On April 1, 2015, the United States Securities and Exchange Commission (“SEC” or “Commission”) filed its first enforcement action under Section 21F of the Securities Exchange Act of 1934 (“Exchange Act”) and Exchange Act Rule 21F-17 promulgated thereunder, which is intended to prevent issuers from taking steps that impede employees from reporting potential federal securities law violations to the SEC. In a settled administrative proceeding, the Commission alleged that KBR, Inc. (“KBR”) required employees, during internal investigation interviews, to sign a confidentiality statement containing “improperly restrictive language” that could be read to discourage employees from reporting potential violations of the federal securities laws to the SEC. It should be noted that the SEC brought this enforcement action even though it acknowledged that it did not know of any efforts by KBR to enforce these confidentiality provisions. Nor was the Commission aware of any employees who had in fact been dissuaded from becoming whistleblowers. This enforcement action is the latest indication of the Enforcement Division’s aggressive stance against confidentiality agreements that are perceived as restricting whistleblowers from reporting potential federal securities law violations to the SEC.
Exchange Act Rule 21F-17 Prohibits Restrictive Confidentiality Agreements
The Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) includes provisions that protect whistleblowers from retaliation for certain whistleblowing activities and provides financial incentives for employees to blow the whistle on their employers. In 2011, the SEC enacted Exchange Act Rule 21F-17 to implement these whistleblower-protection provisions. The SEC explained that Exchange Act Rule 21F-17 was intended to achieve the congressional purpose of “encourag[ing] whistleblowers to report possible violations of the securities laws by providing financial incentives, prohibiting employment-related retaliation, and providing various confidentiality guarantees.” 1 Broadly, Exchange Act Rule 21F-17 prohibits “imped[ing] an individual from communicating directly with SEC staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement” that prohibits whistleblowers from communicating with the SEC.
The KBR Enforcement Action
According to the Commission’s order, KBR, a global technology and engineering firm based in Houston, Texas, routinely required employees to sign confidentiality agreements when it conducted investigative interviews regarding potential illegal or unethical conduct. KBR reportedly used such confidentiality provisions before the SEC implemented Exchange Act Rule 21F-17 and continued to use them after the rule’s adoption. Employees promised in these statements not to disclose any aspect of the investigation or the interview without prior authorization from the company’s legal department. In particular, the statements included the following provision:
I understand that in order to protect the integrity of this review, I am prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without the prior authorization of the Law Department. I understand that the unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment.
Notably, the form agreements did not expressly prohibit communication with law enforcement or other regulators. Indeed, the SEC did not suggest that the stated intention of the confidentiality provision—to “protect the integrity of the review” at issue—was improper or not the provision’s actual purpose. Critically, the SEC acknowledged that it did not know of any efforts by KBR to enforce these confidentiality provisions, nor was it aware of any employees who had in fact been dissuaded from becoming whistleblowers by these confidentiality statements. It is therefore debatable whether standard confidentiality agreements such as KBR’s should properly be understood as a violation of Exchange Act Rule 21F-17. Even so, the SEC claimed that requiring employees to agree to the broad confidentiality language violated Exchange Act Rule 21F-17 by potentially disincentivizing employees from reporting possible federal securities law violations to the SEC. In particular, the SEC emphasized that KBR’s policy expressly provided that employees could face discipline or termination if they discussed internal investigations with outside parties without receiving approval from KBR’s legal department. KBR settled the SEC’s allegations without admitting or denying liability.
As part of its settlement with the SEC, KBR agreed to (i) pay a civil penalty of $130,000, (ii) revise the language of its confidentiality statements to make clear that it does not prohibit an employee from reporting possible violations of federal law or regulation to the government, (iii) undertake to contact employees that signed the prior confidentiality statements since Exchange Act Rule 21F-17 went into effect to clarify that the statements did not preclude whistleblowing, and (iv) cease and desist from violating Exchange Act Rule 21F-17. Specifically, as part of these steps, KBR agreed to revise its confidentiality statements to include the following language:
Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the Securities and Exchange Commission, the Congress, and any agency Inspector General, or making other disclosures that are protected under the whistleblower provisions of federal law or regulation. I do not need the prior authorization of the Law Department to make any such reports or disclosures and I am not required to notify the company that I have made such reports or disclosures.
Given the small civil penalty imposed and the lack of prior clear guidance on how the SEC would view such standard confidentiality agreements, some may question whether the SEC should instead have issued a Section 21A Report under Section 21(a) of the Exchange Act putting issuers on notice that certain restrictive language in confidentiality agreements might subject them to future enforcement action. But the KBR settlement effectively served that purpose, and is merely the latest indication that the SEC is taking an expansive view of Dodd-Frank’s whistleblower protections and has begun to incorporate this area into its enforcement efforts. While KBR has been at the center of the SEC’s Exchange Act Rule 21F-17 enforcement efforts since at least June 2014, after the company’s confidentiality agreements reportedly came to light in a lawsuit brought by a former employee accusing the company of violating Dodd-Frank Act’s anti-retaliation provision,2 the SEC has more recently demonstrated a broader interest in this area.
In February 2015, it was widely reported that the SEC’s Enforcement Division sent inquiries to dozens of public companies asking for nondisclosure agreements, employment contracts, severance agreements, and other employment-related documents containing confidentiality provisions so that the Commission could investigate whether companies were suppressing whistleblowing through unduly restrictive agreements and policies. 3
Commenting on yesterday’s settlement, SEC whistleblower chief Sean McKessy warned that companies should “review and amend existing and historical agreements” to ensure that the language does not inhibit—even impliedly—an employee’s ability or incentive to report securities violations to the SEC. Enforcement Director Andrew Ceresny likewise promised that the SEC would continue to “vigorously enforce” Exchange Act Rule 21F-17.
The revised language that KBR agreed to with the SEC may provide (and may implicitly have been intended to provide) a template for carve-out provisions that companies can consider including in the confidentiality provisions of their employment agreements or in any other instances in which they require employees to sign confidentiality statements. Companies should consult with counsel about whether there is a need to make such changes to any of their employment-related agreements and, if so, the most advisable strategy for doing so. Because KBR’s agreement here arose in the context of an internal investigation, companies should also consider and discuss with counsel how their processes for conducting internal investigations, and the confidentiality of information discussed therein, might be impacted by Exchange Act Rule 21F-17. This rule, however, expressly excludes agreements concerning the attorney-client privilege from its restrictions. It remains to be seen how many more enforcement actions will result from the SEC’s sweep.