
Reilly v. Glaxosmithkline, LLC

United States District Court, E.D. Pennsylvania

July 16, 2019

THOMAS REILLY, Plaintiff,
v.
GLAXOSMITHKLINE, LLC, Defendant.

          MEMORANDUM

          Joyner, J.

         Before the Court are Defendant GlaxoSmithKline, LLC's (“GSK”) Motion for Summary Judgment (Doc. No. 33), Plaintiff Thomas Reilly's (“Reilly”) Opposition thereto (Doc. No. 39), and Defendant's Reply in Support thereof (Doc. No. 40). For the reasons set forth below, the Court GRANTS Defendant's Motion.

         I. Factual Background

         Plaintiff Thomas Reilly (“Reilly”) alleges that he was wrongfully discharged by his former employer, Defendant GlaxoSmithKline (“GSK”), in retaliation for reporting his concerns pertaining to computer stability and security in GSK's global manufacturing and financial servers. See Compl. ¶¶64-66. Defendant has moved for summary judgment on Plaintiff's claim that GSK violated the corporate whistleblower provision of the Sarbanes-Oxley Act (“SOX,” “Act”), 18 U.S.C.S. § 1514A.

         For sixteen years, Plaintiff Reilly was employed by Defendant GSK, a publicly traded global pharmaceutical company, in the Information Technology (“IT”) Department. Compl. ¶6 (Doc. No. 1). In 2003, Mr. Reilly was promoted from Analyst to Senior Consultant for the AS/400 Computer System (“A/S 400”). Reilly Deposition, (“Reilly Depo.”), Def. Ex. 4 at 38-39; Pl. Ex. 1 at 38-39. The AS/400 is a computer operating system manufactured by IBM that hosts manufacturing and financial applications for portions of GSK's business. Miller Deposition, Def. Ex. 5 at 29-30; Taylor Deposition, Def. Ex. 6 at 18, 30-33; Def. Ex. 7 at 40; Miller Declaration, Def. Ex. 8 at ¶3. GSK has a “backup system” for the AS/400 that saves all information in the event of an outage that lasts continuously for 24 hours or more. Def. Ex. 8 at ¶4; Def. Ex. 6 at 111. GSK has never needed to use this system. Mong Deposition, Def. Ex. 9 at 83-84. GSK does not consider a server shut-down of less than 24 hours to have a “significant business impact.” Def. Ex. 6 at 111.

         A. Alleged Protected Activity: Complaints Regarding Computer Stability and Security

         To better understand the context of Plaintiff Reilly's claim that GSK retaliated against him in violation of the whistleblower provision of the Sarbanes-Oxley Act, we will set out relevant requirements for corporate disclosures to the SEC, since SOX requires compliance with SEC rules and regulations. To satisfy SOX's requirements for complying with SEC rules and regulations, a qualifying corporation, like GSK, is required to file “periodic reports” in which high-level corporate officer(s) certify that based on their knowledge, the report does not contain untrue statements or material omissions. 15 U.S.C. § 7241(a)(1)-(2). Further, for the certifications to be SOX-compliant, signatory officers must certify that based on their evaluation, internal controls are effective. Id. at §7241(a)(4). Additionally, signatory officers are required to certify that they have disclosed to the company's auditors “significant deficiencies in the design or operation of internal controls which could adversely affect” reporting on financial data, and any fraud involving anyone with a “significant role” in the internal controls of the company. Id. at §7241(a)(5)(A)-(B). Also relevant is Section 404 of the Sarbanes-Oxley Act, which requires a company's annual SEC report to contain an internal control report, 15 U.S.C.S. § 7262 (a); further, a public accounting firm tasked with auditing the issuing company must attest to the company's evaluation of its financial reporting controls. Id. at § 7262 (b).

         As a Senior Analyst in GSK's IT department, Mr. Reilly was a member of the AS/400 Service Team (“AS/400 Team”) which was dedicated to maintaining the AS/400 operating system. Def. Ex. 8 at ¶4. Mr. Reilly's job responsibilities entailed designing, engineering, and delivering the AS/400 servers, in addition to remediating performance and security issues relating to them. Reilly Depo. at 43; Def. Ex. 8 at ¶4. Mr. Reilly did not have responsibility for setting internal security controls. Reilly Depo. at 69.

         In late 2011, Plaintiff Reilly reported to his AS/400 Team co-worker, Rick Oberholzer (“Oberholzer”), that he was concerned with performance instability in computer servers on the AS/400 system that he attributed to Mr. Oberholzer's decision to implement uncapped processors. Id. at 75. Uncapping processors allows a server to use available CPU capacity from another server. Id. at 80. However, Mr. Reilly perceived that enabling uncapped processors posed a risk to the stability of GSK's servers for two reasons. First, uncapping processors does not automatically add memory to a server. Second, uncapping processors can cause the computer's memory component to “thrash” or “lock up.” Id. Notably, adding additional memory to the server could prevent the risk of “lock up,” while an uncapped processor is enabled. Id. at 81. Nevertheless, after the uncapped processors were enabled, GSK users experienced lost orders, “bad performance,” and “corrupted data” (which, in Plaintiff's words, means “a lot of different things,” from “the data is garbage to the files are out of sync to something doesn't get reported or recorded.”). Id. at 105-106.

         When Plaintiff told Mr. Oberholzer that he disagreed with his decision to enable uncapped processors, Mr. Oberholzer screamed at him. Id. at 85-86, 88. The confrontation was witnessed by Robert Mattie (“Mattie”), a Senior Director (a level above Mr. Reilly's manager at the time, Brian Gillies, who was on vacation that week). Id. According to Mr. Reilly, Mr. Mattie blamed Mr. Reilly for the confrontation. Mr. Reilly believes that his career was “irreparably damaged” by Mr. Mattie's perception of this altercation. Id. at 89.

         In April 2012, Reilly emailed his supervisor, AS/400 Service Manager, Jo Taylor (“Taylor”) detailing his concerns regarding server performance along with security risks that could have implications for an SOX audit. See Doc. No. 39-1, Pl. Ex. 7 at 106; Def. Ex. 11. Ms. Taylor responded two days later by email, stating, in sum, that she believed it “was IBM's recommendation to turn on Shared Processors, so I would like IBM to review this data and work with you to resolve.” Ms. Taylor's email went on to say that in the meantime, the AS/400 Team should monitor the server response times over a 24-hour period, and that if performance issues persisted during a full 24 hours, “then I'll authorise [sic] turning the shared processing off” as the AS/400 Team continued to monitor and track server performance. Def. Ex. 12.

         In January 2013, in response to a communication by a GSK employee, Sony Leons, that users were complaining about “screen to screen time lag,” Ms. Taylor placed Mr. Reilly in charge of remediating poor performance on GSK's AS/400 India Server. Def. Ex. 12; Reilly Depo. at 136-137. Mr. Reilly's analysis attributed the performance issues to uncapped processors; he emailed Ms. Taylor as such. Def. Ex. 12.

         Shortly thereafter, Mr. Reilly again alerted Ms. Taylor to server performance problems including memory and response time-lag. On January 16, 2013, Ms. Taylor responded in an email to Mr. Reilly stating, “[I] [u]nderstand but let's keep focus and scope tight on the audit. We do not want [PriceWaterhouseCoopers, GSK's external auditor at the time] picking up any insights that are not part of the current scope.” Pl. Ex. 8 at 109.

         On January 23, 2013, Mr. Reilly emailed Ms. Taylor's supervisor, Steve Miller (“Miller”), Vice President of Enterprise Systems and Technologies, to report the same concerns regarding server stability and uncapped processors which he brought to Ms. Taylor's attention earlier that month. Def. Ex. 6 at 63-65; Def. Ex. 13.

         On February 18, 2013, an IBM representative emailed Mr. Reilly to address his concerns. The IBM representative wrote, “[r]egarding uncapped verses capped [processors], there is no right or wrong answer. It depends on the workload and what other resources are assigned. If you choose to run uncapped the demand for memory and IO will increase as processor is added. My suggestion would be to increase memory. . . .” Def. Ex. 14. The same representative later emailed both Ms. Taylor and Mr. Reilly that he “would not have suggested” using uncapped processors. Pl. Ex. 10. Mr. Oberholzer was later assigned to cap the processors. Reilly Depo. at 131. GSK eventually purchased additional memory to help remediate the risk that a server could “lock-up.” Reilly Depo. at 81. Ultimately, performance issues persisted on the GSK India server even after the processors were capped. Reilly Depo. at 132-136, 139-141.

         In 2013, Plaintiff Reilly reported additional concerns about computer security. Namely, AS/400 “users that are identified as having more authority than the standard or [GSK's] system access management plan would” allow. Reilly Depo. at 113-117. Mr. Reilly was placed in charge of remediating these “access privileges” issues. Id. Eventually, Ms. Taylor took over the remediation effort and addressed the security risk. Def. Ex. 6 at 152-154.

         Dissatisfied with GSK's response to his previous complaints, on January 2, 2014, Plaintiff escalated his complaints to GSK's Global Compliance Office, through the company's internal “Speak Up” line. His complaint detailed his concerns with AS/400 server performance issues and his disagreement with Mr. Oberholzer about enabling uncapped processors.

         Nearly a year later, on January 15, 2015, Plaintiff again escalated his complaints to Andrew Witty (“Witty”), GSK's CEO. Def. Ex. 26; Reilly Depo. at 230. Plaintiff's email to CEO Witty stated his fear that due to the computer stability and security concerns he had reported previously, the company was not in compliance with its internal Code of Conduct and “Corporate Integrity Agreement with the Department of Justice and The Department of Health and Human Services which specifically requires we honor our . . . Code of Conduct [policies and procedures].” Def. Ex. 26 at 6. It was Mr. Reilly's belief that the company's certifications to the SEC in 2013 and 2014 falsely claimed compliance with GSK's internal code of conduct, and thereby violated Sarbanes-Oxley, which requires compliance with SEC rules that mandate corporate disclosure of the effectiveness of internal controls. Mr. Reilly went on to state in his email to CEO Witty that he had reviewed the company's 2013 annual report to the SEC (“Form 20-F”) and believed it materially omitted reference to “any of these serious performance, security, quality, compliance issues, risk management or corporate responsibility deficiencies. . . .” Id.

         B. Investigation of Mr. Reilly's Complaints

         After Plaintiff complained to GSK's Global Compliance Office in 2014, GSK assigned Global Compliance Officer Michael Woods (“Woods”), who had responsibility over IT and HR, to lead an internal investigation. Def. Ex. 21 at 10, 13, 30, 32. Plaintiff and Mr. Woods communicated about his complaints from January through approximately May 2014.

         In September 2014, Mr. Woods issued a report from GSK's investigation, which found Mr. Reilly's complaints unsubstantiated. Def. Ex. 24 at GSK010589. The report acknowledged that “there are some aspects of access management and privileges which should be reviewed and remediated if found to be overly broad.” Id.

         Following Mr. Reilly's report to CEO Witty, GSK conducted another internal investigation into his complaints, headed by Jason Lord (“Lord”), Director of Corporate Investigations. Def. Ex. 26; Def. Ex. 28 at 22-23. GSK maintains that Mr. Lord's investigation is privileged. Def. Ex. 26.

         C. GSK's SEC Disclosures

         The following disclosures by GSK on its 2013 and 2014 Form 20-F are undisputed. Def. Ex. 29; Def. Ex. 30, Pl. Ex. 31. Both certifications certified that

[t]he company's other certifying officer and I, [GSK CEO Andrew Witty] have disclosed, based on our most recent evaluation of internal control over financial reporting, to the company's auditors and the audit committee of the company's board of directors . . . all significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the company's ability to record, process, summarize and report financial information; and (b) any fraud, whether or not material, that involves management or other employees who have a significant role in the company's internal control over financial reporting.

Def. Ex. 29; Def. Ex. 30, Pl. Ex. 31. The disclosure form goes on to explain that “[t]he principal risks discussed [therein] . . . are the risks and uncertainties relevant to our business, financial condition and results of operations that may affect our performance and ability to achieve our objectives.” Def. Ex. 29 at 3; Def. Ex. 30 at 3.

         What's more, the 2013 and 2014 20-F Reports identify numerous risk impacts ...

