Employers covered by the Dodd-Frank Act should review and, if necessary, revise, their confidentiality agreements immediately to ensure that such agreements do not violate the Dodd-Frank Act’s whistleblower provisions. In a recent enforcement proceeding, the Securities and Exchange Commission (SEC) found that a company’s confidentiality agreement prohibiting employees from discussing the contents of internal investigations of securities violations violated SEC Rule 21F-17, which forbids retaliation against whistleblowers under the Dodd-Frank Act.  In re KBR, Inc., Exchange Act Release No. 74619 (Apr. 1, 2015).

In In re KBR, Inc., the SEC held, for the first time, that Rule 21F-17 prohibits “improperly restrictive language in confidentiality agreements.” Id. Rule 21F-17 provides, in relevant, part: “No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.”

KBR’s violation of Rule 21F-17 arouses out of its compliance program and internal investigation policies. Previously, when KBR would receive employee complaints or allegations regarding potential illegal or unethical conduct, KBR internal investigators would conduct internal investigations by interviewing the employees. At the start of these interviews, KBR investigators asked employees sign a form confidentiality statement, located in KBR’s Code of Business Conduct Investigation Procedures manual. The employees, however, were not required to sign the form confidentiality statement. KBR’s form confidentiality statement stated:

I understand that in order to protect the integrity of this review, I am prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without the prior authorization of [KBR’s] Law Department. I understand that the unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment.

The SEC determined that KBR’s form confidentiality statement violated Rule 21F-17, even though the SEC did not find that (1) any KBR employee was prohibited from directly communicated with the SEC regarding possible securities violations or (2) KBR attempted in any manner to enforce the form confidentiality agreement or prevent such SEC communications. Regardless, the SEC found that from confidentiality statement’s language “impedes such communications by prohibiting employees from discussing the substance of their interview without clearance from KBR’s law department under penalty of disciplinary action including termination of employment.” Hence, the form confidentiality statement discourages employees to report potential securities violations to the SEC.

In addition to agreeing to pay a $130,000 penalty to settle the charges, KBR also agreed to modify its form confidentiality statement to include the following language:

Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the Securities and Exchange Commission, the Congress, and any agency Inspector General, or making other disclosures that are protected under the whistleblower provisions of federal law or regulation. I do not need the prior authorization of the Law Department to make any such reports or disclosures and I am not required to notify the company that I have made such reports or disclosures.

The question arises as to whether a policy that prohibits an employee from disclosing confidential information without first coming to the employer would violate Rule 21F-17 even without the threat of discipline. The Order itself does not address this specific situation. However, the SEC, in its April 1, 2015 press release, stated that by requiring its employees to sign confidentiality agreements that require pre-notification before contacting the SEC, KBR "potentially discouraged employees from reporting securities violations." Press Release, SEC, "SEC: Companies Cannot Stifle Whistleblowers in Confidentiality Agreements" (April 1, 2015).  Thus, based solely on the press release, it appears that even absent a threat of discipline, the SEC would take the position that a pre-notification requirement itself, even without a disclaimer, may violate the law. Further, in the press release, Sean McKessy, Chief of the SEC's Office of the Whistleblower, advised that "[o]ther employers should similarly review and amend existing and historical agreements that in word or effect stop their employees from reporting potential violations to the SEC."

The Bottom Line. Covered employers may be found to have violated Rule 21F-17 based on confidentiality agreements or employee handbooks, even where no employee has alleged or claimed to have feared retaliation for SEC whistleblowing. Accordingly, employers should review their handbooks and confidentiality policies for potential violations of Rule 21F-17.