Lamb v. Rockwell Automation Inc
Filing
60
ORDER signed by Judge J.P. Stadtmueller on 4/7/2017: GRANTING 24 Defendant's Motion for Summary Judgment; DISMISSING with prejudice Plaintiff's claim for relief for whistleblower retaliation in violation of the Sarbanes-Oxley Act of 2002; DISMISSING action with prejudice; and DENYING 55 Plaintiff's Motion to Compel and Stay. (cc: all counsel) (jm)
UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF WISCONSIN
LISA LAMB,
Plaintiff,
v.
Case No. 15-CV-1415-JPS
ROCKWELL AUTOMATION, INC.,
Defendant.
1.
ORDER
INTRODUCTION
Plaintiff Lisa Lamb (“Lamb”) brought this action against her former
employer, Defendant Rockwell Automation, Inc. (“Rockwell”), alleging
whistleblower retaliation in violation of the Sarbanes-Oxley Act of 2002
(“SOX”), 18 U.S.C. § 1514A, and the Dodd-Frank Wall Street and Consumer
Protection Act of 2010 (“Dodd-Frank”), 12 U.S.C. § 1454. (Docket #1). The
Dodd-Frank claim was dismissed by the Court on August 12, 2016 on
Rockwell’s motion to dismiss. (Docket #15). On January 30, 2017, Rockwell
filed a motion for summary judgment as to Lamb’s remaining claim under
SOX. (Docket #24). The motion is fully briefed and, for the reasons stated
below, it will be granted.
2.
STANDARD OF REVIEW
Federal Rule of Civil Procedure (“FRCP”) 56 provides that the court
“shall grant summary judgment if the movant shows that there is no genuine
dispute as to any material fact and the movant is entitled to judgment as a
matter of law.” Fed. R. Civ. P. 56(a); see Boss v. Castro, 816 F.3d 910, 916 (7th
Cir. 2016). A fact is “material” if it “might affect the outcome of the suit”
under the applicable substantive law. Anderson v. Liberty Lobby, Inc., 477 U.S.
242, 248 (1986). A dispute of fact is “genuine” if “the evidence is such that a
reasonable jury could return a verdict for the nonmoving party.” Id. The court
construes all facts and reasonable inferences in the light most favorable to the
non-movant. Bridge v. New Holland Logansport, Inc., 815 F.3d 356, 360 (7th Cir.
2016). The court must not weigh the evidence presented or determine
credibility of witnesses; the Seventh Circuit instructs that “we leave those
tasks to factfinders.” Berry v. Chicago Transit Auth., 618 F.3d 688, 691 (7th Cir.
2010). The party opposing summary judgment “need not match the movant
witness for witness, nor persuade the court that her case is convincing, she
need only come forward with appropriate evidence demonstrating that there
is a pending dispute of material fact.” Waldridge v. Am. Hoechst Corp., 24 F.3d
918, 921 (7th Cir. 1994).
3.
RELEVANT FACTS
SOX generally protects an employee from reprisal after she reports
fraud or violation of a rule or regulation of the Securities and Exchange
Commission (“SEC”) by a co-worker. See 18 U.S.C. § 1514A(a). The instant
case grows from Lamb’s claim that she was a whistleblower as to fraudulent
conduct by her supervisor and was eventually terminated as a result.
Rockwell, by contrast, says that Lamb was fired because she violated its
internal policies and was not meeting her job expectations. The focus of
Rockwell’s motion, however, is not on why she was terminated but on its
contention that she was not a whistleblower as defined in SOX. Because the
Court agrees with Rockwell on this threshold question, it need not recite the
facts which are relevant only to the other aspects of Lamb’s claim. The facts
set forth below are presented in the light most favorable to Lamb.
Rockwell is a global provider of industrial automation, power, control,
and information solutions. Lamb worked at Rockwell in various information
Page 2 of 29
technology capacities from 1988 until her termination in 2013. In 2011, she
transitioned to a position relating to the Systems, Applications, and Products
processing system (“SAP”). SAP is an integrated electronic system designed
to streamline various business transactions and processes company-wide.
Based on an employee’s role and rank, she is granted privileges to access and
modify certain data in SAP.
To ensure that a given employee has SAP access that is sufficient but
not greater than necessary to perform her job—what the parties call
“segregation of duties” (“SOD”)—Rockwell employs Governance Risk and
Compliance (“GRC”) software. GRC establishes rules that identify certain
constellations of access privileges that represent a risk of harm to the
company or its legal compliance efforts, such as when an employee has
privileges to both create and review her work. The rules are designed to
prevent one employee from obtaining such pervasive access to Rockwell’s
data as to facilitate fraud or theft of confidential business information. The
system can identify persons that meet the rule definitions so that their
privileges can be evaluated and then either disabled or approved by
management.
Like many other companies, Rockwell employs “controls” teams to
customize the GRC rules in an iterative process that analyzes the operation
of the rules over time to ensure they are working properly and efficiently. The
controls teams sometimes received tasks from the internal audit department,
which would review their work and develop action plans for improvement.
These plans were logged in the Internal Controls Corrective Action Tracking
System (“IC-CAT”). An IC-CAT functioned like an outstanding work order
that could be closed once the goals set out in it had been achieved.
Page 3 of 29
Lamb’s team, the IT internal controls team, worked specifically with
SAP access privileges of IT department users and how those privileges
related to internal control over financial reporting for purposes of SOX
compliance. In order to better understand Lamb’s role, it is important to
observe the relevant requirements drawn from SOX. The statute provides that
a qualifying corporation, like Rockwell, must file periodic reports with the
SEC. 15 U.S.C. § 7241. The reports are required to be certified by high-level
corporate officers, including the principal executive officer and principal
financial officer. Id. § 7241(a). Those officers must certify, among other things,
that they have reviewed the report and that, based on their individual
knowledge, the report does not contain any untrue statement or material
omission. Id. § 7241(a)(1)–(2). Additionally, the signatory officers must certify
that they are responsible for developing internal controls for their company
that “ensure that material information relating to the issuer and its
consolidated subsidiaries is made known to such officers by others within
those entities.” Id. § 7241(a)(4)(B). The officers must also report their
conclusions about the effectiveness of these internal controls. Id. §
7241(a)(4)(D). Further, Section 7262 requires that Rockwell’s annual reports
contain an assessment of the effectiveness of its internal controls as they
relate to the accuracy and completeness of financial reporting. Id. § 7262(a).
When a public accounting firm prepares an audit report for the company, that
firm must report on and attest to the assessment the company made of its
financial reporting controls. Id. § 7262(b).
At Rockwell, the GRC rules Lamb’s team developed were designed to
root out SAP users in the IT department with SOD conflicts that presented
a high risk as to Rockwell’s financial data. The GRC reports the team
generated were used by management and Rockwell’s external auditors as
Page 4 of 29
part of their review of Rockwell’s internal controls over financial reporting.
Lamb’s expert, Norman Marks (“Marks”), opined that the GRC reports were
a “key control” in this process, which is a control procedure that is relied
upon to prevent or detect a material error or omission in financial statements
filed with the SEC. Put simply, a key control is one that is important to SOX
compliance procedures.
In her decades with Rockwell, Lamb had garnered extensive
experience with managing privileged access, whether in SAP or its
predecessor system. She had participated in “countless” audits and meetings
on the topic, and she had produced documentation on privileged access. See
(Docket #51 ¶ 20). She also was the “most highly privileged user in IT on the
mainframe side.” (Docket #39 ¶ 3).
When she moved to the SAP team in 2011, Lamb worked under Mary
Clement (“Clement”) as her immediate supervisor, and Mary Ward (“Ward”)
as Clement’s supervisor. The turning point for this suit occurred on June 28,
2012. That day, Clement asked Lamb to disable certain rules within GRC that
were used to identify SAP users in the IT department with high-risk SOD
conflicts. Lamb did not want to make the changes. She told Clement that she
was “uncomfortable” making the changes and said, “I don’t want to do that.”
Clement testified that she thought Lamb simply did not understand the
changes she wanted to be made. Clement did not understand Lamb to be
saying that disabling the rules would harm the company’s internal controls
relating to SOX compliance.
Although she did not make it plain to Clement at the time, Lamb now
asserts that disabling the rules as Clement asked was “not proper” because
it would hide users in the IT department with high-risk SOD conflicts, which
“left Rockwell vulnerable to a lot of risk.” (Docket #51 ¶ 24). Part of Lamb’s
Page 5 of 29
discomfort was that the particular GRC rules in question were a key control
used to keep management and auditors apprised of risk to Rockwell’s
financial data. Rather than identify over-privileged users and remediate the
SOD conflict by downgrading the user’s access or getting approval for it from
management, it appeared that Clement wanted to simply disable the rules,
effectively masking those users.
Lamb alleges that Clement wanted to make these rule changes because
she was under a deadline imposed by an IC-CAT to resolve thousands of
outstanding SOD conflicts. Lamb claims that in order to avoid reproach by
Ward’s supervisor and Rockwell’s Controller, Dave Dorgan (“Dorgan”),
Clement sought to conceal the problem by eliminating high-risk users from
the GRC reports, which Dorgan reviewed and then passed along to his
superiors and the auditors. Lamb contends that Clement’s actions violated
Rockwell’s internal procedures for reviewing privileged access and SOD
conflicts. They would also “preclude an assessment of internal control over
financial reporting as ‘effective’” because the GRC reports would not have
any information about these high-risk users, and therefore the auditors and
corporate officers looking at the reports would not have all the information
they needed to make an informed assessment of the company’s internal
controls. Id. ¶ 33. Thus, Lamb believes that Clement’s request would lead to
violations of the above-described SOX provisions.1
Later that day, Lamb went to speak with Ward about the proposed
changes. She asked why the changes were being made without approvals and
1
In the context of this suit, Lamb asserts that before December 2012, she had
“many times voiced her concern to Clement and Ward about the SOD conflicts and
unmonitored privileged access.” (Docket #52 ¶ 142). She does not identify the date
or contents of any particular conversation. See id.
Page 6 of 29
or “request for change” record. She did not mention any concerns about the
integrity of Rockwell’s internal controls over financial reporting which she
raises in this lawsuit. Ward responded that the controls group for the IT
department has the ability to change it own rules. Lamb now disagrees,
stating that a request for change was required for “every Production change,
with no exceptions.” Id. ¶ 30. Despite this, Lamb made the GRC rule changes
as Clement requested on June 28.
After June 28, 2012, Lamb and Clement’s relationship soured. As Lamb
tells it, Clement “began to find issues with Lamb that were in many cases
fictitious and in retaliation because Lamb did not agree with Clement’s
approach to resolving SOD conflicts.” (Docket #52 ¶ 28). Clement became
hostile and “started badmouthing Lamb with her co-workers.” Id.
Rockwell portrays Lamb as an employee who clung to the outdated
procedures she employed in her prior position in the company. It also claims
that she was not timely completing her tasks. Lamb counters that she was not
provided proper training and that Clement was assigning her tasks without
meaningful guidance, apparently to ensure Lamb’s failure. The relevant
parties—Lamb, Clement, and Ward—had several meetings around this time
to discuss Lamb’s performance. Because the Court’s disposition below does
not touch on whether Lamb was performing her job to expectations, the
Court will bypass the parties’ vigorous disputes on the topic. It is enough to
say that Clement and Ward became critical of Lamb’s work.
In mid-March 2013, Clement met with Lamb to discuss Lamb’s goals
going forward. Lamb became upset by the goals, arguing that they were
unrealistic. Clement believed that Lamb was disrespectful during the
meeting, and so Senior Human Resources Representative Sheri Anklam
(“Anklam”) met with Lamb shortly thereafter to caution her that
Page 7 of 29
insubordination would not be tolerated and would in the future result in
discipline.
In late March, Anklam, Clement, and Ward met with Dorgan and
Rockwell’s Vice President of Law, Marc Kartman (“Kartman”), to discuss
Lamb’s employment. Rockwell asserts that a performance improvement plan
(“PIP”) was developed during this meeting and presented to Lamb on March
28, 2013. During the meeting, Clement told Lamb that if she did not want to
participate in the PIP, she could resign with a severance package. Lamb
thought the PIP was unwarranted.
After this meeting, Lamb initiated Rockwell’s Employee Issue
Resolution (“EIR”) process, which is used to help human resources staff and
other managers to review employment-related decisions, to appeal her PIP.
Nothing in Lamb’s submissions as part of the EIR process mentioned her
concerns about SOX violations or other fraud. After an initial meeting with
Clement, Ward, and Anklam, Lamb initiated the next phase of EIR, which
brought in Vice President of Human Resources Kristin Fritz.
On April 7, 2013, while Lamb’s request for review was pending with
Fritz, Lamb sent an email to Kartman which, along with the interactions of
June 28, 2012, forms the centerpiece of this case. Kartman was not only the
Vice President of Law but also the company ombudsman, and it appears
Lamb’s email was intended to be a complaint to him in his ombudsman role.
Lamb calls the email a “SOX complaint” in which she complained
about her treatment by Clement, including her interactions with Clement on
June 28, 2012. She alleged that Clement had violated Rockwell “ethics” and
“department policies” when Clement made the GRC rule changes in an
attempt to side-step the IC-CAT. (Docket #34-13 at 1). Lamb stated that the
changes may have “potential significant impact to the organization.” Id.
Page 8 of 29
Lamb did not allege any corporate fraud or violation of SEC rule or
regulation. It appears that the reason she now calls it a “SOX complaint” is
because, as explained above, the rules changes related to Rockwell’s SOX
compliance program.
Despite intending to make an ombudsman complaint, Lamb
mistakenly sent the email to Kartman’s standard email address, not his
ombudsman address. When Kartman saw her email, he decided not to open
it for fear of creating a conflict of interest regarding the ongoing inquiry into
her employment, in which he was providing legal advice to Rockwell. He
never opened or responded to the email.
During the week of April 20, 2013, Lamb allowed an employee of an
outside contractor working with Rockwell to use her login credentials for the
SAP “sandbox,” which is a version of the system that allows users to
experiment with various inputs and settings without risking real-world data.
When Clement, Ward, and Anklam learned of this, they considered it to be
a serious violation of Rockwell’s password policies, which strictly prohibit
the sharing of login credentials. Lamb says, in essence, that it was not a big
deal, noting that the SAP sandbox has no impact on the company’s actual
data. No one agreed with her, and Anklam suspended Lamb on April 25,
2013, pending investigation into the matter. She instructed Lamb to turn in
her identification badge and leave the premises. Lamb said the decision to
suspend her was absurd and unfair, and when she left this meeting, she did
not immediately leave the premises. Instead, she used her work computer to
send an instant message to Dorgan and Kartman, seeking their help. Neither
responded. After thirty minutes, Rockwell security was called and escorted
Lamb off the property. After completing its review of the password-sharing
incident, Rockwell management, considering that incident alongside Lamb’s
Page 9 of 29
other alleged work deficiencies, decided to terminate her, effective April 30,
2013.
4.
ANALYSIS
SOX protects whistleblowers from retaliation by prohibiting
employers from “discharge[ing], demot[ing], suspend[ing], threaten[ing],
harass [ing], or in any other manner discriminat[ing] against an employee in
the terms and conditions of employment.” 18 U.S.C. § 1514A. This protection
extends to employees who lawfully act “to provide information, cause
information to be provided, or assist[ ] an investigation regarding any
conduct which the employee reasonably believes constitutes mail fraud, bank
fraud, securities fraud, or a violation of any rule or regulation of the SEC, or
any federal law relating to fraud against shareholders,” so long as the
assistance is provided to a person with investigatory authority. Harp v.
Charter Commc’ns, Inc., 558 F.3d 722, 723 (7th Cir. 2009) (citing 18 U.S.C. §
1514A(a)). In order to prevail on a SOX whistleblower claim, an employee
must meet the legal burdens of proof set forth in the Wendell H. Ford
Aviation Investment and Reform Act for the 21st Century, 49 U.S.C. §
42121(b), which requires the employee to first “‘prove by a preponderance of
the evidence that (1) she engaged in protected activity; (2) the employer knew
that she engaged in the protected activity; (3) she suffered an unfavorable
personnel action; and (4) the protected activity was a contributing factor in
the unfavorable action.’” Id. (quoting 49 U.S.C. § 42121(b)(2)(B)(iii)); Allen v.
Admin. Review Bd., 514 F.3d 468, 475–76 (5th Cir. 2008)). If the employee
establishes these four elements, the employer may avoid liability if it can
prove “by clear and convincing evidence” that it “would have taken the same
unfavorable personnel action in the absence of that [protected] behavior.” Id.
Page 10 of 29
As can be seen from the statutory language, part of the definition of
“protected activity” is that the employee herself believed that the conduct she
reported violated a law listed in Section 1514A(a), and that belief must have
been objectively reasonable. Id.; see also Day v. Staples, 555 F.3d 42, 54 (1st Cir.
2009); Livingston v. Wyeth, Inc., 520 F.3d 344, 352 (4th Cir. 2008). Objective
reasonableness is assessed “based on the knowledge available to a reasonable
person in the same factual circumstances with the same training and
experience as the aggrieved employee.” Harp, 558 F.3d at 723. The reasonable
person standard recognizes that “[m]any employees are unlikely to be trained
to recognize legally actionable conduct by their employers.” Nielsen v.
AECOM Tech. Corp., 762 F.3d 214, 221 (2d Cir. 2014). Accordingly, “the
inquiry into whether an employee had a reasonable belief is necessarily
fact-dependent, varying with the circumstances of the case.” Rhinehimer v.
U.S. Bancorp Inves., Inc., 787 F.3d 797, 811 (6th Cir. 2015).
In its motion, Rockwell contends that Lamb cannot establish the first,
second, and fourth elements of her prima facie case. The Court need only
address the first element—specifically, whether Lamb’s belief that there was
a violation of a law listed in Section 1514A(a)(1) was objectively
reasonable—to conclude that judgment should be entered in Rockwell’s
favor.
Assessing the objective reasonableness of Lamb’s belief requires a
careful description of the theory of liability she advances. Lamb claims that
changing the GRC rules would result in underreporting of the potential risks
to Rockwell’s SOX data. Yet her fear was not that the individuals whose
access went unmonitored engaged in or were likely to engage in fraud.
Instead, Lamb’s theory is that the fact of underreporting would itself lead to
a violation of federal law. In her view, this is because the SOD data collected
Page 11 of 29
would be incomplete as a result of underreporting, and that data would then
be passed on to Dorgan, and then corporate superiors and outside auditors
as part of Rockwell’s SOX compliance program, eventually ending up in the
hands of the top officials and auditors who had to sign off on Rockwell’s
financial statements. According to Lamb, those officials would then sign the
financial statements on the basis of incomplete information and thereby
violate the relevant SOX provisions because they could not certify the
effectiveness of the company’s internal controls over financial reporting.
Additionally,
this
same
underreporting
would
lead
to
material
misrepresentations in those financial statements.
Against the backdrop of this theory, the Court finds that no employee
with Lamb’s training and experience could reasonably conclude under the
circumstances that a violation of the relevant SOX provisions had occurred
or was imminent. To fully explain the basis for this conclusion, the Court
must first take a detour through the development of the law as it relates to
the “reasonable belief” standard. The Administrative Review Board (“ARB”)
of the Department of Labor, which adjudicates SOX whistleblower claims,
first considered the contours of the objective component of the “reasonable
belief” standard in 2006. Platone v. FLYI, Inc., ARB No. 04–154, 2006 WL
3246910 (ARB Sept. 29, 2006). In Platone, the ARB held that to qualify as
protected conduct, the employee’s complaint must (1) “definitively and
specifically” relate to one of the categories of fraud or securities violations
listed in Section 1514A(a)(1); and (2) “approximate. . .the basic elements” of
the fraud or securities violation to which the complaint relates. Id. at *8.
Circuit courts generally adopted these standards. See Van Asdale v. Int’l Game
Tech., 577 F.3d 989, 996–97 (9th Cir. 2009); Welch v. Chao, 536 F.3d 269, 275
(4th Cir. 2008); Allen, 514 F.3d at 477; Day, 555 F.3d at 54 n.8.
Page 12 of 29
In 2011, however, the ARB reversed course. Sylvester v. Parexel Int’l
LLC, ARB No. 07–123, 2011 WL 2165854, at *12 (ARB May 25, 2011) (en banc).
The ARB held in Sylvester that to satisfy the objective component of the
“reasonable belief” standard, the employee must simply prove that a
reasonable person in the same factual circumstances with the same training
and experience would believe that the employer violated securities laws. Id.
at *11–12. An employee’s mistaken belief in a violation of law may
nevertheless be objectively reasonable. Id. at *13.
Additionally, Sylvester held that an employee need not believe that a
violation has occurred or is presently occurring. Id. It is sufficient that “the
employee reasonably believes that the violation is likely to happen.” Id. at
*14. The ARB tied their conclusion to Title VII case law, which provides that
a report about a future violation is protected if the violation “‘[is] taking
shape,’. . .‘a plan [is] in motion’ to violate the law, or. . .a violation [is] ‘likely
to occur.’” Id. at *37 (quoting Jordan v. Alternative Res. Corp., 458 F.3d 332, 340
(4th Cir. 2006)). Still, “unsupported conjecture about hypothetical future
events” is not protected. Id.
No court has outright rejected the Sylvester standard. The Third Circuit
grants the ruling broad deference under Chevron U.S.A. Inc. v. Natural
Resources Defense Council, Inc., 467 U.S. 837 (1984), which requires courts to
defer to an agency’s permissible interpretation of a statute if Congress has
not spoken on the issue. Wiest v. Lynch, 710 F.3d 121, 131–32 (3d Cir. 2013).
Other Circuits have declined to decide whether the ARB’s decision in
Sylvester warrants Chevron deference and have instead found that its
conclusions warrant deference under the lesser form created in Skidmore v.
Swift & Co., 323 U.S. 134 (1944), which holds that an agency’s interpretation
Page 13 of 29
of a statute is only as controlling as it is persuasive, considering the
specialization and experience of the agency adjudicators. Rhinehimer, 787 F.3d
at 806; Nielsen, 762 F.3d at 220–21. The Eighth Circuit has “adopted” the
Sylvester standard without specifying whether it was according the decision
Chevron or Skidmore deference. Beacom v. Oracle Am., Inc., 825 F.3d 376, 380
(8th Cir. 2016). The Fourth and Tenth Circuits have addressed Sylvester but
found the plaintiff satisfied the more rigorous “definite and specific”
standard from Platone and therefore did not decide the effect of Sylvester on
their past precedent. Feldman v. Law Enforcement Assocs. Corp., 752 F.3d 339,
344 n.5 (4th Cir. 2014); Lockheed Martin Corp. v. Admin. Review Bd., 717 F.3d
1121, 1132 n.7 (10th Cir. 2013). The Seventh Circuit has not weighed in on the
effect of Sylvester on SOX whistleblower claims.
Notable, however, are recent holdings in the Second and Ninth
Circuits that do not accept Sylvester wholesale. In Nielsen, the Second Circuit
commented in a footnote that although it agreed with the ARB that Platone’s
“definite and specific” standard should be dispensed with, it questioned the
ARB’s conclusion that a plaintiff’s beliefs need not even approximate the
elements of a claim under a listed law in Section 1514A(a)(1) in order to be
objectively reasonable. Nielsen, 762 F.3d at 221 n.6. The Court of Appeals
observed that the statute’s plain language requires “plausible allegations that
the whistleblower reported information based on a reasonable belief that the
employer violated one of the enumerated provisions set out in the statute.”
Id. As the Second Circuit read it, “the statutory language suggests that, to be
reasonable, the purported whistleblower’s belief cannot exist wholly
untethered from these specific provisions.” Id.
Page 14 of 29
Similarly, although it did not address the interaction of Platone and
Sylvester, the Ninth Circuit very recently reaffirmed its pre-Sylvester rule that
“‘to have an objectively reasonable belief there has been shareholder fraud,
the complaining employee’s theory of such fraud must at least approximate
the basic elements of a claim of securities fraud.’” Rocheleau v. Microsemi
Corp., Inc., No. 15-56029, 2017 WL 677563, at *1 (9th Cir. Feb. 21, 2017)
(quoting Van Asdale, 577 F.3d at 1001). District courts have echoed the
concern that some amount of “tethering,” however minimal, must be
required to connect the plaintiff’s beliefs about wrongdoing to the fraudprevention purposes of SOX. See Wiggins v. ING U.S., Inc., CIVIL CASE NO.
3:14-CV-01089 (JCH), 2015 WL 8779559, at *4 (D. Conn. Dec. 15, 2015);
Berman v. Neo@Ogilvy LLC, 14-CV-00523 (GHW)(SN), 2016 WL 7975001, at
*6 (S.D.N.Y. Oct. 24, 2016); Erhart v. Bofi Holding, Inc., Case No.
15-cv-02287-BAS(NLS), 2016 WL 5369470, at *10 (S.D. Cal. Sept. 26, 2016).
The only sources of law Lamb cites to support her whistleblower claim
are SOX Sections 302 and 304, which translate to 15 U.S.C. §§ 7241 and 7262.
See (Docket #52 ¶ 18). Neither provides a basis for an objectively reasonable
belief that a SOX violation had occurred or was likely to occur. As explained
above, Section 7241 requires, among other things, that high-level corporate
officers certify in SEC reports that the report is true and not misleading. 15
U.S.C. § 7241(a)(2). That Section also requires those officers to certify that
they have designed effective internal controls over financial information. Id.
§ 7241(a)(4)(B). Similarly, Section 7626 requires Rockwell’s outside auditor,
Deloitte, to certify the effectiveness of its internal controls over financial
information. Id. § 7626(b). Lamb posits that the GRC rule changes, by hiding
risky levels of SAP access to financial information in the IT department,
would diminish the effectiveness of the company’s internal controls. Clement,
Page 15 of 29
in making these changes, robbed her superiors of relevant information, which
in turn caused them to violate the applicable statutes because their
certifications as to the effectiveness of their internal controls were false.
Understood in this way, it becomes clear why Lamb’s claim cannot
proceed further. A whistleblower claim requires an extant or likely, not
theoretical or hypothetical, violation of the law. No reasonable person in
Lamb’s place, with her training and experience, could have believed that
Clement’s conduct violated SOX, since the violation would be perfected, if at
all, only upon some later company official’s signing the SEC certification. In
other words, while Clement’s conduct might arguably have violated
Rockwell’s procedures, it was not a violation of federal law.2 Lamb says that
it is “against SOX regulation to intentionally under-disclose the true risk there
is to an organization.” (Docket #36 at 9). This is true, but it is likewise true
that no such disclosure would occur until the false data was transmitted to
the corporate leaders and they thereafter relied upon it in making SEC
certifications. In short, even if one assumes as true that Clement’s rule
2
During the relevant events, Lamb only cited internal Rockwell policies and
procedures when complaining about Clement’s conduct. Because she did not
complain of fraud, Rockwell insists that Lamb’s claim must fail. Nevertheless, the
Seventh Circuit in Harp instructed that as long as the conduct the employee reports
constitutes a violation of a listed law in Section 1415A(a)(1), it does not matter
whether the employee actually cited that law. Harp, 558 F.3d at 723. Thus, Lamb’s
emphasis on Rockwell’s internal rules is not a categorical basis on which to reject
the claim.
However, the Court is not convinced that the Harp rule should be taken too
far. SOX whistleblowers, who are not often lawyers, should not be expected to cite
the precise provision of law they believe was violated. But neither is it logical to
say that they need merely point to conduct that, if carefully analyzed by lawyers
after the fact, could be or lead to a SOX violation. It cannot be that those employees
who know the least about legal matters should be given the greatest leeway to
report whatever undesirable conduct they see and later be sheltered as unwitting
whistleblowers.
Page 16 of 29
changes “left Rockwell vulnerable to a lot of risk” and was inconsistent with
“industry best practice,” id., vulnerability is not itself a SOX violation, nor
does industry best practice equate to legal requirements.3
Lamb’s own expert agrees. Marks testified that the rule modification
in and of itself was not a violation of SOX. (Docket #52 ¶ 63). He stated that
“I do not believe there was a violation of SOX. I believe there may have been
a violation of other laws but SOX pertains to the company and its
management, not to individuals at Lisa Lamb’s level or her actions.” (Docket
#34-4 194:7–21). Looking at Clement’s conduct, Marks believed that it was
“potentially something that legal people would be concerned about[,] but I
don’t know that technically it’s a violation of SOX.” Id. 194:22–195:5.
Particularly relevant here, he noted that a SOX violation would not be
implicated because “we are not talking about a named officer of the
company, a certifying officer.” Id. 195:6–15. At most, he claimed that the
conduct at issue “would be a violation of potentially some other law or
regulation[,] whatever.” Id.
Although it is not directly relevant to whether Lamb had a reasonable
belief as to a SOX violation at the time of her reporting, it worth noting that
Lamb has never corroborated her theory with some concrete indication there
were material misrepresentations or omissions that made their way into
3
Lamb is emphatic that she believed that Clement was violating
SOX—specifically, the provisions discussed above relating to SEC certifications
about internal controls over financial reporting. See (Docket #36 at 7–11); (Docket
#1 ¶ 55). She does not say whether Clement’s conduct might alternatively
constitute a violation of any other law or regulation listed in Section 1514A(a)(1),
nor does she direct the Court’s attention to any such law, rule, or regulation.
Because Lamb binds her theory to the SOX provisions the Court discussed above,
and to no other sources of law, the Court will not consider whether the facts
support a theory based on violation of any other statute, rule, or regulation listed
in Section 1514A(a)(1).
Page 17 of 29
Rockwell’s financial reports. See (Docket #25 at 27–28); (Docket #50 at 8 n.3).
The slippage in her position is best summed up in her response to Rockwell’s
proposed fact that “Lamb does not know of any situation in which
Rockwell’s data was harmed (i.e., compromised or destroyed) as a result of
the June 28, 2012 modifications to Rockwell’s GRC rule set.” (Docket #52 ¶
58). Lamb responded that the fact is “immaterial” and proceeds to explain
why the GRC rules were a key control that would prevent management and
auditors from learning about high-risk SOD conflicts, which would in turn
lead them to be unable to certify that the company’s internal controls were
effective. Id.; see also id. ¶¶ 59–61. What is lacking, however, is evidence from
Lamb of any actual instance where her fear materialized; that is, a single
example in which a Rockwell executive or outside auditor made a
certification as to the corporate internal controls which was erroneous
because there existed uninvestigated, high-risk SOD conflicts in the IT
department.
Lamb testified that Clement’s actions constituted deliberate fraud in
that “false quarterly reports went to Dorgan,” who then passed them along
to the auditors, but she did not produce even one such report or identify a
false statement that in fact ended up in the auditors’ hands. (Docket #51 ¶
60); (Docket #46 248:3–249:5). Dorgan himself testified that Lamb’s work with
SOD conflicts was “just one small piece” of Rockwell’s overall SOX
compliance program and that it would be hard to imagine how
underreporting SOD conflicts would result in a material misstatement in a
financial report Rockwell ultimately produced. (Docket #54-2 21:3–22:19).
Dorgan opined that “SOX compliance can be achieved no matter what’s on”
the SOD conflicts report. Id. 70:7–19.
Page 18 of 29
The closest Lamb comes to establishing the results of the alleged fraud
is to say that “[s]ince 2011, Rockwell’s external auditors, Deloitte & Touche,
have identified SOD deficiencies.” Id. ¶ 62. She does not describe the SOD
deficiencies the auditors discovered, including whether they implicated
Lamb’s highly specific niche of SOD analysis in the IT department for
purposes of SOX compliance. Nor does she explain why SOD deficiencies
arising before June 28, 2012, would be relevant. She asks for greater
inferential leaps from the facts than they can support. The Court cannot infer
into
existence
the
lynchpin
of
Lamb’s
claim—namely,
that
a
misrepresentation occurred or was likely to occur. See Rocheleau, 2017 WL
677563, at *3 (no claim that suspected data manipulation constituted fraud
because, in part, “no false data was ever transmitted”).
In fact, although the scope and results of the investigations are not
explained by the parties, Lamb seems to believe that Rockwell’s internal
audit department investigated Clement’s rule changes. In her April 7, 2013
letter, Lamb reports that two additional IC-CATs were opened to probe the
problems created by Clement’s rule changes. (Docket #34-13 at 7–8). Thus,
even believing Lamb’s version of events, the changes did not pass unnoticed.
This further undermines her theory, which requires that Clement’s changes
be implemented and that no other safeguard, such as internal or external
auditing or other review, forestall the calamity that underreporting based on
those rules might cause. Moreover, Lamb emphasizes in the letter that she
sees Clement’s actions not as unlawful but as a serious violation of corporate
procedure that should be “subject to disciplinary action.” Id. at 8.
These observations lead into the next inquiry—whether a reasonable
employee in Lamb’s position could have believed that although a SOX
violation had not actually occurred, it was likely to occur in the future. Marks
Page 19 of 29
opined that, although Clement’s actions did not create an extant SOX
violation, a lay person looking at the rule changes would rightly have been
concerned about the potential damage excessive access privileges might
cause. (Docket #34-4 195:6–15).4 Evaluating this aspect of the “reasonable
belief” standard requires an appreciation of the dramatic change in the law
effected by Sylvester, which held that belief in an existing violation is not
required. Sylvester, 2011 WL 2165854, at *14. If Sylvester had not be issued,
Lamb’s claim would undoubtedly be dead on arrival. See Livingston v. Wyeth,
Inc., 520 F.3d 344, 350–51 (4th Cir. 2008) (finding that a violation must have
already occurred or be ongoing to sustain a whistleblower claim); Walton v.
Nova, No. 3:06-CV-292, 2008 WL 1751525, at *9 (E.D. Tenn. Apr. 11, 2008). But
applying even Sylvester’s generous standard, Lamb’s claim nevertheless fails.
As noted above, Sylvester requires a whistleblower to reasonably
believe “that the violation is likely to happen.” Sylvester, 2011 WL 2165854,
at *14. This is not a place for open speculation; instead, the violation must be
“taking shape,” “in motion,” or “likely to occur” to suffice. Id. at *37
4
Lamb and Marks also speculate that the purported violation
here—inaccurate assessment of internal control over financial reporting—is
typically addressed as a violation of the Securities Exchange Act of 1934, not SOX.
(Docket #34-4 195:6–15). This is the most explanation the Court gets from her on
this point, however, and so the Court is left wondering what her theory is as to a
violation of the 1934 Act as opposed to SOX. Notably, in her legal brief she only
cites SOX provisions as the basis of her claim. As the Court has already explained,
it will not go fishing through securities law and regulation for provisions Lamb
may have believed were violated. See supra note 3.
Similarly, Lamb, looking at Marks’ testimony from the vantage point of
summary judgment, notes that he never said the rule changes were not “a violation
of an appropriate SOX compliance program,” though she does not point to any
statute that defines “an appropriate SOX compliance program.” (Docket #52 ¶ 63).
In fact, Marks noted that the SEC recommends certain procedures but does not
require a particular program to be implemented. (Docket #54-5 48:10–49:10).
Page 20 of 29
(quotation omitted). The ARB reiterated that “unsupported conjecture about
hypothetical future events” is not protected. Id. In adopting Sylvester, the
Third Circuit opined that this principle applies to those who perceive an
“imminent” violation. Wiest, 710 F.3d at 133.
The undisputed facts make clear that no reasonable person in Lamb’s
position could have believed that a SOX violation was imminent at the time
of her reporting. Lamb had been with the company for twenty-five years and,
by her own account, she had obtained a huge breadth of experience in
managing privilege access and participating in company audits and
compliance procedures. Yet with this knowledge and experience, she did not
consider the scope of Rockwell’s financial reporting or the other processes in
place to ensure the integrity of its internal controls over financial information.
Rather, the person with the best vantage point for such concerns, Dorgan,
testified that the activities of the IT controls team formed only a small part
of Rockwell’s total SOX compliance program. (Docket #54-2 at 21:3-22:19).
Whatever oversight Lamb made at the time, no reasonable person in her
place would perceive that a substantial step had been taken toward a SOX
violation. See Bishop v. PCS Admin. (USA), Inc., No. 05 C 5683, 2006 WL
1460032, at *8 (N.D. Ill. May 23, 2006).
Lamb acknowledged at the time of her reporting that her fears
regarding SOX compliance were only speculative. In her email to Kartman of
April 7, 2013, she states that Clement’s actions “were a violation of Rockwell
ethics with potential significant impacts on the organization.” (Docket #34-13 at
1) (emphasis added). At the time of her email, there is no indication that she
believed that any purported “impacts” had materialized or would do so
imminently. See Bishop, 2006 WL 1460032, at *8 (“A reasonable belief that
implementing certain procedures will be insufficient to prevent violations is
Page 21 of 29
not, by itself, a reasonable belief that a violation has occurred or been
attempted.”); Andaya v. Atlas Air, Inc., No. 10 CV 7878(VB), 2012 WL
1871511, at *5 (S.D.N.Y. Apr. 30, 2012) (plaintiff’s fears of potential insider
trading did not suffice as report of misconduct under Section 1514A(a)).
Now, armed with this lone, vague statement in her letter, Lamb asks the
Court to pile inference atop inference to fill in the gaps in her evidence.
Although the Court must draw inferences in her favor, it cannot stretch the
evidence as far as she requires.
Take the Seventh Circuit’s whistleblower in Harp. In his dissent, Judge
Tinder described the employee, an internal auditor who expressed concern
about potential fraudulent payments that were about to be made to a
corporate vendor. Harp, 558 F.3d at 728. Her detailed knowledge of imminent
fraud, even if ultimately mistaken, was clearer than Lamb’s fear that some
effect might be felt by someone down the line if the SOD conflicts were not
resolved. Likewise, in Stewart v. Doral Financial Corp., 997 F. Supp. 2d 129, 137
(D.P.R. 2014), the CEO himself instructed employees to cook the books,
which is much more proximate to a SOX violation than a potential risk to the
company’s financial data which might undermine the effectiveness of the
company’s internal controls, assuming these fears materialized and were not
otherwise rectified along the way. In short, Lamb has magnified her limited
role at Rockwell within its SOX compliance program. See Hill v. Komatsu Am.
Corp., Case No. 14–cv–02098, 2015 WL 5162129, at *4 (N.D. Ill. Aug. 26, 2015)
(executive’s concern that repair and maintenance reserves might be too low,
which might lead to misrepresentations in financial statements, was too
tenuous to be considered a concern that securities fraud had occurred). She
has no evidence to support this other than Marks’ averment that her duties
were or should have been a key control in the process, something Dorgan at
Page 22 of 29
least implicitly contested with his undisputed knowledge of the corporation’s
multifaceted SOX compliance program. See (Docket #54-2 21:3–22:19).
Finally, the Court observes that even if everything had turned out as
Lamb feared, and Rockwell’s directors and auditors produced false
certifications and financial reports with some measure of misleading
information, she still would not be able to proceed. Here, Nielsen and
Rocheleau come into play, because they declined to adopt Sylvester’s holding
that a whistleblower need not even approximate the elements of a claim
under a listed law. Nielsen, 762 F.3d at 221 n.6; Rocheleau, 2017 WL 677563, at
*1. This Court agrees with that conclusion, as other district courts have, and
when the facts available to Lamb are stacked against the relevant cause of
action, it is beyond dispute that Lamb’s claim must fail.
In the instant case, Lamb’s claimed SOX violations do not arguably
constitute mail fraud, wire fraud, bank fraud, or securities fraud, nor are the
statutes she cites a rule or regulation of the SEC. As a result, her claim falls
into the catch-all clause of Section 1514A(a)(1), for violations of “any
provision of Federal law relating to fraud against shareholders.” 18 U.S.C. §
1514A(a)(1). Because a whistleblower claim sited in this clause must be
minimally tethered to the shareholder fraud cause of action, a whistleblower
plaintiff must establish at a minimum that it was objectively reasonable to
believe that the conduct in question would have some appreciable effect on
the shareholders. See Nielsen, 762 F.3d at 222–23. Despite the broad,
protective policy objectives of SOX, “[n]othing in the text of § 1514A. .
.suggests that SOX was intended to encompass every situation in which any
party takes an action that has some attenuated, negative effect on the revenue
of a publicly-traded company, and by extension decreases the value of a
shareholder’s investment. . . . [E]xtending SOX’s protections in this way
Page 23 of 29
presents obvious overbreadth concerns that risk making SOX a general
anti-retaliation statute applicable to any private company that does business
with a public company.” Gibney v. Evolution Mktg. Research, LLC, 25 F. Supp.
3d 741, 748 (E.D. Pa. 2014) (internal quotations and alterations omitted).
In Nielsen, the Second Circuit reviewed a complaint by a fire
engineering manager that one of his subordinates was approving engineering
plans without actually reviewing them. Nielsen, 762 F.3d at 217. His superiors
did not take corrective action, and when the manager threatened to resign,
he was fired. Id. The Second Circuit concluded that the manager, in reporting
his subordinate’s conduct, could not reasonably have believed that it
constituted something approximating shareholder fraud. Id. at 222. The
complaint contained no allegations that the fire safety review was required
by any federal statute or regulation or that the allegedly inadequate fire
safety review posed any specified safety hazard. Id. Nor did the manager
allege that the fire safety review was important to the company’s operations.
Id. Thus, the Court of Appeals found, consistent with Sylvester, that the
manager’s concerns related to “‘such a trivial matter’” as to fall below the
threshold for protected activity. Id. (quoting Sylvester, 2011 WL 2165854, at
*19). The company in question was an international firm, and the manager’s
allegations of wrongdoing in its fire safety review—only one, minor part of
its operations—were “simply too tenuous” in their connection to potential
shareholder fraud. Id. at 223.
The Second Circuit also offered a useful contrast between its case and
the more egregious misconduct raised in Sylvester. Id. Before the ARB were
allegations that a company performing drug testing for pharmaceutical
manufacturers falsified information in that testing for several major clients.
Sylvester, 2011 WL 2165854, at *2–4. Some employees refused to participate
Page 24 of 29
in this falsification, and their superiors did nothing about the problem despite
repeated complaints. Id. These employees suffered threats and retaliation and
were eventually terminated just months after their initial complaints. Id.
In contrast to Sylvester, the challenged conduct in Nielsen was not
sufficiently important to the employer’s business, nor was the employer
sufficiently complicit in the misconduct. Nielsen, 762 F.3d at 223. Viewed
favorably, the allegations in Nielsen did not raise the inference that the
misconduct the employee reported “would have significant repercussions for
[the employer] or, by extension, its shareholders.” Id.; see also Wiest, 710 F.3d
at 124–25 (after well-publicized Tyco fraud scandal, corporate accountant
could reasonably conclude that executives continued to engage in similar
fraudulent conduct); Deltek, Inc., v. Dep’t of Labor Admin. Rev. Bd., 649 F.
App’x 320, 328 (4th Cir. 2016) (employee, with help of knowlegeable coworker, reasonably concluded that company was submitting false invoices
to Verizon to cover losses); Robinson v. U.S. Dep’t of Labor, 406 F. App’x 69,
71 (7th Cir. 2010) (objectively reasonable belief of fraud where employee
discovered that her employer, Discover, was inflating its assets by not
charging off customer bankruptcies).
Lamb’s case, although involves the collection of data relevant to SOX
compliance, nevertheless suffers from the same weakness that doomed the
employee’s claims in Nielsen. Other than her assertion that remediating SOD
conflicts in the corporate IT department was a key control for SOX
compliance, she offers nothing to substantiate how Clement’s misconduct
would have a meaningful, or even noticeable, effect on Rockwell as a whole,
much less its shareholders. To follow Lamb on this point, the Court would
have to find that (1) high-risk SOD conflicts in the IT department would go
unremediated; (2) this risk rendered Rockwell’s internal controls ineffective;
Page 25 of 29
(3) Rockwell’s certifications that the controls were effective made after June
28, 2012, would be false; and (4) this would cause some loss to the company
or shareholders. At best, the evidence supports only the first of these steps.
Thus, whether or not Clement’s conduct was wrongful, it is far too
attenuated from the welfare of the shareholders to fall within the SOX ken.
See Westawski v. Merck & Co., CIVIL ACTION NO. 14-3239, 2016 WL 6082633,
at *11–12 (E.D. Pa. Oct. 18, 2016) (concluding that “minor discrepancy” in
company’s financial statements did not have a “material effect” on them that
would implicate shareholder fraud).
Even the principle that a reasonable, though mistaken, belief as to a
violation does not help Lamb here. Sylvester, 2011 WL 2165854, at *13. This
is not a case where the whistleblower might be understandably unsure
whether the employee engaging in the relevant misconduct met each and
every element of a fraud claim, including scienter, materiality, and loss. Zinn
v. American Commercial Lines, Inc., ARB Case No. 10-029, 2012 WL 1143309,
at *4 (Dep’t of Labor Mar. 28, 2012). While the wrongdoer’s state of mind and
the pecuniary effect of certain conduct might be hard for an individual
employee to determine, here the problem is not so complex. Lamb’s mistake
is
whether
the
fundamental
requirements
of
a
fraud
claim—a
misrepresentation that had some effect on shareholders—ever occurred or
would occur imminently. This basic feature of shareholder fraud is something
even a lay person can be expected to assess.
Moreover, although Lamb need not have known with certainty
whether Clement had the state of mind required for shareholder fraud, it is
notable that the information available to Lamb actively undermined such a
conclusion. Recall that Lamb believed that Clement, in requesting the rule
changes, wanted to avoid the ire of her superiors for not completing an
Page 26 of 29
assigned task. See (Docket #36 at 5–6). Lamb did not believe, at the time of
her report or now, that Clement acted with the intent to deceive
shareholders. This further destabilizes the reasonableness of her belief that
shareholder fraud had or would occur. Allen, 514 F.3d at 480. It also shows
how a run-of-the-mill office dispute between subordinate and supervisor
should not be transformed, without good reason, into a case about corporate
fraud. See Verfeuth, 2016 WL 4507317, at *5 (cautioning against treating “runof-the-mill corporate problems into claims of securities fraud”).
SOX “was intentionally written to sweep broadly, protecting any
employee of a publicly traded company who took such reasonable action to
try to protect investors and the market.” 149 Cong. Rec. S1725–01, S1725,
2003 WL 193278 (Jan. 29, 2003). By failing to show how anything less than a
lengthy, unbroken string of hypothetical scenarios and unsupported
inferences could work harm on the company or the shareholders, Lamb has
not connected her report, nor her beliefs about the report, to SOX’s
admittedly broad purpose. Consequently, Lamb’s claim must be dismissed
without the need to reach any of the other myriad questions the parties
presented.
Page 27 of 29
5.
CONCLUSION
On the undisputed facts in the record, Lamb cannot establish that she
held an objectively reasonable belief that Clement’s actions constituted an
extant or likely violation of any law listed in the SOX whistleblower statute.
As a result, her complaint must be dismissed.5
Accordingly,
IT IS ORDERED that Defendant Rockwell Automation, Inc.’s motion
for summary judgment (Docket #24) be and the same is hereby GRANTED;
IT IS FURTHER ORDERED that Plaintiff Lisa Lamb’s first claim for
relief, for whistleblower retaliation in violation of the Sarbanes-Oxley Act of
2002 (Docket #1 at 17), be and the same is hereby DISMISSED with
prejudice;
IT IS FURTHER ORDERED that, all of Plaintiff Lisa Lamb’s claims
for relief having been dismissed, this action must be DISMISSED with
prejudice; and
IT IS FURTHER ORDERED that Plaintiff Lisa Lamb’s motion to
compel and stay (Docket #55) be and the same is hereby DENIED.
The Clerk of the Court is directed to enter judgment accordingly.
5
On April 2, 2017, Lamb filed a motion to compel discovery responses from
Rockwell and stay Rockwell’s summary judgment motion pursuant to FRCP 56(d).
(Docket #55). The motion must be denied. It comes after summary judgment
briefing has been completed, including Lamb’s own response, which was filed
more than a month ago. If she had wanted additional information to prepare her
response, a motion to stay should have been filed as soon as she had reviewed
Rockwell’s summary judgment motion and determined that the factual record was
not adequately developed (ideally within a few days). At the very least, the motion
to stay should have come no later than her response due date. Thus, her request
for additional time to “more fully dispute” Rockwell’s statements of fact, (Docket
#55 at 3-5), is untimely.
Page 28 of 29
Dated at Milwaukee, Wisconsin, this 7th day of April, 2017.
BY THE COURT:
J.P. Stadtmueller
U.S. District Judge
Page 29 of 29
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?