US public companies and SEC regulated entities should re-examine their forms and policies.

On April 1, 2015, the US Securities and Exchange Commission filed its first whistleblower protection case involving confidentiality obligations imposed on employees. 1 The SEC charged Houston-based technology and engineering firm KBR Inc. with violating Rule 21F-17, which prohibits all persons, including companies, from taking any action to impede an individual from communicating with the SEC staff about a possible securities law violation, including by enforcing, or threatening to enforce, a confidentiality agreement. In a press release, the SEC Enforcement staff warned, as they have numerous times in the past, that they will vigorously enforce this provision.

What KBR Allegedly Did, and What It Settled To

KBR allegedly required interviewees in internal investigations to sign confidentiality statements that contained language warning that they could face discipline and even be fired if they discussed the matter with outside parties without the prior approval of KBR’s legal department. Because these investigations related to possible securities law violations, the SEC found that this language violated Rule 21F-17. The SEC’s greatest concern was that the restrictive language potentially discouraged employees from reporting securities law violations to the SEC. The SEC found no instances in which KBR specifically prevented employees from communicating with the SEC about specific securities law violations.

KBR agreed to cease and desist from violating Rule 21F-17 and to pay a US$130,000 penalty. KBR also amended its confidentiality statement.

New Language Blessed by the SEC

KBR amended its confidentiality statement to make clear to current and former employees that they will not have to fear termination or retribution or seek approval from company lawyers before contacting the SEC and other authorities. The SEC’s press release stated that employers should similarly amend existing and historical agreements that in word or effect stop their employees from reporting potential violations to the SEC.

This is the specific language KBR added to its confidentiality statement:

“Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the Securities and Exchange Commission, the Congress, and any agency Inspector General, or making other disclosures that are protected under the whistleblower provisions of federal law or regulation. I do not need the prior authorization of the Law Department to make any such reports or disclosures and I am not required to notify the company that I have made such reports or disclosures.”

Our Suggestions to US Public Companies and SEC Regulated Entities

  • Do not take any action to impede a whistleblower from communicating directly with the SEC about a possible securities law violation, including by enforcing or threatening to enforce a confidentiality agreement.
  • Eliminate language in forms and policies that expressly requires employees to report internally before reporting to US authorities.
  • Consider adding language similar to the new KBR language to relevant forms and policies.
  • Do not ask or require employees to waive or limit their whistleblower anti-retaliation rights.