Since its enactment in 2002, Sarbanes-Oxley (SOX) has left a large, albeit often controversial, footprint in the world of corporate internal controls. As the compliance world has adjusted to the post-SOX era, businesses and courts have observed a growing need to address the current and future SOX requirements of private companies. This has had particular significance with regards to SOX’s retaliation provisions.
SOX contains two provisions that prohibit retaliation against employees attempting to report potential legal violations: Section 806 and Section 1107. Section 806 creates a civil cause of action for employees of public companies who face retaliation for reporting potential securities violations to a wide range of responsible actors, such as a federal regulatory or law enforcement agency, a member of Congress, a congressional committee, a company supervisor, or any person at the company with the power to “investigate, discover or terminate misconduct.” Section 806 takes a similarly broad approach to the type of reports an employee can make on a protected basis: the employee must “reasonably believe” that the conduct at issue violates securities laws. While Section 806 was previously thought to be limited to employees of public companies, in 2014 the United States Supreme Court held that SOX’s prohibition on retaliation extends to contractors and subcontractors of publicly traded companies. See Lawson v. FMR, LLC., 134 S.Ct. 1158 (2014).
Section 1107 does not differentiate between private company employees and public company employees and instead criminalizes all retaliation by an employer against an employee seeking to report wrongful conduct to a law-enforcement official or agency. Being a criminal provision, Section 1107 does not necessarily contain a private right of action, and importantly, it is limited to reports to law enforcement and other regulatory authorities. Accordingly, Section 1107 does not cover internal reports. However, like Section 806, Section 1107 places private companies, with no other connection to public companies, squarely within the purview of Sarbanes-Oxley.
Companies that believe they may one day file an initial public offering should consider speaking to an attorney with experience in Sarbanes-Oxley requirements. As already stated, they may be subject to more SOX requirements than they realize simply based on their relationships to public companies and investigations related to public companies. In addition to fulfilling yet another SOX requirement for public companies, taking steps to ensure that employees can anonymously report violations without fear of reprisal will help growing companies reduce risk and liability while they prepare to take the next steps in their business.