Summary
setting forth burden-shifting element under Sarbanes-Oxley Act
Summary of this case from Opela v. Apogee Wausau Grp., Inc.Opinion
Case No. 15-CV-1415-JPS.
04-07-2017
Alan C. Olson, Alan C. Olson & Associates SC, New Berlin, WI, for Plaintiff. Robert H. Duffy, Lindsey W. Davis, Quarles & Brady LLP, Milwaukee, WI, for Defendant.
Alan C. Olson, Alan C. Olson & Associates SC, New Berlin, WI, for Plaintiff.
Robert H. Duffy, Lindsey W. Davis, Quarles & Brady LLP, Milwaukee, WI, for Defendant.
ORDER
J.P. Stadtmueller, U.S. District Judge
1. INTRODUCTION
Plaintiff Lisa Lamb ("Lamb") brought this action against her former employer, Defendant Rockwell Automation, Inc. ("Rockwell"), alleging whistleblower retaliation in violation of the Sarbanes–Oxley Act of 2002 ("SOX"), 18 U.S.C. § 1514A, and the Dodd–Frank Wall Street and Consumer Protection Act of 2010 ("Dodd–Frank"), 12 U.S.C. § 1454. (Docket #1). The Dodd–Frank claim was dismissed by the Court on August 12, 2016 on Rockwell's motion to dismiss. (Docket #15). On January 30, 2017, Rockwell filed a motion for summary judgment as to Lamb's remaining claim under SOX. (Docket #24). The motion is fully briefed and, for the reasons stated below, it will be granted.
2. STANDARD OF REVIEW
Federal Rule of Civil Procedure ("FRCP") 56 provides that the court "shall grant summary judgment if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." Fed. R. Civ. P. 56(a) ; see Boss v. Castro , 816 F.3d 910, 916 (7th Cir. 2016). A fact is "material" if it "might affect the outcome of the suit" under the applicable substantive law. Anderson v. Liberty Lobby, Inc. , 477 U.S. 242, 248, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986). A dispute of fact is "genuine" if "the evidence is such that a reasonable jury could return a verdict for the nonmoving party." Id. The court construes all facts and reasonable inferences in the light most favorable to the non-movant. Bridge v. New Holland Logansport, Inc. , 815 F.3d 356, 360 (7th Cir. 2016). The court must not weigh the evidence presented or determine credibility of witnesses; the Seventh Circuit instructs that "we leave those tasks to factfinders." Berry v. Chicago Transit Auth. , 618 F.3d 688, 691 (7th Cir. 2010). The party opposing summary judgment "need not match the movant witness for witness, nor persuade the court that her case is convincing, she need only come forward with appropriate evidence demonstrating that there is a pending dispute of material fact." Waldridge v. Am. Hoechst Corp. , 24 F.3d 918, 921 (7th Cir. 1994).
3. RELEVANT FACTS
SOX generally protects an employee from reprisal after she reports fraud or violation of a rule or regulation of the Securities and Exchange Commission ("SEC") by a co-worker. See 18 U.S.C. § 1514A(a). The instant case grows from Lamb's claim that she was a whistleblower as to fraudulent conduct by her supervisor and was eventually terminated as a result. Rockwell, by contrast, says that Lamb was fired because she violated its internal policies and was not meeting her job expectations. The focus of Rockwell's motion, however, is not on why she was terminated but on its contention that she was not a whistleblower as defined in SOX. Because the Court agrees with Rockwell on this threshold question, it need not recite the facts which are relevant only to the other aspects of Lamb's claim. The facts set forth below are presented in the light most favorable to Lamb.
Rockwell is a global provider of industrial automation, power, control, and information solutions. Lamb worked at Rockwell in various information technology capacities from 1988 until her termination in 2013. In 2011, she transitioned to a position relating to the Systems, Applications, and Products processing system ("SAP"). SAP is an integrated electronic system designed to streamline various business transactions and processes company-wide. Based on an employee's role and rank, she is granted privileges to access and modify certain data in SAP.
To ensure that a given employee has SAP access that is sufficient but not greater than necessary to perform her job—what the parties call "segregation of duties" ("SOD")—Rockwell employs Governance Risk and Compliance ("GRC") software. GRC establishes rules that identify certain constellations of access privileges that represent a risk of harm to the company or its legal compliance efforts, such as when an employee has privileges to both create and review her work. The rules are designed to prevent one employee from obtaining such pervasive access to Rockwell's data as to facilitate fraud or theft of confidential business information. The system can identify persons that meet the rule definitions so that their privileges can be evaluated and then either disabled or approved by management.
Like many other companies, Rockwell employs "controls" teams to customize the GRC rules in an iterative process that analyzes the operation of the rules over time to ensure they are working properly and efficiently. The controls teams sometimes received tasks from the internal audit department, which would review their work and develop action plans for improvement. These plans were logged in the Internal Controls Corrective Action Tracking System ("IC–CAT"). An IC–CAT functioned like an outstanding work order that could be closed once the goals set out in it had been achieved.Lamb's team, the IT internal controls team, worked specifically with SAP access privileges of IT department users and how those privileges related to internal control over financial reporting for purposes of SOX compliance. In order to better understand Lamb's role, it is important to observe the relevant requirements drawn from SOX. The statute provides that a qualifying corporation, like Rockwell, must file periodic reports with the SEC. 15 U.S.C. § 7241. The reports are required to be certified by high-level corporate officers, including the principal executive officer and principal financial officer. Id. § 7241(a). Those officers must certify, among other things, that they have reviewed the report and that, based on their individual knowledge, the report does not contain any untrue statement or material omission. Id. § 7241(a)(1)–(2). Additionally, the signatory officers must certify that they are responsible for developing internal controls for their company that "ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities." Id. § 7241(a)(4)(B). The officers must also report their conclusions about the effectiveness of these internal controls. Id. § 7241(a)(4)(D). Further, Section 7262 requires that Rockwell's annual reports contain an assessment of the effectiveness of its internal controls as they relate to the accuracy and completeness of financial reporting. Id. § 7262(a). When a public accounting firm prepares an audit report for the company, that firm must report on and attest to the assessment the company made of its financial reporting controls. Id. § 7262(b).
At Rockwell, the GRC rules Lamb's team developed were designed to root out SAP users in the IT department with SOD conflicts that presented a high risk as to Rockwell's financial data. The GRC reports the team generated were used by management and Rockwell's external auditors as part of their review of Rockwell's internal controls over financial reporting. Lamb's expert, Norman Marks ("Marks"), opined that the GRC reports were a "key control" in this process, which is a control procedure that is relied upon to prevent or detect a material error or omission in financial statements filed with the SEC. Put simply, a key control is one that is important to SOX compliance procedures.
In her decades with Rockwell, Lamb had garnered extensive experience with managing privileged access, whether in SAP or its predecessor system. She had participated in "countless" audits and meetings on the topic, and she had produced documentation on privileged access. See (Docket #51 ¶ 20). She also was the "most highly privileged user in IT on the mainframe side." (Docket #39 ¶ 3).
When she moved to the SAP team in 2011, Lamb worked under Mary Clement ("Clement") as her immediate supervisor, and Mary Ward ("Ward") as Clement's supervisor. The turning point for this suit occurred on June 28, 2012. That day, Clement asked Lamb to disable certain rules within GRC that were used to identify SAP users in the IT department with high-risk SOD conflicts. Lamb did not want to make the changes. She told Clement that she was "uncomfortable" making the changes and said, "I don't want to do that." Clement testified that she thought Lamb simply did not understand the changes she wanted to be made. Clement did not understand Lamb to be saying that disabling the rules would harm the company's internal controls relating to SOX compliance.
Although she did not make it plain to Clement at the time, Lamb now asserts that disabling the rules as Clement asked was "not proper" because it would hide users in the IT department with high-risk SOD conflicts, which "left Rockwell vulnerable to a lot of risk." (Docket #51 ¶ 24). Part of Lamb's discomfort was that the particular GRC rules in question were a key control used to keep management and auditors apprised of risk to Rockwell's financial data. Rather than identify over-privileged users and remediate the SOD conflict by downgrading the user's access or getting approval for it from management, it appeared that Clement wanted to simply disable the rules, effectively masking those users.
Lamb alleges that Clement wanted to make these rule changes because she was under a deadline imposed by an IC–CAT to resolve thousands of outstanding SOD conflicts. Lamb claims that in order to avoid reproach by Ward's supervisor and Rockwell's Controller, Dave Dorgan ("Dorgan"), Clement sought to conceal the problem by eliminating high-risk users from the GRC reports, which Dorgan reviewed and then passed along to his superiors and the auditors. Lamb contends that Clement's actions violated Rockwell's internal procedures for reviewing privileged access and SOD conflicts. They would also "preclude an assessment of internal control over financial reporting as ‘effective’ " because the GRC reports would not have any information about these high-risk users, and therefore the auditors and corporate officers looking at the reports would not have all the information they needed to make an informed assessment of the company's internal controls. Id. ¶ 33. Thus, Lamb believes that Clement's request would lead to violations of the above-described SOX provisions.
In the context of this suit, Lamb asserts that before December 2012, she had "many times voiced her concern to Clement and Ward about the SOD conflicts and unmonitored privileged access." (Docket #52 ¶ 142). She does not identify the date or contents of any particular conversation. See id.
Later that day, Lamb went to speak with Ward about the proposed changes. She asked why the changes were being made without approvals and or "request for change" record. She did not mention any concerns about the integrity of Rockwell's internal controls over financial reporting which she raises in this lawsuit. Ward responded that the controls group for the IT department has the ability to change it own rules. Lamb now disagrees, stating that a request for change was required for "every Production change, with no exceptions." Id. ¶ 30. Despite this, Lamb made the GRC rule changes as Clement requested on June 28.
After June 28, 2012, Lamb and Clement's relationship soured. As Lamb tells it, Clement "began to find issues with Lamb that were in many cases fictitious and in retaliation because Lamb did not agree with Clement's approach to resolving SOD conflicts." (Docket #52 ¶ 28). Clement became hostile and "started badmouthing Lamb with her co-workers." Id.
Rockwell portrays Lamb as an employee who clung to the outdated procedures she employed in her prior position in the company. It also claims that she was not timely completing her tasks. Lamb counters that she was not provided proper training and that Clement was assigning her tasks without meaningful guidance, apparently to ensure Lamb's failure. The relevant parties—Lamb, Clement, and Ward—had several meetings around this time to discuss Lamb's performance. Because the Court's disposition below does not touch on whether Lamb was performing her job to expectations, the Court will bypass the parties' vigorous disputes on the topic. It is enough to say that Clement and Ward became critical of Lamb's work.
In mid-March 2013, Clement met with Lamb to discuss Lamb's goals going forward. Lamb became upset by the goals, arguing that they were unrealistic. Clement believed that Lamb was disrespectful during the meeting, and so Senior Human Resources Representative Sheri Anklam ("Anklam") met with Lamb shortly thereafter to caution her that insubordination would not be tolerated and would in the future result in discipline.
In late March, Anklam, Clement, and Ward met with Dorgan and Rockwell's Vice President of Law, Marc Kartman ("Kartman"), to discuss Lamb's employment. Rockwell asserts that a performance improvement plan ("PIP") was developed during this meeting and presented to Lamb on March 28, 2013. During the meeting, Clement told Lamb that if she did not want to participate in the PIP, she could resign with a severance package. Lamb thought the PIP was unwarranted.
After this meeting, Lamb initiated Rockwell's Employee Issue Resolution ("EIR") process, which is used to help human resources staff and other managers to review employment-related decisions, to appeal her PIP. Nothing in Lamb's submissions as part of the EIR process mentioned her concerns about SOX violations or other fraud. After an initial meeting with Clement, Ward, and Anklam, Lamb initiated the next phase of EIR, which brought in Vice President of Human Resources Kristin Fritz.
On April 7, 2013, while Lamb's request for review was pending with Fritz, Lamb sent an email to Kartman which, along with the interactions of June 28, 2012, forms the centerpiece of this case. Kartman was not only the Vice President of Law but also the company ombudsman, and it appears Lamb's email was intended to be a complaint to him in his ombudsman role.
Lamb calls the email a "SOX complaint" in which she complained about her treatment by Clement, including her interactions with Clement on June 28, 2012. She alleged that Clement had violated Rockwell "ethics" and "department policies" when Clement made the GRC rule changes in an attempt to side-step the IC–CAT. (Docket #34–13 at 1). Lamb stated that the changes may have "potential significant impact to the organization." Id. Lamb did not allege any corporate fraud or violation of SEC rule or regulation. It appears that the reason she now calls it a "SOX complaint" is because, as explained above, the rules changes related to Rockwell's SOX compliance program.
Despite intending to make an ombudsman complaint, Lamb mistakenly sent the email to Kartman's standard email address, not his ombudsman address. When Kartman saw her email, he decided not to open it for fear of creating a conflict of interest regarding the ongoing inquiry into her employment, in which he was providing legal advice to Rockwell. He never opened or responded to the email.
During the week of April 20, 2013, Lamb allowed an employee of an outside contractor working with Rockwell to use her login credentials for the SAP "sandbox," which is a version of the system that allows users to experiment with various inputs and settings without risking real-world data. When Clement, Ward, and Anklam learned of this, they considered it to be a serious violation of Rockwell's password policies, which strictly prohibit the sharing of login credentials. Lamb says, in essence, that it was not a big deal, noting that the SAP sandbox has no impact on the company's actual data. No one agreed with her, and Anklam suspended Lamb on April 25, 2013, pending investigation into the matter. She instructed Lamb to turn in her identification badge and leave the premises. Lamb said the decision to suspend her was absurd and unfair, and when she left this meeting, she did not immediately leave the premises. Instead, she used her work computer to send an instant message to Dorgan and Kartman, seeking their help. Neither responded. After thirty minutes, Rockwell security was called and escorted Lamb off the property. After completing its review of the password-sharing incident, Rockwell management, considering that incident alongside Lamb's other alleged work deficiencies, decided to terminate her, effective April 30, 2013.
4. ANALYSIS
SOX protects whistleblowers from retaliation by prohibiting employers from "discharge[ing], demot[ing], suspend[ing], threaten[ing], harass [ing], or in any other manner discriminat[ing] against an employee in the terms and conditions of employment." 18 U.S.C. § 1514A. This protection extends to employees who lawfully act "to provide information, cause information to be provided, or assist[ ] an investigation regarding any conduct which the employee reasonably believes constitutes mail fraud, bank fraud, securities fraud, or a violation of any rule or regulation of the SEC, or any federal law relating to fraud against shareholders," so long as the assistance is provided to a person with investigatory authority. Harp v. Charter Commc'ns, Inc. , 558 F.3d 722, 723 (7th Cir. 2009) (citing 18 U.S.C. § 1514A(a) ). In order to prevail on a SOX whistleblower claim, an employee must meet the legal burdens of proof set forth in the Wendell H. Ford Aviation Investment and Reform Act for the 21st Century, 49 U.S.C. § 42121(b), which requires the employee to first " ‘prove by a preponderance of the evidence that (1) she engaged in protected activity; (2) the employer knew that she engaged in the protected activity; (3) she suffered an unfavorable personnel action; and (4) the protected activity was a contributing factor in the unfavorable action.’ " Id. (quoting 49 U.S.C. § 42121(b)(2)(B)(iii) ); Allen v. Admin. Review Bd. , 514 F.3d 468, 475–76 (5th Cir. 2008) ). If the employee establishes these four elements, the employer may avoid liability if it can prove "by clear and convincing evidence" that it "would have taken the same unfavorable personnel action in the absence of that [protected] behavior." Id.
As can be seen from the statutory language, part of the definition of "protected activity" is that the employee herself believed that the conduct she reported violated a law listed in Section 1514A(a), and that belief must have been objectively reasonable. Id. ; see also Day v. Staples , 555 F.3d 42, 54 (1st Cir. 2009) ; Livingston v. Wyeth, Inc. , 520 F.3d 344, 352 (4th Cir. 2008). Objective reasonableness is assessed "based on the knowledge available to a reasonable person in the same factual circumstances with the same training and experience as the aggrieved employee." Harp , 558 F.3d at 723. The reasonable person standard recognizes that "[m]any employees are unlikely to be trained to recognize legally actionable conduct by their employers." Nielsen v. AECOM Tech. Corp. , 762 F.3d 214, 221 (2d Cir. 2014). Accordingly, "the inquiry into whether an employee had a reasonable belief is necessarily fact-dependent, varying with the circumstances of the case." Rhinehimer v. U.S. Bancorp Inves., Inc. , 787 F.3d 797, 811 (6th Cir. 2015).
In its motion, Rockwell contends that Lamb cannot establish the first, second, and fourth elements of her prima facie case. The Court need only address the first element—specifically, whether Lamb's belief that there was a violation of a law listed in Section 1514A(a)(1) was objectively reasonable—to conclude that judgment should be entered in Rockwell's favor.
Assessing the objective reasonableness of Lamb's belief requires a careful description of the theory of liability she advances. Lamb claims that changing the GRC rules would result in underreporting of the potential risks to Rockwell's SOX data. Yet her fear was not that the individuals whose access went unmonitored engaged in or were likely to engage in fraud. Instead, Lamb's theory is that the fact of underreporting would itself lead to a violation of federal law. In her view, this is because the SOD data collected would be incomplete as a result of underreporting, and that data would then be passed on to Dorgan, and then corporate superiors and outside auditors as part of Rockwell's SOX compliance program, eventually ending up in the hands of the top officials and auditors who had to sign off on Rockwell's financial statements. According to Lamb, those officials would then sign the financial statements on the basis of incomplete information and thereby violate the relevant SOX provisions because they could not certify the effectiveness of the company's internal controls over financial reporting. Additionally, this same underreporting would lead to material misrepresentations in those financial statements.
Against the backdrop of this theory, the Court finds that no employee with Lamb's training and experience could reasonably conclude under the circumstances that a violation of the relevant SOX provisions had occurred or was imminent. To fully explain the basis for this conclusion, the Court must first take a detour through the development of the law as it relates to the "reasonable belief" standard. The Administrative Review Board ("ARB") of the Department of Labor, which adjudicates SOX whistleblower claims, first considered the contours of the objective component of the "reasonable belief" standard in 2006. Platone v. FLYI, Inc. , ARB No. 04–154, 2006 WL 3246910 (ARB Sept. 29, 2006). In Platone , the ARB held that to qualify as protected conduct, the employee's complaint must (1) "definitively and specifically" relate to one of the categories of fraud or securities violations listed in Section 1514A(a)(1) ; and (2) "approximate...the basic elements" of the fraud or securities violation to which the complaint relates. Id. at *8. Circuit courts generally adopted these standards. See Van Asdale v. Int'l Game Tech. , 577 F.3d 989, 996–97 (9th Cir. 2009) ; Welch v. Chao , 536 F.3d 269, 275 (4th Cir. 2008) ; Allen , 514 F.3d at 477 ; Day , 555 F.3d at 54 n.8.
In 2011, however, the ARB reversed course. Sylvester v. Parexel Int'l LLC , ARB No. 07–123, 2011 WL 2517148 , at *12 (ARB May 25, 2011) (en banc). The ARB held in Sylvester that to satisfy the objective component of the "reasonable belief" standard, the employee must simply prove that a reasonable person in the same factual circumstances with the same training and experience would believe that the employer violated securities laws. Id. at *11–12. An employee's mistaken belief in a violation of law may nevertheless be objectively reasonable. Id. at *13.
Additionally, Sylvester held that an employee need not believe that a violation has occurred or is presently occurring. Id. It is sufficient that "the employee reasonably believes that the violation is likely to happen." Id. at *14. The ARB tied their conclusion to Title VII case law, which provides that a report about a future violation is protected if the violation " ‘[is] taking shape,’...‘a plan [is] in motion’ to violate the law, or...a violation [is] ‘likely to occur.’ " Id. at *37 (quoting Jordan v. Alternative Res. Corp. , 458 F.3d 332, 340 (4th Cir. 2006) ). Still, "unsupported conjecture about hypothetical future events" is not protected. Id.
No court has outright rejected the Sylvester standard. The Third Circuit grants the ruling broad deference under Chevron U.S.A. Inc. v. Natural Resources Defense Council, Inc. , 467 U.S. 837, 104 S.Ct. 2778, 81 L.Ed.2d 694 (1984), which requires courts to defer to an agency's permissible interpretation of a statute if Congress has not spoken on the issue. Wiest v. Lynch , 710 F.3d 121, 131–32 (3d Cir. 2013). Other Circuits have declined to decide whether the ARB's decision in Sylvester warrants Chevron deference and have instead found that its conclusions warrant deference under the lesser form created in Skidmore v. Swift & Co. , 323 U.S. 134, 65 S.Ct. 161, 89 L.Ed. 124 (1944), which holds that an agency's interpretation of a statute is only as controlling as it is persuasive, considering the specialization and experience of the agency adjudicators. Rhinehimer , 787 F.3d at 806 ; Nielsen , 762 F.3d at 220–21. The Eighth Circuit has "adopted" the Sylvester standard without specifying whether it was according the decision Chevron or Skidmore deference. Beacom v. Oracle Am., Inc. , 825 F.3d 376, 380 (8th Cir. 2016). The Fourth and Tenth Circuits have addressed Sylvester but found the plaintiff satisfied the more rigorous "definite and specific" standard from Platone and therefore did not decide the effect of Sylvester on their past precedent. Feldman v. Law Enforcement Assocs. Corp. , 752 F.3d 339, 344 n.5 (4th Cir. 2014) ; Lockheed Martin Corp. v. Admin. Review Bd. , 717 F.3d 1121, 1132 n.7 (10th Cir. 2013). The Seventh Circuit has not weighed in on the effect of Sylvester on SOX whistleblower claims.
Notable, however, are recent holdings in the Second and Ninth Circuits that do not accept Sylvester wholesale. In Nielsen , the Second Circuit commented in a footnote that although it agreed with the ARB that Platone's "definite and specific" standard should be dispensed with, it questioned the ARB's conclusion that a plaintiff's beliefs need not even approximate the elements of a claim under a listed law in Section 1514A(a)(1) in order to be objectively reasonable. Nielsen , 762 F.3d at 221 n.6. The Court of Appeals observed that the statute's plain language requires "plausible allegations that the whistleblower reported information based on a reasonable belief that the employer violated one of the enumerated provisions set out in the statute." Id. As the Second Circuit read it, "the statutory language suggests that, to be reasonable, the purported whistleblower's belief cannot exist wholly untethered from these specific provisions." Id.
Similarly, although it did not address the interaction of Platone and Sylvester , the Ninth Circuit very recently reaffirmed its pre- Sylvester rule that " ‘to have an objectively reasonable belief there has been shareholder fraud, the complaining employee's theory of such fraud must at least approximate the basic elements of a claim of securities fraud.’ " Rocheleau v. Microsemi Corp., Inc. , No. 15–56029, 680 Fed.Appx. 533, 535, 2017 WL 677563, at *1 (9th Cir. Feb. 21, 2017) (quoting Van Asdale , 577 F.3d at 1001 ). District courts have echoed the concern that some amount of "tethering," however minimal, must be required to connect the plaintiff's beliefs about wrongdoing to the fraud-prevention purposes of SOX. See Wiggins v. ING U.S., Inc. , CIVIL CASE NO. 3:14–CV–01089 (JCH), 2015 WL 8779559, at *4 (D. Conn. Dec. 15, 2015) ; Berman v. Neo@Ogilvy LLC , 14–CV–00523 (GHW)(SN), 2016 WL 7975001, at *6 (S.D.N.Y. Oct. 24, 2016) ; Erhart v. Bofi Holding, Inc. , Case No. 15–cv–02287–BAS(NLS), 2016 WL 5369470, at *10 (S.D. Cal. Sept. 26, 2016).The only sources of law Lamb cites to support her whistleblower claim are SOX Sections 302 and 304, which translate to 15 U.S.C. §§ 7241 and 7262. See (Docket #52 ¶ 18). Neither provides a basis for an objectively reasonable belief that a SOX violation had occurred or was likely to occur. As explained above, Section 7241 requires, among other things, that high-level corporate officers certify in SEC reports that the report is true and not misleading. 15 U.S.C. § 7241(a)(2). That Section also requires those officers to certify that they have designed effective internal controls over financial information. Id. § 7241(a)(4)(B). Similarly, Section 7626 requires Rockwell's outside auditor, Deloitte, to certify the effectiveness of its internal controls over financial information. Id. § 7626(b). Lamb posits that the GRC rule changes, by hiding risky levels of SAP access to financial information in the IT department, would diminish the effectiveness of the company's internal controls. Clement, in making these changes, robbed her superiors of relevant information, which in turn caused them to violate the applicable statutes because their certifications as to the effectiveness of their internal controls were false.
Understood in this way, it becomes clear why Lamb's claim cannot proceed further. A whistleblower claim requires an extant or likely, not theoretical or hypothetical, violation of the law. No reasonable person in Lamb's place, with her training and experience, could have believed that Clement's conduct violated SOX, since the violation would be perfected, if at all, only upon some later company official's signing the SEC certification. In other words, while Clement's conduct might arguably have violated Rockwell's procedures, it was not a violation of federal law. Lamb says that it is "against SOX regulation to intentionally under-disclose the true risk there is to an organization." (Docket #36 at 9). This is true, but it is likewise true that no such disclosure would occur until the false data was transmitted to the corporate leaders and they thereafter relied upon it in making SEC certifications. In short, even if one assumes as true that Clement's rule changes "left Rockwell vulnerable to a lot of risk" and was inconsistent with "industry best practice," id. , vulnerability is not itself a SOX violation, nor does industry best practice equate to legal requirements. Lamb's own expert agrees. Marks testified that the rule modification in and of itself was not a violation of SOX. (Docket #52 ¶ 63). He stated that "I do not believe there was a violation of SOX. I believe there may have been a violation of other laws but SOX pertains to the company and its management, not to individuals at Lisa Lamb's level or her actions." (Docket #34–4 194:7–21). Looking at Clement's conduct, Marks believed that it was "potentially something that legal people would be concerned about[,] but I don't know that technically it's a violation of SOX." Id. 194:22–195:5. Particularly relevant here, he noted that a SOX violation would not be implicated because "we are not talking about a named officer of the company, a certifying officer." Id. 195:6–15. At most, he claimed that the conduct at issue "would be a violation of potentially some other law or regulation [,] whatever." Id.
During the relevant events, Lamb only cited internal Rockwell policies and procedures when complaining about Clement's conduct. Because she did not complain of fraud, Rockwell insists that Lamb's claim must fail. Nevertheless, the Seventh Circuit in Harp instructed that as long as the conduct the employee reports constitutes a violation of a listed law in Section 1415A(a)(1), it does not matter whether the employee actually cited that law. Harp, 558 F.3d at 723. Thus, Lamb's emphasis on Rockwell's internal rules is not a categorical basis on which to reject the claim.
However, the Court is not convinced that the Harp rule should be taken too far. SOX whistleblowers, who are not often lawyers, should not be expected to cite the precise provision of law they believe was violated. But neither is it logical to say that they need merely point to conduct that, if carefully analyzed by lawyers after the fact, could be or lead to a SOX violation. It cannot be that those employees who know the least about legal matters should be given the greatest leeway to report whatever undesirable conduct they see and later be sheltered as unwitting whistleblowers.
Lamb is emphatic that she believed that Clement was violating SOX—specifically, the provisions discussed above relating to SEC certifications about internal controls over financial reporting. See (Docket #36 at 7–11); (Docket #1 ¶ 55). She does not say whether Clement's conduct might alternatively constitute a violation of any other law or regulation listed in Section 1514A(a)(1), nor does she direct the Court's attention to any such law, rule, or regulation. Because Lamb binds her theory to the SOX provisions the Court discussed above, and to no other sources of law, the Court will not consider whether the facts support a theory based on violation of any other statute, rule, or regulation listed in Section 1514A(a)(1).
Although it is not directly relevant to whether Lamb had a reasonable belief as to a SOX violation at the time of her reporting, it worth noting that Lamb has never corroborated her theory with some concrete indication there were material misrepresentations or omissions that made their way into Rockwell's financial reports. See (Docket #25 at 27–28); (Docket #50 at 8 n.3). The slippage in her position is best summed up in her response to Rockwell's proposed fact that "Lamb does not know of any situation in which Rockwell's data was harmed (i.e., compromised or destroyed) as a result of the June 28, 2012 modifications to Rockwell's GRC rule set." (Docket #52 ¶ 58). Lamb responded that the fact is "immaterial" and proceeds to explain why the GRC rules were a key control that would prevent management and auditors from learning about high-risk SOD conflicts, which would in turn lead them to be unable to certify that the company's internal controls were effective. Id. ; see also id. ¶¶ 59–61. What is lacking, however, is evidence from Lamb of any actual instance where her fear materialized; that is, a single example in which a Rockwell executive or outside auditor made a certification as to the corporate internal controls which was erroneous because there existed uninvestigated, high-risk SOD conflicts in the IT department.
Lamb testified that Clement's actions constituted deliberate fraud in that "false quarterly reports went to Dorgan," who then passed them along to the auditors, but she did not produce even one such report or identify a false statement that in fact ended up in the auditors' hands. (Docket #51 ¶ 60); (Docket #46 248:3–249:5). Dorgan himself testified that Lamb's work with SOD conflicts was "just one small piece" of Rockwell's overall SOX compliance program and that it would be hard to imagine how underreporting SOD conflicts would result in a material misstatement in a financial report Rockwell ultimately produced. (Docket #54–2 21:3–22:19). Dorgan opined that "SOX compliance can be achieved no matter what's on" the SOD conflicts report. Id. 70:7–19.
The closest Lamb comes to establishing the results of the alleged fraud is to say that "[s]ince 2011, Rockwell's external auditors, Deloitte & Touche, have identified SOD deficiencies." Id. ¶ 62. She does not describe the SOD deficiencies the auditors discovered, including whether they implicated Lamb's highly specific niche of SOD analysis in the IT department for purposes of SOX compliance. Nor does she explain why SOD deficiencies arising before June 28, 2012, would be relevant. She asks for greater inferential leaps from the facts than they can support. The Court cannot infer into existence the lynchpin of Lamb's claim—namely, that a misrepresentation occurred or was likely to occur. See Rocheleau , 680 Fed.Appx. at 536, 2017 WL 677563, at *3 (no claim that suspected data manipulation constituted fraud because, in part, "no false data was ever transmitted").
In fact, although the scope and results of the investigations are not explained by the parties, Lamb seems to believe that Rockwell's internal audit department investigated Clement's rule changes. In her April 7, 2013 letter, Lamb reports that two additional IC–CATs were opened to probe the problems created by Clement's rule changes. (Docket #34–13 at 7–8). Thus, even believing Lamb's version of events, the changes did not pass unnoticed. This further undermines her theory, which requires that Clement's changes be implemented and that no other safeguard, such as internal or external auditing or other review, forestall the calamity that underreporting based on those rules might cause. Moreover, Lamb emphasizes in the letter that she sees Clement's actions not as unlawful but as a serious violation of corporate procedure that should be "subject to disciplinary action." Id. at 8.
These observations lead into the next inquiry—whether a reasonable employee in Lamb's position could have believed that although a SOX violation had not actually occurred, it was likely to occur in the future. Marks opined that, although Clement's actions did not create an extant SOX violation, a lay person looking at the rule changes would rightly have been concerned about the potential damage excessive access privileges might cause. (Docket #34–4 195:6–15). Evaluating this aspect of the "reasonable belief" standard requires an appreciation of the dramatic change in the law effected by Sylvester , which held that belief in an existing violation is not required. Sylvester , 2011 WL 2517148, at *14. If Sylvester had not be issued, Lamb's claim would undoubtedly be dead on arrival. See Livingston v. Wyeth, Inc. , 520 F.3d 344, 350–51 (4th Cir. 2008) (finding that a violation must have already occurred or be ongoing to sustain a whistleblower claim); Walton v. Nova , No. 3:06–CV–292, 2008 WL 1751525, at *9 (E.D. Tenn. Apr. 11, 2008). But applying even Sylvester 's generous standard, Lamb's claim nevertheless fails.
Lamb and Marks also speculate that the purported violation here—inaccurate assessment of internal control over financial reporting—is typically addressed as a violation of the Securities Exchange Act of 1934, not SOX. (Docket #34–4 195:6–15). This is the most explanation the Court gets from her on this point, however, and so the Court is left wondering what her theory is as to a violation of the 1934 Act as opposed to SOX. Notably, in her legal brief she only cites SOX provisions as the basis of her claim. As the Court has already explained, it will not go fishing through securities law and regulation for provisions Lamb may have believed were violated. See supra note 3.
Similarly, Lamb, looking at Marks' testimony from the vantage point of summary judgment, notes that he never said the rule changes were not "a violation of an appropriate SOX compliance program," though she does not point to any statute that defines "an appropriate SOX compliance program." (Docket #52 ¶ 63). In fact, Marks noted that the SEC recommends certain procedures but does not require a particular program to be implemented. (Docket #54–5 48:10–49:10).
As noted above, Sylvester requires a whistleblower to reasonably believe "that the violation is likely to happen." Sylvester , 2011 WL 2517148, at *14. This is not a place for open speculation; instead, the violation must be "taking shape," "in motion," or "likely to occur" to suffice. Id. at *37 (quotation omitted). The ARB reiterated that "unsupported conjecture about hypothetical future events" is not protected. Id. In adopting Sylvester , the Third Circuit opined that this principle applies to those who perceive an "imminent" violation. Wiest , 710 F.3d at 133.
The undisputed facts make clear that no reasonable person in Lamb's position could have believed that a SOX violation was imminent at the time of her reporting. Lamb had been with the company for twenty-five years and, by her own account, she had obtained a huge breadth of experience in managing privilege access and participating in company audits and compliance procedures. Yet with this knowledge and experience, she did not consider the scope of Rockwell's financial reporting or the other processes in place to ensure the integrity of its internal controls over financial information. Rather, the person with the best vantage point for such concerns, Dorgan, testified that the activities of the IT controls team formed only a small part of Rockwell's total SOX compliance program. (Docket #54–2 at 21:3–22:19). Whatever oversight Lamb made at the time, no reasonable person in her place would perceive that a substantial step had been taken toward a SOX violation. See Bishop v. PCS Admin. (USA), Inc. , No. 05 C 5683, 2006 WL 1460032, at *8 (N.D. Ill. May 23, 2006).
Lamb acknowledged at the time of her reporting that her fears regarding SOX compliance were only speculative. In her email to Kartman of April 7, 2013, she states that Clement's actions "were a violation of Rockwell ethics with potential significant impacts on the organization ." (Docket #34–13 at 1) (emphasis added). At the time of her email, there is no indication that she believed that any purported "impacts" had materialized or would do so imminently. See Bishop , 2006 WL 1460032, at *8 ("A reasonable belief that implementing certain procedures will be insufficient to prevent violations is not, by itself, a reasonable belief that a violation has occurred or been attempted."); Andaya v. Atlas Air, Inc. , No. 10 CV 7878(VB), 2012 WL 1871511, at *5 (S.D.N.Y. Apr. 30, 2012) (plaintiff's fears of potential insider trading did not suffice as report of misconduct under Section 1514A(a) ). Now, armed with this lone, vague statement in her letter, Lamb asks the Court to pile inference atop inference to fill in the gaps in her evidence. Although the Court must draw inferences in her favor, it cannot stretch the evidence as far as she requires.
Take the Seventh Circuit's whistleblower in Harp . In his dissent, Judge Tinder described the employee, an internal auditor who expressed concern about potential fraudulent payments that were about to be made to a corporate vendor. Harp , 558 F.3d at 728. Her detailed knowledge of imminent fraud, even if ultimately mistaken, was clearer than Lamb's fear that some effect might be felt by someone down the line if the SOD conflicts were not resolved. Likewise, in Stewart v. Doral Financial Corp. , 997 F.Supp.2d 129, 137 (D.P.R. 2014), the CEO himself instructed employees to cook the books, which is much more proximate to a SOX violation than a potential risk to the company's financial data which might undermine the effectiveness of the company's internal controls, assuming these fears materialized and were not otherwise rectified along the way. In short, Lamb has magnified her limited role at Rockwell within its SOX compliance program. See Hill v. Komatsu Am. Corp. , Case No. 14–cv–02098, 2015 WL 5162129, at *4 (N.D. Ill. Aug. 26, 2015) (executive's concern that repair and maintenance reserves might be too low, which might lead to misrepresentations in financial statements, was too tenuous to be considered a concern that securities fraud had occurred). She has no evidence to support this other than Marks' averment that her duties were or should have been a key control in the process, something Dorgan at least implicitly contested with his undisputed knowledge of the corporation's multifaceted SOX compliance program. See (Docket #54–2 21:3–22:19).
Finally, the Court observes that even if everything had turned out as Lamb feared, and Rockwell's directors and auditors produced false certifications and financial reports with some measure of misleading information, she still would not be able to proceed. Here, Nielsen and Rocheleau come into play, because they declined to adopt Sylvester's holding that a whistleblower need not even approximate the elements of a claim under a listed law. Nielsen , 762 F.3d at 221 n.6 ; Rocheleau , 680 Fed.Appx. at 534–35, 2017 WL 677563, at *1. This Court agrees with that conclusion, as other district courts have, and when the facts available to Lamb are stacked against the relevant cause of action, it is beyond dispute that Lamb's claim must fail.
In the instant case, Lamb's claimed SOX violations do not arguably constitute mail fraud, wire fraud, bank fraud, or securities fraud, nor are the statutes she cites a rule or regulation of the SEC. As a result, her claim falls into the catch-all clause of Section 1514A(a)(1), for violations of "any provision of Federal law relating to fraud against shareholders." 18 U.S.C. § 1514A(a)(1). Because a whistleblower claim sited in this clause must be minimally tethered to the shareholder fraud cause of action, a whistleblower plaintiff must establish at a minimum that it was objectively reasonable to believe that the conduct in question would have some appreciable effect on the shareholders. See Nielsen , 762 F.3d at 222–23. Despite the broad, protective policy objectives of SOX, "[n]othing in the text of § 1514A...suggests that SOX was intended to encompass every situation in which any party takes an action that has some attenuated, negative effect on the revenue of a publicly-traded company, and by extension decreases the value of a shareholder's investment. ... [E]xtending SOX's protections in this way presents obvious overbreadth concerns that risk making SOX a general anti-retaliation statute applicable to any private company that does business with a public company." Gibney v. Evolution Mktg. Research, LLC , 25 F.Supp.3d 741, 748 (E.D. Pa. 2014) (internal quotations and alterations omitted).
In Nielsen , the Second Circuit reviewed a complaint by a fire engineering manager that one of his subordinates was approving engineering plans without actually reviewing them. Nielsen , 762 F.3d at 217. His superiors did not take corrective action, and when the manager threatened to resign, he was fired. Id. The Second Circuit concluded that the manager, in reporting his subordinate's conduct, could not reasonably have believed that it constituted something approximating shareholder fraud. Id. at 222. The complaint contained no allegations that the fire safety review was required by any federal statute or regulation or that the allegedly inadequate fire safety review posed any specified safety hazard. Id. Nor did the manager allege that the fire safety review was important to the company's operations. Id. Thus, the Court of Appeals found, consistent with Sylvester , that the manager's concerns related to " ‘such a trivial matter’ " as to fall below the threshold for protected activity. Id. (quoting Sylvester , 2011 WL 2517148, at *19 ). The company in question was an international firm, and the manager's allegations of wrongdoing in its fire safety review—only one, minor part of its operations—were "simply too tenuous" in their connection to potential shareholder fraud. Id. at 223.
The Second Circuit also offered a useful contrast between its case and the more egregious misconduct raised in Sylvester . Id. Before the ARB were allegations that a company performing drug testing for pharmaceutical manufacturers falsified information in that testing for several major clients. Sylvester , 2011 WL 2517148, at *2–4. Some employees refused to participate in this falsification, and their superiors did nothing about the problem despite repeated complaints. Id. These employees suffered threats and retaliation and were eventually terminated just months after their initial complaints. Id.
In contrast to Sylvester , the challenged conduct in Nielsen was not sufficiently important to the employer's business, nor was the employer sufficiently complicit in the misconduct. Nielsen , 762 F.3d at 223. Viewed favorably, the allegations in Nielsen did not raise the inference that the misconduct the employee reported "would have significant repercussions for [the employer] or, by extension, its shareholders." Id. ; see also Wiest , 710 F.3d at 124–25 (after well-publicized Tyco fraud scandal, corporate accountant could reasonably conclude that executives continued to engage in similar fraudulent conduct); Deltek, Inc., v. Dep't of Labor Admin. Rev. Bd. , 649 Fed.Appx. 320, 328 (4th Cir. 2016) (employee, with help of knowlegeable coworker, reasonably concluded that company was submitting false invoices to Verizon to cover losses); Robinson v. U.S. Dep't of Labor , 406 Fed.Appx. 69, 71 (7th Cir. 2010) (objectively reasonable belief of fraud where employee discovered that her employer, Discover, was inflating its assets by not charging off customer bankruptcies).
Lamb's case, although involves the collection of data relevant to SOX compliance, nevertheless suffers from the same weakness that doomed the employee's claims in Nielsen . Other than her assertion that remediating SOD conflicts in the corporate IT department was a key control for SOX compliance, she offers nothing to substantiate how Clement's misconduct would have a meaningful, or even noticeable, effect on Rockwell as a whole, much less its shareholders. To follow Lamb on this point, the Court would have to find that (1) high-risk SOD conflicts in the IT department would go unremediated; (2) this risk rendered Rockwell's internal controls ineffective; (3) Rockwell's certifications that the controls were effective made after June 28, 2012, would be false; and (4) this would cause some loss to the company or shareholders. At best, the evidence supports only the first of these steps. Thus, whether or not Clement's conduct was wrongful, it is far too attenuated from the welfare of the shareholders to fall within the SOX ken. See Westawski v. Merck & Co. , CIVIL ACTION NO. 14–3239, 215 F.Supp.3d 412, 427–30, 2016 WL 6082633, at *11–12 (E.D. Pa. Oct. 18, 2016) (concluding that "minor discrepancy" in company's financial statements did not have a "material effect" on them that would implicate shareholder fraud).
Even the principle that a reasonable, though mistaken, belief as to a violation does not help Lamb here. Sylvester , 2011 WL 2517148, at *13. This is not a case where the whistleblower might be understandably unsure whether the employee engaging in the relevant misconduct met each and every element of a fraud claim, including scienter, materiality, and loss. Zinn v. American Commercial Lines, Inc. , ARB Case No. 10–029, 2012 WL 1143309, at *4 (Dep't of Labor Mar. 28, 2012). While the wrongdoer's state of mind and the pecuniary effect of certain conduct might be hard for an individual employee to determine, here the problem is not so complex. Lamb's mistake is whether the fundamental requirements of a fraud claim—a misrepresentation that had some effect on shareholders—ever occurred or would occur imminently. This basic feature of shareholder fraud is something even a lay person can be expected to assess.
Moreover, although Lamb need not have known with certainty whether Clement had the state of mind required for shareholder fraud, it is notable that the information available to Lamb actively undermined such a conclusion. Recall that Lamb believed that Clement, in requesting the rule changes, wanted to avoid the ire of her superiors for not completing an assigned task. See (Docket #36 at 5–6). Lamb did not believe, at the time of her report or now, that Clement acted with the intent to deceive shareholders. This further destabilizes the reasonableness of her belief that shareholder fraud had or would occur. Allen , 514 F.3d at 480. It also shows how a run-of-the-mill office dispute between subordinate and supervisor should not be transformed, without good reason, into a case about corporate fraud. See Verf u e r th v. Orion Energy Systems, Inc. , 2016 WL 4507317, at *5 (E.D. Wis. Aug. 25, 2016) (cautioning against treating "run-of-the-mill corporate problems into claims of securities fraud").
SOX "was intentionally written to sweep broadly, protecting any employee of a publicly traded company who took such reasonable action to try to protect investors and the market." 149 Cong. Rec. S1725–01, S1725, 2003 WL 193278 (Jan. 29, 2003). By failing to show how anything less than a lengthy, unbroken string of hypothetical scenarios and unsupported inferences could work harm on the company or the shareholders, Lamb has not connected her report, nor her beliefs about the report, to SOX's admittedly broad purpose. Consequently, Lamb's claim must be dismissed without the need to reach any of the other myriad questions the parties presented.
5. CONCLUSION
On the undisputed facts in the record, Lamb cannot establish that she held an objectively reasonable belief that Clement's actions constituted an extant or likely violation of any law listed in the SOX whistleblower statute. As a result, her complaint must be dismissed.
On April 2, 2017, Lamb filed a motion to compel discovery responses from Rockwell and stay Rockwell's summary judgment motion pursuant to FRCP 56(d). (Docket #55). The motion must be denied. It comes after summary judgment briefing has been completed, including Lamb's own response, which was filed more than a month ago. If she had wanted additional information to prepare her response, a motion to stay should have been filed as soon as she had reviewed Rockwell's summary judgment motion and determined that the factual record was not adequately developed (ideally within a few days). At the very least, the motion to stay should have come no later than her response due date. Thus, her request for additional time to "more fully dispute" Rockwell's statements of fact, (Docket #55 at 3–5), is untimely.
--------
Accordingly,
IT IS ORDERED that Defendant Rockwell Automation, Inc.'s motion for summary judgment (Docket #24) be and the same is hereby GRANTED;
IT IS FURTHER ORDERED that Plaintiff Lisa Lamb's first claim for relief, for whistleblower retaliation in violation of the Sarbanes–Oxley Act of 2002 (Docket #1 at 17), be and the same is hereby DISMISSED with prejudice;
IT IS FURTHER ORDERED that, all of Plaintiff Lisa Lamb's claims for relief having been dismissed, this action must be DISMISSED with prejudice; and IT IS FURTHER ORDERED that Plaintiff Lisa Lamb's motion to compel and stay (Docket #55) be and the same is hereby DENIED.
The Clerk of the Court is directed to enter judgment accordingly.