The Securities and Exchange Commission (SEC) recently sent letters to numerous, unnamed companies requesting every nondisclosure agreement, confidentiality agreement, severance agreement, and settlement agreement the companies have entered into with employees since the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) was enacted, as well as any other documents related to corporate training on confidentiality, in order to assess whether the documents unduly interfere with the ability of employees to report securities violations to the SEC. This closely follows a petition by a coalition of whistleblower advocates urging the SEC to curb companies’ actions that undermine the SEC’s whistleblower program, including requiring employees to enter into contracts with provisions:
- that prohibit disclosure to any third party without an exception for law enforcement and regulatory authorities;
- that require employees to notify their employers of any communication with the SEC or other regulatory authority;
- that require employees to file securities-related complaints with the company and attempt to resolve issues only internally;
- in which employees waive any right to monetary rewards associated with making a whistleblower claim; and
- in which employees represent that they have not made any prior whistleblower claims against former employers.
The SEC intends to use such agreements as evidence of retaliation by companies against whistleblowers in violation of the anti-retaliation provisions in Dodd-Frank. Indeed, on April 1, the SEC announced its first enforcement action against a company – Houston-based KBR, Inc. – for using improperly restrictive language in confidentiality agreements with the potential to stifle whistleblowers. The SEC alleged that KBR required witnesses in certain internal investigations to sign confidentiality agreements under which the employees could face disciplinary action or be fired for discussing the matters with outside parties without the prior approval of KBR’s legal department. The SEC found that these terms violated Rule 21F-17 of the Securities Exchange Act and KBR agreed to pay a US$130,000 penalty to settle the SEC’s charges without admitting or denying the charges. KBR also agreed to amend its confidentiality agreements to make it clear that its employees could report potential violations to the SEC without fear of retaliation.
The SEC’s probe clearly infringes upon a company’s ability to maintain confidentiality and may compromise privileged attorney-client communications. The SEC has also threatened in-house lawyers with disciplinary action for drafting and implementing agreements that the SEC believes interferes with employees’ ability to report perceived securities violations. As a result, companies should review and make appropriate changes to agreements, corporate policies, and codes of conduct to avoid running afoul of the SEC’s expansive Dodd-Frank enforcement policies.
Rule 21F-17(a) states that “[n]o person may take any action to impede an individual from communicating directly with the [SEC] staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement…with respect to such communications.” This provision poses numerous challenges for companies attempting to legitimately protect confidential information that may be intertwined with allegations of securities violations, such as trade secrets and other intellectual property and proprietary information. Furthermore, companies may face SEC enforcement action for taking advantage of legal gray areas, including establishing internal complaint procedures and asking employees to waive their rights to whistleblower monetary rewards, both of which do not necessarily impede employees’ ability to communicate with the SEC, but may discourage them from doing so.
The SEC’s recent request will also test the boundaries of companies’ attorney-client privilege. Rule 21F-17(b) provides that “the staff is authorized to communicate directly with [whistleblowers] regarding the possible securities law violation without seeking the consent of the entity’s counsel.” This appears to conflict with the long- established rule of professional conduct that states that “a lawyer shall not communicate about the subject of …representation with a person the lawyer knows to be represented by another lawyer in the matter, unless the lawyer has the consent of the other lawyer or is authorized to do so by law or a court order.” The SEC claims that Rule 21F-17(b) does not violate the ethical rule because it fits within the rule’s “authorized by law” exception. On the other hand, Rule 21F(b)(4)(i) does not allow the SEC to consider information “obtained…through a communication that was subject to the attorney-client privilege, unless disclosure of that information would otherwise be permitted by an attorney [under specific circumstances outlined in 17 CFR 205.3(d)(2)], the applicable state attorney conduct rules, or otherwise.” The ambiguity created by these provisions may therefore jeopardize communications thought to be protected by companies’ attorney-client privilege.
Finally, the SEC has threatened in-house lawyers with disciplinary action for drafting contracts that include mechanisms to silence potential whistleblowers. Specifically, the SEC has warned that in-house lawyers who interfere with whistleblowers’ ability to communicate with the SEC risk their ability to practice before the SEC, a critical qualification for representing registered companies.
In light of the SEC’s recent comments and actions, companies should take steps to avoid potential violations. Companies should assess whether existing contracts, corporate policies, and codes of conduct will attract SEC scrutiny by expressly or impliedly restricting employees’ ability to communicate with the SEC. Companies should specifically review agreements and policies that contain confidentiality and non-disclosure provisions, non-disparagement provisions, clauses relating to internal reporting and company notification, covenants not to sue, and releases. Companies should also draft carve-outs that explicitly state that nothing in the agreement impedes an employee’s ability to report violations to regulators. Finally, companies should consider implementing mitigation strategies that include providing anti-retaliation trainings, establishing procedures for safeguarding the identities of reporting employees, and developing processes to review compliance concerns.