Retaliation Against Informants
SOX Section 1107 makes it a federal crime to knowingly retaliate against someone for giving truthful information to law enforcement about a possible federal offense. To operationalize it, you must prevent retaliation, detect it early, investigate and remediate fast, and retain evidence that you protected informants across HR actions, reporting channels, and third-party relationships. 1
Key takeaways:
- SOX 1107 is a criminal anti-retaliation requirement tied to truthful disclosures to law enforcement. 1
- Your controls must cover the full retaliation lifecycle: prevention, intake, investigation, corrective action, and documentation.
- HR decisions (termination, demotion, pay, performance) are the highest-risk operational touchpoints; build gating and review there.
Retaliation risk is operational, not theoretical. SOX Section 1107 is short, but it reaches into everyday decisions: who gets disciplined, who gets reassigned, whose contract gets ended, and who is labeled “not a team player” after raising concerns that later reach law enforcement. The statutory trigger is narrow but severe: knowingly taking harmful action against a person because they provided truthful information to law enforcement relating to the commission or possible commission of a federal offense. 1
For a Compliance Officer, CCO, or GRC lead, the job is to translate that into repeatable safeguards. You need clear non-retaliation rules, credible reporting options, tight coordination with HR and Legal, and auditable proof that employment and third-party decisions are not being used as punishment. You also need escalation paths when a matter may intersect with law enforcement contact, because Section 1107 focuses on that specific context. 1
This page gives requirement-level guidance you can put into practice quickly: who it applies to, what to implement, what evidence to keep, and where audits and investigations commonly go off the rails.
Regulatory text
Excerpt (SOX Section 1107): “Whoever knowingly retaliates against any person for providing truthful information to law enforcement shall be imprisoned up to 10 years.” 1
Plain-English interpretation
- What’s prohibited: Any knowing retaliation (harmful action) against a person because they provided truthful information to a law enforcement officer about the commission or possible commission of a federal offense. 1
- What “retaliation” looks like in practice: Termination, demotion, pay cuts, threats, harassment, exclusion from work, punitive performance reviews, adverse schedule changes, contract termination, or blacklisting. The statute does not list examples, so you should treat any adverse action connected to the disclosure as in-scope risk. 1
- Why operators care: This is framed as a criminal offense with potential imprisonment up to 10 years. That changes escalation expectations, documentation rigor, and the level of control you want around employment actions in sensitive cases. 1
Operator obligation: Put controls in place to prevent retaliation, detect and triage retaliation allegations, and show that adverse actions involving a known or suspected informant went through neutral review and were supported by documented, legitimate reasons.
Who it applies to
Entities
- Public companies (issuers) and the officers and directors who act for them. 1
Operational contexts where the requirement shows up
- HR lifecycle actions: hiring decisions, performance management, promotions, compensation, disciplinary actions, terminations, reductions in force.
- Investigations and reporting: hotline cases, internal investigations, legal holds, and any situation where the company learns an individual contacted or may contact law enforcement.
- Third-party relationships: contractors, consultants, and other third parties who may report issues and later face “offboarding,” non-renewal, reduced scope, delayed payment, or exclusion from projects.
What you actually need to do (step-by-step)
1) Set a clear non-retaliation standard with “law enforcement” coverage
- Publish a non-retaliation policy that explicitly includes retaliation risk tied to providing truthful information to law enforcement about potential federal offenses. Keep the language plain; avoid trying to restate criminal elements in a way that creates loopholes. 1
- Define “adverse action” broadly for internal control purposes (HR actions, work conditions, contract decisions).
- Require escalation to Compliance/Legal when a manager, HRBP, or investigator becomes aware that an individual has contacted, or intends to contact, law enforcement in connection with a concern.
Practical tip: Add a short manager-facing “red flag” list. People retaliate through process moves: “performance improvement plans,” “role realignment,” “security access changes,” and “project removal.”
2) Build protected reporting paths and train the “control owners”
- Maintain multiple intake channels (hotline, web, open-door, Compliance email, Ombuds where applicable). Your goal is early detection of retaliation attempts even when the underlying issue is disputed.
- Train three groups differently:
  - Managers: what retaliation is, what to do when someone raises a concern, and what not to do (no threats, no “career limiting” comments, no informal punishment).
  - HR and Employee Relations: how to document legitimate performance issues without contaminating the record after a report.
  - Investigations/Compliance: how to capture and preserve evidence, and how to coordinate with Legal if law enforcement contact is involved. 1
3) Put a gate on high-risk HR actions (“retaliation check”)
Create an internal requirement that certain actions require pre-clearance when the subject is a reporter/witness/informant (or when retaliation risk is otherwise elevated):
- Termination or contract non-renewal
- Demotion, pay reduction, removal of responsibilities
- Formal discipline or a performance improvement plan
- Material schedule/location changes not requested by the worker
How the gate works (minimum viable):
- HRBP triggers a retaliation check in the case management tool or ticketing system.
- Compliance/Legal reviews: timeline, documentation quality, comparators, and decision rationale.
- Approve, deny, or require mitigating steps (different decision-maker, extra documentation, delay pending investigation).
4) Investigate retaliation allegations like a standalone case
Retaliation investigations fail when teams treat them as “noise” around the underlying complaint. Run a clean workflow:
- Intake and immediate safety steps: If there is ongoing harm (harassment, threats, pay impact), stop the harm fast and document interim measures.
- Preserve evidence: HRIS history, performance records, Slack/Teams messages, email, badge access changes, scheduling records, compensation changes, contract records for third parties.
- Timeline analysis: Map report date(s), law enforcement contact awareness (if known), and adverse action dates. 1
- Decision review: Who decided? What documentation existed before the protected activity? Are there comparators treated differently?
- Outcome and remediation: substantiated/unsubstantiated/inconclusive, corrective action for retaliator, remediation for impacted person, and control fixes.
5) Extend the controls to third parties
Retaliation can occur through procurement or business owners even if HR is not involved.
- Add non-retaliation clauses to third-party contract templates and codes of conduct.
- Require business owners to route offboarding/non-renewal of sensitive third parties through a similar “retaliation check” when they have raised concerns or are witnesses.
6) Operationalize recordkeeping and escalation
- Centralize cases in a system that supports confidentiality, access controls, and audit logs.
- If law enforcement contact is implicated, involve Legal early because Section 1107 specifically references truthful information to law enforcement about potential federal offenses. 1
Where Daydream fits: Daydream can act as your control hub to track non-retaliation attestations, route HR action approvals, manage investigation workflows, and keep the evidence package tied to each decision so you can respond quickly to audits and counsel requests.
Required evidence and artifacts to retain
Keep artifacts that prove both prevention and non-retaliatory decision-making:
Governance and training
- Non-retaliation policy and revision history
- Manager/HR training materials and completion records
- Role-based job aids (manager “do/don’t” guide, HR retaliation check checklist)
Reporting and investigations
- Hotline and case logs (with access controls)
- Triage notes, investigation plans, interview summaries
- Evidence preservation log (what was collected, when, by whom)
- Findings report and documented remediation
HR and third-party decision evidence
- Retaliation check approval records (who reviewed, what they checked, outcome)
- HRIS extracts showing timeline of actions
- Pre-existing performance documentation (created before protected activity)
- Contract change approvals and rationale for third-party scope changes/non-renewal
Common exam/audit questions and hangups
- “Show me how you prevent retaliation after a report.” Expect to demonstrate training, policy, and gating of HR actions.
- “How do you know managers follow the process?” Auditors look for workflow controls, not just policy text.
- “How do you handle retaliation claims from contractors?” Many programs stop at employees; that gap gets attention quickly.
- “Can you produce a complete file for an adverse action involving a reporter?” Missing comparator analysis, missing pre-existing documentation, or no independent review are common hangups.
Frequent implementation mistakes (and how to avoid them)
- Relying on policy only. Fix: add workflow gates on terminations, demotions, and formal discipline for protected individuals.
- Letting the accused manager “own” the documentation. Fix: require independent HR/Compliance review and lock key records.
- Treating retaliation as a sub-issue inside the main investigation. Fix: open a distinct retaliation case with its own findings and remediation.
- Forgetting procurement-driven retaliation. Fix: route sensitive third-party offboarding through the same review logic.
Enforcement context and risk implications
Section 1107 creates a federal criminal offense for knowingly retaliating against a person who provided truthful information to law enforcement about a possible federal offense, with potential imprisonment up to 10 years. 1 From a risk standpoint, that means:
- Escalation should be faster and more formal when law enforcement contact is involved.
- Documentation must be clean enough to withstand external scrutiny.
- Decisions that affect the informant’s job or contract should have independent review and a defensible rationale.
A practical 30/60/90-day execution plan
First 30 days (stabilize)
- Confirm current non-retaliation policy language covers disclosures to law enforcement tied to potential federal offenses. 1
- Identify “high-risk actions” and implement an interim manual pre-clearance step through Compliance/Legal.
- Inventory where retaliation allegations currently come in (hotline, HR, Ethics, managers) and route all to a single case queue.
Days 31–60 (control build)
- Build a standardized retaliation investigation playbook: intake checklist, evidence list, timeline template, findings format.
- Implement a documented “retaliation check” workflow in your case tool or GRC system, including approver roles and required fields.
- Add third-party non-retaliation language to templates and update third-party reporting instructions.
Days 61–90 (prove it works)
- Run tabletop scenarios with HR, Legal, Compliance, and procurement: termination request involving a recent reporter; contractor non-renewal after raising concerns.
- Start QA on closed cases for retaliation risk: completeness of evidence, independence of review, remediation follow-through.
- Prepare an “audit-ready” evidence package template so you can export a complete record quickly.
Frequently Asked Questions
Does SOX Section 1107 only protect employees?
The text applies to retaliation against “any person” who provides truthful information to law enforcement. 1 Operationally, treat employees, contractors, and other third parties as potentially in scope.
What if the person reported internally, not to law enforcement?
Section 1107 is tied to truthful information provided to law enforcement. 1 Your internal non-retaliation program should still protect internal reporters, but keep your Section 1107 escalation trigger focused on law enforcement contact.
Do we need to prove the underlying allegation was correct to avoid retaliation risk?
The statute references truthful information provided to law enforcement. 1 From a controls perspective, do not condition protection on whether the allegation is ultimately substantiated; focus on preventing adverse actions motivated by the reporting.
What HR actions should require a “retaliation check”?
Gate actions that materially change employment or working conditions: termination, demotion, pay reduction, formal discipline, forced transfer, or contract non-renewal. Add other actions if your incident history shows managers use them as informal punishment.
How do we handle performance issues that existed before the person reported?
Keep clean timelines and documentation that predates the protected activity, and require independent review before taking adverse action. The goal is to show a legitimate, well-documented rationale that is not driven by the disclosure.
Who should own retaliation investigations: HR or Compliance?
Use a joint model: HR/ER runs employment process steps, Compliance (and Legal when needed) owns independence, evidence preservation, and escalation when law enforcement contact is implicated. 1
Footnotes
1. Public Law 107-204