On April 1, 2015, the Securities and Exchange Commission (“SEC”) issued a cease-and-desist order against KBR, Inc. (“KBR”) and fined KBR $130,000 for its use of a confidentiality agreement that the SEC found would discourage employees from reporting violations of federal securities laws.1 The SEC found that KBR’s confidentiality agreement violated SEC Rule 21F-17, promulgated under the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”).

  1. Background

The Dodd-Frank Act amended the Securities Exchange Act of 1934 by adding Section 21F, “Whistleblower Incentives and Protection.” Pursuant to Section 21F, the SEC adopted Rule 21F-17, which became effective on August 12, 2011. Rule 21F-17(a) provides:

No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement…with respect to such communications.

Prior to the promulgation of Rule 21F-17, KBR adopted a form confidentiality statement for use in its internal investigations. The statement required witnesses to agree to the following:

I understand that in order to protect the integrity of this review, I am prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without the prior authorization of the Law Department. I understand that the unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment.

KBR adopted the confidentiality statement to preserve its attorney-client privilege in internal investigations.2

  1. The Cease-and-Desist Order

The SEC found that KBR’s confidentiality statement violated Rule 21F-17(a) by impeding whistleblowers from reporting legal violations to the SEC because the statement’s plain language “prohibit[ed] employees from discussing the substance of their interview without clearance from KBR’s law department under penalty of disciplinary action including termination of employment.”3 The SEC reached this conclusion despite being “unaware of any instance in which (i) a KBR employee was in fact prevented from communicating directly with Commission Staff about potential securities law violations, or (ii) KBR took action to enforce the form confidentiality agreement or otherwise prevent such communications.”4

KBR settled the SEC’s charges without admitting or denying wrongdoing. KBR agreed to pay $130,000 and undertook “to make reasonable efforts to contact KBR employees in the United States who signed the confidentiality statement” and to provide “them with a copy of this Order and a statement that KBR does not require the employee to seek permission from the General Counsel of KBR before communicating with any governmental agency or entity…regarding possible violations of federal law or regulation.” In addition, KBR amended its confidentiality statement to include the following language:

Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the Securities and Exchange Commission, the Congress, and any agency Inspector General, or making other disclosures that are protected under the whistleblower protections of federal law or regulation. I do not need the prior authorization of the Law Department to make any such reports or disclosures and I am not required to notify the company that I have made such reports or disclosures.

  1. Significance of the Order

The KBR matter is significant for companies that have used or wish to use confidentiality agreements in the course of conducting internal investigations as a safeguard against breaches of the company’s attorney-client privilege, or to preserve the integrity of ongoing investigations. The order indicates that the SEC is willing to pursue enforcement actions against companies that use confidentiality agreements that could be interpreted as discouraging whistleblowing, even when the company is not enforcing such agreements and there is no indication that whistleblowers have been chilled. SEC officials have said they are investigating other cases under Rule 21F-17(a).5 And in February 2015, the Wall Street Journal reported that the SEC “has sent letters to a number of companies asking for years of nondisclosure agreements, employment contracts and other documents.”6

Although the SEC order provides an example of a confidentiality agreement that the SEC will find violates Rule 21F-17, there remain questions about how the SEC will treat confidentiality agreements that differ from KBR’s. Notably, KBR’s agreement required employees to maintain the confidentiality of the “subject matter discussed” during internal interviews, which could be read as restricting the disclosure of non-privileged information merely because it was discussed in a privileged setting. Whether the SEC would find fault with an agreement that simply required the employee to maintain the confidentiality of the content of an interview is an open question, particularly because such a requirement appears to be in keeping with traditional notions of the attorney-client privilege and work-product protection concerning discussions between company counsel and a company employee. In addition, it is not clear whether the SEC will extend its rationale in the order to situations where the company (1) requires the employee to notify the company before speaking with a lawyer about the issue, (2) requires the employee to notify the company after speaking to the SEC, or (3) asks the employee to notify the company if the SEC on its own contacts the employee. Arguably, on their face, these circumstances should not impede an employee from “communicating directly with the Commission staff,” as provided in Rule 21F-17(a), but there remains uncertainty and little guidance from the SEC.

The timing of the SEC order coincides with a recent report by the State Department’s Office of Inspector General (“OIG”), which addressed the confidentiality policies used by the State Department’s largest contractors and may provide additional guidance. Although the OIG report was not in the context of the Dodd-Frank Act, the OIG report found that confidentiality policies used by the State Department’s largest contractors were not “overly restrictive” because they did not “specifically preclude disclosures to government agencies or officials,” but rather “simply note[d] a duty to keep company information confidential and d[id] not define ‘company information’ to include evidence of fraud, waste, or abuse.”7 The report also found, however, that some of the contractors had policies that could chill whistleblowing, including provisions “requir[ing] employees to notify company officials if they are contacted by a government auditor or investigator.”8

The KBR matter signals another new and aggressive enforcement approach by the SEC. In light of these developments, companies should consult with experienced counsel to review and, if necessary, amend company confidentiality policies, nondisclosure agreements, and protocols for conducting internal investigations.