Working with Whistleblowers

as an Advocacy Organization

Many organizations and activists are interested in the information whistleblowers offer but are not in the business of representing whistleblowers or providing advice about their rights, risks and options for disclosure. Whether your organization is actively soliciting information from whistleblowers, or if an employee approaches your organization with evidence of serious wrongdoing, keep the following information in mind.
 

What is

Whistleblowing?

Understand the

Risk of Reprisal

Appreciate the

Legal Landscape

Reconsider Anonymity

Develop

Trust

Information

Security

Protect Your

Organization

Share

Best Practices

What is Whistleblowing?

A whistleblower is an individual who discloses information that he or she reasonably believes evidences: a violation of law, rule or regulation; gross mismanagement; a gross waste of funds; abuse of authority; or a substantial and specific danger to public health or safety.

The Whistleblower Protection Act

The Whistleblower Protection Act is the primary law that gives most federal employees the right to report serious wrongdoing free from reprisal. The WPA gives most federal employees the right to disclose information, both internally to co-workers, managers, organizational hotlines, or an agency Inspector General and externally to Congress, regulators, the media, or watchdog organizations.

Disclosures of "Lesser" Misconduct and Policy Disagreements

If the misconduct does not fall into a category of concern as outlined above, it does not mean that the concern isn't important, valid, or even corrosive to workplace integrity. Likewise, an employee may have a legitimate dispute about a decision of management.

However, if an employee’s concern is not about legal violations, gross mismanagement, a gross waste of funds, abuse of authority, a substantial and specific danger to public health or safety, the disclosures would not rise to a level that would meet the standard of “whistleblowing” protected under the WPA or most other whistleblower protection laws.

Similarly, if an employee’s disagreement with a policy decision is rooted in a difference of opinion, rather than about the specific consequences of the policy decision that the employee reasonably believes would result in legal violations, gross mismanagement, gross waste of funds, abuse of authority or a substantial and specific danger to public health or safety, that policy disagreement would not constitute protected whistleblowing under the WPA.

Illegal Non-Disclosure Policies

It is illegal to gag federal employees and contractors from blowing the whistle. In fact, the Whistleblower Protection Enhancement Act mandates that any policy, directive, or form limiting employee speech must include explicit language that informs employees that their rights to blow the whistle supersede the terms and conditions of the nondisclosure agreement or policy.

The First Amendment

The First Amendment protects federal employees’ ability to speak in their private capacities, on their own time, about matters of public concern. For speech to be protected under the First Amendment, courts must determine that the public benefit of the speech outweighs the government’s interest in efficient operations free from disruption.

Generally speaking, public employees are covered by the First Amendment when engaging in public discourse about political, social, or community concerns as private citizens, such as writing a letter to the editor critical of policy choices or speaking at a public meeting about climate science as a concerned citizen.

Whistleblower Protections for Federal Contractors and Grantees

Government contractor employees and federal grant recipients who work for non-intelligence federal agencies also have whistleblower protections. The National Defense Authorization Act (NDAA) for FY 2013 extends with better due process the Whistleblower Protection Act (WPA) rights for federal civil service employees. The NDAA rights cover all individuals performing work on a government contract or grant, including personal services contractors and employees of contractors, subcontractors, grantees, or subgrantees.

Whistleblower Protections for Intelligence Community (IC) Workers

A separate legal patchwork allows Intelligence Community (IC) employees and contractors to lawfully report wrongdoing and receive protection from retaliation. Created to safeguard classified information while allowing oversight from both internal and external federal watchdogs, the system requires workers, whether they be case officers or analysts or support staff, to follow the disclosure process outlined in the Intelligence Community Whistleblower Protection Act (ICWPA) of 1998 in order to obtain protections from retaliation.
 

The ICWPA allows intelligence employees to make “protected disclosures” of “urgent concerns” to either their agency’s Inspector General or the Inspector General of the Intelligence Community. Urgent concerns may include serious or fragrant violations of laws, gross waste, or improper administration relating to an intelligence program. Urgent concerns may also include lying to or willfully withholding information from Congress, as well as certain retaliation or threats of retaliation for making a protected disclosure of an urgent concern.

Understand the Risk of Reprisal

No matter how right they are about wrongdoing, corruption, and public safety threats, employees who speak out often suffer reprisals rather than thanks. Allies that support whistleblowers— including journalists and advocacy organizations—are also vulnerable to retaliation.

Reprisals against whistleblowers can take a range of forms, including: retaliatory investigations, gag orders, removal of duties or resources, reassignment, public humiliation, surveillance, management efforts to recruit complaints by peers, poor performance appraisals, threats, harassment, termination, violence, and lawsuits for defamation.

It is important not to underestimate the risk of aggressive reprisal strategies that an employer can take against an employee who has exposed its wrongdoing. Not only can these destroy a whistleblower, but they can chill others in that organization or industry from disclosing concerns in the future. 

Appreciate the Complicated Legal Landscape

Understanding that whistleblower law is complicated can help protect your source.

No single law protects whistleblowers from reprisal. Instead, a patchwork of First Amendment rights, more than 60 federal laws and statutes, and numerous state and local laws offer whistleblowers protections and avenues for disclosure. In addition, laws protecting whistleblowers have different remedies, different procedural steps and different paths for enforcement.

​

Organizations that do not offer direct legal assistance to whistleblowers should not attempt to conduct the legal analysis necessary to evaluate possible legal remedies for a source. However, understanding that the legal landscape is complicated should prompt organizations to prioritize consulting with experienced legal counsel, and to encourage the source to do the same to maximize protection and minimize risk. 

​

Figuring out what legal protection might be available to a specific whistleblower depends
on several factors: 

What is the nature of the information? The federal Whistleblower Protection Act (WPA) allows most federal employees to challenge nearly any significant abuse of authority with consequences for the public. Whether protection exists depends on whether the issue the whistleblower is disclosing relates to an area that is subject to regulations and rises to a level of severity to demonstrate a violation, abuse or threat of harm.

​

​Who is disclosing the information? Different protections apply depending on whether the whistleblower is a federal employee, a federal contractor, a corporate employee in a publicly traded versus a privately held company, an intelligence/national security employee, a state or municipal employee, a citizen of another country or an employee of an international organization.  

​

Is the information classified? In the United States, whistleblowers have no legal protection to publicly release classified information. Indeed, it is a criminal offense for which they could be prosecuted. Similarly, there is no protection to publicly share information whose confidentiality is specifically protected by a statute, such as the Trade Secrets Act or the Privacy Act.
  

​
Where was the disclosure made? Local and state protections vary significantly and can sometimes preempt federal remedies or limit the choice of venue for appeals.

To whom and how was the disclosure made? Whether protection exists might depend on whether the whistleblower disclosed concerns as part of their job duties or on personal initiative; whether they disclose internally to co-workers, supervisors, union representatives, ethics officers, ombudspersons; or whether they report externally to Congress, an Inspector General, an oversight agency, a watchdog organization, or the media. Certain laws may also mandate that the whistleblower report the concerns to specified parties in a prescribed order to receive protection.

What reprisal has the employee experienced? Different laws protect against differing kinds of retaliation taken in response to whistleblowing. The federal WPA outlines specific prohibited personnel actions that cannot be taken in retaliation for protected whistleblowing activity. Most federal corporate whistleblower laws protect against any discrimination sufficiently severe to create a chilling effect on the exercise of associated rights, a broader standard, while some state common law rights protect only against wrongful discharge but not reprisal short of termination. 

When did the employee became aware of the reprisal? Statutes of limitations differ widely, ranging from 30 days to three years or none.

Anonymity: Challenges & Consequences

If information provided by a whistleblower is going to be used in public, risk-free anonymity simply cannot be guaranteed. Because the vast majority of employees raise concerns internally first, or because the information can be connected to an employee’s job duties and expertise, an employer may be able to quickly identify the likely source.

​

Public disclosure may be safer and more effective. Going public, with the whistleblower serving as a human interest focal point for news stories, can sustain the whistleblower’s viable legal rights.

Despite the greater insulation and effectiveness that speaking out publicly often affords whistleblowers, many still request anonymity. While hotlines using secure communication technology may seem to address this concern, it may fail to provide whistleblowers with attorney-client privilege.

Anonymous hotlines encouraging external whistleblowing should not only utilize secure communication practices, they should offer informed legal advice or referrals to attorneys experienced in whistleblower law. 
 

Developing Trust With Whistleblowers

Often whistleblowers are bewildered and scared not only by the risks they have assumed, but by an alien world of strangers, new contexts and new rules with which they are unfamiliar. This usually is entirely new territory for people who do not think of themselves as whistleblowers and have no experience navigating the landscape of news, politics or advocacy tactics.

Below are some pointers for public interest groups to earn the trust of their sources by ensuring the paramount importance of their protection. 

Partner with a lawyer to protect the source if you plan to go public with information. In addition to analyzing rights, risks and strategies to maximize effective and safe disclosure, a lawyer can help issue warnings to an employer of zero tolerance for retaliation. This can create a presumption of misconduct for any reprisal tactics and also potentially  protect witnesses who might support the whistleblower’s claims.

​

Work with congressional staff who can support oversight efforts and help protect the source. Being willing to think strategically about the most effective way to protect the employee and ensure that action is taken on the disclosure establishes solidarity and alignment of interests.

​

Honor all commitments, from scheduling to substantive, or provide advance notice if they must be adjusted. 
  

​
Be clear about confidentiality from the beginning, including your commitment to maintaining it along with the true limits of your ability to guarantee it. 

Be clear about what protection you can provide, including your commitment to maintaining it along with the true limits of your ability to guarantee it.

​
Make whistleblowers’ protection a visible priority so they feel the relationship is a two-way street, rather than being mere “evidence objects” who will be discarded when no longer needed. 

​

Provide a safe environment for interviews and communications.

Engage in active listening during interviews. Feeling heard is significant for whistleblowers to open up further. 

​
Engage in visible quality control. Even if there will not be an affidavit attesting to concerns, have the whistleblower read and confirm that the report of interview is accurate. They must agree that they said what you say they did. 

​

Enfranchise the whistleblowers in the larger context by asking their opinions and brainstorming with them. They may have more to offer than expected or previously realized. 

​
Network to expand the scope of witnesses once trust with the pioneer whistleblower has been established. Sometimes a community will form around support for the investigation, which means you will almost certainly crack the case.

​

Sustain the relationship. Following through can earn a steady stream of new issues and updated evidence or cultivate a source of expertise for help with verification of other investigations in the future.

Information Security

If an employee has come to you with information about serious wrongdoing, your organization should exercise special care in communicating with the employee source to ensure that the employee retains the flexibility to consider all options in making choices about the best, and safest, ways to disclose information.

Sources should not contact advocacy groups using work-related email accounts, computers, or telephones. Whistleblowers who are current employees should use non-work computers scanned for monitoring software or malware that could be used to record their activities. They also should consider using both secure operating systems that the individual controls and an anonymous web browser (such as Tor).

​

Be careful about how you ask for documents. It’s always better to phrase a request as “How could I obtain documents to back up what you’re saying?” rather than directly ask a source to provide actual documents. For classified documents, note that it might be illegal to instruct or directly aid a source in sharing classified information with someone who does not have the proper clearances or “need to know.”
  

​
Handle electronic documents with care. Be careful about transmitting documents electronically, especially if they are going through a third party. Anything sent via email (e.g., Gmail), stored on Google Drive, or added to an internal calendar could be subject to a subpoena issued to the third-party service that may not be as committed to protecting the identities of its users.

​

Use Signal or encrypted email for communication and document exchange. Encrypting emails makes it so the content is only readable by you and the recipient. If encrypted properly and without compromise (i.e., free from malware that allows spying on your or the whistleblower’s computer activities), the government will only be able to see the metadata of the email (e.g., the header information containing details about the email recipient and sender, the date and the subject line), but the content of the message will remain encrypted and unreadable. 

​
Store sensitive documents securely. Ideally, sensitive paper documents should be stored in a secured office, safe or locked file cabinet. Electronic documents can be encrypted and stored on a flash drive that can then also be stored in the secured physical location after deleting unencrypted copies stored elsewhere.

​

Be cautious about original documents. Do not post the originals online, where identifying features could be discovered. Printers leave nearly invisible identifying markings that can be used to track down the source of the disclosure. If you insist on posting sensitive documents, consider re-creating or re-typing your own version for use or disclosure.

Remove metadata from documents or photos posted online. Make sure to remove the metadata, such as the location a photo was taken, a watermark, or track changes. You can use tools like Document Inspector (which can remove metadata from Microsoft Office files) to remove much of this information. If you are redacting names or other information from a PDF by covering it with black bars, make sure you’ve actually permanently hidden the information. Export your file as a JPEG, then make it a PDF again, otherwise someone will be able to delete the redactions you made and see the information hidden under them. When hiding an image, doing it with a full black block will always be safer than blurring it.

Do not give original documents, or anything else, to another source while verifying your source’s allegations. You may trust your other contact, but you should not take the risk—many agencies and businesses have implemented “insider threat” programs to deter and detect perceived threats to information security. These programs encourage employees to report suspicious activity. Be careful even describing the information and how you obtained it to avoid putting your verifying source in a position of choosing between loyalty to you or loyalty to their employer.

​

Protect your communication with your coworkers about your source. At times, the government and corporate sectors have spied on advocacy organizations to monitor their work and to find their information sources. Locking sensitive files in a dedicated room, locking computers, using encrypted tools to discuss sensitive issues or the source are all important best practices to implement in the workplace. 

​
Install an app to remotely wipe your phone if it is lost or stolen by activating the Android Device Manager for Android devices and the Find My iPhone on iCloud.com for iOS devices.

​

Be careful about crossing international borders, particularly U.S. borders, with sensitive information on your phone and computer, including names and contacts.

Protecting Your Organization

If your organization is considering working with or acting on information provided by a whistleblower, it is wise to consult with a lawyer with whistleblower expertise before using material supplied by an employee source. 

Always remember, though, that while the whistleblower came to you with the intention of having the information used so the problem identified might be addressed, what is in the whistleblower’s best professional interest to minimize the risk of reprisal may conflict with various advocacy strategies. 

Referring an employee who wants to share information to an experienced attorney, and offering to work with the whistleblower and the lawyer to ensure that advocacy efforts are undertaken responsibly to both promote reform and protect the source, will help build trust with whistleblowers by demonstrating that your organization cares and is paying attention  to their welfare. Advocacy groups who work with whistleblowers will be the good and bad advertisements for others who consider coming forward to share their knowledge. New potential whistleblowers might come forward if earlier whistleblowers are treated wisely and well.

Advise Whistleblowers on Best Practices

You can help your source mitigate risks by alerting them to a few basic best practices he or she should consider when deciding to blow the whistle:

Advise Whistleblowers on Best Practices

You can help your source mitigate risks by alerting them to a few basic best practices he or she should consider when deciding to blow the whistle:  

Before exposing themselves to risks, whistleblowers should talk to an experienced lawyer so as to make an informed choice about taking those risks. Also, if an employee drops out in the middle after realizing the price of dissent, wrongdoers will be better off by being able to cover up evidence and chill future employees from blowing the whistle. 

They should consult with their loved ones, who will be sharing the consequences of the whistleblowing to a significant degree, before taking the risk. If whistleblowers make the decision alone to take on the power structure, they may well end up alone. Loss of family is far worse than loss of job.

They should continue to work within their system as long as possible without incurring suspicion.  It can backfire badly for a whistleblower to make aggressive internal allegations from a lonely perch of isolation. By contrast, without making charges, whistleblowers can be the insider eyes and ears that allow NGOs to stay one step ahead of their adversaries. If whistleblowers raise issues internally in a non-threatening manner, they can learn and share with NGOs the advance previews for cover-ups.

They should create a contemporaneous paper trail or diary of everything that happens, including when they raised complaints and issues, and whether they faced any retaliation.​

They should keep evidence in a safe place. Authorities usually are not limited in access to the whistleblower’s workplace, but home storage of documents can also be risky, potentially subjecting a whistleblower to a pretextual but seemingly valid discipline and harassment such as expanded retaliatory investigations. Since agencies have subpoenaed, searched and ransacked homes, the best choice is to secure the evidence with the whistleblower’s attorney, where it is shielded by attorney-client privilege. 

Without giving themselves away, they should test the waters and organize support for themselves among their colleagues,  if possible. This is necessary for quality control. A second set of eyes can ensure the accuracy and legitimacy of the concern. Seeking support can also determine whether there is a sufficient solidarity base of supporting witnesses for the disclosure to have an impact. If the whistleblower is isolated, making allegations alone again could backfire by guaranteeing that those engaging in misconduct will weather the storm.

If there are legitimate liability concerns attached to blowing the whistle, coach them on how to secure and protect evidence without removing it. Tactics such as taking cell phone pictures on a personal (not work) phone can secure documents that otherwise would be destroyed. Whistleblowers can also reproduce memorized documents at home. 

Keeping an index of critical documents is another strategy, as is hiding incriminating documents and electronic records in a camouflaged (misnamed) file in their work computer so that they are not lost and can be shown to law enforcement later if an employer tries to destroy evidence. These strategies can help prove the whistleblower’s claims while limiting vulnerability to charges of theft of records. If there is uncertainty, do not keep records without a legal opinion confirming lawfulness. 

If maintaining anonymity is a priority, they should communicate with you through secure means, including using Signal, SecureDrop, or snail mail with no return address.

Your source should not contact you while they are at work. A whistleblower should not use work equipment either, including office phones, computers, or even paper. Otherwise, he or she can be fired for engaging in personal business with the employer’s time and resources.​

They should turn off location tracking in their phone before taking any pictures of documents, and strip any metadata from documents before sending them. NGOs are well-advised to maintain a relationship or retainer with professionals experienced in removing traceability. 

Use an advocacy group as the beach head for a coalition. Solidarity is the magic word for whistleblowers to make a difference and survive. It can be a fatal mistake for an employee, or a public interest organization, to try to do everything alone. Normally a hostile bureaucracy surrounds the isolated whistleblower. The most effective contribution an organization can make is to facilitate strategic matchmaking—getting the truth into so many hands that an awakened, informed majority of stakeholders surrounds the bureaucracy, reversing the balance of power.

Contact Government Accountability Project

 We are the international leader in whistleblower protection and advocacy.

A non-partisan, 501(c)(3) non-profit organization, Government Accountability Project actively promotes government and corporate accountability by providing legal representation to whistleblowers and ensuring their disclosures make a difference. Our longstanding work with more than 8,000 whistleblowers has involved working for decades in the areas of public health, food safety, national security, human rights, immigration, energy and the environment, finance and banking, and international institutions, as well as expanding whistleblower protections domestically and internationally.

​

Solidarity with other advocacy organizations is critical to amplifying the importance of whistleblowers’ disclosures and demanding reform. In partnership with your organization, Government Accountability Project stands ready to offer pro bono legal and strategic advice and support to employees considering reporting, or who have already reported, misconduct.