Case Information
IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION
:
ERIC SLAWIN, :
:
Plaintiff, :
:
v. : CIVIL ACTION NO.
: 1:19-cv-4129-AT BANK OF AMERICA :
MERCHA N T SERVICES, :
:
Defendant. :
ORDER
This whistlеblower retaliation case comes before the Court on a Motion for Summary Judgment brought by Defendant Bank of America Merchant Services (“BAMS”) [Doc. 175]. Plaintiff Eric Slawin, a former BAMS employee, alleges he was fired for reporting a compliance issue and possible fraud within the entity, in violation of the Sarbanes-Oxley Act of 2002, 18 U.S.C. § 1514A; the Consumer Financial Protection Act of 2010, 12 U.S.C. § 5567; and the Dodd-Frank Wall Street Reform and Consumer Protection Act, 15 U.S.C. § 78u-6. (Compl., Doc. 1.) His former employer claims the real issue was that Mr. Slawin violated company policy by sending confidential work emails to his personal email address. The nature of Mr. Slawin’s retaliation claims— specifically, whether he reasonably believed that BAMS’s conduct was fraudulent, and whether his reports to supervisors contributed to his termination — are inherently fact-intensive issues, making a summary judgment an inapt vehicle for adjudication.
I. BACKGROUND [1]
A. PAN Data & PCI Protections
BAMS was a joint venture between a subsidiary of First Data Corporation (now owned by Fiserv) and a subsidiary of Bank of America. During all times relevant, First Data and Bank of America were publicly traded entities. That joint venture ended in June 2020. (MTD Ord., Doc. 47 at 2, 2 n.4). During its operation, BAMS entered into agreements to provide payment processing services to merchant customers. ( Id. at 3). Under those Merchant Processing Agreements, BAMS agreed to operate in compliance with certain Payment Card Industry (“PCI”) standards. ( Id. ). PCI standards cover organizations that process and transmit cardholder data, such as credit and debit card numbers. That can include entities like banks, merchants, or payment processors. The industry is governed by the PCI Data Security Standards (“PCI DSS”), which are intended to protect cardholder data from security vulnerabilities. (Pl.’s SDMF, Doc. 182 -2 ¶¶ 11 – 12). Any entity that transmits or receives a Primary Account Number (“PAN”)— in other words, the account number linked to a credit or debit card — is required to comply with the PCI DSS. ( ¶¶ 9 13). These standards are not governmentally imposed, but rather are agreed to by contract.
The parties agree that, by January 2017, BAMS had identified instances in which its employees were transmitting full PAN data. That type of transmission would require the company to be PCI compliant, which it was not. (Def.’s SUMF, Doc. 175- 2 ¶ 150; Pl.’s SDM F, Doc. 182-2 ¶ 14). While BAMS did not typically handle full PAN numbers, the entity realized it was doing so while processing chargebacks. (Pl.’s SDMF, Doc. 182 -2 ¶ 34). The identification of the PCI compliance issue raised two possibilities: BAMS could become PCI compliant, which would be a costly undertaking, or alternatively, could change its processing of chargebacks and other transactions to ensure BAMS personnel were never transmitting PAN data. (Def.’s SUMF, Doc. 175 -2 ¶¶ 170 –171; Pl.’s SDMF, Doc. 182-2 ¶ 18).
B. Mr. Slawin’s Assignment
Plaintiff joined BAMS in December 2015 as the Vice President Operations Control Officer. (Pl.’s SDMF, Doc. 182 -2 ¶ 1). Prior to his work at BAMS, Mr. Slawin had spent more than two decades in securities and regulatory banking and compliance. ( Id. ¶ 2). In June 2017, Plaintiff was added to an email chain discussing BAMS’s transmission of full PAN data and its alleged PCI non - compliance. ( ¶ 42). He was assigned by his supervisor Natasha Collins to prepare a “self - identified audit issue” regarding the conc ern — essentially, an internal investigation undertaken to understand the scope of the concern and propose solutions. (Def.’s SUMF, Doc. 175 - 2 ¶¶ 162, 174; Pl.’s SDMF, Doc. 182 -2 ¶ 50). According to Defendants, “ Slawin did not timely initiate the [self-audit] related to the use of PAN data ,” and that “ delay in initiating the [self-identified audit issue] caused a corresponding delay in BAMS’s ability to fully assess and remediate issues related to the use of PAN data .” (Def.’s SUMF, Doc. 175 -2 ¶¶ 175 – 176). On September 26, 2017, Ms. Collins provided Mr. Slawin with a coaching form related to his “ failure to timely develop and submit audit and remediation plans, his failure to adequately follow up to ensure the remediation plan was being implemented in a timely fashion, and his failure to provide reporting on status or to escalate challenges unless requested to do so .” ( Id. ¶¶ 175 180).
Mr. Slawin contends that, “[a] t all relevant times, [he] was aware that merchants for whom BAMS did credit or debit card processing had to certify that they were PCI compliant. ” (Pl.’s SDMF, Doc. 182 -2 ¶ 43). In July 2017 — after being assigned the audit to review the entity’s PCI compliance —he “ became aware that BAMS was required to be PCI compliant under the Merchant Services Agreements (MSA’s) that it had entered into . . . with merchants to do their credit or debit card processing .” ( Id. ¶ 44). He also claims he found agreements online between BAMS and the State of Delaware indicating that BAMS was PCI compliant (which it was not). ( ¶ 45).
“O ne area in which the issue of BAMS ’ non-PCI compliance rose was in the context of how BAMS should respond to client questionnaires that raised questions regarding how data was secured by BAMS, and direct inquiries about whether BAMS was PCI compliant. ” ( Id. ¶ 47; see, e.g. , Opp’n to MSJ, Ex., Doc. 182 -27 (August/September 2017 email chain regarding PCI compliance questionnaire)). Plaintiff claims his designated “ task was to deflect questions from merchants as to whether BAMS was PCI compliant ” by pointing to the fact that one of BAMS’s parent entities, First Data, was PCI compliant. ( Pl.’s SDMF, Doc. 182 -2 ¶¶ 56 – 57; see also, e.g. , Opp’n to MSJ, Ex., Doc. 182 -28 (October 2017 email chain regarding PCI compliance questionnaire from municipality) (“I am in the line of fire when it comes to answering these client questionnaires. ”)) . Plaintiff indicates he “ was uncomfortable being put in a position ” in which he felt he was “ misrepresent[ing] the facts ,” and he “ was afraid of being made a scapegoat or fall guy if it got out that BAMS was not PCI compliant. ” ( Pl.’s SDMF, Doc. 182 -2 ¶¶ 58 59).
Plaintiff claims that, over several months, he raised the issue of BAMS’s alleged PCI non-compliance with multiple supervisors. ( Id. ¶ 74). “ Among the numerous individuals whom Slawin spoke tо about BAMS’ non -PCI compliance and his concerns about fraud and the ramifications if this information were to become public, were Brian Rubin, Sherra Grissom, Mark Kendall, Natasha Collins, and Walt Zimerman, who was a Senior Sales executive at BAMS assigned to the Home Depot relationship. ” ( Id. ¶ 75). [2] Mr. Slawin alleges he “ had at least four or five conversations with Mr. Kendall in which [he] told Mr. Kendall that BAMS was acting fraudulently and misleading its customers . . . both when Mr. Kendall was Slawin’s peer, and after September 2017, when Kendall was Slawin’s immedi ate supervisor.” ( ¶ 62). Mr. Slawin also says that “[d] uring the period August through September 2017, [he] had biweekly meetings with Natasha Collins, ” during which he “ discussed the creation of a self-identified audit issue and mitigation of BAMS’ non -PCI compliance [and] repeatedly advised Ms. Collins about his concerns regarding BAMS’ non -PCI compliance .” ( Id. ¶¶ 65, 75 – 80).
Defendant, conversely, alleges that “[p] rior to the termination of his employment at BAMS, Slаwin did not tell anyone at BAMS that he felt BAMS was engaging in conduct that violated ” either the Dodd -Frank Act, the Sarbanes-Oxley Act, or the Consumer Financial Protection Act. (Def.’s SUMF, Doc. 175 -2 ¶¶ 213 – 15). Defendant also alleges that Mr. Slawin did not “ put any of his concerns that BAMS was engaged in illegal conduct or fraud in writing and provide them to anyone within BAMS ,” nor did he “ express conce rns to anyone in BAMS’s Office of the General Counsel [or Human Resources department] that BAMS was somehow engaged in fraudulent conduct. ” ( Id. ¶¶ 217 27).
C. Alleged Policy Violations & Termination “I n or about August 2017, [Mr. Slawin] began downloading emails to his personal email regarding the PAN data and BAMS ’ PCI noncompliance issue . . . because he was concerned about being drawn into fraudulent and improper data security practices by BAMS. ” (Pl.’s SDMF, Doc. 182 -2 ¶ 97). He claims that “[t] o his understanding and knowledge at the time, downloading the emails did not violate any policy of BAMS. ” ( ¶ 100). Mr. Slawin did not disseminate these emails to others, including anyone outside of BAMS. ( Id. ¶¶ 115, 118).
On November 30, 2017, a member of the information security team emailed BAMS human resources (“HR”) to flag that the team “ had detected multiple instances of Slawin sending emails from his work email address [] to his personal email address .” (Def.’s SUMF, Doc. 175 -2 ¶ 24). As a result of that report, HR staffer Mike Solan initiated an investigation into these emails, including reaching out to Mr. Kendall, then Plaintiff’s direct supervisor. ( Id. ¶¶ 27 –30). “ Based upon Solan’s personal investigation and eva luation of the facts at hand, Solan independently determined that Slawin violated the following BAMS policies: Slawin’s Proprietary Rights and Information Agreement with BAMS, the Associate Handbook, the Information Security Policy . . . , and the Code of Ethics. ” ( Id. ¶ 71).
On Thursday, December 7, 2017, Mr. Solan wrote to his supervisor with “ a summary of the Information Security Escalation regarding high risk confidential information that Eric Slawin sent to his personal email address .” (Deposition of Mike Solan (“Solan Dep.”), Ex. 42, Doc. 182 - 21 at 1). Mr. Solan indicated that “[t] he content of the material that Eric was forwarding to his personal email is related to the way that BAMS treats Primary Account Number (PAN) and associated PCI implications. ” ( Id. ). Mr. Solan also listed numerous recommended next steps, which included “[p]artner[ing] with Legal to understand whether [Mr. Slawin] has any whistleblower protections” and “[d]etermin[ing] the appropriate disciplinary action, including termination. ” ( at 2).
On Friday, December 8, 2017, Mr. Slawin was asked to join a meeting with Mr. Solan and Mr. Kendall . (Pl.’s SDMF, Doc. 182 -2 ¶ 146). Defendant represents that, during investigations like this one, “members of BAMS’s H R department routinely interviewed the employee responsible for the conduct at issu e” to understand the business justification for using a personal email address, determine whether the employee had otherwise disclosed business information, and provide next steps to the employee regarding protecting the information. (Def.’s SUMF, Doc. 175-2 ¶¶ 48 – 52). During the meeting, which lasted 5 – 10 minutes, Mr. Solan asked Mr. Slawin why he had sent emails to his personal account but allegedly “did not identify the specific emails that he was talking about” and did not ask Mr. Slawin to return or delete those emails. (Pl.’s SDMF, Doc. 182-2 ¶¶ 147 – 150). He did indicate that he would send Mr. Slawin some documents for his review. ( Id. ¶ 151). Later that day, Mr. Slawin received an email from BAMS’s Associate General Counsel “ stating that he had violated various company policies by downloading the emails, directing [him] to ‘cease and desist’ from downloading any further emails, requiring [him] to delete the emails that he had downloaded, and requiring [him] to sign a Declaration that he had done [so].” ( ¶ 155 ; Def.’s SUMF, Doc. 175-2 ¶¶ 63 – 64).
Defendant contends that the decision to terminate Mr. Slawin was made that day, December 8, based on “Slawin’s policy violations and the loss of trust that resulted from Slawin’s conduct during his interview with Solan” (Def.’s SUMF, Doc. 175-2 ¶¶ 116 17). In his notes dated Dеcember 8, Mr. Solan appears to have written that “ the decision (as approved by Mark Kendall (Mgr), Maryann D Castro (Associate Relations), Meg Troughlon (Legal), and Lori Orrico (HRBP) is to terminate [Mr. Slawin’s] employment, effective immediately, and request an immediate shutoff of all his systems access. ” (Solan Dep., Ex. 51, Doc. 182-25 at 2). Mr. Solan represented that he “tried t o instant message and call Eric so that we could discuss this decision, as well as next steps, but received no respon se.” ( Id. ).
On Monday, December 11, 2017, Mr. Solan wrote in his notes that “Eric has not answered or responded to multiple attempts to call him to explain the investigation results, as well as the termination notice.” ( Id. at 3 ; Def.’s SUMF, Doc. 175-2 ¶¶ 123 129). Mr. Slawin, however, alleges that contemporaneous emails between the two “ reflect[] only one attempt to call Mr. Slawin . . . on the morning of December 11, 2017 ” and do “ not refer to or memorialize any attempt to call Mr. Slawin on December 8, 2017, nor any attempt to contact Mr. Slawin by Instant Message. ” (Pl.’s SDMF, Doc. 182 -2 ¶ 165). The parties agree, however, that on December 11, Mr. Slawin emailed Mr. Solan indicating that he would not delete the emails or sign the declaration as requested, because it would “make it appear” that he “agree[d] with the actions taken by other parties to withhold information,” presumably referring to information about BAMS’s alleged PCI non -compliance. ( ¶ 162; Solan Dep., Ex. 51, Doc. 182-25 at 2).
On Tuesday, December 12, 2017, Mr. Solan and Mr. Slawin finally connected on a call, during which Mr. Solan informed Mr. Slawin of his termination. Mr. Slawin also received an email from Mr. Solan to his personal account that day with a letter terminating his employment from BAMS. ( Def.’s SUMF, Doc. 175-2 ¶¶ 131 – 135; Pl.’s SDMF, Doc. 182 -2 ¶ 160; MSJ, Ex. 24, Doc. 175-27). Defendant’s position is that “[t]he decision to terminate Slawin’s employment with BAMS was made and was effective Decembеr 8, 2017. ” (Def.’s SUMF, Doc. 175 -2 ¶ 7). They contend that “[t] he termination notice contains typographical errors identifying Slawin’s date of termination as December 7, 2017, when in fact his date of termination is De cember 8, 2017.” ( ¶ 136).
On December 12, Mr. Slawin filed a whistleblower complaint with the Securities and Exchange Commission through its online portal. (Compl., Doc. 1 ¶ 106). Specifically, Plaintiff reported “BAMS’ PCI non -compliance, its refusal to become PCI compliant and fraudulent representations to its customers and shareholders, and that he was terminated when he protested the effort to make him complicit in BAMS’ fraud on its customers and shareholders.” ( Id. ¶ 107; MSJ, Ex. 9, Doc. 175-12). He also submitted equivalent complaints to the Consumer Financial Protection Bureau, the Federal Trade Commission, and the Occupational Safety and Health Administration in the days and weeks after his termination. (MSJ, Ex. 10, Doc. 175-13; id. , Ex. 12, Doc. 175-15).
Mr. Slawin represents that “[d] uring his employment at BAMS, [his] use of аlcohol increased ” to roughly one - fourth of a bottle a day “ as he was put under increasing pressure to misrepresent BAMS non-PCI compliance to merchants, and his distress at BAMS’ fraud.” (Pl.’s SDMF, Doc. 182 -2 ¶ 183).
In September 2019, Plaintiff brought suit against BAMS, its parent entities Bank of America and First Data Corporation, and Fiserv, which at that point had acquired First Data. (Compl., Doc. 1). In September 2020, the Court dismissed Bank of America, First Data Corporation, and Fiserv from the suit in their entirety. (MTD Ord., Doc. 47). The Court also dismissed the Dodd-Frank claim against BAMS. ( Id. ). After a protracted discovery period, Defendant BAMS moved for summary judgment on the remaining claims. [MSJ, Doc. 175]. That Motion is fully briefed and ripe for the Court’s consideration .
II. LEGAL STANDARD
The Court shall grant summary judgment if the record shows “that there is
no genuine dispute as to any material fact and the movant is entitled to judgment
as a matter of law.” Fed. R. Civ. P. 56(a). A factual issue is genuine if there is
sufficient evidence for a reasonable jury to return a verdict in favor of the non-
moving party.
See Anderson v. Liberty Lobby, Inc.
,
When ruling on a Motion for Summary Judgment, the Court must view all
evidence in the record in the light most favorable to the non-moving party (here,
Plaintiff) and resolve all factual disputes in the non- moving party’s favor.
See
Reeves v. Sanderson Plumbing Prods., Inc.
,
The essential question is “whether the evidence presents a sufficient
disagreement to require submission to a jury or whether it is so one-sided that one
party must prevail as a matter of law.”
Anderson
,
Plaintiff’s two remaining claims are conceptually and legally similar. First,
Mr. Slawin has sued under the Sarbanes-Oxley Act of 2002 (“SOX”), 18 U.S.C.
§ 1514 A, which “ prohibits retaliation against an employee who provides
information . . . or assists in an investigation into conduct that the employee
reasonably believes is prohibited by the Act, and where the information or
assistance is provided to a supervisor or other employee with authority to
investigate.”
Marullo v. Rivian Auto., LLC
,
Under SOX, “ an employee must prove that (1) [he] engaged in protected
activity as defined by SOX; (2) the employer knew of the proteсted activity; (3) [he]
suffered an unfavorable personnel action; and (4) the protected activity was a
contributing factor in the unfavorable personnel action. ”
Cruzan v. Hewlett
Packard Enter. Co.
,
“ [A]n employee bears the initial burden of making a prima facie showing of retaliatory discrimination; the burden then shifts to the employer to rebut the employee ’ s prima facie case by demonstrating by clear and convincing evidence that the employer would have taken the same personnel action in the absence of the protected activity. ” Johnson v. Stein Mart, Inc. , 440 F. App ’ x 795, 801 (11th Cir. 2011) . “ [T]he defendant ’ s burden under [§ 1514A(a)] is notably more than under other federal employee protection statutes, thereby making summary judgment against plaintiffs in Sarbanes – Oxley retaliation cases a more difficult proposition.” Kuba v. Disney Fin. Servs., LLC , 623 F. Supp. 3d 1290, 1302 03 (M.D. Fla. 2022).
Similarly, the Consumer Financial Protection Act of 2010, 12 U.S.C. § 5567, bars retaliation against employees who report what they reasonably believe to be a violation of the CFPA or “any other provision of lаw that is subject to the jurisdiction of the [Consumer Financial Protection Bureau,] or any rule, order, standard or prohi bition prescribed by the Bureau.” Under the CFPA, Plaintiff must establish that “ (1) he engaged in protected activity; (2) the employer knew or suspected, either actually or constructively, that he engaged in the protected activity; (3) he suffered an unfavorable personnel or employment action; and (4) the protected activity was a contributing factor in the unfavorable action.” (MTD Ord., Doc. 47 at 7 (citing Veard v. F&M Bank , 704 F. App’x 469, 473 (6th Cir. 2017)). Given the relative dearth of CFPA jurisprudence and the similarities between the two statutes, courts often look to SOX case law in interpreting the CFPA. ( See, e.g. , id. at 25; see also Veard , 704 F. App’x at 474).
III. DISCUSSION
Defendant’s Motion for Summary Judgment is based on the first and fourth elements of SOX and the CFPA. BAMS argues, first, that Mr. Slawin did not engage in a protected activity under either law. Second, BAMS argues that Mr. Slawin cannot show that any protected activity contributеd to his termination. (MSJ, Doc. 175-1 at 16, 24). The Court addresses Defendant’s arguments in that order.
A. Protected Activity
i. SOX
“ To engage in ‘ protected activity ’ [under SOX], an employee must provide
information regarding any conduct he reasonably believes to be one or more of six
enumerated types of misconduct: mail fraud (18 U.S.C. § 1341), wire fraud (18
U.S.C. § 1343), bank fraud (18 U.S.C. § 1344), securities fraud (18 U.S.C. § 1348), a
violation of any rule or regulation of the Securities and Exchange Commission
( ‘ SEC ’ ), or any provision of federal law relating to fraud against shareholders. ”
Sturdivant v. Chem. Waste Mgmt., Inc.
,
This definition raises two pertinent questions: (1) whether Mr. Slawin reasonably believed the conduct described constituted wire fraud, bank fraud, securities fraud, an SEC violation, or illegal fraud on shareholders and (2) whether Mr. Slawin actually provided that information to his supervisors Mr. Kendall and/or Mr. Collins, as asserted. [3]
1. Reasonable Belief
The Eleventh Circuit has “conclude[d] that § 1514A(a)(1) requires an
employee to demonstrate both a subjective belief and an objectively reasonable
belief that the company ’ s conduct violated a law listed in that section. ”
Gale
, 384
F. App’x at 930. “[T]he inquiry into whether an employee had a reasonable belief
[for purposes of a SOX retaliation claim] is necessarily fact-dependent, varying
with the circumstances of the case.”
Thomas v. Tyco Int ’ l Mgmt. Co., LLC
, 262
F. Supp. 3d 1328, 1334 (S.D. Fla. 2017) (quoting
Rhinehimer v. U.S. Bancorp
Investments, Inc
.,
First, then, Mr. Slawin must establish that he actually and subjectively
believed — in light of his education and experience —that BAMS’s PCI non -
compliance, and its failure to share that non-compliance with merchant
customers, constituted fraud as covered by § 1514A(a)(1).
See Gale
, 384 F. App’x at
930;
Thomas
,
I came to a belief in or about July 2017 that BAMS was committing fraud by omission by not disclosing the fact that it was not PCI compliant, which could affect the shareholders of public entities that were having their customers’ purchases processed by BAMS, especially if there was a data breach. I also believed that the omission could affect shareholders of one of BAMS’ parent companies. Bank of Amеrica. . . . I believed that the fraudulent omission could constitute bank fraud and securities fraud, at the very least, and possibly other types of fraud made unlawful under federal statutes. . . . In particular, I was thinking about the 1933 and 1934 acts of the SEC.
In my job at FINRA, I was involved mostly with the 1934 act from the perspective of the public, regarding representations for sales of securities, and at J.P. Morgan, in the private sphere, I was mostly involved with the 1933 act for underwriting and disclosures in offering documents for the sales of securities.
( Declaration of Eric Slawin (“ Slawin Decl. ”) , Doc. 182-3 ¶ 49; see also Deposition of Eric Slawin (“Slawin Dep.”), Doc. 174 -1 175:25 176:7, 183:5 – 18, 193:10 – 20). [4]
Defendant asserts that “Slawin’s [deposition] testimony conclusively shows
he lacked a subjective belief that any statute was violated ” because he “ never
informed anyone at BAMS that he believed any conduct violated the CFPA or SOX,
and he could not articulate any subjective understanding of how such statutes were
violated .” ( MSJ, Doc. 175-1 at 17). Defendant’s contention conflicts with the
principle that a potential whistleblower “ will not be penalized for failing to identify
the specific SOX provision at issue .”
Ronnie
, 81 F.4th at 1351. Slawin’s own
repeated testimony as captured above demonstrates his subjective belief and
understanding regarding BAMS’s alleged fraud and, in particular, its fraudulent
omission of its PCI non-compliance from shareholders, who could be adversely
impacted.
Cf. Gale
,
Next, the Court must also determine whether, viewing the facts in the light
most favorable to Mr. Slawin, he had an objectively reasonable belief that BAMS’s
conduct constituted fraud. “The objective component of the ‘reasonable belief’ test
is evaluated based on the knowledge available to a rеasonable person in the same
factual circumstance with the same level of training and experience as the
aggrieved employee.”
Thomas
,
At this juncture, Plaintiff has alleged the objective reasonableness of his
belief sufficiently to create a disputed issue for the jury ’s resolution . Specifically,
the evidence Mr. Slawin has put forth includes: BAMS’s acknowledged PCI non -
compliance ( Opp’n to MSJ, Ex., Doc. 182 -5); BAMS’s representations of PCI
compliance (MSJ, Ex. 44, Doc. 176-15); and the potential fallout for BAMS’s
merchant customers and their shareholders (Slawin Decl., Doc. 182-3 ¶¶ 62 74).
This evidence supports Plaintiff’s objectively reasonable asserted understanding or
belief that BAMS was engaging in a practice of material omissions to its merchant
clients.
See also Burns
,
2. Disclosure to Supervisors
The second requirement of “protected activity” under SOX is that the putative whistleblower must report the conduct at issue to a supervisory authority. Mr. Slawin represents that, on multiple occasions, he described conduct that he reasonably believed to be fraud to at least two supervisors. For example, Plaintiff says he “had at least four or fivе conversations with Mr. Kendall in which Slawin told Mr. Kendall that BAMS was acting fraudulently and misleading its customers”—both when Mr. Kendall was Mr. Slawin’s peer, and when he was his supervisor. ( Pl.’s SDMF, Doc. 182-2 ¶ 62). [6] Mr. Slawin also “ noted his concern [to Mr. Kendall] that it could affect shareholders, both of the merchants and of Bank of America [.]” ( ; see also Slawin Dep., Doc. 174-1 191:21 – 194:23 (detailing discussions with Mr. Kendall)). According to Mr. Slawin, “ Kendall agreed that BAMS nondisclosure of its PCI noncompliance was fraud. ” (SDMF, Doc. 182-2 ¶ 62). See Shea , 2019 WL 1452887, at *6 (N.D. Ala. Apr. 2, 2019) (denying summary judgment on SOX claim where plaintiff “testified that he did believe it was fraud . . . based on his prior experience with credit application frauds” a nd supervisor to whom plaintiff reported suspicions “described the activity . . . as ‘shady,’ an acknowledgment that he too believed something illegal was afoot”).
Mr. Kendall’s representations during his deposition neither reflect those conversations, nor align with that description. While Mr. Kendall agreed that he was working with Mr. Slawin to investigate the PCI non-compliance issue, he primarily characterized their conversations as “interview[ing] different businesses” within BAMS to “understand the scope of the problem” and “formulate an approach for how to remediate it.” (Deposition of Mark Kendall (“Kendall Depo”) , Doc. 196-1 95:5 9, 96:4 – 22). Mr. Kendall ind icated that he “[didn’t] recall” whether he , like Mr. Slawin, was “also losing confidence that the issue could be remediated.” ( Id. 96:1 – 3).
Mr. Slawin also identifies similar conversations with Ms. Collins: During the period August through September 2017, Slawin had biweekly meetings with Natasha Collins. During these meetings Slawin discussed the creation of a self-identified audit issue and mitigation of BAMS’ non -PCI compliance. Slawin repeatedly advised Ms. Collins about his concerns regarding BAMS’ non -PCI compliance. Slawin reiterated several times that he was uncomfortable being asked to represent to BAMS’ clients and to internal BAMS’ teammates thаt BAMS was PCI compliant when Slawin knew that it was not.
(SDMF, Doc. 182-2 ¶ 65; Slawin Decl., Doc. 174-1 204:11 – 18, 216:9 – 21; 218:11 – 219:22). [7]
But Ms. Collins’s declaration and deposition testimony directly conflict with this account. Ms. Collins explicitly disputed the notion that “Mr. Slawin . . . discussed with [her] his concern about what merchants were being told about BAMS’s PCI noncompliance.” (Deposition of Natasha Collins (“Collins Dep . ”), Doc. 196-2 43:21 – 44:1). While Mr. Slawin says he reiterated to Ms. Collins that “ he was uncomfortable being asked to represent to BAMS’ clients . . . that BAMS was PCI compliant ,” s he denied that “Eric Slawin ever express[ed] to [her] his concern that BAMS’s clients should be told that BAMS was not PCI compliant.” ( 42:24 43:2; see also id. 42:15 –42:19 (stating she “did not have any conversations with [Eric] about” him “telling BAMS merchant clients that BAMS was not PCI compliant”; see also id. 84:14 – 85:2 (denying any conversation with Mr. Slawin that this conduct was “fraudulent or dishonest”)). She also represents that, contrary to Mr. Slawin’s assertions, she was “unaware of any instance in which BAMS responded to a merchant questionnaire by affirmatively representing that it maintained an independent certification of its own PCI compliance.” (Declaration of Natasha Collins (“Collins Decl.”), Doc. 176 -8 ¶ 26).
Finally, Mr. Slawin represents that he “specifically told Sherra Grissom that BAMS was engaged in fraud.” (Pl.’s SDMF, Doc. 182-2 ¶ 77). Ms. Grissom handled Enterprise Risk Management and thus, Mr. Slawin indicates, she was “another reporting [] line for [him].” ( Id. ). “In November 2017, Slawin told Grissom ‘that [he] felt that the fact that [the non- compliance] [wasn’t] being disclosed to clients is omission and [] fraud.” ( ; see also Slawin Dep., Doc. 174-1 188:2 190:9).
As is clear , Mr. Slawin’s accounts of his purported discussions with his supervisors about BAMS’s PCI non -compliance — and how that issue was being represented to merchant clients — create serious factual discrepancies. Mr. Slawin directly declares that he reported perceived fraud to both Mr. Kendall and Ms. Collins. Mr. Kendall and Ms. Collins, for their part, deny ever discussing PCI non- compliance with Mr. Slawin in a way that implied dеceit or fraud. Rather, both recall their conversations with him as focused on his assigned self-audit. [8] This discrepancy — i.e., whether Mr. Slawin reported BAMS’s perceived fraudulent conduct to supervisory authorities — is a genuine dispute of material facts that precludes summary judgment. Viewing the evidence in the light most favorable to the non-moving party, the Court must, at this juncture, credit Mr. Slawin’s account that he repeatedly discussed what he believed was fraudulent conduct with two supervisors and that at least one, Mr. Kendall, “ agreed that BAMS nondisclosure of its PCI noncompliance was fraud.” (SDMF, Doc. 182 -2 ¶ 62). See, e.g., Collins v. Beazer Homes USA, Inc. , 334 F. Supp. 2d 1365, 1377 (N.D. Ga. 2004) (denying summary judgment on issue of protected activity where “the individuals to whom [Plaintiff’s complaints] were addressed understood the serious nature of Plaintiff’s allegations”). Given this and other factual issues, the Court cannot grant summary judgment to the Defendant on its SOX claim.
ii. CFPA
Given the significant similarities between the anti-retaliation provisions in SOX and the CFPA, the Court need not replicate its above analysis. ( See MTD Ord., Doc. 47 at 25 (“The Court looks to decisions interpreting the similar protected activity provision found in SOX.”); see also Veard , 704 F. App’x at 474). The Court has already found that Plaintiff has created a genuine dispute of material fact regarding whether his reports were “protected activities,” specifically whether he reasonably believed BAMS’ s conduct was fraudulent and whether he reported that belief to supervisory authorities. The Court has also found that “ BAMS is [] engaged in providing a consumer financial service and is thus ” covered by the CFPA. (MTD Ord., Doc. 47 at 22).
Putting together these findings, the Court concludes that Mr. Slawin ’s
reports are equally covered by the CFPA. For example, among Plaintiff’s chief
concerns was a data breach affecting one of BAMS’s merchant clients. It is not
difficult to imagine the impact of such a possible or actual breach on consumers
within the ambit of the CFPB’s regulation.
[9]
(
See, e.g.
, Slawin Decl., Doc. 182-3
¶¶ 49; 62 74, 77).
See Becotte v. Coop. Bank
,
B. Contribution to Termination
As described above, to establish a violation of either SOX or the CFPA, Plaintiff must establish that: (1) he engaged in protected activity; (2) BAMS knew or suspected, either actually or constructively, that he engaged in the protected activity; (3) Plaintiff suffered an unfavorable personnel or employment action; and (4) the protected activity was a contributing factor in the unfavorable action. Thus far, the Court has concluded that Mr. Slawin has established genuine disputes of material facts as to whether he engaged in “protected activity” under SOX and the CFPA when he reported perceived fraud to his supervisors. Next, the Court addresses whether this potential protected activity contributed to his termination. [10]
“[A] whistleblower bringing a § 1514A claim must prove that his protected
activity was a contributing factor in the unfavorable personnel actiоn.”
Murray v.
UBS Sec., LLC
,
“T he Court considers evidence of temporal proximity in conjunction with
other evidence of retaliation when determining on summary judgment whether
‘ the totality of the evidence establishes that there is a genuine dispute of material
fact ’” rеgarding Plaintiff’s protected activity as a contributing factor in his
termination.
Highsmith v. CSX Transportation, Inc.
, 2024 WL 3164660, at *6
(S.D. Ga. June 24, 2024) (quoting
Jones v. Gulf Coast Health Care of Del., LLC
,
854 F.3d 1261, 1270 76 (11th Cir. 2017)) (evaluating retaliation claim under
Federal Railroad Safety Act , which also applies “contributing factor” standard) .
Close temporal proximity (i.e., a short period of time between the protected activity
and adverse employment action) is an important, but not the only, category of
circumstantial evidence to support an inference of retaliation.
Shea v. Kohl’s Dep’t
Stores, Inc.
, 2019 WL 1452887 (N.D. Ala. Apr. 2, 2019) (holding circumstantial
evidence of temporal proximity can preclude summary judgment in Sarbanes-
Oxley Act claim case).
But see Thomas v. Tyco Int ’ l Mgmt. Co., LLC
, 416 F. Supp.
3d 1340, 1363 (S.D. Fla. 2019) (“ The Eleventh Circuit Court of Appeals has stated
that
where ‘ there is no other evidence
tending to show causation, the temporal
proximity must be very close. ’” (emphasis added)) ;
Valdes v. Kendall Healthcare
Grp., Ltd.
,
With that framework in mind, the Court notes that the timing of both Mr. Slawin’s protected activities, and his termination, are in factual flux. Plaintiff represents that he had repeated conversations with Mr. Kendall and Ms. Collins regarding BAMS’s PCI non -compliance — which the Court has found could constitute protected activity — throughout the fall of 2017, through at least September 2017, and with Ms. Grissom through roughly November 2017. (Pl.’s SDMF, Doc. 182-2 ¶¶ 62, 65, 77).
There are also factual disputes regarding when Mr. Slawin was actually terminated — and what conduct may have occurred in the days leading up to that decision. On December 8, Mr. Solan and Mr. Kendall first approached Mr. Slawin about his alleged policy violation. (MSJ, Ex. 28, Doc. 175-31 at 3). Mr. Solan claims that the decision to terminate Mr. Slawin was made immediately after that phone call, as memorialized in his investigation notes. ( ). By December 11, Mr. Slawin had lost access to BAMS systems. (MSJ, Ex. 26, Doc. 175-29; Kendall Dep., Doc. 196-1 77:7 –20 (testifying Mr. Slawin’s access to BAMS system was “ turned off approximately the 7th [or] 8th of December ”).
But Mr. Slawin was not notified of his termination until December 12. (MSJ, Ex. 24, Doc. 175-27 (December 12 termination letter)). The parties dispute the degree to which Mr. Solan attempted to contact Mr. Slawin to notify him of his termination in the interim. For example, Mr. Solan wrote in his investigatory notes that he had “ tried to instant message and call Eric so that we could discuss this decision, as well as next steps, but received no response. ” (MSJ, Ex. 28, Doc. 175 - 31 at 3). And, in an email chain between the two on December 11, Mr. Solan asked Mr. Slawin to “give [him] a call back” to “discuss next steps” regarding their Friday conversation. However, they were not able to connect until December 12.
The precise day — and even time —of Mr. Slawin’s termination is a crucial fact issue because, on December 11 around 4 PM, Mr. Slawin emailed Mr. Sоlan, refusing to delete the emails he had downloaded and making clear his continuing concerns about BAMS’s non-compliance. (MSJ, Ex. 26, Doc. 175-29). If a jury were to find that Plaintiff’s termination was not effectuated until December 12— when he was notified — then this response to Mr. Solan could constitute additional protected activity.
Given the possibility that Mr. Slawin’s protected activities continued in the
weeks and even days leading up to his termination, the Court finds it inappropriate
to grant summary judgment on the issue of causation —especially given the “broad
and forgiving” standard of the “contributing factor” rule under SOX.
Shea
, 2019
WL 1452887, at *7 (citing
Feldman
,
Furthermore, “e vidence of temporal proximity is not the only factor
suggesting that [Plaintiff’s] protected activity may have contributed to [his]
termination. ”
Kuba
,
Finally, BAMS argues that “ Slawin cannot create an issue of fact as to whether the decision-makers in his termination were aware of any purported protected activity ,” precluding a finding that his potentially protected activity was a “contributing factor” in his termination. (MSJ, Doc. 175 -1 at 15). This contention is not supported by the record. Defendant states that “BAMS’s HR department (in coordination with the legal department) had exclusive authority over terminations for policy violations. ” ( at 24). As described above, however, Mr. Solan specifically identified that the HR department should “[p]artner with Legal to understand whether [Mr. Slawin] [had] any whistleblower protections,” confirming that Mr. Solan understood the subject matter of Mr. S lawin’s emails. (Opp’n to MSJ, Ex., Doc. 182 -21).
Furthermore, Mr. Kendall — to whom Mr. Slawin contends he reported BAMS’s PCI non -compliance —was a decisionmaker in Plaintiff’s termination. In his investigatory notes following the initial December 8 call with Mr. Slawin, Mr. Solan indicated that “[a] fter the interview ended, Mark Kendall and I connected and discussed his answers. We were both in alignment that . . . there is a complete loss of trust that [Mr. Slawin] can continue to handle proprietary, confidential, and/or sensitive information, which is a core requirement of both his position and employment at BAMS.” (MSJ, Ex. 28, Doc. 175 -31 at 3). Given the consultation of Mr. Kendall in the decision to terminate Mr. Slawin, it is difficult to give credence to BAMS’s argument that none of the decisionmakers were aware of Plaintiff’s potentially protected activity. This argument thus does not compel summary judgment for Defendant.
C. Damages Mitigation
BAMS puts forth the alternative argument that it is “ entitled to partial summary judgment, limiting Slawin’s available back -pay and front-pay damages to at most the period between his termination at BAMS and the commencement of his employment at Wells Fargo Securities .” (MSJ, Doc. 175-1 at 27). This argument is rooted in the fact that, after his termination from BAMS, Plaintiff was subsequently terminated from his next job at Wells Fargo for inappropriate conduct. (SDMF, Doc. 182-2 ¶¶ 186 191). “ The question of damages is ordinarily one for the jury .” O.C.G.A. § 51-12-12. The Court finds that, given the denial of summary judgment to Defendant and the underlying determination that factual, jury triable issues clearly remain, it would be inappropriate to determine limits on Plaintiff’s compensatory damages at this time. See Brown v. Ala. Dep ’ t of Transp. , 597 F.3d 1160 (11th Cir. 2010) (jury determinations of credibility relevant to determine mitigation of backpay issue); see also Murray v. UBS Sec., LLC , 2017 WL 1498051, at *14 (S.D.N.Y. Apr. 25, 2017) (“ [G]enuine disputes of material fact preclude summary judgment in favor of Defendants on Plaintiff ’ s mitigation of back-pay damages. ”).
IV. CONCLUSION
For the foregoing reasons, the Court DENIES Defendant’s Motion for Summary Judgment [Doc. 175]. Construing the facts in the light most favorable to Mr. Slawin, summary judgment is inappropriate at this junсture. Nevertheless, the Court wishes to emphasize the challenging nature of these claims; both parties have significant hurdles to overcome to achieve success on the merits. Nearly eight years after Mr. Slawin’s termination and six years since this suit was filed, it is also crucial to recognize the potential for this litigation to last many more years.
In light of these considerations, the Court will REFER this case for an in- person mediation with the next available Magistrate Judge on the rotation wheel. The parties are DIRECTED to file a status report at the conclusion of the mediation indicating whether this matter is resolved. If this case is not settled in mediation, the parties are DIRECTED to submit their proposed pretrial order within twenty (20) days of the conclusion of the mediation. The Clerk is DIRECTED to ADMINISTRATIVELY CLOSE this case pending mediation. IT IS SO ORDERED this 24th day of September, 2025. ____________________________ Honorable Amy Totenberg United States District Judge
Notes
[1] When deciding a motion for summary judgment, the Court must view the evidence and
all factual inferences in the light most favorable to the party opposing the motion (here,
Plaintiff).
See, e.g.
,
Optimum Techs., Inc. v. Henkel Consumer Adhesives, Inc.
, 496 F.3d
1231, 1241 (11th Cir. 2007). Bearing that in mind, the Court provides the following
statement of facts to place the Court’s legal analysis in the context of this case . This factual
description does not represent actual findings of fact.
In re Celotex Corp
.,
[2] The Court construes Mr. Slawin’s reference to “non - PCI compliance” above as meaning non- compliance with Payment Card Industry (“PCI”) standards.
[3] It is undisputed that, during at least some of these conversations with Mr. Slawin, Mr. Kendall and Ms. Collins both had “supervisory authority over [him].” 18 U.S.C. § 1514A(a)(1)(C). ( See Pl.’s SDMF, Doc. 182 -2 ¶¶ 5 7).
[4] The Court notes that “[a]n employee can engage in § 1514A protected activity even if the
reported conduct did not actually constitute a violation of one of the laws or regulations
enumerated in § 1514A(a)(1).”
Bozeman v. Per-Se Techs., Inc.
,
[5] The Eleventh Circuit has held that a failure to demonstrate scienter, a key element of
fraud, can doom a whistleblower’s claim that they reasonably believed fraud was
occurring.
See Ronnie v. Off. Depot, LLC
,
[6] Mr. Kendall was originally the Director of Risk and Control, reporting to Ms. Collins, before he was promoted to supervise Mr. Slawin. (Pl.’s SDMF, Doc. 182-2 ¶ 6).
[7] Ms. Collins served as the Senior Vice President, Head of Sales Operations and Planning at BAMS, and was Mr. Slawin’s supervisor until around September 2017. (Pl.’s SDMF, Doc. 182-2 ¶ 5).
[8] It does not appear that Ms. Grissom was deposed, submitted a declaration, or otherwise offered testimony in Defendant’s factual proffers.
[9] “ To determine whether Plaintiff engaged in protected activity under the CFPA, the relevant inquiry is whether Plaintiff reasonably believed that Defendants ’ conduct violated the [relevant law], notwithstanding Defendants ’ ability to avoid liability for an actual violation. ” Yoder v. O'Neil Grp., LLC , 2017 WL 6206074, at *7 (D. Md. Dec. 8, 2017) (emphasis added).
[10] Given the identical “contributing factor” test applied to retaliation claims under both statutes, the Court analyzes this element of these two statutory claims together.