In Erhart v. BofI Holding, Inc., et al. 15-cv-02287-BAS-NLS (Feb. 14, 2017), the United States District Court for the Southern District of California held that enforcing a confidentiality agreement between an employee and employer would violate public policy where an employee appropriated company documents while purportedly acting as a whistleblower. The case is notable because the decision, in essence, sanctioned an employee’s appropriation of information, including consumer personal information, as a “whistleblower.” The decision also held that violation of an employer’s confidentiality agreement could be excused if the violation were committed for “whistleblower” purposes.
Erhart involved two consolidated actions that revolve around state and federal whistleblower protection laws. Charles Matthew Erhart was employed as an internal auditor at BofI Federal Bank when he discovered what he believed to be wrongful conduct. Specifically, BofI asked Erhart to remove a finding that BofI had violated California’s Invasion of Privacy Act from an audit, made statements that indicated that senior management may be falsifying the company’s financials, failed to obtain approval of the company’s strategic plan and budget for fiscal year 2015 from the Board of Directors, and falsely responded to a subpoena from the SEC that it did not have any information regarding the matter being investigated. Erhart reported the conduct to BofI’s principal regulator, the United States Department of the Treasury’s Office of the Comptroller of the Currency, and later filed a whistleblower action against BofI under state and federal law, alleging that BofI had retaliated against him.
Upon filing the lawsuit, The New York Times published an article titled “Ex-Auditor Sues Bank of Internet.” The share price of BofI’s publicly-traded holding company plummeted thirty percent. As a result of the Times article, BofI brought a countersuit against Erhart alleging that he violated California state law and the Computer Fraud and Abuse Act (18 U.S.C. § 1030) by publishing BofI’s confidential information and deleting hundreds of files from his company-issued laptop. The court consolidated BofI’s countersuit with Erhart’s whistleblower retaliation action. BofI moved for summary judgment.
Opposing the motion, Erhart stated in a declaration that he was “fearful that the Bank [BofI] would delete or alter material information, based on what [he’d] seen management do in the past” and therefore needed to find alternative ways to preserve information. Notably, Erhart conceded that he had transmitted confidential information to his mother, including an e-mail containing a spreadsheet of BofI customers’ social security numbers, and had used his girlfriend’s computer to access and download BofI documents. Nevertheless, the court concluded that Erhart had made a sufficient showing for purposes of the motion that his actions were warranted to protect relevant information from what he had reasonably perceived was at risk of destruction. In so holding, the court recognized the strong interest in the enforcement of confidentiality agreements like the one signed by Erhart, but also acknowledged that whistleblowers often need documentary evidence to substantiate their allegations. Accordingly, the court refused to summarily adjudicate Erhart’s whistleblower defenses.