Whistleblower? More like cybercriminal: the Computer Fraud and Abuse Act as applied to Sarbanes-Oxley whistleblowers.

• Author: Turpan, Connor C.

1. INTRODUCTION II. BACKGROUND A. The Sarbanes-Oxley Act of 2002 1. The Passage of the Sarbanes-Oxley Act 2. Whistleblowing under Sarbanes-Oxley B. The Computer Fraud and Abuse Act 1. Enactment of the CFAA 2. General Provisions of the CFAA 3. Circuit Split a. Broad Interpretations i. Broad Interpretation under the Agency Theory. ii. Broad Authorization under Employment Contract Theory b. Narrow Interpretations 4. Recent Congressional Efforts to Amend the CFAA. III. THE NARROW INTERPRETATION OF THE CFAA HOLDS MORE TRUE TO THE ORIGINAL INTENT OF THE CFAA IV. ANALYSIS OF WHISTLEBLOWING AND DOCUMENT COLLECTION UNDER THE SARBANES-OXLEY ACT AND THE IMPACT OF THE CFAA A. Vannoy v. Celanese Corp.--Document Collection in the Realm of Sarbanes-Oxley Whistleblowing B. Effects of the CFAA Circuit Split on the Sarbanes Oxley Whistleblowing Framework V. THE NARROW INTERPRETATION MUST BE ADOPTED TO AVOID POTENTIALLY LABELING WHISTLEBLOWERS AS CYBERCRIMINALS VI. CONCLUSION I. Introduction

   Whistleblowers are the "subject[] of much controversy" in American society. (1) While some cast whistleblowers as noble heroes sacrificing their careers for the greater good, others insist that whistleblowers are simply disgruntled employees seeking to redress personal grievances. (2) Because of this latter view, whistleblowers often suffer retaliation at the hands of their employers in a variety of ways. (3)

   Whistleblowing employees, however, regardless of intention, provide an important service to society by exposing fraud and other misdeeds. For example, while external auditors detected only 4.1 percent of uncovered fraud schemes, "whistleblower tips detected 54.1% of uncovered fraud schemes in public companies" and were thirteen times more effective than external audits. (4) The economic impact of whistleblowers is also significant, as the SEC whistleblowing program has reportedly brought in over $150 million in restitution and fines as of July 2014. (5)

   The importance of whistleblowers was never more apparent than in 2001, when the sudden collapse of Enron shocked the nation and sank the stock market. (6) As the details of Enron's fraud emerged, millions were left wondering what had gone wrong and why no one had publicly blown the whistle on the fraud to avoid this massive collapse. Realizing the need to prevent a repeat of the damage caused by the collapse of Enron, (7) the drafters of the Sarbanes-Oxley Act (8) set out to develop a system to simultaneously encourage whistleblowing and protect employees of publicly traded companies seeking to report accounting fraud from retaliation.

   However, inadvertently, a split amongst the circuits regarding the definition of "authorization" in the Computer Fraud and Abuse Act ("CFAA") (9) may severely weaken the protection afforded to whistleblowers by Sarbanes-Oxley. A statute establishing both criminal and civil liability for its violators, the Computer Fraud and Abuse Act, at its heart, forbids taking information from a computer without authorization to do so. However, courts interpreting the statute have had trouble defining authorization, leading to a great deal of criticism of the law and confusion amongst the courts.

   In the circuits that have adopted the broad interpretation, it remains possible for employers to define the scope of authorization through computer-use policies, confidentiality policies, and other contractual provisions. (10) By tailoring its computer-use policies to prevent the removal of specific information, corporations in these jurisdictions may be able to use the CFAA to retaliate against an employee who removed documents to use as evidence of fraud. However, corporations in jurisdictions supporting the narrow interpretation of "authorization" can only file a claim when that employee accessed documents to which he had not been given permission to access in the first place by circumventing technological or physical barriers to the files.

   This Note will explore the potential for employers to use the Computer Fraud and Abuse Act as a tool to deter whistleblower claims under the Sarbanes-Oxley Act, and the undesirable effects of such use. Part II will examine the backgrounds and intent of both the CFAA and Sarbanes-Oxley, and will also explore the circuit split that has developed regarding the definition of authorization under the CFAA. In Part III, I will argue that the narrow interpretation of the CFAA holds more true to the language and original intent of the CFAA. Part IV will analyze the effect of wrongful document collection on whistleblowing retaliation claims under Sarbanes-Oxley and the impact of the broad interpretation of CFAA's "authorization" provisions on future whistleblowing claims. Part V argues that the narrow interpretation of "authorization" should be adopted in order to prevent employers from being able to combat otherwise valid whistleblowing claims by misusing the CFAA. In Part VI, will conclude with a final call for the adoption, by the Court or by Congress, of the narrow interpretation in order to prevent an "anti-hacking" statute from morphing into a weapon to be used by employers against whistleblowing employees.

2. BACKGROUND

   1. The Sarbanes-Oxley Act of 2002

      1. The Passage of the Sarbanes-Oxley Act

         In October 2001, the financial world was rocked when it was revealed that Enron had severely misstated its income for several years." Prior to the collapse, Enron, placing fifth on the Fortune

         500, had been regarded "as one of the most innovative, fastest growing, and best managed businesses in the United States." (12) However, Enron's rapid growth was buoyed by accounting fictions for the eighteen months prior to October 2001. (13) Corrected accounting statements, adjusting for the accounting fictions, removed over 80 percent of Enron's profits since 2000,14 causing Enron to collapse and declare bankruptcy on December 2, 2001. (15) The collapse eliminated more than $2 billion in employee pensions, $60 billion in Enron stock, and thousands of jobs. (16) It also led to the arrest of several top Enron executives, including its CEO Jeff Skilling, who was sentenced to more than twenty-four years in prison in 2006. (17) The collapse also led to the downfall of Arthur Andersen, a former "Big Five" accounting firm that had handled Enron's auditing. (18) By 2002, similar accounting fraud scandals were uncovered at WorldCom, ImClone, Global Crossing, and Adelphia. (19)

         Prompted by these scandals and a falling stock market, Congress, the Securities and Exchange Commission ("SEC"), President George W. Bush, and various trade associations rushed to reform the nation's corporate governance laws. (20) Accordingly, Congress passed the Sarbancs-Oxley Act of 2002 ("Sarbancs-Oxley") on July 30, 2002. (21) Called by President Bush "the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt," the Act promised harsh punishments for corporate wrongdoers. (22)

         As set out in Sarbancs-Oxley's Senate Report, the Act was passed in order to:

         [P]rovide for criminal prosecution and enhanced penalties of persons who defraud investors in publicly traded securities or alter or destroy evidence in certain Federal investigations ... [and] to protect whistleblowers who report fraud against retaliation by their employers, and for other purposes. (23)

         Sarbanes-Oxley was thus passed "[t]o protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws." (24)

      2. Whistleblowing under Sarbanes-Oxley

         Sarbanes-Oxley established a variety of procedures, regulations, and legal liabilities meant to eliminate and deter corporate fraud. (25) Most importantly to this Note, it also established protections for whistleblowers acting to expose violations of the Act's various provisions. (26)

         Prior to Sarbanes-Oxley, there was no federal protection for whistleblowing employees of publicly traded companies. (27) Drafters of the bill were likewise concerned that state laws protecting whistleblowers did not adequately protect corporate whistleblowers from retaliation. (28) Because publicly traded companies generally do business nationwide, a whistleblower in one state "may be far more vulnerable to retaliation than a fellow employee in another state who takes the same actions." (29) Similarly, the drafters of the bill were concerned that companies that actively engaged in retaliating against whistleblowers "often transcend state lines, and most corporate employers, with help from their lawyers, know exactly what they can do to a whistleblowing employee under the law." (30)

         Sarbanes-Oxley was thus passed, in part, to create protections for all whistleblowing employees of public corporations, independent of any potential deficiencies in state law (.31) The drafters of the bill recognized that "U.S. laws need to encourage and protect those who report fraudulent activity that can damage innocent investors in publicly traded companies." (32) Whistleblower protections were, therefore, included as the best means of "preventing] recurrences of the Enron debacle and similar threats to the nation's financial markets." (33)

         Sarbanes-Oxley outlined procedures for employees to submit confidential, anonymous complaints to the audit committee "regarding questionable accounting or auditing matters." (34) Section 806 of Sarbanes-Oxley provides that a publicly traded company may not take an adverse employment action against an employee who provides information relating to a violation of Sarbanes-Oxley. (35) More specifically, it states that a publicly traded company, or any employee of that company, may not take an adverse employment action, like termination, suspension, demotion, or harassment, because of a "lawful act" done by the employee to provide information that the employee "reasonably believes" constitutes a violation of Sarbanes-Oxley and other securities laws. (36)

         A whistleblowing employee may claim...