hansen that he removed the whistleblower’s administrator privileges to one system but kept read-only access “so it looks like an error.”
Hansen also offered to spy on the whistleblower’s laptop remotely (“I can watch what he is doing if we care”), and used NS8’s administrative account to access the whistleblower’s company computer. He shared the whistleblower’s password with Rogas. Later that week, Rogas fired the whistleblower.
Creepy? Yes. Behavior so intrusive as to violate the SEC’s whistleblower protection rules? Well, that brings us to Peirce’s statement.
Define ‘Actions to Impede’
Peirce argued that SEC whistleblower protection rules only say a whistleblower must have the ability to speak directly to the SEC — and nothing NS8 or Hansen did to the whistleblower (as outlined in the SEC settlement, at least) prevented him from doing so. Restricting access to data, she argued, isn’t the same as impeding a whistleblower’s ability to approach the SEC. Her words:
[SEC whistleblower rules] ensure the whistleblower’s entitlement to speak directly to the Commission, and NS8 did not prevent the NS8 employee from doing so. Actions that limit access to company data do not necessarily limit access to the Commission. Mr. Hansen’s actions, as reported in the order, did not hinder the NS8 Employee’s communications with the Commission regarding his already-submitted tip.
Peirce does concede that if Hansen knew about the tip, then his actions might have violated the whistleblower rules — except, nothing in the settlement order says that Hansen did know about the tip. (Were there other, more damaging allegations against Hansen that were negotiated out of the settlement order, that might undermine Peirce’s argument? We’ll never know.)
The allegations we do have, Peirce said, create a slippery slope where the SEC could sanction a company for taking legitimate actions to restrict employee access to data:
A plausible inference, based on the facts recited in the order, is that Mr. Hansen was concerned about the NS8 employee’s threat to disclose confidential company data “to NS8’s customers, investors, and any other interested parties.” [The SEC whistleblower protection rule] by its plain terms applies only to communications with the commission. We should not read it in a manner that complicates a company’s ability to act to protect its data in the face of sweeping disclosure threats, even well-intentioned ones by concerned employees.
Does Peirce have a point? Well, yes and no.
She’s not wrong to say that companies do have a legitimate interest in restricting employee access to corporate data. Indeed, restricting access to data is a crucial control for cybersecurity and anti-fraud efforts. When there isn’t any allegation of fraud, and it’s just an employee threatening to share confidential data with outsiders — sure, firing that person is perfectly reasonable, with a civil lawsuit thereafter.
On the other hand, at an abstract level, Peirce’s textualist interpretation of SEC rules seems somewhat divorced from reality. If whistleblower protection rules only cover an employee’s ability to speak to the agency, what would that mean in practice? There’s no redress unless the company is physically restraining the whistleblower from calling the agency or visiting the local SEC office?
As a practical matter, restricting a would-be whistleblower’s access to company data can have an intimidating effect. That’s an impediment to unfettered communication with the SEC, and the rule expressly says: “No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation.”
So, yes: a company can and should govern employee access to data, even when employees might be raising concerns about misconduct and threatening to report to the SEC. But, no: a company can’t use that principle as a club to hold over a whistleblower’s head.
If we were going to draw any broad lesson from Hansen’s case, it’s this: senior managers shouldn’t handle allegations of fraud and misconduct alone. They need to bring compliance professionals into that conversation immediately, to provide proper guidance.
As to Peirce’s fears about a slippery slope — well, they might be valid in some cases, but much more often, the slippery slope is continued intimidation of whistleblowers. That’s what I worry about.