NOT PRECEDENTIAL
UNITED STATES COURT OF APPEALS
FOR THE THIRD CIRCUIT
_____________
No. 19-2897
_____________
THOMAS REILLY,
Appellant
v.
GLAXOSMITHKLINE, LLC
_____________
On Appeal from the United States District Court
for the Eastern District of Pennsylvania
(D.C. Civil No. 2:17-cv-02045)
District Judge: Honorable J. Curtis Joyner
_____________
Submitted Pursuant to Third Circuit L.A.R. 34.1(a)
April 14, 2020
_____________
Before: CHAGARES, SCIRICA, and ROTH, Circuit Judges
(Filed: July 16, 2020)
____________
OPINION*
____________
*
This disposition is not an opinion of the full Court and, pursuant to I.O.P. 5.7, does not
constitute binding precedent.
CHAGARES, Circuit Judge.
Appellant Thomas Reilly claims he was wrongfully discharged by his former
employer GlaxoSmithKline (“GSK”) in retaliation for reporting his concerns regarding
computer stability and security in GSK’s global manufacturing and financial servers.
The District Court granted summary judgment to GSK for Reilly’s claim under section
806 of the Sarbanes-Oxley Act of 2002 (“SOX”), 18 U.S.C. § 1514A(a). We will affirm.
I.
We write only for the parties, so our summary of the facts is brief.
A.
GSK is a publicly traded global pharmaceutical company. Reilly worked for GSK
for sixteen years in its Information Technology (“IT”) Department, first as an Analyst
and then as a Senior Consultant on the AS/400 service team (“AS/400 Team”). The
AS/400 is a computer operating system manufactured by IBM that hosts manufacturing
and financial applications for portions of GSK’s business. Reilly’s job responsibilities
included designing, engineering, and delivering AS/400 servers, and remediating
performance and security issues relating to them. He did not set internal security
controls.
Beginning in 2011, Reilly complained about “[s]erious security exposures [and]
serious performance problems” with the AS/400. Joint Appendix (“JA”) 84. His
concerns included the decision to uncap the AS/400 processors and resulting performance
issues. Uncapping processors allows one server to use capacity from another server if
capacity is available. Reilly believed that uncapping the processors resulted in the
2
AS/400 servers becoming “destabilized” — in effect, causing “bad performance” and
“corrupted data.” JA 94. First, he complained to his supervisor Jo Taylor, who noted
that “it was IBM’s recommendation to turn on Shared Processors,” JA 220, and then he
emailed Taylor’s supervisor to report the same concerns regarding server stability and
uncapped processors. An IBM representative told Reilly that “[r]egarding uncapped
versus capped [processors,] there is no right or wrong answer” because “[i]t depends on
the workload and what other resources are assigned.” JA 246. Taylor decided to cap the
processors, putting Reilly in charge of the recapping. Ultimately, performance issues
persisted even after the processors were capped.
In 2013, Reilly reported an additional concern about computer security: that some
AS/400 “users . . . are identified as having more authority than the standard or [GSK’s]
system access management plan would” allow. JA 164. Reilly was placed in charge of
remediating these access privilege issues, but eventually, Taylor took over and addressed
the security risk.
Dissatisfied with GSK’s response to his previous complaints, on January 2, 2014,
Reilly escalated his complaints to GSK’s Global Compliance Office. He detailed his
concerns with AS/400 server performance issues and his disagreement about enabling
uncapped processors. A year later, on January 15, 2015, Reilly further escalated his
complaints to GSK’s CEO. In his email, Reilly noted that the problems, which included
the “stability, quality control and compliance of the AS[/]400 computer systems . . . could
eventually lead to drug manufacturing quality problems, financial data irregularities and
even more FDA penalties against GSK.” JA 323. He also noted that the risks he
3
complained of should have been, but were not, disclosed in GSK’s 2013 annual report to
the U.S. Securities and Exchange Commission (“SEC”).
In response to Reilly’s complaints, GSK conducted two investigations. The first,
completed in 2014, found Reilly’s complaints unsubstantiated. The second, following
Reilly’s email to the CEO, determined that Reilly’s complaints “regard[ing] . . . the
stability of the AS[/]400 system” were “unfounded.” JA 339.
Form 20-F — part of GSK’s annual report to the SEC — provides certifications as
to “internal control over financial reporting.” JA 356, 370. GSK’s 2013 and 2014 20-F
Forms identified numerous risk impacts including the “[f]ailure to adequately protect
critical and sensitive systems and information [which] may result in [GSK’s] . . . business
disruption including litigation or regulatory sanction and fines.” JA 355, 369. The
Forms also noted that GSK “rel[ies] on critical and sensitive systems and data” and
“[t]here is the potential that malicious or careless actions expose [GSK’s] computer
systems or information to misuse or unauthori[z]ed disclosure.” JA 355, 369. GSK also
disclosed the “[r]isk to the Group’s business activity if critical or sensitive computer
systems . . . are not available when needed, are accessed by those not authori[z]ed, or are
deliberately changed or corrupted.” JA 355, 368.
B.
In 2013, GSK started a program to reorganize Reilly’s department; as part of this
reorganization, GSK decided to outsource the AS/400 system to a third-party vendor.
GSK announced the outsourcing in March 2014, when Reilly learned that every position
in the AS/400 Team was being eliminated except the Manager position, then occupied by
4
Taylor, and one Analyst position. On May 6, 2014, the AS/400 Team was informed that
all people who were not selected for the Analyst position would be terminated effective
September 28, 2014.
Nevertheless, Reilly decided not to apply for the Analyst position. Reilly testified
that he believed he would be “protected” because “[he] was escalating to Global
Compliance, and they were trying to save [his] job.” JA 110–11. After Reilly declined
to apply for the Analyst position, the date on which his termination would become
effective changed more than once. Before any effective termination dates arrived,
however, Reilly took a short-term disability leave in July 2014, during which his “official
notification of separation” was “postponed.” JA 273.
Reilly returned to work in January 2015, and he was informed that he would
receive his notice of separation on January 23, 2015. However, because there was a
pending internal investigation of Reilly’s complaints made to the CEO, Reilly’s
notification of separation was postponed once again. Once the investigation was
complete, Reilly was notified in April 2015 that, based on the prior outsourcing of the
AS/400 Team, his “official notification of separation from GSK is 8th April 201[5].” JA
377. His last day of employment was June 30, 2015.
Reilly filed a whistleblower complaint with the Occupational Safety and Health
Administration in July 2015, which was eventually dismissed. He then filed a petition for
review with the Administrative Review Board. While that petition was pending, Reilly
filed a complaint in federal court, claiming that he had been terminated in retaliation for
engaging in SOX-protected activity. The District Court granted summary judgment for
5
GSK, finding that “Reilly has not established facts showing that his complaints about
computer security were even remotely related to fraud of any kind, either at the time of
his complaints or in the future.” JA 36. The District Court concluded, therefore, that
“[n]o factfinder could find [Reilly’s] belief that GSK violated SOX by not naming
precise server issues to be objectively reasonable.” JA 36.
This timely appeal followed.
II.
The District Court had jurisdiction under 28 U.S.C. § 1331 and 18 U.S.C.
§ 1514A(b) and we have jurisdiction under 28 U.S.C. § 1291. “We review a district
court’s grant of summary judgment de novo, applying the same standard the district court
applied.” Edmonson v. Lincoln Nat’l Life Ins. Co., 725 F.3d 406, 420 n.12 (3d Cir.
2013) (quotation marks omitted). “Summary judgment is appropriate when there is no
genuine dispute of material fact and the movant is entitled to judgment as a matter of
law.” Id.
III.
Reilly argues that issues of material fact exist regarding whether he made SOX-
protected complaints; specifically, that his “complaints about GSK’s computer instability
and security and breakdown of internal controls are SOX-protected.” Reilly Br. 20. We
disagree.
Congress introduced SOX “to prevent and punish corporate and criminal fraud,
protect the victims of such fraud, preserve evidence of such fraud, and hold wrongdoers
accountable for their actions.” Lawson v. FMR LLC, 571 U.S. 429, 434 (2014)
6
(quotation marks omitted). Section 806 of SOX “protects whistleblowing employees
from retaliation” by their employers, Wiest v. Tyco Elecs. Corp. (Wiest II), 812 F.3d 319,
328 (3d Cir. 2016), for “provid[ing] information [to their supervisors] . . . regarding any
conduct which the employee reasonably believes constitutes a violation of section 1341
[mail fraud], 1343 [wire fraud], 1344 [bank fraud], or 1348 [securities fraud], any rule or
regulation of the Securities and Exchange Commission, or any provision of Federal law
relating to fraud against shareholders,” 18 U.S.C. § 1514A(a)(1).
For his anti-retaliation claim to survive summary judgment, Reilly “must identify
evidence in the record from which a jury could deduce . . . [he] ‘engaged in a protected
activity’” under section 806. Wiest II, 812 F.3d at 329 (quoting 29 C.F.R.
§ 1980.104(e)(2)(i)). An employee’s activity is “protected” if he had “both a subjective
and an objective[ly reasonable] belief that the conduct that is the subject of [his]
communication relates to an existing or prospective violation of one of the federal laws
referenced in § 806.” Wiest v. Lynch (Wiest I), 710 F.3d 121, 134 (3d Cir. 2013). “A
belief is objectively reasonable when a reasonable person with the same training and
experience as the employee would believe that the conduct implicated in [his]
communication could rise to the level of a violation of one of the enumerated provisions
in [s]ection 806.” Id. at 132.
Reilly does not meet this standard. He fails to show that his “belief” that GSK
was committing one of section 806’s enumerated forms of fraud was objectively
reasonable. Reilly argues that “[d]isclosures can be protected even if they do not mention
fraud, illegal activity, or anything that could reasonably be perceived to be a violation of
7
the six enumerated categories in SOX.” Reilly Br. 20. This is true, but immaterial in this
case. Although Reilly is not required to show “a reasonable belief that each element of a
listed anti-fraud law is satisfied,” he must still “have an objectively reasonable belief of a
violation of one of the listed federal laws.” Wiest I, 710 F.3d at 132 (emphasis added).
Reilly’s complaints about uncapped processors were nothing more than workplace
disagreements about routine IT issues — ones that do not relate to illegal conduct or
fraud. Indeed, in response to Reilly’s complaints about uncapping the processors, Taylor
worked with Reilly to get IBM’s input and then made the decision to have all processors
capped again. Taylor even assigned Reilly to the task of implementing the capping. The
same scenario occurred regarding purported inappropriate access privileges: Taylor
assigned Reilly to remediate and fix the issue. It is not objectively reasonable in these
circumstances to believe that Taylor would assign Reilly to remediate those issues and, at
the same time, was perpetuating a cover-up or fraud.
Reilly believed that GSK had an obligation to disclose to the SEC “a recurring
incident that is caused by a deficiency in internal controls”; for example, “[i]f [a
computer] goes down for an hour and comes back up once a week for a year.” JA 125.
In Reilly’s view, GSK failed to disclose “all significant deficiencies and material
weaknesses” by omitting the intricacies of computer performance issues from its annual
SEC reports. JA 125. Even assuming this is true, however, Reilly fails to explain how
this is fraud. His assertions that “GSK’s computer instability and security and breakdown
of internal controls . . . [and] [d]isclosures about deficient information security controls
are protected under SOX” — without more — do not make it so. Reilly Br. 20. They fall
8
short of showing that his complaints about internal controls “relate in an understandable
way” to any of section 806’s enumerated forms of fraud. Weist I, 710 F.3d at 134.
Reilly, therefore, fails to identify a prohibition within the scope of SOX.
And, in any event, GSK did disclose the “[r]isk to the Group’s business activity if
critical or sensitive computer systems or information are not available when needed, are
accessed by those not authori[z]ed, or are deliberately changed or corrupted.” JA 355,
368. GSK also reported the risk to its business posed by “[f]ailure to adequately protect
critical and sensitive systems and information . . . which could materially and adversely
affect [GSK’s] financial results” and “the potential that malicious or careless actions
[could] expose [GSK’s] computer systems or information to misuse or unauthori[z]ed
disclosure.” JA 355, 369.
Based on these facts, no reasonable person in Reilly’s place, with his training and
experience, could have believed that GSK’s conduct violated SOX.1
IV.
For these reasons, we will affirm the judgment of the District Court.
1
Reilly also claims that issues of material fact exist regarding whether his SOX-
protected activity contributed to GSK terminating his employment. Because we will
affirm the District Court on the grounds discussed above — that Reilly did not engage in
SOX-protected activity — we need not reach this argument.
9