As a general rule, Tycko says, “Take what you absolutely need and nothing more. If a government investigator or the lawyer or FBI agent or whoever you’re going to show this to, if what you’ve taken taken demonstrates illegal conduct, they will not worry about how you got it. [And the company] will not bring more attention to the fact by suing you.” (He stresses that the chances are not zero, though—some companies indiscriminately sue everyone.) HIPAA, for example, has a large exemption carved out for whistleblowers.
Consult with a lawyer.
You can do this at any stage of the process—Marshall recommends seeking out an attorney before you take any action so you can protect yourself from retaliation. If that moment has come and gone, then Tycko says, “If you’re at the point where you haven’t been able to fix the problem internally, and you’re being targeted [or fear retaliation], or you just want to do the right thing, you should consult with a lawyer.”
If you’re in the corporate world, you can start with Taxpayers Against Fraud and look for lawyers’ names. Tycko notes that whistleblower law is very niche—he estimates maybe 500 practitioners in the U.S.—so potential whistleblowers need to look nationally and concentrate their search in big cities. “Look for expertise, not locale.”
If you’re in government, both Marshall and Tycko recommend turning to the Government Accountability Project or the Project on Government Oversight and looking for advice and counsel there. Tycko wrote a brief guide to “qui tam” whistleblower cases—cases in which a worker discloses an employer’s unlawful conduct to the government and so becomes eligible to receive a reward that’s some fraction of the government’s recovery (think health care fraud)—so if that’s your situation, it’s worth a read. For everyone else, remember: Complain specifically, gather (not too much) evidence, stay off Facebook, and get a lawyer.