Skip to Main Content

Keeping you informed

DOL Upholds Employee's Unauthorized Taking of Confidential Business Information Under SOX

    Client Alerts
  • November 04, 2011

Typically, an employee's unauthorized access to and misappropriation of his or her employer's confidential electronic business information results in termination of employment. However, a recent administrative decision from the Department of Labor's Administrative Review Board appears to encourage and protect such behavior by whistleblowers under the Sarbanes-Oxley Act (SOX).

In Vannoy v. Celanese Corp., the plaintiff was hired to help administer the company's expense reimbursement program. Unknown to his employer, Vannoy filed a claim with the IRS's Whistleblower Rewards Program, contending that Celanese's treatment of reimbursable business expenses violated tax laws. In pursuit of this claim, the employee accessed the company's computer system without authorization, and emailed documents to his personal account that contained Social Security numbers of thousands of Celanese employees. The company fired Vannoy for violation of its confidentiality policy, and filed a criminal complaint against him under the federal Computer Fraud and Abuse Act.

In response, Vannoy filed a retaliation claim against Celanese under SOX. In its decision, the DOL Board reached a number of conclusions that are highly troubling for employers. First, the Board concluded that the plaintiff's complaint fell under SOX's protections despite the lack of any apparent material impact on shareholders of the company. If the IRS Program falls within SOX's whistleblower protections, many types of low level employee complaints regarding mundane tax issues become highly protected behavior.

Second and more troubling, DOL's decision appears to give employees the go ahead to root through their employer's records looking for information that might support their claims. The Board concluded that such activities may be protected activity under SOX in some circumstances, if the behavior was otherwise lawful, and if the resulting information was not otherwise available to the regulatory agency.

This decision ignores employers' legitimate interest in preventing unauthorized employee access to their electronic systems. It also ignores the employer's right to issue and enforce neutral policies regarding use of these systems. Absent correction by federal courts, this decision represents a disturbing administrative expansion of SOX, and of employees' ability to engage in unauthorized "fishing expeditions" within company records.