Introduction
This guide will assist in-house counsel, private practice lawyers, and human resource departments with developing a whistleblower policy and reporting program. It will also help in-house counsel, private practice lawyers, and human resource departments respond to workplace whistleblower complaints.
This guide covers the following:
- Overview of the legal framework relating to the protection of whistleblowers
- Whistleblower policy: foundation and application
- Whistleblower policy: reporting process
- Governance by the organization
For further information on this topic, see How-to guides: Overview of US employment law and How to prepare for an Occupational Safety and Health Administration (OSHA) inspection; and Checklist: Dealing with workplace injuries.
Section 1 – Overview of the legal framework relating to the protection of whistleblowers
Whistleblowing laws are aimed at protecting current or former employees who ‘blow the whistle’ (ie, report or expose their employer’s unlawful or unethical conduct). There are numerous federal and state laws in the United States that protect whistleblowers.
1.1 Federal law
Note that many of the whistleblower provisions contained in federal law also provide for substantial rewards in the event that the whistleblower produces evidence that results in convictions, fines, or penalties against their employers.
1.1.1 Department of Labor’s whistleblower protection
Under the US Department of Labor’s (DOL) whistleblower protection laws, employees are protected from adverse action by their employers when reporting suspected employer violations of a variety of laws, or engaging in other related, protected activities. Whistleblower protection applies to employees who report issues relating to:
- discrimination;
- employee safety;
- wage and hours laws;
- consumer product and food safety; and
- fraud and other financial issues.
An adverse action is broadly defined by the DOL as ‘any type of action that would dissuade a reasonable employee from raising a concern about a possible violation or engaging in other related protected activity.’ Specific examples of adverse actions cited by the DOL include termination; confiscating a worker’s passport or other immigration documents; disciplinary actions; threats to employees, their families or co-workers; reduction of work hours or rate of pay; shift changes or elimination of premium pay; blacklisting; demotion; excluding an employee from a regularly scheduled meeting; or threatening an employee with deportation.
‘Protected activities’ typically include the following:
- initiating a proceeding under, or for the enforcement of, any of the applicable statutes, or causing such a proceeding to be initiated;
- testifying in any such proceeding;
- assisting or participating in any such proceeding or in any other action to carry out the purposes of the applicable statutes; or
- complaining about a violation.
Whistleblower and anti-retaliation laws are administered through five agencies that operate under the umbrella of the DOL:
- Wage and Hour Division (WHD);
- Occupational Safety and Health Administration (OSHA);
- Mine Safety and Health Administration (MSHA);
- Office of Federal Contract Compliance Programs (OFCCP); and
- Veterans’ Employment and Training Service (VETS).
1.1.2 False Claims Act
Under the federal False Claims Act (FCA), a person or entity who has evidence of fraud against federal programs or contracts is authorized to bring a qui tam (loosely translated as ‘on behalf of the king’) action against the wrongdoer on behalf of the United States government. In common law, private individuals who bring an action on behalf of the government may receive all or part of the financial penalties recovered as part of the action. Under the FCA, private citizens who successfully bring qui tam actions may receive a portion of the government’s recovery. For example, if an individual has knowledge of a company defrauding the federal government as part of a federal contract, they may bring a qui tam action and receive a portion of the recovery.
The FCA, as amended, provides that any person who knowingly submits false claims to the government is liable for treble damages plus a penalty that is linked to inflation.
1.1.3 Sarbanes Oxley Act
Largely in response to the corporate failure and fraud that was uncovered through the Enron scandal, which resulted in substantial financial losses to institutional and individual investors, Congress passed the Sarbanes Oxley Act (SOx) in 2002. SOx contains provisions that regulate corporate governance, risk management, auditing, and financial reporting of public companies, including provisions intended to deter and punish corporate accounting fraud and corruption. More specifically, relevant sections of SOx establish requirements for publicly held companies to report on management’s responsibility for establishing and maintaining an adequate internal control structure, including controls over financial reporting, and the results of management’s assessment of the effectiveness of internal control over financial reporting. The external auditors must then report whether they agree with management’s assessment of the company’s internal control over financial reporting.
SOx also has whistleblower provisions that protect any employee that provides information, causes information to be provided, or otherwise assists in an investigation regarding any conduct which the employee reasonably believes constitutes a violation of SOx and other Securities and Exchange Commission (SEC) provisions.
1.1.4 Dodd Frank Act
The Dodd Frank Act (DF Act) was enacted in response to the financial crisis of 2007-2008 when the real estate ‘bubble’ burst and falling house prices ultimately left many banks and financial institutions with trillions of dollars’ worth of subprime mortgages.
The DF Act also provides whistleblower protections to any employee that discloses information about corporate wrongdoing to the SEC. The provisions also offer rewards to the whistleblowers who voluntarily provide the SEC with original information that leads to a successful enforcement action resulting in monetary sanctions exceeding $1 million. The award amount is required to be between 10% and 30% of the total monetary sanctions collected. In addition, the law provides employees with a private cause of action if they are discharged or discriminated against by their employers as a result of the reporting.
1.1.5 Corporate Whistleblower Awards Pilot Program
On August 1, 2024, the Department of Justice’s (DOJ) Criminal Division launched a Corporate Whistleblower Awards Pilot Program to uncover and prosecute corporate crime. The new program will offer awards to individuals who ‘blow the whistle’ on corporate crimes under the jurisdiction of the DOJ which are not already covered by other whistleblower programs. Under this pilot program, a whistleblower who provides the DOJ’s Criminal Division with original and truthful information about corporate misconduct that results in a successful forfeiture may be eligible for an award. As detailed in guidance provisions released the same day, the information received from the whistleblower must relate to one of the following areas: (1) certain crimes involving financial institutions, from traditional banks to cryptocurrency businesses; (2) foreign corruption involving misconduct by companies; (3) domestic corruption involving misconduct by companies; or (4) health care fraud schemes involving private insurance plans.
1.1.6 Other whistleblower protections
Additional federal protections are provided by the Whistleblower Protection Act of 1989 as well as the Whistleblower Protection Enhancement Act of 2012. Both laws are designed to protect federal employees or applicants for federal employment from potential retaliation for protected disclosures, such as blowing the whistle on significant federal agency malfeasance.
1.2 State law
In addition to the federal laws outlined above, most states have whistleblower protection laws, many of which evolved from state court decisions that protected whistleblowers.
State laws sometimes mirror the federal provisions, or may be less or more restrictive. In particular, some state laws protect only government workers while others extend the protections to also include private sector workers.
An important element to protecting whistleblowers is understanding that many states are employment at-will states, meaning that an employee can be terminated at any time without cause. One main exception to this is that employers cannot terminate an employee for reasons that violate public policy. As a result, even in a state that does not have a whistleblower specific statute, the employee would likely be protected by the public policy exception.
For further information about the termination of employment of at-will employees, see Checklist: Terminating the employment of an at-will employee.
Examples of states with whistleblower laws are set out below.
1.2.1 California
California Labor Code section 1102.5 prohibits employers from retaliating against employees for:
- reporting potential violations to a regulatory or law enforcement agency, when the employee believes that there was a violation of a law or non-compliance with a regulation or law; and
- giving information or testimony to a public regulatory body conducting an investigation, inquiry, or hearing about what the employee believes to be a violation or non-compliance with a regulation or law.
The whistleblower protections extended under this law will apply to an employee whether or not the investigation determines that the employer violated a law or public policy, provided that the employee reasonably believed that a violation had occurred.
California has other laws that provide whistleblower protections for specific employee complaints. For example, California Labor Code section 98.6 prohibits an employer from retaliating against an employee who reports suspected violations of wage and hour laws, such as employers paying less than minimum wage, failing to pay required overtime, or failing to provide rest or meal breaks. In addition, California Labor Code section 6310 prohibits employers from retaliating against employees who report any violations of health and safety rules to the California Division of Occupational Safety and Health (Cal/OSHA).
1.2.2 Florida
Florida protects both private and public employees from retaliation under the Florida Whistleblower’s Act. Workers in Florida may sue for back pay, reinstatement of the worker’s full fringe benefits and seniority rights, and lost wages, in addition to other damages.
Private employees wishing to claim protection under this law must meet the following six criteria:
- have disclosed (or threatened to disclose) to an agency under oath and in writing;
- a specific activity, policy, or practice of the employer. ‘Agency’ is defined in the statute as ‘any state, regional, county, local, or municipal government entity, whether executive, judicial, or legislative; any official, officer, department, division, bureau, commission, authority, or political subdivision therein; or any public school, community college, or state university’;
- that violated a law, rule, or regulation;
- resulting in retaliation by the employer due to the disclosure or threat to disclose;
- after the employee had given written notice to the employer of its activity, policy, or practice; and
- providing the employer reasonable opportunity to correct the activity, policy, or practice.
The criteria concerning the requirement for an employee to have given written notice to the employer and provided a reasonable opportunity to correct the activity apply only in specific situations, primarily when the disclosure involves the employer’s violation of a rule or regulation or illegal activity. The precise circumstances under which a whistleblowing employee of a private business is protected are complex. The employee’s protection will depend on whether the disclosure was made to someone within the business, or if it was made to a government regulatory or law enforcement agency, and the nature of the violation.
1.2.3 Georgia
Georgia’s whistleblower laws prohibit public employers from taking action against an employee in response to a complaint about a legal violation or breach of the public trust. Georgia’s whistleblower laws protect only public (not private) employees.
Georgia’s courts do not recognize a common law public policy wrongful termination action, and so any exception to the at-will employment doctrine must be created by the legislature. While no general exception has been created, there are three exceptions that have been enacted: Ga Code Ann section 45-1-4 (public employee whistleblowers), Ga Code Ann section 34-6A-5 (retaliation by employers against persons with disabilities), and Ga Code Ann section 34-5-3(c) (retaliation for claims of sex discrimination).
1.2.4 Qui tam statutes
As noted above, under the federal FCA a person or entity who has evidence of fraud against federal programs or contracts is authorized to bring a qui tam action against the wrongdoer on behalf of the United States’ government. Some states have passed similar laws concerning fraud in state government contracts.
An employee who is terminated, demoted, harassed, or otherwise discriminated against due to actions related to a proceeding under the FCA may bring a lawsuit for reinstatement, double back pay, and compensation for special damages (eg, litigation costs and reasonable attorneys’ fees).
Section 2 – Whistleblower policy: foundation and application
While there is generally no legal requirement for organizations to have a whistleblower policy in place (although see information about special circumstances below), it is still advisable because it may encourage employees to raise any concerns directly with the organization rather than going to an administrative agency. It may also avoid deliberate or inadvertent breach of whistleblowing laws by ensuring that the employee base has been educated about whistleblowing as a part of the policy. The information set out in sections 2 and 3 represents best practice for employers.
There may be special circumstances where a requirement to have a whistleblowing policy exists. For example, section 715-b(a) of the New York Not-for-Profit Corporation Law requires certain not-for-profit corporations to ‘adopt . . . a whistleblower policy to protect from retaliation persons who report suspected improper conduct’. Organizations should perform adequate due diligence to determine whether such a requirement exists for them.
2.1 Foundational matters
An effective whistleblower policy is a set of written rules and guidelines for all stakeholders of an organization to follow whenever something illegal or unethical is observed or identified within the organization. Stakeholders may include employees, contractors, shareholders, vendors, or any other person who is part of the organization.
2.1.1 Purpose of the policy
The purpose of the whistleblower policy should be consistent with the public policy of the federal and state whistleblower laws, which is to ensure that any employees who report wrongdoing are protected from retaliation. The key components of a whistleblower policy are as follows:
- to establish a process for reporting;
- to encourage employees to report misconduct;
- to create awareness of what amounts to misconduct;
- to provide a process to guide stakeholders on how to proceed in the event misconduct is reported;
- to protect the interests of external stakeholders;
- to make sure that reports are investigated promptly, thoroughly, and impartially; and
- to establish clear procedures that guarantee that employees who make good faith reports of their concerns are not retaliated against.
2.1.2 Organization commitment
The whistleblower policy should be tied to the core values of the organization. Specific commitments that might be articulated in the policy include:
- a commitment to protect the employees’ ability to provide feedback and report wrongdoing or misconduct that they have observed;
- a commitment to protect the safety of employees; and
- a commitment to protect against retaliation or abuse for employees reporting wrongdoing or misconduct.
2.2 Application of the policy
2.2.1 Conduct covered under the policy
The policy should specifically identify examples of the types of misconduct that the organization encourages employees to report if identified or observed, and should provide reassurance that employees can report these actions without fear of retaliation. The policy should make clear that it is not only concerned with criminal activity, but that employees are encouraged to report anything they are concerned about. A non-exhaustive list of examples of reportable misconduct in the policy might include:
- fraud;
- theft;
- harassment;
- discrimination; and
- breach of any legal or regulatory requirement.
2.2.2 Individuals covered under the policy
The whistleblower policy should make it clear that it applies to every employee, partner, intern, contractor, consultant, or other stakeholder. The policy should include examples and define others who may be covered under the policy (eg, former employees).
A whistleblowing policy should be clear as to the legal entities that are covered by the policy. This could be important for complex corporate groups that include parent and subsidiary entities.
Section 3 – Whistleblower policy: reporting process
The whistleblower policy should set out the process employees and other individuals must follow in order to report a concern.
3.1 Filing a report
3.1.1 How to make a disclosure
Ideally, multiple channels should be available for employees to make a report of misconduct, including web-based or mobile-based software, telephone hotline, email, or other channels as appropriate. Details should be provided on what would constitute an effective report, such as dates, specific actors, and details of the concern. The methods for reporting should be consistently reinforced through organizational communications, for example, via meetings, posters, reinforcement by managers, and training.
Two key stakeholders that are usually involved in any whistleblowing report are the legal and human resources departments. Some organizations may wish to designate specific members of either of these departments as point persons for receiving reports.
3.1.2 Anonymity
Some individuals that wish to make a report may be concerned about disclosing their identity, especially initially. It is important, therefore, to emphasize the importance the organization places on allowing reporting parties to stay anonymous (if they choose to do so) and not to influence the individual to disclose their identity. An explanation as to how anonymous reporters can be accommodated should be included in the whistleblowing policy, so that an anonymous reporter trusts the process.
The policy should include information that differentiates between the ability to keep the whistleblower’s identity anonymous versus the potential need for their identity to be revealed at some later date (eg, if or when an investigation ensues). The policy should also address the potential limitations that could be placed on an investigation in the event the whistleblower chooses to stay anonymous throughout the course of an investigation. The organization should use this opportunity to stress the legal protections whistleblowers have against retaliation.
3.2 Investigative procedure
The whistleblowing policy should contain a description of the investigation process that will follow a report, as well as potential resolutions to a complaint. At a high level the process should include at least the following elements:
- intake and initial processing of complaints or reports;
- conducting the investigation;
- disposition of the investigation (eg, dismiss, withdraw, settle, turn over to authorities for prosecution, etc); and
- remedies for wronged parties.
The parties responsible for the intake and processing of the complaints or reports will vary depending on a number of factors, such as the size of the organization. In a smaller organization it may simply be the legal department. In a large, multinational company, it may be prudent to have a third party as the processor of the initial reports.
Conducting the investigation would, for example, include reviewing documents, getting testimony from witnesses or others that may have knowledge relative to the complaint, reviewing electronic communications, and reviewing video footage of on-site security cameras. The OSHA Whistleblower Investigations Manual provides some valuable insights into how these investigations may be conducted, as well as the possible outcomes.
3.2.1 Internal stakeholders
The teams involved in investigating a whistleblower report will need to be determined by the person or department designated to process incoming reports. The specific people involved in the internal investigation would depend on the nature of the report. For example, if there has been a report of theft, the legal department would have more involvement, whereas human resources personnel would lead an investigation into a report of harassment.
Other stakeholders who should be notified will depend on the organization and the nature of the report. For example, the organization may notify a plant manager where harassment has been reported within a department they head and if there are concerns that it may be systemic.
3.2.2 Third parties
The whistleblowing policy should clearly outline when third parties will be called upon to conduct investigations. External entities, such as law firms, accountants, specialized forensic or investigative teams, or human resources experts may be the best way of conducting a meaningful investigation, particularly when specialized expertise is involved. Use of a third party will also help ensure impartiality and the appearance of impartiality. The third parties must agree to adhere to strict confidentiality protocols and ethical guidelines to ensure the integrity of the investigation and protect the identity of the whistleblower.
3.2.3 Updates
The whistleblowing policy should set expectations for those who report wrongdoing, by providing an outline of how and when the organization will update whistleblowers regarding their report and any investigation carried out. This should include:
- confirmation of a report being successfully made and received; and
- regular and timely updates regarding the status of an investigation.
Updates must be made with due regard for any applicable privacy laws and guidelines. Communications regarding the progress of the investigation should be limited to the parties involved in the claim, and identities of any witnesses should remain confidential.
3.2.4 Final determinations
The whistleblower policy should include a mechanism for notifying the reporting party when an investigation is completed and what the result is.
Potential results of any incoming complaint or report may include:
- no investigation was deemed necessary;
- investigation was dismissed due to lack of cooperation by the parties or lack of evidence;
- withdrawal by the reporting party;
- that the investigation did not confirm that misconduct occurred and details of available next steps the reporting party can take; or
- that the misconduct was confirmed and details of any subsequent action that may be taken by the organization (or other parties), which, for example, may include:
  - settlement with the reporting party (eg, back pay),
  - report the issue to outside authorities (eg, fraud), or
  - litigation with the reporting party (eg, where wrongdoing was confirmed but they are unable to reach a settlement).
The whistleblower policy should describe the escalation procedure and process available to the reporting party in the event that the investigation did not confirm misconduct. The policy should highlight the fact that the reporting party will likely not be able to remain anonymous if they choose to escalate their report. The escalation of the report may be to an appeal process within the organization, to some external authority, or possibly to the reporting party retaining outside counsel.
3.3 Whistleblower protections
The whistleblower policy should describe the protections available to whistleblowers, including protection against retaliation, as well as protection and immunities that may be available to parties other than the reporting party (eg, employees called upon to provide witness evidence as part of the investigation).
3.3.1 Risk of retaliation
The organization should consider the risk of retaliation by the organization, other employees, or other parties on a case-by-case basis, including where the reporting party is anonymous, and document the steps taken by the organization to prevent retaliation against reporters. Where there are performance or conduct issues on the part of the reporter, organizations must ensure that these are kept separate from their report, otherwise any action taken against the employee for poor conduct unrelated to the complaint could be viewed as retaliatory.
In 2024, the Supreme Court in Murray v. UBS Securities, LLC, 601 US 23 (2024), held that retaliatory intent does not need to be present in suits brought under SOx. This lowered the threshold needed to support a claim that an employer’s actions were retaliatory. Instead of requiring plaintiffs to show retaliatory intent, it allows evidence to be brought to help support a showing that there was discrimination against the employee.
3.3.2 Subsequent remedial measures
The organization must document reports of incidents of retaliation, if any, that have already occurred, and detail the subsequent protections provided after retaliation has occurred. It must also develop a process of escalation if those who have filed reports believe they were not protected from retaliation. This information would be required in any subsequent claim against the organization.
The whistleblower policy should set out the ways in which the organization will address individuals (such as other employees) who retaliate against whistleblowers, including the disciplinary measures (up to and including termination) that may be taken against them.
Section 4 – Governance by the organization
Once a whistleblower policy is fully developed, it will need to be maintained and updated. There should be a plan in place that describes the roles, responsibilities, and personnel involved with the maintenance and updating of the whistleblower policy.
Whenever a change or update is made to the policy, the organization should document the individuals involved as well as the reason for the update and those who approved the update. There should also be a procedure developed for reporting changes to the policy to the organization’s board of directors.
Additional resources
Related Lexology PRO content
How-to guides:
Overview of US employment law
How to draft an employment contract
How to draft the key provisions of an employee handbook
How to protect trade secrets in the employment relationship
How to use arbitration agreements in employment
How to prepare for an Occupational Safety and Health Administration (OSHA) inspection
How to comply with the unemployment insurance program
Checklists:
Determining the difference between an employee and an independent contractor
Dealing with workplace injuries
Developing a Bring Your Own Device (BYOD) policy
Employee drug testing
Terminating the employment of an at-will employee
Drafting a non-compete agreement