On April 1, the US Securities and Exchange Commission issued—in a settled administrative proceeding—a cease-and-desist order in In the Matter of KBR, Inc.,1 directing that the respondent cease violating Commission Rule 21F-17(a).2 That rule prohibits "tak[ing] any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications."3 This rule was adopted pursuant to authority granted by the Dodd-Frank Act, and became effective in August 2011.4

In the months leading up to the settlement with KBR, the Commission staff had signaled its intent to bring actions pursuant to this rule. In a speech in March 2014, Sean McKessey, the Chief of the SEC Enforcement Division's Whistleblower Office, stated that the Division was looking to pursue enforcement actions against companies that sought to dissuade employees from reporting corporate misconduct to the SEC.5 

The KBR order seems to be an effort to make good on that threat. However, the decision to discipline KBR for violating Rule 21F-17(a) appears unwarranted on the facts as described in the order. We discuss the case below and then consider its practical implications. We conclude that the cease-and-desist order raises more questions than it answers. Specifically, it calls into question how companies may communicate with their employees about the need to protect company confidential information and privileged communications without being viewed as prohibiting whistleblowers from communicating with the Commission staff.

The KBR Cease-and-Desist Order

At issue in KBR was a form confidentiality statement used by the company when conducting internal investigations of alleged misconduct reported by company employees. The confidentiality statement at issue had been used long before the passage of both the Dodd-Frank Act and Rule 21F-17. The confidentiality statement required individuals interviewed during an internal investigation to agree as follows:

I understand that in order to protect the integrity of this review, I am prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without the prior authorization of the Law Department. I understand that the unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment.6  

The Commission acknowledged that it was not aware of any instance in which this confidentiality statement prevented any employee from reporting a possible securities law violation to the SEC.7 Nor was the Commission aware of any instance in which KBR sought to enforce the confidentiality statement so as to prevent an employee from reporting an alleged securities law violation to the SEC.8 Nevertheless, the Commission believed that the confidentiality statement alone constituted a violation of Rule 21F-17(a) because "the language found in the form confidentiality statement impedes such communications by prohibiting employees from discussing the substance of their interview without clearance from KBR's law department under penalty of disciplinary action including termination of employment."9

The Commission's conclusion that this fact pattern violated Rule 21F-17(a) is surprising for several reasons:

First, Rule 21F-17(a), by its terms, is violated only when one takes action for the purpose of impeding ("action[s] to impede") an individual from reporting a securities law violation to the SEC. The adopting release accompanying the rule similarly emphasizes that the rule was directed at "efforts to impede" reporting.10 There was no evidence in this case of any such intent, and the facts conceded by the Commission in its order undermine the notion that KBR had any such intent. What is more, the Commission made no finding that KBR acted with such an intent. Instead, the Commission adopted a lesser effects test, finding a violation because in the Commission's view the confidentiality statement language "impedes" employee reporting regardless of its intent.11 Even this conclusion seems to be unsupported by the facts described in the order since the SEC acknowledged that it was aware of no situation in which an employee was prevented from reporting.

Second, the Commission's finding of a violation seems to contradict the language of the rule itself. The rule makes it unlawful to take action to impede reporting, such as "enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications."12 Because the language of the rule focuses on attempts or threats to enforce confidentiality agreements with respect to an employee's effort to report misconduct to the SEC, the rule implies that the mere existence of a generalized confidentiality agreement is not violative of the rule. But, the Commission's order could, under the broadest reading, be viewed as having essentially forbidden generalized confidentiality agreements unless they contain an express disclaimer to the effect that the agreement does not prohibit reporting to law enforcement.13 In other words, the order could be viewed as requiring companies that use confidentiality agreements to affirmatively advise employees of their right to be whistleblowers. If an accurate read of the Commission's intent, this would be a dramatic expansion of the whistleblower rules as adopted.

Third, the Commission's interpretation of KBR's confidentiality statement seems unwarranted. The confidentiality statement prohibited employees interviewed during internal investigations from "discussing any particulars regarding this interview and the subject matter discussed during the interview, without the prior authorization of the Law Department."14 The Commission read KBR's confidentiality statement as impeding an employee from reporting to the SEC the underlying facts about which the employee was interviewed. But this is far from an obvious reading of the confidentiality statement. As an initial matter, the US Supreme Court has recognized that a company conducting an internal investigation needs to advise employees to maintain the confidentiality of the interview in order to preserve the investigation's privilege.15 Thus, there cannot be anything improper in advising an employee that he or she is not to recount the contents of the privileged interview to other persons. To the extent the Commission reads KBR's confidentiality statement as going further (i.e., to prohibit discussing with others the underlying facts that were the subject of the interview), this too is nothing more than a widely-used precaution to prevent cross-contamination of witness memories. And, by the SEC's own admission, there was no evidence that any employee understood this language to apply to reports to federal law enforcement.16

Practical Considerations Going Forward

Unless the Commission provides additional guidance, the KBR settlement necessitates that companies take precautionary measures.

First, a company should take care that any severance or separation agreements with officers or employees do not contain confidentiality requirements that could be misconstrued by the SEC as prohibiting an employee from making a lawful whistleblower complaint. To the extent that a severance or separation agreement contains a confidentiality or non-disparagement requirement, it may be necessary to include in that agreement an express carve-out for whistleblower complaints.

Second, a company should review its corporate policy manuals, employee codes, and related training materials to determine whether there are any confidentiality requirements in those documents that could likewise be misconstrued as prohibiting whistleblowing. Most companies impose confidentiality obligations on their employees with regard to company information so as to, for example, prevent insider trading. A company should evaluate whether such provisions need an express carve-out for whistleblowing.

Third, a company (and its in-house and outside lawyers) should take care regarding the form in which they issue Upjohn warnings. As noted above, the Supreme Court's decision in Upjohn cited the confidentiality obligation imposed on employees with respect to communications with counsel as a critical factor in finding those communications to be subject to the attorney-client privilege.17 The KBR order, however, raises questions as to whether such warnings must also contain a whistleblowing carve-out. Perhaps the Commission will not require such and instead distinguish the KBR order on the ground that the investigations at issue in KBR were only part of the company's "compliance program."18 Or perhaps a Commissioner or senior staff member will, through a speech or otherwise, provide some clarification on this point. Such clarification is especially needed in light of the recent threats made by the Commission's Whistleblower Chief to seek to bar attorneys from practicing before the Commission if they run afoul of the whistleblower rules.19

In sum, the Commission's decision in KBR represents an aggressive reading of the SEC's whistleblower rules, and a company would be well advised to heed its warning. A review of company severance agreements and confidentiality policies is in order. And care in conducting internal investigations is required going forward.