Compliance & Ethics September 2015 Professional a publication of the society of corporate compliance and ethics www.corporatecompliance.org Meet May Jane Coulson Manager of Inter-Institutional and Administrative Coordination, Office of the Administrator/CEO, Panama Canal Authority, Republic of Panama See page 16 29 Some thoughts on antitrust risk assessment Robert E. Connolly 35 Binding Corporate Rules, Part 4: From creation to approval Jan Dhont, Alyssa Cervantes, and Delphine Charlot 39 Corruption within Compliance in higher education Diane T. Hockenberry 49 CCO Liability: Mixed messages from the SEC Scott Killingsworth This article, published in Compliance & Ethics Professional, appears here with permission from the Society of Corporate Compliance & Ethics. Call SCCE at +1 952 933 4977 or 888 277 4977 with reprint requests.
by Mary Beth Bosco, Robert K. Tompkins, and Kwamina Williford Growing whistleblower and investigation risks for government contractors Congress and the executive agencies are scrutinizing standard confidentiality, non-disclosure, and other agreements for potential chilling effects on whistleblowers. Employee and third-party agreements may not unduly limit employees ability to report suspected fraud, waste, or abuse to the government. Federal government contractors are subject to multi-layered statutory and regulatory prohibitions on whistleblower retaliation and must be aware of changes in government policy. Recent changes have expanded protected whistleblower activities, so those designated to receive employee complaints must be trained how to handle both the complaint and the employee making the complaint. Adoption of government-identified best practices minimizes the risk of a government investigation or adverse action. The federal government s whistleblower protection advocacy has been very evident in 2015. Both executive agencies and Congress have taken aim at standard corporate practices, such as employee confidentiality agreements, arguing that these agreements stifle potential whistleblowers. This activity adds another layer to the very specific whistleblower program mandates and reprisal prohibitions imposed on federal government contractors. Examined against the backdrop of the existing government contractor whistleblower protection programs, these recent developments signal a set of best practices that contractors can adopt in order to minimize the risk of whistleblower reprisal actions as well as defend against any claims that do occur. They also suggest some areas where refinement is needed and pushback may be appropriate. Recent executive and congressional efforts to protect whistleblowers The federal government has been focusing on the impact of employee confidentiality agreements on potential whistleblowers. Earlier this year, the Securities and Exchange Commission (SEC) issued a cease-and-desist order to KBR, Inc. alleging that a standard KBR employee confidentiality agreement violated the Dodd- Frank Act s whistleblower protections. The offending form prohibited employees who participated in internal reviews from discussing the interview with anyone without the prior Bosco Tompkins Williford Compliance & Ethics Professional September 2015 +1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 73
Compliance & Ethics Professional September 2015 authorization of the KBR Law department. The SEC maintained that this language impeded the employees ability to communicate with the government regarding possible securities law violations. At the same time, the SEC admitted that it did not find any instances in which the confidentiality agreement actually prevented whistleblower activities or in which KBR had acted to enforce the agreement. KBR paid $130,000 to settle the matter, and agreed to revise the language of the confidentiality agreement to state that nothing in the agreement prohibited employees from reporting possible violations to the government. The KBR/SEC settlement was not an isolated incident. According to press reports, the SEC sent information requests to several other companies seeking copies of employment agreements, non-disclosure agreements (NDAs), and other documents containing confidentiality obligations. The SEC action coincided with the State Department s Office of Inspector General s (IG) release of a report (The State IG Report) examining the use of employee confidentiality agreements by its 30 largest contractors. 1 Congress has joined in the concern regarding confidentiality agreements. The Further Consolidated Budget Resolution Act of 2015 bans funding to contractors, subcontractors, and grantees that employ confidentiality agreements deemed to prevent whistleblower activities. 2 These and other whistleblower protections, however, need to be balanced against a government contractor s legitimate need to Multiple regulations and specific pieces of legislation contain whistleblower protection provisions that are specific to federal government contractors. protect confidential business information. The State IG Report recognizes this tension, at least to an extent. It provides a framework for development of workable confidentiality language and it also identifies the five components of what it deems to be a compliant whistleblower protection program. The report therefore provides State Department and other contractors with guidance as to the IG s view of best practices in this area. The next section of this article outlines government contractorspecific whistleblower protections in order to provide context for the State IG Report. Whistleblower antireprisal requirements specific to government contractors Multiple regulations and specific pieces of legislation contain whistleblower protection provisions that are specific to federal government contractors. The civilian and defense acquisition regulations Protecting whistleblowers from retaliation has been a general requirement for many years. Department of Defense (DoD) and civilian contractors are subject to an increasing number of specific whistleblower protection regulatory schemes (exceptions exist for Intelligence Community contractors and employees designed to protect the unauthorized disclosure of classified information). Federal Acquisition Regulation (FAR) Part 3.9 implements the 2013 National Defense Authorization Act s (NDAA) four-year pilot program (ending September 30, 2017) for contractor employees. The program protects 74 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977
from reprisal employees of both contractors and subcontractors who disclose information that the employee reasonably believes is evidence of (1) gross mismanagement of a federal contract; (2) a gross waste of federal funds; (3) an abuse of authority relating to a contract; (4) a substantial and specific danger to public health or safety; or (5) a violation of law, rule, or regulation related to a federal contract or bid or proposal. The FAR provisions contain a lengthy list of potential recipients of protected whistleblower allegations: (1) members of Congress or congressional committee representatives; (2) an Inspector General; (3) the General Accountability Office; (4) a federal employee with contract oversight or management responsibility; (5) the Department of Justice; (6) a court or grand jury; or (7) a management official or other employee of the contractor or subcontractor with responsibility to investigate or address misconduct. The pilot program is significant for several reasons. First, it protects not just contractor employees, but subcontractor personnel, setting up some potentially thorny situations. For example, who may be liable if a subcontractor employee reports on potential violations by the prime contractor and is subsequently assigned to another project by the subcontractor? Could the prime contractor be the subject of a reprisal complaint based on the terms of its subcontract or actions of its subcontractor? To protect themselves, The pilot program is significant for several reasons. First, it protects not just contractor employees, but subcontractor personnel, setting up some potentially thorny situations. prime and subcontractors may want to perform diligence on each other s respective whistleblower protection policies and practices, and consider addressing the issue in subcontract agreements. Further, the pilot program does not limit protected activities to reports to the government: An employee can claim protection if he/she made a report to a supervisor. If that supervisor is not trained to handle the report or the employee properly, the company might be exposing itself to added risk. This provision should also prompt companies to review how they designate the employees who are assigned to receive reports of alleged misconduct. Under the FAR regulatory scheme, an employee who believes he/she has been subject to retaliatory action may file a complaint with the Inspector General of the relevant agency. If the agency finds that the contractor or subcontractor subjected the employee to a prohibited reprisal, the agency may order the company to take remedial action, including reinstatement and back pay. The employer may also be liable for the employee s costs of pursuing the reprisal complaint. The parallel DoD whistleblower regulations contain similar provisions defining the scope of protected whistleblower activities, the persons to whom protected disclosures may be made, and the range of remedies. 3 In its last semi-annual report to Congress, the DoD IG referenced 76 investigations of defense contractor reprisal allegations in the most recent fiscal year. Compliance & Ethics Professional September 2015 +1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 75
Compliance & Ethics Professional September 2015 The report found only one instance of actual reprisal, but the number of investigations points to the importance of a good whistleblower reporting and protection program in terms of preventing reprisal accusations and defending against claims when they do arise. A new avenue for whistleblower reprisal complaints Further evidence of the expanding range of whistleblower encouragement when government contractors are involved came at the beginning of 2015 in the form of regulatory changes proposed by the U.S. Office of Special Counsel (OSC). OSC has investigated government employees reports of fraud, waste, and abuse for decades. It is now proposing to enlarge its jurisdiction to take complaints from contractor, subcontractor, and grantee employees. Once it receives a disclosure, OSC must determine whether there is a substantial likelihood that it concerns a violation of any law, rule, or regulation; gross mismanagement or gross waste of funds; abuse of authority; or a substantial and specific danger to public health or safety. Under the proposed regulations, if OSC makes a substantial likelihood determination, it must turn the matter over to the relevant agency Inspector General. By opening OSC to receipt of reports by contractor employees, the government is placing another protective layer Further evidence of the expanding range of whistleblower encouragement when government contractors are involved came at the beginning of 2015 in the form of regulatory changes proposed by the U.S. Office of Special Counsel (OSC). between the employee, the employer, and the contracting agency with whom the employer does business, thus potentially easing an employee s reprisal concerns. Congressional funding ban Title VII of the Further Continuing Budget Resolution Act of 2015 created another significant mandate for contractors. The Act prohibits use of FY 2015 funds to contract with an entity that requires employees or subcontractors to sign internal confidentially agreements or statements prohibiting or otherwise restricting such employees or contractors from lawfully reporting fraud, waste, or abuse to a designated investigative or law enforcement officials. DoD already has drafted a contract clause implementing this prohibition. 4 That clause expressly states that submission of an offer in response to a solicitation containing the improper confidentiality provision constitutes a representation by the contractor that it does not require its employees or subcontractors to sign an offending agreement. This language serves as a caution that False Claims Act liability may be visited on any contractor who falsely represented that it does not use an improper confidentiality clause. It also underscores the importance of the necessity for a review of a company s employment agreements, confidentiality agreements, NDAs, and other restrictions on discussing company business. 76 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977
Navigating employee and whistleblower protections The SEC cease-and-desist order, the State Department IG Report, and the congressional funding ban all focus on employee confidentiality agreements. Taken together, they point the way towards an acceptable medium between the employee s rights to report perceived fraud, waste, or abuse, and the employer s rights to protect confidential business information and attorney-client privileged discussions. By identifying whistleblower best practices, the State IG Report suggests some specific means of risk mitigation for all government contractors. Confidentiality agreements The State IG Report surveys the practices of its 30 largest contractors for handling whistleblowers. The report found that all of the companies had some form of employee confidentiality agreements, but that none expressly precluded disclosures to the government. Notably, the report did not take exception to those agreements that state a duty to keep company information confidential, so long as they did not sweep evidence of fraud, waste, and abuse into the definition of confidential information. However, the report did critique policies that required employees to notify company officials if they are contacted by a government auditor or investigator, or that imposed a nondisparagement obligation on the employee without an exception for whistleblower activities. The State IG Report and the SEC settlement read together support some general principles for drafting confidentiality and other corporate policy statements: Companies should collect and review their employment and consultant agreements, NDAs, and investigation and audit policies for potentially problematic language; Any confidentiality restrictions or non-disparagement agreements must make clear that they do not prohibit protected disclosures to the government; Contractors may place restrictions on the dissemination of confidential information, but they should pay attention to the definition of confidential information to avoid the appearance of impeding reports of wrong-doing to the government; and Government contractors should incorporate into their policies and procedures an express statement that the corporation and its employees must cooperate with government audits and investigations. Although these three principles fairly reflect the government s whistleblower protection aims, some of the government s recent positions deserve a closer look and a more nuance approach. For example, not impeding an employee s ability to make reports about events underlying misconduct seems quite appropriate, but a requirement preventing employers from seeking to maintain confidentiality over internal investigations, including interviews of witnesses by legal counsel, likely goes too far. A breach of those confidential communications might eviscerate application of the attorney-client privilege. Thus, an approach that balances the employee s ability to speak with the government with the employer s right to maintain the attorneyclient privilege may need to be developed. In addition, the suggestion that employees cannot be compelled to inform their employers of contact by or with government investigators also deserves closer consideration. Such a requirement could have a chilling effect on employees uses of hotline and other reporting mechanisms prescribed by the FAR and elsewhere. In addition, this suggestion Compliance & Ethics Professional September 2015 +1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 77
Compliance & Ethics Professional September 2015 could be construed as reflecting an anticontractor bias in its apparent presumption that contractors will retaliate against any employee who communicates with the government. Most contractors maintain robust and effective compliance programs. In many cases the company itself is in the best position to evaluate and address misconduct. Walling off the company from potentially important information will compromise a fundamental element of those compliance programs, which is to detect fraud and other forms of misconduct. Finally, the recent policy shifts could be construed to require every employee to be treated as a whistleblower, whether they are or not. Faced with a situation where all employees are required to disclose suspicions of misconduct to the government, but employers are not allowed to inquire whether the employee has contacted government officials, puts employers in a vexing position, particularly in the context of internal investigations. Presumably an employee is only being interviewed in an investigation because they hold some knowledge relevant to suspected misconduct. Given the mandate for the employee to report such information to the government, it seems logical that the employer would be compelled to treat that witness as a whistleblower. Adverse employment action with respect to that employee could set up the company for claims of reprisal. The best defense Practices that explain employee rights and protect whistleblower activities may be the best defense in the event of reprisal accusations. If, as suggested above, there is a perception among government enforcement authorities that contractors are apt to take retaliatory action, the best defense may be maintenance of an effective compliance program. The State IG Report is helpful in this regard in that it lists practices that are useful in encouraging employees to report fraud, waste, or abuse. These are: (1) an internal hotline for reporting violations of law, fraud, waste, or abuse; (2) display of a federal agency fraud hotline poster; (3) incorporation of the FAR anti-retaliation and other code of business conduct provisions in the company s policies or code of ethics; (4) informing employees that the they have the right to contact the government; and (5) advising employees of the company policy to cooperate in government audits and investigations. Interestingly, none of the 30 contractors surveyed for the State IG Report employed all of the five best practices. According to the report, very few incorporated the FAR provisions into their own policies and codes of conduct, and only one-fifth of the contractors advised their employees of their right to contact the government. The State IG Report therefore presents a useful framework. An employer that implements the five best practices, or a majority of them, may be better equipped to defend a whistleblower reprisal complaint. In addition, a well-defined reporting and reprisal protection policy ensures against some of the risks raised by the various whistleblower regulations, for example: The FAR pilot program offers whistleblower protections to an employee who reports an alleged violation to a supervisor with responsibility to address misconduct. Contractors should therefore carefully evaluate who within their companies are designated as having this responsibility and ensure that these individuals are trained in both how to handle the complaint itself and the employee making the complaint; Contractors should ensure that their policies or employee handbooks contain instructions for reporting misconduct 78 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977
as well as affirmance of an anti-reprisal policy; and Contractors should examine third-party agreements to evaluate whether they can be viewed as impeding whistleblower activities or can expose the contractor to risk. These examples illustrate the types of activities that federal contractors should review in order to minimize the risk of whistleblower reprisal allegations and maximize the potential for a successful defense if allegations do arise. 1. Office of Evaluations and Special Projects, Office of Inspector General, U.S. Department of State: Review of the Use of Confidentiality Agreements by Department of State Contractors, March 2015. Available at http://bit.ly/oig-state 2. The Further Consolidated Budget Resolution Act of 2015, Division C. Available at http://bit.ly/acq-osd-mil 3. Defense Federal Acquisition Regulation Supplement (DFARS) 203.903 and 906; 48 C.F.R. 203.903 and 203.906. Available at http://bit.ly/acq-osd-2 4. DFARS 252.203-7998; 48 C.F.R. 252.203-7998. Available at http://bit.ly/acq-osd-2 Mary Beth Bosco (Marybeth.bosco@hklaw.com), Robert K. Tompkins (Robert.Tompkins@hklaw.com), and Kwamina Williford (Kwamina.Williford@hklaw.com) are all Partners at Holland & Knight in Washington DC. Upcoming SCCE Web Conferences 9.3.2015 Interacting with Government Officials: Ten Tips to Ensure Compliance WESLEY D. BIZZELL, Assistant General Counsel, Altria Client Services LLC 9.17.2015 Cyber Attacks and Liabilities - Why Do So Many Organizations Keep Getting Hacked, Sued, and Fined? RICK SHAW, CEO/President, Awareity 9.9.2015 Cyber Threats and Business Critical Information: Steps to Reduce Risks and Protect Assets PAMELA PASSMAN, President and CEO, Center for Responsible Enterprise and Trade (CREATe.org) ALLEN N. DIXON, Intellectual Property Counsel, Center for Responsible Enterprise and Trade (CREATe.org) 9.10.2015 Ethics and Compliance from the Board s Perspective ADAM TURTELTAUB, VP Membership Development, SCCE/HCCA LES PRENDERGAST, Senior Analyst, NYSE Governance Services LERIC MOREHEAD, Head of Advisory Services, NYSE Governance Services 9.14.2015 Too little in the middle? Engaging middle management to enhance your ethics and compliance program CHARLOTTE NAFZIGER, CHC, CCEP, Director of Compliance, T-System 9.21.2015 Writing Effective Investigation Reports MERIC BLOCH, CCEP-F, CFE, PCI, LPI, Principal, Winter Compliance LLC 9.22.2015 5 Fresh Ideas for Anti-Bribery and Corruption Training MATT PLASS, Chief Learning Officer, Interactive Services PATRICIA AQUARO, Dean of the School of Risk and Compliance at BNY Mellon s BK University, BNY Mellon 9.23.2015 Proactively Detect Insider Breaches and Data Theft by Employees and Contractors JOHN VASTANO, PhD, Chief Scientist, Veriphyr ALAN NORQUIST, CEO, Veriphyr 10.21.2015 Data Breaches and Sponsored Research DANIEL R. WALWORTH, partner, Duane Morris LLPr 11.10.2015 Third-Party Risk Management: Reducing the Costs of Third-Party Compliance JENNIFER CHILDS KUGLER, Principal Executive Advisor, CEB Learn more and register at www.corporatecompliance.org/webconferences Compliance & Ethics Professional September 2015 +1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 79