United States District Court, E.D. Pennsylvania
the Court are Defendant GlaxoSmithKline, LLC's
(“GSK”) Motion for Summary Judgment (Doc. No.
33), Plaintiff Thomas Reilly's (“Reilly”)
Opposition thereto (Doc. No. 39), and Defendant's Reply
in Support thereof (Doc. No. 40). For the reasons set forth
below, the Court GRANTS Defendant's Motion.
Thomas Reilly (“Reilly”) alleges that he was
wrongfully discharged by his former employer, Defendant
GlaxoSmithKline (“GSK”), in retaliation for
reporting his concerns pertaining to computer stability and
security in GSK's global manufacturing and financial
servers. See Compl. ¶¶64-66. Defendant has
moved for summary judgment on Plaintiff's claim that GSK
violated the corporate whistleblower provision of the
Sarbanes-Oxley Act (“SOX, ” “Act”),
18 U.S.C.S. § 1514A.
sixteen years, Plaintiff Reilly was employed by Defendant
GSK, a publicly traded global pharmaceutical company in the
Information Technology (“IT”) Department. Compl.
¶6 (Doc. No. 1). In 2003, Mr. Reilly was promoted from
Analyst to Senior Consultant for the AS/400 Computer System
(“A/S 400”). Reilly Deposition, (“Reilly
Depo.”), Def. Ex. 4 at 38-39; Pl. Ex. 1 at 38-39. The
AS/400 is a computer operating system manufactured by IBM
that hosts manufacturing and financial applications for
portions of GSK's business. Miller Deposition, Def. Ex. 5
at 29-30; Taylor Deposition, Def. Ex. 6 at 18, 30-33; Def.
Ex. 7 at 40; Miller Declaration, Def. Ex. 8 at ¶3. GSK
has a “backup system” for the AS/400 that saves
all information in the event of an outage that lasts
continuously for 24 hours or more. Def. Ex. 8 at ¶4;
Def. Ex. 6 at 111. GSK has never needed to use this system.
Mong Deposition, Def. Ex. 9 at 83-84. GSK does not consider a
server shut-down of less than 24 hours to have a
“significant business impact.” Def. Ex. 6 at 111.
Alleged Protected Activity: Complaints Regarding Computer
Stability and Security
better understand the context of Plaintiff Reilly's claim
that GSK retaliated against him in violation of the
whistleblower provision of the Sarbanes-Oxley Act, we will
set out relevant requirements for corporate disclosures to
the SEC, since SOX requires compliance with SEC rules and
regulations. To satisfy SOX's requirements for complying
with SEC rules and regulations, a qualifying corporation,
like GSK, is required to file “periodic reports”
in which high-level corporate officer(s) certify that based
on their knowledge, the report does not contain untrue
statements or material omissions. 15 U.S.C. §
7241(a)(1)-(2). Further, for the certifications to be
SOX-compliant, signatory officers must certify that based on
their evaluation, internal controls are effective.
Id. at §7241(a)(4). Additionally, signatory
officers are required to certify that they have disclosed to
the company's auditors “significant deficiencies in
the design or operation of internal controls which could
adversely affect” reporting on financial data, and any
fraud involving anyone with a “significant role”
in the internal controls of the company. Id. at
§7241(a)(5)(A)-(B). Also relevant is Section 404 of the
Sarbanes-Oxley Act, which requires a company's annual SEC
report to contain an internal control report, 15 U.S.C.S.
§ 7262 (a); further, a public accounting firm tasked
with auditing the issuing company must attest to the
company's evaluation of its financial reporting controls.
Id. at § 7262 (b).
Senior Analyst in GSK's IT department, Mr. Reilly was a
member of the AS/400 Service Team (“AS/400 Team”)
which was dedicated to maintaining the AS/400 operating
system. Def. Ex. 8 at ¶4. Mr. Reilly's job
responsibilities entailed designing, engineering, and
delivering the AS/400 servers, in addition to remediating
performance and security issues relating to them. Reilly
Depo. at 43; Def. Ex. 8 at ¶4. Mr. Reilly did not have
responsibility for setting internal security controls. Reilly
Depo. at 69.
2011, Plaintiff Reilly reported to his AS/400 Team co-worker,
Rick Oberholzer (“Oberholzer”), that he was
concerned with performance instability in computer servers on
the AS/400 system that he attributed to Mr. Oberholzer's
decision to implement uncapped processors. Id. at
75. Uncapping processors allows a server to use available CPU
capacity from another server. Id. at 80. However,
Mr. Reilly perceived that enabling uncapped processors posed
a risk to the stability of GSK's servers for two reasons.
First, uncapping processors does not automatically add memory
to a server. Second, uncapping processors can cause the
computer's memory component to “thrash” or
“lock up.” Id. Notedly, adding
additional memory to the server could prevent the risk of
“lock up, ” while an uncapped processor is
enabled. Id. at 81. Nevertheless, after the uncapped
processors were enabled, GSK users experienced lost orders,
“bad performance, ” and “corrupted
data” (which, in Plaintiff's words, means “a
lot of different things, ” from “the data is
garbage to the files are out of sync to something doesn't
get reported or recorded.”). Id. at 105-106.
Plaintiff told Mr. Oberholzer that he disagreed with his
decision to enable uncapped processors, Mr. Oberholzer
screamed at him. Id. at 85-86, 88. The confrontation
was witnessed by Robert Mattie (“Mattie”), a
Senior Director (a level above Mr. Reilly's manager at
the time, Brian Gillies, who was on vacation that week).
Id. According to Mr. Reilly, Mr. Mattie blamed Mr.
Reilly for the confrontation. Mr. Reilly believes that his
career was “irreparably damaged” by Mr.
Mattie's perception of this altercation. Id. at
April 2012, Reilly emailed his supervisor, AS/400 Service
Manager, Jo Taylor (“Taylor”) detailing his
concerns regarding server performance along with security
risks that could have implications for an SOX audit.
See Doc. No. 39-1, Pl. Ex. 7 at 106; Def. Ex. 11.
Ms. Taylor responded two days later by email, stating, in
sum, that she believed it “was IBM's recommendation
to turn on Shared Processors, so I would like IBM to review
this data and work with you to resolve.” Ms.
Taylor's email went on to say that in the meantime, the
AS/400 Team should monitor the server response times over a
24-hour period, and that if performance issues persisted
during a full 24 hours, “then I'll authorise
[sic] turning the shared processing off” as
the AS/400 Team continued to monitor and track server
performance. Def. Ex. 12.
January 2013, in response to a communication by a GSK
employee, Sony Leons, that users were complaining about
“screen to screen time lag, ” Ms. Taylor placed
Mr. Reilly in charge of remediating poor performance on
GSK's AS/400 India Server. Def. Ex. 12; Reilly Depo. at
136-137. Mr. Reilly's analysis attributed the performance
issues to uncapped processors; he emailed Ms. Taylor as such.
Def. Ex. 12.
thereafter, Mr. Reilly again alerted Ms. Taylor to server
performance problems including memory and response time-lag.
On January 16, 2013, Ms. Taylor responded in an email to Mr.
Reilly stating, “[I] [u]nderstand but let's keep
focus and scope tight on the audit. We do not want
[PriceWaterhouseCoopers, GSK's external auditor at the
time] picking up any insights that are not part of the
current scope.” Pl. Ex. 8 at 109.
January 23, 2013, Mr. Reilly emailed Ms. Taylor's
supervisor, Steve Miller (“Miller”), Vice
President of Enterprise Systems and Technologies, to report
the same concerns regarding server stability and uncapped
processors which he brought to Ms. Taylor's attention
earlier that month. Def. Ex. 6 at 63-65; Def. Ex. 13.
February 18, 2013, an IBM representative emailed Mr. Reilly
to address his concerns. The IBM representative wrote,
“[r]egarding uncapped verses capped [processors], there
is no right or wrong answer. It depends on the workload and
what other resources are assigned. If you choose to run
uncapped the demand for memory and IO will increase as
processor is added. My suggestion would be to increase
memory. . . .” Def. Ex. 14. The same representative
later emailed both Ms. Taylor and Mr. Reilly that he
“would not have suggested” using uncapped
processors. Pl. Ex. 10. Mr. Oberholzer was later assigned to
cap the processors. Reilly Depo. at 131. GSK eventually
purchased additional memory to help remediate the risk that a
server could “lock-up.” Reilly Depo. at 81.
Ultimately, performance issues persisted on the GSK India
server even after the processors were capped. Reilly Depo. at
2013, Plaintiff Reilly reported additional concerns about
computer security. Namely, AS/400 “users that are
identified as having more authority than the standard or
[GSK's] system access management plan would” allow.
Reilly Depo. at 113-117. Mr. Reilly was placed in charge of
remediating these “access privileges” issues.
Id. Eventually, Ms. Taylor took over the remediation
effort and addressed the security risk. Def. Ex. 6 at
with GSK's response to his previous complaints, on
January 2, 2014, Plaintiff escalated his complaints to
GSK's Global Compliance Office, through the company's
internal “Speak Up” line. His complaint detailed
his concerns with AS/400 server performance issues and his
disagreement with Mr. Oberholzer about enabling uncapped
a year later, on January 15, 2015, Plaintiff again escalated
his complaints to Andrew Witty (“Witty”),
GSK's CEO. Def. Ex. 26; Reilly Depo. at 230.
Plaintiff's email to CEO Witty stated his fear that due
to the computer stability and security concerns he had
reported previously, the company was not in compliance with
its internal Code of Conduct and “Corporate Integrity
Agreement with the Department of Justice and The Department
of Health and Human Services which specifically requires we
honor our . . . Code of Conduct [policies and
procedures].” Def. Ex. 26 at 6. It was Mr. Reilly's
belief that the company's certifications to the SEC in
2013 and 2014 falsely claimed compliance with GSK's
internal code of conduct, and thereby violated
Sarbanes-Oxley, which requires compliance with SEC rules that
mandate corporate disclosure of the effectiveness of internal
controls. Mr. Reilly went on in his email to CEO Witty that
he had reviewed the company's 2013 annual report to the
SEC (“Form 20-F”) and believed it materially
omitted reference to “any of these serious performance,
security, quality, compliance issues, risk management or
corporate responsibility deficiencies. . . .”
Investigation of Mr. Reilly's Complaints
Plaintiff complained to GSK's Global Compliance Office in
2014, GSK assigned Global Compliance Officer Michael Woods
(“Woods”), who had responsibility over IT and HR,
to lead an internal investigation. Def. Ex. 21 at 10, 13, 30,
32. Plaintiff and Mr. Woods communicated about his complaints
from January through approximately May 2014.
September 2014, Mr. Woods issued a report from GSK's
investigation, which found Mr. Reilly's complaints
unsubstantiated. Def. Ex. 24 at GSK010589. The report
acknowledged that “there are some aspects of access
management and privileges which should be reviewed and
remediated if found to be overly broad.” Id.
Mr. Reilly's report to CEO Witty, GSK conducted another
internal investigation into his complaints, headed by Jason
Lord (“Lord”), Director of Corporate
Investigations. Def. Ex. 26; Def. Ex. 28 at 22-23. GSK
maintains that Mr. Lord's investigation is privileged.
Def. Ex. 26.
GSK's SEC Disclosures
following disclosures by GSK on its 2013 and 2014 Form 20-F
are undisputed. Def. Ex. 29; Def. Ex. 30, Pl. Ex. 31. Both
certifications certified that
[t]he company's other certifying officer and I, [GSK CEO
Andrew Witty] have disclosed, based on our most recent
evaluation of internal control over financial reporting, to
the company's auditors and the audit committee of the
company's board of directors. . .all significant
deficiencies and material weaknesses in the design or
operation of internal control over financial reporting which
are reasonably likely to adversely affect the company's
ability to record, process, summarize and report financial
information; and (b) any fraud, whether or not material, that
involves management or other employees who have a significant
role in the company's internal control over financial
Def. Ex. 29; Def. Ex. 30, Pl. Ex. 31. The disclosure form
goes on to explain that “[t]he principal risks
discussed [therein]. .. .are the risks and uncertainties
relevant to our business, financial condition and results of
operations that may affect our performance and ability to
achieve our objectives.” Def. Ex. 29 at 3; Def. Ex. 30
more, the 2013 and 2014 20-F Reports identify numerous risk