When IT Business Edge began following Cardinal Bancshare CFO David Welch's case two years ago, it seemed there were new whistleblower stories in the news every day. In early 2007, whistleblower attorney Jason Zuckerman explained the apparent uptick this way:

... [E]mployees have become more aware of their right to blow the whistle on fraud and securities law violations without suffering retaliation .... Another reason that Sarbox cases may be increasing is that the burden of proof...is favorable to employees. If an employee can demonstrate by a preponderance of the evidence that her protected disclosure was a contributing factor (not the sole factor) in the employer’s decision to take an adverse employment action (termination, suspension, harassment, blacklisting, etc.), the employer must then demonstrate by clear and convincing evidence that it would have taken the same adverse action in the absence of complainant’s protected conduct.

For Welch, though, the problem was not connecting the whistleblowing to his termination. The appeals court agreed with a federal administrative review board that he did not show that the activity on which he "blew the whistle" (i.e., violating U.S. GAAP and the company's internal controls) was also a violation that would fit into one of Sarbanes-Oxley's categories of "protected activity." He didn't even get to showing that his termination resulted from the whistleblowing.

And Welch is not alone in receiving an adverse outcome. A study by University of Nebraska law professor Richard Moberly revealed that the administrative review board has never ruled in favor of a Sarbanes-Oxley whistleblower. Not once in the six years since Sarbanes-Oxley became law.

Sarbanes-Oxley section 806 provides protection to employees of publicly traded companies who blow the whistle on activity they reasonably believe is protected. Four of the six categories of "protected activity" involve federal criminal violations found in Title 18 of the U.S. Code: frauds and swindles (section 1341), wire fraud (section 1343), bank fraud (section 1344), and securities fraud (section 1348). The other two are a bit broader: Securities and Exchange Commission rules violations, and violation of any federal law that addresses fraud against shareholders.

So why isn't anyone winning? Moberly dug into decision makers' written opinions to find out where the problems had been, and he discussed his findings in a recent IT Business Edge interview. "In an overwhelming amount of cases, decision makers found that whistleblowers weren't getting their claims within the boundaries of the Act," he said.

Generally, those errors fell into three categories: 1) failing to get claims in within the 90-day statute of limitations; 2) failing to prove that the employer was a publicly traded company, which is narrowly defined in Sarbanes-Oxley; and 3) like Welch, failing to prove that the activity they had complained of fell within one of the six "boxes" in the act that defined "protected activity."

Moberly also noted that the agencies investigating employees' claims are interpreting those claims very narrowly. Given this information, and especially in light of the Fourth Circuit's decision in Welch's case, Moberly says, potential plaintiffs (and their attorneys) should be very clear when they are making their claim about which of the six Sarbanes-Oxley "boxes" the activity they complained about fits. In fact, he even suggests that someone who is considering blowing the whistle should consult an employment law attorney first — before reporting anything — to make sure the activity is protected under the Sarbox whistleblower provisions.

Understanding what's protected and what's not is key, according to Moberly, and that's where the biggest problem lies.

"Employees are not actually well attuned to their level of protection or lack thereof," he said. "Most employees are at will ... And yet employees believe that they will be protected by the law if they report things like theft or fraud. In many cases that's just not true .... The details and the twists and turns of what protects you and what doesn't don't make it to the normal employee."

The employee who is retaliated against should file their claim quickly so as not to miss the 90-day deadline, and it's also important to document.

"And from a cynical perspective," Moberly says, "[you] need to have a spotless record. The typical response from an employer ... They are going to go back through your record with a fine-toothed comb, and that will be the justification for why they fired you."