Most likely, what comes to mind when you think about companies’ impeding the ability of a whistleblower to communicate with the SEC are allegations of overly ambitious confidentiality provisions in employment agreements or company policies. Not so in this case. In April, the SEC issued an Order in connection with a settled action charging David Hansen, a co-founder and officer of NS8, Inc., a privately held fraud-detection technology company, with violating the whistleblower protections of the Exchange Act. The SEC alleged that, after an NS8 employee raised concerns to Hansen about a possible securities law violation, Hansen took action to limit the employee’s access to the company’s IT systems. The SEC charged that these actions impeded the employee’s ability to communicate with the SEC in violation of Rule 21F-17(a) and imposed a $97,000 civil penalty. SEC Commissioner Hester Peirce dissented, contending that the SEC’s Order “does not explain what, precisely, Mr. Hansen did to hinder or obstruct direct communication between the NS8 Employee and the Commission.”
According to the Order, in 2018 and 2019, an employee of NS8 raised concerns internally that the company was overstating the number of its paying customers and other customer data, including falsely inflating customer numbers and monthly revenue “used to formulate external communications—including to potential and existing investors.” In July 2019, the SEC alleged, the employee submitted a tip to the SEC about these concerns, and, in August 2019, he raised these concerns specifically to Hansen. As part of that conversation, the SEC alleged, he warned Hansen that “unless NS8 addressed this inflated customer data, he would reveal his allegations to NS8’s customers, investors, and any other interested parties. [Hansen] suggested that the NS8 employee raise his concerns directly to his supervisor or the CEO.” The employee then allegedly informed his supervisor and repeated his warning. As alleged, after the supervisor informed Hansen of the call with the employee, Hansen left an urgent message with the CEO. Hansen discussed the matter with the CEO, the SEC alleged, and, following that discussion, both he and the CEO “took steps to remove the NS8 Employee’s access to NS8’s IT systems.” According to the Order, the CEO advised Hansen that he had removed the employee’s administrator privileges for one system, while retaining “read-only access ‘so it looks like an error.’” Hansen also allegedly “used NS8’s administrative account to access the NS8 Employee’s company computer [and] then left the NS8 Employee’s computer and password in the CEO’s office.” According to the SEC, the employee’s social media and other accounts were accessed. Subsequently, according to the Order, the CEO fired the employee.
The SEC concluded that Hansen violated Rule 21F-17(a) of the Exchange Act. That Rule, adopted under Dodd-Frank, provides that no person “may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.”
In her dissent, Peirce observed that the SEC identified “only two concrete actions by Mr. Hansen: (1) accessing the NS8 Employee’s computer and (2) leaving the computer and password in the CEO’s office. How did Hansen’s actions as set forth in the Order remove the NS8 Employee’s access to the IT systems, let alone stand in the way of the NS8 Employee’s direct communication with the Commission? In my view, they quite plainly did not.” Rather, she said, Hansen’s actions could be viewed as limiting the content of the information the employee could provide to the SEC, but not the employee’s access to the SEC. In her view, “[a]ctions that limit access to company data do not necessarily limit access to the Commission.” Nor did any reported actions by Hansen “hinder the NS8 Employee’s communications with the Commission regarding his already-submitted tip.” Were it clear that Hansen knew about the tip to the SEC when he acted, she said, “then his actions may have implicated Rule 21F-17(a) or the anti-retaliation rules.” But the Order did not indicate that Hansen was even aware of the tip. Possibly, she suggested, Hansen was simply worried, not about tips to the SEC, but rather about the employee’s “threat to disclose confidential company data ‘to NS8’s customers, investors, and any other interested parties.’”
Peirce expressed concern that, if the Rule is interpreted so expansively, it “could prohibit companies from limiting employees’ access to data,” which is “a common element in cybersecurity programs.” As she read the Rule, it applies only to communications with the SEC and should not be read “in a manner that complicates a company’s ability to act to protect its data in the face of sweeping disclosure threats, even well-intentioned ones by concerned employees. Companies hold troves of data about their customers, assets, and business practices. They and their customers have a keen interest in protecting those data. We should not engage in an undisciplined interpretation and application of Rule 21F-17(a) that adds unnecessary legal risk to that burden.”
As Peirce observed, companies sometimes need to limit employees’ access to company IT systems, for example, to prevent leaks of information. When do these limitations cross the line? As reported in Law360, the former chief of the SEC’s whistleblower program commented that “[o]n one hand, there is an argument that the actions…could have deterred or discouraged the whistleblower’s communications with the SEC….On the other hand, there is also the argument that this case sends a message to companies that they can not restrict access to company documents even if an employee threatens to share them with non-government third parties, such as the media. Given the current news cycle of whistleblowers doing just that,…this case sets an uneasy precedent for employers….”
You might recall that reporting to the SEC is a necessary predicate to securing the anti-retaliation protections of the Dodd-Frank whistleblower statute. In Digital Realty v. Somers, SCOTUS held that the Dodd-Frank whistleblower anti-retaliation protections apply only if the whistleblower blows the whistle all the way to the SEC; internal reporting to the company alone would not suffice. As Justice Gorsuch remarked during oral argument, the Justices were largely “stuck on the plain language” of the statute. However, by requiring SEC reporting as a predicate, it was widely thought that the decision might have a somewhat ironic impact: while the win by Digital would limit the liability of companies under Dodd-Frank for retaliation against whistleblowers who did not report to the SEC, the holding that whistleblowers were not protected unless they reported to the SEC could well discourage internal reporting and drive all securities-law whistleblowers directly to the SEC to ensure their protection from retaliation under the statute—which just might not be a consequence that many companies would favor. (See this PubCo post.)