For unprepared companies, whistleblowers can pose a double whammy. If a whistleblower does not feel comfortable reporting suspected wrongdoing to the company’s senior management, the whistleblower may take his concerns to the Securities and Exchange Commission or another law enforcement authority. That can potentially lead to a lengthy and burdensome investigation of the company, civil or criminal charges, and substantial fines and other sanctions.

But that is not all. If the company learns the whistleblower’s identity and does not handle the situation carefully, it can face exposure for alleged retaliation against the whistleblower, through an SEC enforcement action as well as a private damages action by the whistleblower. The number of whistleblowers has increased dramatically since the SEC, taking advantage of new authority under the 2010 Dodd-Frank Act, created a program six years ago awarding bounties to whistleblowers, which have reached as high as millions of dollars.

Not surprisingly, an important whistleblower retaliation case has made it to the U.S. Supreme Court. Last month, the court heard argument in Digital Realty Trust v. Somers, which presents the question whether Dodd-Frank’s anti-retaliation protections apply to employees who report a potential securities-law violation internally within their company, but do not externally report their concerns to the SEC. A decision is expected later this Term.

The legal issue before the court is one of statutory interpretation. The employer, supported by the U.S. Chamber of Commerce, points to Dodd-Frank’s definition of “whistleblower,” which is limited to an individual who reports a violation to the SEC. The employee, supported by the SEC, points to a different provision of Dodd-Frank, prohibiting retaliation against a whistleblower making disclosures protected under the 2002 Sarbanes-Oxley Act, which includes internal reporting as a protected disclosure. The employee and the SEC also argue that the courts should give so-called Chevron deference to a 2011 SEC rule interpreting Dodd-Frank to protect internal as well as external whistleblowers from retaliation.

In prior cases, the Fifth Circuit adopted the employer’s position in Asadi v. GE Energy USA, 720 F.3d 620 (5th Cir. 2013), and the Second Circuit deferred to the SEC rule in Berman v. Neo@Ogilvy, 801 F.3d 145 (2d Cir. 2015). The Supreme Court granted certiorari earlier this year after the Ninth Circuit sided with the Second Circuit’s view in Digital Realty Trust, 850 F.3d 1045 (9th Cir. 2017).

What’s at stake in Digital Realty Trust is the process available to whistleblowers in private actions alleging retaliation by employers. Dodd-Frank added to, but did not repeal, the process established eight years earlier by Sarbanes-Oxley, which protects both internal and external whistleblowers from retaliation.

Under Sarbanes-Oxley, a whistleblower must file a retaliation claim first with the Occupational Safety and Health Administration (OSHA) within 180 days of becoming aware of the retaliation, and can file in federal court only if OSHA does not rule within 180 days. Under Dodd-Frank, by contrast, the whistleblower can go straight to federal court to allege retaliation, and has a much longer statute of limitations—at least six years and in some cases as long as 10 years. In addition, under Sarbanes-Oxley prevailing whistleblowers are entitled to reinstatement, back pay, and special damages (including litigation fees and costs), while under Dodd-Frank they can win reinstatement, double back pay, but no special damages other than litigation fees and costs.

The likely practical effect of the court’s ruling is in dispute. As the Chamber of Commerce argues in its amicus brief, if the court limits Dodd-Frank to external reporting only, that could limit the amount of costly whistleblower claims brought in federal court, and could cut off some claims entirely if internal-only whistleblowers miss the 180-day statute of limitations in Sarbanes-Oxley. On the other hand, the SEC argues that narrowing the rights of internal-only whistleblowers would incentivize more employees to report suspected violations externally, which could deprive companies of the opportunity to address issues internally and increase the likelihood of an SEC investigation.

Whichever way the court rules, however, it will continue to be illegal for companies to retaliate against whistleblowers and whistleblowers will still be able to sue for retaliation, regardless of whether the whistleblower complains internally or externally. So what should companies do to protect themselves?

The key is to focus on both culture and process. Without the right culture, employees will not trust a company’s internal whistleblowing process and so won’t use it. And without an effective process, a well-intentioned culture won’t translate into positive action.

A company needs to develop the right culture before a whistleblower emerges. Senior management should broadcast to all employees that the company encourages employees to raise potential compliance issues. Employees should see managers praise other employees who solve or prevent problems by raising their hands when concerned about questionable practices. The company also needs to make clear that it will not retaliate against any employee for raising a potential compliance issue, even if it involves a manager or executive. These points should be reaffirmed to all employees on a regular basis, not just pasted in a handbook employees receive when they join the company.

In the end, instilling this culture is not only the right thing to do—it’s good strategy. The more comfortable employees are elevating issues internally, the less likely they will feel the need to approach the SEC or other law enforcement agencies.

A sensible process for handling whistleblower complaints is also essential. Companies need to set up hotlines and other channels for employees to raise issues anonymously, and the procedures should be spelled out for employees in an easily accessible place. All managers, including middle and low-level managers, should be trained on how to handle a whistleblower request. The company also must designate multiple recipients who will be trusted and perceived as objective.

Upon receipt of a complaint, the recipient should fashion an appropriate response based on the nature of the complaint (policy violation, HR problem, or legal issue), the seniority of the alleged violator, and the scope of the issue, including the number of employees involved and whether it was a single incident or a long-running practice. Doing nothing is never an appropriate response, as is merely having a quick conversation with the subject of the complaint.

Smaller whistleblower matters can be handled in-house by the HR, compliance, and legal departments (depending on their size), while other matters may require independent investigation by external counsel under the direction of the company’s legal department or board of directors. Either way, the company needs to rely on objective information. For potentially serious issues, it is important to consult with counsel who understand that the SEC or other regulator may look at the same set of facts and draw inferences and conclusions that are very different from how the company sees them.

Communication with the whistleblower is a key facet of the process. It should occur at the beginning and at the end of the company’s investigation. The company need not and should not reveal to the whistleblower the details of the investigation, but it must convey that it is taking the complaint seriously. Many employees who report externally do so because they feel they are being ignored. Even if the whistleblower is disagreeable or a poor performer, it’s in the company’s best interest to take the complaint seriously and interact with the person respectfully.

Finally, documentation of each step of the process, including all communications with the whistleblower, is critical. It provides objective evidence of the company’s good faith and becomes invaluable if and when the SEC or others outside the company review the company’s response to the whistleblower.

Whistleblowing is an area fraught with risk for companies. While the Supreme Court’s decision in the Digital Realty Trust case this Term will clarify the legal protections for whistleblowers subject to retaliation, companies should ensure that their culture and process encourage whistleblowers to address issues internally rather than instigate a government investigation.

David Kornblau, a partner at Covington & Burling in New York, chairs the firm’s securities enforcement practice. He was the SEC Enforcement Division’s Chief Litigation Counsel from 2000 to 2005. Stephen Dee is a litigation associate in Covington’s New York office.