I was on a flight last Wednesday when the SEC released the first of what whistleblower chief Sean McKessy has dubbed “pretaliation” cases against KBR, Inc. When I landed I had several emails from colleagues, asking, “Did you see this?” and “FYI,” etc. It’s a fairly big deal. You may know the context, but here it is anyway: Rule 21F-17, construing the whistleblower provisions of the Dodd-Frank Act, says, “No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.”
McKessy has been warning for almost a year that the Commission was considering filing cases to enforce this provision. Specifically, he had in mind companies that use overly restrictive language in confidentiality agreements with current or departing employees to prevent those employees from reporting corporate misconduct to the SEC. Smart corporate counsel have been thinking about these warnings for a while, but now we have the first tangible statement about what kind of language is too much for the rule.
It might not surprise you to learn I have some thoughts about it!
As I first read the order, I was happy to see it included the specifically objectionable language in KBR’s agreement. The SEC can sometimes be vague in its settled cases. The agreements here arose out of internal investigations at KBR and required witnesses in those investigations to keep quiet about what they learned from them. Here’s what the witnesses were required to agree to:
I understand that in order to protect the integrity of this review, I am prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without the prior authorization of the Law Department. I understand that the unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment.
I was very glad to see that the order got into specifics so companies would have some guidance on what the SEC considered actionable.
Not Exactly Egregious
This language was written before passage of the Dodd-Frank Act in July 2010. It apparently never prevented a KBR employee from communicating with the Commission. And it doesn’t even refer to the SEC as a prohibited destination for the confidential information. As such, I imagine it was not what McKessy and others had in mind when his office launched this initiative to stamp out agreements that arose in response to the threat of Dodd-Frank whistleblowers. Tom Gorman wondered if the confidentiality agreement couldn’t have been addressed with a Report of Investigation under Section 21(a) of the Exchange Act instead of an administrative order with a $130,000 penalty. It’s hard for me not to agree.
But here we are. In the SEC’s eyes, it is not enough that the agreement doesn’t single out the Commission as an entity that cannot be told about securities violations. The general language found in KBR’s witness agreement is a sufficient threat to employees, and could be met with a civil penalty if the SEC learns about it.
How to Shape Agreements Going Forward
KBR edited its witness agreements to comply with Rule 21F-17. They now say:
Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the Securities and Exchange Commission, the Congress, and any agency Inspector General, or making other disclosures that are protected under the whistleblower provisions of federal law or regulation. I do not need the prior authorization of the Law Department to make any such reports or disclosures and I am not required to notify the company that I have made such reports or disclosures.
If companies want guidance about what they can say in confidentiality agreements and still stay on the right side of Rule 21F-17, there it is. It’s not the only way one could comply with the rule, but it’s probably the safest. I do think it would be smart to refer expressly to the SEC as a permitted destination for information regarding potential violations of federal law. Of course, you could possibly be more vague and still comply with the rule, but I’m not sure what you would gain from doing so.