At ETHIX360, we’re often asked by companies why systems like CaseTrac are so important to implement.  Are they optional?  A “nice to have?”  Or required?  There is not a simple answer to this.

For many companies that must comply with Sarbanes-Oxley, such systems can be required, or at least be the most effective way to come into compliance with those mandates.  The U.S. Sarbanes-Oxley Act of 2002 (“SOX”) requires an anonymous method for employees to report concerns related to accounting and financial matters (Section 301 of the Sarbanes-Oxley Act of 2002; SEC Rule 10A-3(b)(3) promulgated under the Securities Exchange Act of 1934; NASDAQ Rule 4350(d)(3); and NYSE Listed Company Manual Section 303A(6)), and the adoption of a code of ethical conduct designed to promote prompt reporting of code violations (Section 406 of the Sarbanes-Oxley Act of 2002; SEC Item 406 of Regulation S-K; NASDAQ Rule 4350(n) and NYSE Listed Company Manual Section 303A(10)).

These requirements are fundamental to SOX’s main principles, namely that ethics are valued within an organization and potential issues are surfaced to the right supervisors and even management to deal with them as soon as they arise. Congress intended to provide an environment where fraud and accounting impropriety would be discouraged and whistleblowers encouraged or at least not dissuaded in coming forward. In the wake of scandals at companies like Enron and WorldCom, Congress and regulatory authorities sought to restore confidence in the financial statements of public companies and the markets generally.

Lately, we’ve also been blogging on GDPR and a lot of the nuance you need to know as a compliance professional.  Likewise, the interconnectivity of SOX and GDPR is important for compliance professionals to explore.

For example, decisions in France and Germany made over a decade ago that anonymous employee whistleblowing hotlines, without certain precautions, are invalid or unlawful in those countries have justifiably caused concern for many multi-national public companies that must comply with SOX and related U.S. rules. The French data protection authority decisions and court cases in France and Germany reflect the historical unease in many E.U. countries over the concept of encouraging individuals to inform against others anonymously and without an immediate opportunity for the accused person to respond. Multi-national companies with operations in the E.U. should seek clarification from counsel on the issues raised by these decisions.

Subsequently, GDPR brings much more specificity to the data privacy requirements that ethics programs need to maintain, as we’ve discussed in prior blog posts.

The Sarbanes-Oxley Act of 2002 (“SOX”) contains significant protections for corporate whistleblowers. Given its diverse civil, criminal and administrative provisions, the statute may be considered, over time, one of the most important whistleblower protection laws. 

Unlike most whistleblower laws, the SOX's whistleblower protection provisions are not limited to providing a legal remedy for wrongfully discharged employees. In addition to containing employment-based protections for employee whistleblowers, the law contains four other provisions directly relevant to whistleblower protection. First, the law requires that all publicly traded corporations create internal and independent “audit committees.” As part of the mandated audit committee function, publicly traded corporations must also establish procedures for employees to file internal whistleblower complaints, and procedures which would protect the confidentiality of employees who file allegations with the audit committee. 

Second, the SOX sets forth new ethical standards for attorneys who practice before the Securities and Exchange Commission (SEC). This law, and the SEC’s implementing regulations, require attorneys, under certain circumstances, to blow the whistle on their employer or “client.” 

Third, the SOX amended the federal obstruction of justice statute and criminalized retaliation against whistleblowers who provide “truthful information” to a “law enforcement officer” about the “commission or possible commission of any Federal offense.” This provision of the SOX was not limited in its application to publicly traded corporations; it covers every employer nationwide.

Fourth, Section 3(b) of the SOX contains an enforcement provision concerning every clause of the SOX. This section states that “a violation by any person of this Act [i.e. the SOX] . . . shall be treated for all purposes in the same manner as a violation of the Securities Exchange Act of 1934.” This section grants jurisdiction to the SEC to enforce every aspect of the SOX, including the various whistleblower-related provisions. It also provides for criminal penalties for any violation of the SOX, including the whistleblower-related provisions.

These four provisions of the Sarbanes-Oxley Act collectively provide a unique and comprehensive federal framework for enforcing whistleblower protections for corporate employees. In addition to these four provisions, the law contains an employee protection provision which permits whistleblowers to file a complaint before the U.S. Department of Labor alleging unlawful retaliation. This complaint process was directly modeled on other DOL administered whistleblower laws. See 29 C.F.R. Part 24 (nuclear and environmental whistleblower protection laws); 29 C.F.R. Part 1979 (airline safety whistleblower protection law); 29 C.F.R. Part 1987 (surface transportation whistleblower protection law). There is an extensive body of administrative and judicial case law interpreting these whistleblower provisions, much of which is consistent with Congress’ intent to broadly protect whistleblowers covered under the DOL procedures.

Stephanie Jenkins is the Chief Compliance Officer of ETHIX360. At ETHIX360, our goal is simple: to provide an affordable, flexible and comprehensive answer to employee communication and case management on issues related to corporate ethics, code of conduct, fraud, bribery, environmental, health & safety and workplace violence. To learn more about ETHIX360, please visit, or follow us on Twitter @ethix360.