On Wednesday, April 1, 2015, the SEC announced its first enforcement action against a company for requiring its employees to sign confidentiality agreements that contained language that had the potential to stifle the whistleblowing process. 

In a cease-and-desist order, the SEC charged Houston-based global technology and engineering firm KBR, Inc. with violating whistleblower protection Rule 21F-17 enacted under the Dodd-Frank Act. Rule 21F-17, which became effective on August 12, 2011, provides, in relevant part: 

(a) No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications. 

Both prior to and after the promulgation of Rule 21F-17, KBR required witnesses in internal investigation interviews to sign a form confidentiality statement. The language in the form confidentiality statement warned that witnesses could face disciplinary action, including termination of employment, if they discussed any particulars regarding the subject matter of an interview with anyone without the prior approval of KBR’s legal department. Despite the fact that the agreement, on its face, was designed to serve the salutary function of protecting the integrity of internal investigations by preventing witnesses from talking to other witnesses and third parties, the SEC determined that the confidentiality agreement violated Rule 21F-17 because the internal investigations to which it applied included investigations of possible securities law violations. Significantly, the SEC noted that it was not aware of any instance in which KBR had actually enforced the agreement or prevented any witness from disclosing a matter under investigation. 

Without admitting or denying any charges, KBR agreed to cease and desist from committing or causing any future violations of Rule 21F-17. KBR agreed to pay a $130,000 penalty to settle the SEC charges, and voluntarily amended its confidentiality statement to make clear that employees are free to report possible violations to the SEC and other federal agencies without approval from KBR or fear of retaliation. 

Significantly, in announcing the enforcement action, the SEC suggested that “Other employers should . . . review and amend existing and historical agreements that in word or effect stop their employees from reporting potential violations to the SEC.” The action also makes clear that it is the existence of the agreement itself—whether entered before Dodd-Frank or after—and not its enforcement that can give rise to a violation. 

The KBR matter highlights the question raised by Rule 21F-17 of whether routine employee confidentiality provisions in employment, separation or other agreements, or in company employment policies, should include appropriate carve-outs to clarify that nothing in the provision is intended to impede an individual from communicating directly with the Commission staff about a possible securities law violation. While the KBR confidentiality provision was specifically used in the context of witness interviews in internal investigations, and we suspect that the enforcement staff will not devote scarce resources to searching for overly broad confidentiality provisions in routine employment agreements, the SEC press release makes it clear that the staff intended the matter to send a message even about routine practices, saying that “SEC rules prohibit employers from taking measures through confidentiality, employment, severance, or other type of agreements that may silence potential whistleblowers before they can reach out to the SEC. We will vigorously enforce this provision.”