You are the Company's top in-house employment lawyer buried with work in the middle of your busy workday. Suddenly, a copy of a legal threat letter, settlement demand, and draft lawsuit pops up in your email. The letter and draft lawsuit contain a former salesperson's allegations of financial fraud occurring within the Company.

The allegations pertain to the Company's internal sales plan, which incentivizes sales employees to sell monthly maintenance service contracts for software programs. The former employee claims she had learned that the software programs did not need monthly maintenance, and the maintenance services did not actually enhance the programs' operation.

The former employee was a top sales producer. She alleges the Company terminated her unlawfully in retaliation for complaining to her manager about the fraudulent nature of the sales incentive plan, and for trying to stop the Company from further using the plan. The draft lawsuit alleges various federal and state-law whistleblower retaliation claims, and other wrongful termination claims.

The former salesperson had been making north of $385,000 in total compensation. She claims she would have continued to work for the Company for at least three more years, most likely longer. Her settlement demand is $1,325,000, in addition to attorneys' fees, in exchange for which she will agree to provide a full release of claims and stay silent. The threat letter gives the Company five business days to accept the demand before she files the lawsuit in court.

Equally disturbing, you notice how her draft lawsuit contains detailed allegations that identify and disclose a massive amount of the Company's internal confidential business information, including:

(1) the dollar amounts charged to each customer for the software programs' maintenance service contracts;

(2) the dollar amounts of the Company's monthly and annual revenue and profit margins made off the contracts;

(3) the dollar amounts of the commission percentages the sales employees are receiving on each sale, including in comparison as a percentage of their overall annual compensation;

(4) in exhibits attached to the draft complaint, the name of the customers, identity of the customers' key personnel, their contact information, and the amounts paid by each customer for a monthly service contract over the last three years;

(5) in exhibits attached to the draft complaint, copies of internal email communications from various customers questioning the effectiveness of the maintenance services purchased; and

(6) in exhibits attached to the complaint, a copy of the entire internal sales incentive plan.

Understandably, your initial reaction is something along these lines:

"Damn! This former employee looks like a legally protected whistleblower. But, she obviously has taken a huge amount of confidential business information. She's using the information to support her termination claims.

But, if she files the lawsuit, she'll be disclosing — in a publicly available court docket — the Company's highly confidential and competitive business information. This will embarrass the Company, cause competitive harm, and damage customer relationships.

Competitors also will have immediate access to the Company's sales incentive program and other highly competitive business information — and their access will be for free.

But, she's stolen the information! We need to take legal action against her to prevent this from happening and to try to get the Company's information back."

The scenario above identifies two competing but equally important legal concepts. One concept concerns the Company's long-established legal right to protect its creation of and economic investment in its competitive business information.

The other concept involves an equally important policy to foster whistleblowing — i.e., to protect the public from fraudulent or other unlawful conduct, and to protect legitimate whistleblowers from unlawful retaliation.

This includes allowing whistleblowers lawfully to (a) disclose internal Company business information — including documents and "trade secret" information — to an appropriate governmental enforcement agency in order to support a report of possible unlawful conduct that has occurred or is occurring within the Company; (b) "misappropriate" "trade secret" information and use the information to support of the whistleblower's retaliation claim; and (c) take and use other confidential business information — even if in violation of a contractual non-disclosure agreement (NDA) — to make legitimate reports to a governmental enforcement agency and to support whistleblower retaliation and other employment-related claims.

When these legal concepts clash simultaneously, the law provides certain protections to both the Company and to the whistleblower. But, the law only goes so far.

The law also imposes certain legal obligations on both the Company and the whistleblower. These legal protections and obligations can become blurred, and the legal protections are not complete for either side.

Generally speaking, NDAs are lawful in every state in the United States. NDAs often include strong enforcement and remedy provisions, including the Company's right to seek temporary and permanent injunctive relief against the unauthorized possession, use or disclosure of the Company's confidential business information and trade secrets.

Other remedies include actual damages caused by a breach and, if the Company successfully negotiated these terms into the NDA, possible liquidated damages and the recovery of reasonable attorneys' fees, legal costs and expenses incurred in enforcing a breach of the NDA.

Notably, while claims for breach of an NDA normally are straightforward and require proof of traditional elements of a breach of contract claim, that's not always the case when a whistleblower is involved.

A body of federal case law has emerged that addresses a whistleblower's "justified" theft of a company's internal business information, such as where the theft is to support whistleblowing to a government agency or a whistleblower's retaliation lawsuit.

A mix of authority exists across the United States for when a whistleblower may be "excused" from violating an NDA. Generally, the courts will focus on: (1) what information was taken; (2) why it was taken; (3) how it was taken and how much was taken — targeted or indiscriminately; and (4) to whom it was disclosed and why.

A "law school exam" example of such a court decision is the U.S. District Court for the Southern District of California's lengthy order in Erhart v. BofI Holding.

In Erhart, the whistleblower was an internal auditor for a federally chartered bank. During his employment, he removed a massive volume of the bank's highly confidential and trade secret information.

This information included internal audit reports, audit committee meeting minutes, bank regulators' supervisory information, lists of customer accounts, specific customer account information, customers' Social Security numbers, documents concerning law enforcement and SEC inquiries, wire transfer details, and portions of customer loan files.

Denying the bank's motion for summary adjudication of the bank's breach of an NDA claim, the Erhart court held that under California contract law, the whistleblower may not have violated the standard NDA.

Instead, the court discussed at length how California state courts will not enforce an NDA if doing so will violate California's public policy, including California's strong policy in favor of whistleblowing.

Other courts outside of California have reached similar conclusions; however, still other courts have upheld a breach of NDA claim against a whistleblower's "theft" of internal confidential business information, regardless of the whistleblower's intent or purpose.

Bottom line — under current case law, a whistleblower's "self-help" may be permissible despite a breach of the plain language of an NDA.¹

In addition to the case law — which may or may not protect a whistleblower from a breach of an NDA claim — the NDA itself may contain an express "carve out" for certain use and disclosure of internal business information for whistleblowing purposes.

Certain federal laws, and federal agency regulations and enforcement decisions, compel employers to include such "carve outs" in NDAs.

These "carve outs" are intended to promote whistleblowing about potentially unlawful conduct, while protecting the whistleblower legally. Some common "carve outs" contained in NDAs include:

This rule applies to publicly traded companies — i.e., companies with securities registered under Section 12 of the Securities and Exchange Act or companies required to file reports under Section 15(d) of the Act. SEC Rule 21F-17(a) provides:

No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement (other than agreements dealing with information covered by § 240.21F-4(b)(4)(i)² and § 240.21F-4(b)(4)(ii)³ of this chapter related to the legal representation of a client) with respect to such communications.

In 2014, the SEC's Office of the Whistleblower initiated very aggressive enforcement of SEC Rule 21F-17 against publicly traded companies whose NDAs did not contain an express exception — in compliance with Rule 21F-17 — for employees and former employees to report possible violations of securities laws or rules to the SEC.

SEC enforcement decisions also began to penalize employers whose NDA provisions required whistleblowers to provide prior notice to and obtain permission from the employer — such as from the company's General Counsel — before communicating with and disclosing confidential business information to the SEC.

A significant number of SEC enforcement decisions under SEC Rule 21F-17 have imposed six-figure monetary penalties on public companies. Today, in any enforcement action the SEC initiates — for any type of potential SEC rule violation — the SEC commonly will look for compliant Rule 21F-17 language in the company's NDAs.

The SEC will add a Rule 21F-17 violation to the enforcement action if the SEC does not see the necessary language. Such enforcement actions also have picked up pace under the Biden administration.⁴

OSHA also has taken the position on how NDAs — including in settlement agreements involving OSHA-governed whistleblower retaliation claims — cannot restrict a whistleblower's ability to (a) provide information to OSHA; (b) participate in an investigation; (c) file a complaint with OSHA; or (d) testify in OSHA proceedings based on the Company's past or future conduct.

Also, because OSHA enforces approximately 25 federal whistleblowing statutes — including the Sarbanes-Oxley Act — OSHA's "carve out" requirement has broader reach than SEC Rule 21F-17, since OSHA governs employers that are not publicly traded companies.

The EEOC has taken a similar approach to OSHA's. The EEOC proactively has attacked NDAs that interfere with an individual's rights to communicate directly and voluntarily with the EEOC about possible legal violations.

FAR regulations bar federal contractors and subcontractors from receiving federal contract funds if the contractor or subcontractor requires its employees to enter into NDAs that restrict the employees from lawfully reporting to the government waste, fraud and abuse occurring in connection with the federal contract.

The National Labor Relations Act (NLRA) protects "concerted activities," including when two or more employees discuss terms and conditions of employment, including compensation or possibly unlawful conduct.⁵

The NLRA's protections also apply to employees who are not represented by a labor union. Against this backdrop, the National labor Relations Board ("NLRB") has determined that NDAs cannot restrict an employee's ability to communicate directly with the NLRB and to disclose internal company information to the NLRB, which may reflect or constitute a violation of the NLRA.

The federal Defend Trade Secrets Act (DTSA) provides an employer with a multitude of legal and equitable remedies to seek against a trade secret misappropriator.⁶

In addition to injunctive relief to stop further misappropriation and compel the preservation or return of the information, the DTSA's civil remedies include recovery of: (i) actual damages; (ii) unjust enrichment "caused by the misappropriation of the trade secret that is not addressed in computing damages for actual loss"; or (iii) "in lieu of damages measured by any other methods…imposition of liability for a reasonable royalty for the misappropriator's unauthorized disclosure or use of the trade secret."

The court can also award "exemplary" damages of no more than two times the amount of actual damages awarded if the evidence shows the trade secret was "willfully and maliciously misappropriated."

Finally, "if a claim of the misappropriation is made in bad faith," if a motion to terminate an injunction is made or opposed in bad faith, and/or if the trade secret was "willfully and maliciously misappropriated," the court can award reasonable attorney's fees "to the prevailing party."

Similar state-law remedies also remain available, as the DTSA expressly states it does not preempt available state-law remedies.

Finally, crime reporting and possible criminal prosecution for trade secret misappropriation always remains available under the DTSA's parent statute, the Economic Espionage Act (EEA).

But, garnering the U.S. government's interest in prosecuting a day-to-day misappropriation of an employer's internal business information, where the misappropriation does not amount to theft of a large volume of highly secret business information that could have national or international implications, can be a challenge.

Uniquely, the DTSA provides limited legal immunity to whistleblowers who misappropriate trade secret information for certain whistleblowing purposes.

Recognizing the equally important but conflicting policies between encouraging whistleblowing while also trying to protect an employer's legitimate trade secrets, the DTSA protects whistleblowers from civil and criminal liability — under federal and state trade secret laws — if the whistleblower misappropriates the trade secret information for specific reasons and in a specific manner.

Namely, the DTSA's immunity extends to the whistleblower if the possession, use and disclosure of the trade secret information:

(A) is made: (i) in confidence to a federal, state, or local government official, either directly or indirectly, or to an attorney; and (ii) solely for the purpose of reporting or investigating a suspected violation of law; or:

(B) is made in a complaint or other document filed in a lawsuit or other proceeding, if such filing is made under seal.⁷

Note how the DTSA's legal immunity protection for whistleblowers is limited and does not apply to unauthorized misappropriation of trade secrets beyond what Section 1833(b) allows.

Also, the immunity is only for misappropriation in violation of federal and state trade secret laws. Thus, there is no immunity if (1) the information taken is not a "trade secret" as defined in 18 U.S.C Section 1839(3); or (2) the taking violates other laws, as described below.

For example, there is no legal immunity for the common "grab and bolt" misappropriation of trade secret information if it is taken for competitive business purposes, such as a salesperson who downloads and takes internal customer sales information to use in a new job with a competitor.

In addition, and in what may have been a drafting oversight by Congress, the DTSA's immunity protections do not provide whistleblowers with any legal immunity for violations of other types of civil and criminal laws beyond the federal and state criminal and civil trade secret misappropriation laws.

Thus, there is no legal immunity:

•for breach of contract claims for violating an NDA that do not have a "carve out" as noted above.

•for violations of various civil tort common law, such as common-law conversion or breach of fiduciary duty.

•for violations of certain federal and state computer-use laws which prohibit the unauthorized access to or the misuse of another's computer. Although, keep in mind the U.S. Supreme Court's 2021 decision in Van Buren v. United States, which greatly narrowed an employer's ability to sue under the federal Computer Fraud and Abuse Act to challenge an employee's computer-based misappropriation of trade secret information. But, certain states have similar computer misuse laws that may provide civil and criminal remedies.

In addition, federal courts are beginning to develop certain "guideposts" and factors in deciding how broadly to recognize the DTSA's immunity defense.

These have included assessing the significance to the company of the trade secret information and documents taken; whether the whistleblower has filed a retaliation lawsuit using the information and documents; whether the whistleblower turned over the trade secret information and documents to their attorney and/or to the government; and the whistleblower's other plans, if any, to use the information and documents.

So, back to our terminated salesperson who is demanding $1,325,000 plus attorneys' fees under the threat of filing a publicly available lawsuit that will disclose damaging confidential business information.

What immediate legal actions can the Company take against the former employee? What action should the Company take — and not take? What legal rights did she have to take, possess, and use the Company's confidential business information and trade secrets to support her threatened whistleblower retaliation lawsuit and/or to report to a government agency? Can she lawfully provide the internal business information — including the Company's internal documents — to her lawyer and/or to a governmental compliance or enforcement agency?

In today's world of whistleblower protections and avoidance of unlawful retaliation, the action steps can be, well, complicated.

Here are some practical suggestions:

•Contact IT — First, in a confidential manner alert the Company's IT department about the situation and determine the location of whatever computer and other electronic device(s) she was using for the Company's business purposes. If it has not been done already, ask IT to shut down her access to the Company's computer system. Also, ask IT if it can image and search the hard drive of the computer she was using to determine if she recently downloaded any internal Company information to a thumb drive or similar device, or emailed information to a gmail or cloud account, etc. If she did, ask IT for an inventory that includes dates, times, and subject matter. If the Company owns the mobile phone she was using, and if this has not been accomplished already, obtain the phone back from her immediately. Then have IT image and search of the phone. If she owns the phone, if possible, ask her or her counsel to make it available to IT for imaging and then wiping of the Company's business information off the phone. There should be a protocol put in place for IT to accomplish this remotely, including without obtaining or viewing her personal information, photographs, videos, etc. If IT cannot handle these tasks, consider retaining and using a third-party forensics computer firm.

•Locate and review any NDA or other restrictive covenant agreement she may have signed — review and assess any NDA and other restrictive covenant agreement the Company has in place with her. Is her soon-to-be disclosure of the Company's confidential business information and trade secrets permitted under any "carve out" in the NDA? If so, to what extent, precisely? If not, consider whether she will be in breach of the NDA if she ends up filing a lawsuit. Are there any other post-employment covenants contained in the NDA? Note those covenants as well and begin to determine what the Company expects from her as far as her compliance with any other post-employment covenants. Also, note what remedies the NDA provides to the Company for enforcing a breach. In particular, does the NDA provide for the recovery of attorneys' fees — to either party — depending on who prevails? Also, is there an agreed venue and choice of law provision that would govern any lawsuit?

•Assess the parties' respective rights under the DTSA — note her trade secret misappropriation as well as her civil and criminal immunity rights under the DTSA. Consider asking her counsel to ensure that any complaint, per the DTSA, that contains the Company's trade secret information must be filed under seal. Note the Company's legal and equitable remedies under the DTSA, and under state common law, where no DTSA immunity exists.

•Reach out to her legal counsel — don't be shy — contact the former employee's legal counsel and acknowledge receipt of the threat letter, money demand, and draft complaint. If you think it is in the Company's best interest and will be supported by key business decision makers, indicate to her counsel a willingness to discuss her allegations and demands. But, as a condition for the same, ask for more time than five business days and for her agreement to delay filing any lawsuit if and while the parties are talking and exploring a possible resolution.

•Instruct her legal counsel to direct her to preserve the status quo — while the Company certainly can demand the immediate return of any documents and electronically stored information (ESI) that constitute or contain the Company's confidential business information and trade secrets, as set forth above, she may have certain legal rights to possess and use the information and documents for purposes of whistleblowing and to support her anti-retaliation lawsuit.

A nuanced and compromise approach to consider would be to instruct her legal counsel, in writing, about (1) the Company's rights under the NDA and the DTSA to maintain the confidentiality of its trade secret and other internal business information; (2) her legal obligations to do the same, including under the DTSA's "filing under seal" requirement; and (3) the Company's request that she preserve the confidentiality of the information and to not use or disclose it for any other purpose while the parties are talking and, if such talks fail to achieve a resolution, for any purpose beyond which any NDA "carve out" or the DTSA allows.

In other words, for example, she cannot disclose the information to or use it for the benefit of a business competitor.

Another possibility would be to propose downloading and transferring all such information and documents into a secure share-file site, with a password-protected portal, so that both the Company and the former employee and her counsel will have access to the same information and documents until the matter, including any litigation, is resolved.

Who pays for setting up the site, who will have access to it, and who will pay to maintain the site becomes a matter of negotiation between the parties.

•To sue or not to sue — if any talks and negotiations fail to reach a resolution, or if none occur, the Company may determine it needs to sue the former salesperson to try to secure and seek the return of its confidential business information and trade secrets. Certainly, this is doable if the facts and applicable law support doing so — subject to any NDA "carve out" and the DTSA's civil and criminal immunity for trade secret misappropriation discussed above. But, keep in mind that even if there is a factual and legal basis for suing the whistleblower, as a practical matter doing so may create a perception that the Company (a) is trying to silence and punish the whistleblower; and (b) has something to hide. So, how any such lawsuit or counterclaim is drafted and advanced in litigation needs to be carefully analyzed and orchestrated with these possible adverse "perceptions" against the Company in mind.

•Potential criminal prosecution — this is a possibility under the Economic Espionage Act (and possibly under various state laws) for trade secret misappropriation. State-law criminal theft of property and/or unauthorized use of a computer system are other possibilities.

But, triggering such a prosecution has its risks and challenges. Also, ethically, in-house and outside counsel cannot "present, participate in presenting, or threaten to present criminal charges solely to obtain an advantage in a civil matter."

So, a threshold decision needs to be made on whether to contact criminal law enforcement right away, or to try to resolve the matter civilly and then subsequently contact law enforcement.

With the former, the government may not be interested in becoming involved in a "civil business dispute" or, if it does decide to become involved, it may take over the situation entirely and the Company could lose control. The government's goals and time frame for its investigation and prosecution also may be vastly different from the Company's goals and time frame.

If the Company waits to resolve the matter civilly and then contacts the government, the government may appreciate how the Company has done the legwork on an investigation and gathered the material facts and evidence.

But, the government may also view the matter as being resolved and may not be interested in pursuing it criminally at that point. Reputation in the industry of an unsuccessful prosecution, potential civil liability for malicious prosecution, and whether the former employee actually is a legitimate whistleblower with a legitimate retaliation claim — and a person who does not deserve to have criminal charges alleged against her — are other considerations to keep in mind.

1 For a more thorough discussion of these type of cases, see the May 14, 2018, Littler Report, "Purloined Letters": Management Options When a Departing Employee Puts a Business Entity at Risk by Collecting Confidential Business or Personal Information for Use in the Employee's Personal Litigation, by Edward T. Ellis, Kevin E. Griffith, Earl M. Jones, III, Jill M. Weimer, Christian A. Angotti, and Bryan M. Gramlich.

2 https://bit.ly/3OhWv4w

3 https://bit.ly/3zI9kRC

4 For a more thorough review of the SEC's enforcement actions under Rule 21F-17, see previous Littler Insights and ASAPs by Kevin E. Griffith and Earl (Chip) M. Jones III, SEC Issues Cease-and-Desist Order Against Severance Agreement Clause Limiting Whistleblowers' Rights to Recover Bounty Awards, Littler Insight, (Aug. 12, 2016), https://bit.ly/3nf9Ijj; and Philip M. Berkowitz, Philip N. Storm, Gregory Keating, and Kevin E. Griffith, SEC's Attack on Confidentiality Agreements, Littler Insight (Apr. 6, 2015), https://bit.ly/3O0veE3.

5 See generally 29 U.S.C. § 158(a)(1), https://bit.ly/3tJrmix, (making it an "unfair labor practice for an employer to interfere with, restrain, or coerce employees in the exercise of their rights" under 29 U.S.C. § 157); 29 U.S.C. § 157, https://bit.ly/3OkxvcP, ("[e]mployees shall have the right ... to engage in other concerted activities for the purpose of ... mutual aid or protection").

6 The DTSA is an amendment that Congress enacted in May 2016 into a federal trade secret criminal statute called the "Economic Espionage Act" (EEA). As originally enacted, the EEA provided only criminal remedies for governmental criminal prosecutions for trade secret misappropriation. After numerous failed efforts, in 2016 Congress finally amended the EEA to provide private civil remedies — as well as certain express protections for whistleblowers who misappropriate trade secret information. Congress named this amendment the "Defend Trade Secrets Act."

7 See 18 U.S.C Section 1833(b).