On January 19, 2017, in Pratt v. M & T Bank Corp., the U.S. District Court for Delaware found an information technology auditor at M & T Bank could not support his Delaware Whistleblower Protection Act (the Act) claim with allegations that he was fired for reporting violations of data privacy laws. In granting M & T Bank’s motion for summary judgment on this issue, the court stated, “[t]his is a case of an auditor that did his job too well, or not well enough…that is for the jury to sort out.”
In his complaint, the plaintiff, Charles Pratt, Jr., alleges that he worked for M & T Bank for 17 months before he was fired from his job in the audit department of the bank’s information technology security team. During his employment, Pratt claims “that his reports of data security violation, requests for further testing, and objections to misleading reports were why [M & T Bank] wrote him up and ultimately fired him.” In short, Pratt claims M & T Bank violated data privacy laws including the Gramm-Leach-Bliley Act and HIPAA. M & T Bank argued that violations of these laws are not covered under the Act.
Pratt’s first cause of action was based on an alleged violation of the Act. The Act protects employees fired for reporting violations of certain state and federal laws. In particular, a violation under the Act for fraud is defined as:
“an act or omission…that is [m]aterially inconsistent with, and a serious deviation from, financial management or accounting standards implemented pursuant to a rule or regulation promulgated by the employer or a law, rule, or regulation promulgated under the laws of this State, or the United States, to protect any person from fraud, deceit, or misappropriation of public or private funds or assets under the control of the employer.”
The court found Pratt’s first cause of action failed because he did not claim M & T Bank violated any financial management or accounting standards as required under the Act. Further, the court found “[t]he legislative history of the Act reinforces the intuition that the statute refers to how a business manages and accounts for its finances.” The court further noted that “the fraud provision of the Act was added in 2004, in the wake of the Enron scandal.” Based on the legislative history, the court held that “the Act reaches only standards related to finances, not data privacy” and granted M & T Bank’s motion for summary judgment on the Act claim.
This case demonstrates how the development of cyber security is impacting the laws currently on the books and the need to at least revisit these laws. In Pratt, the court discusses how the fraud provision in the Act “was added in 2004, in the wake of the Enron scandal” and “at its core, the Enron scandal involved the fraudulent accounting and reporting of Enron’s earnings and debts.” Data security was not a pressing concern for many corporations in 2004. Further, corporate officers were not facing potentially dire consequences for not having proper security measures in place or ignoring employees’ calls for proper security measures to be taken. Consequently, the argument made by the plaintiff in Pratt, that he was fired for reporting data security issues, may become an issue for legislatures to start considering when they review the protections currently offered by Whistleblower Protection Acts.