April 2, 2015

SEC Brings First Whistleblower Enforcement Action for Overly Restrictive Confidentiality Agreements

On April 1, 2015, the U.S. Securities and Exchange Commission (the “SEC”) announced its first enforcement action against a company for using overly restrictive language in confidentiality agreements that allegedly disrupted the whistleblowing process. KBR, Inc., a Houston-based technology and engineering firm, agreed to pay a $130,000 penalty for allegedly violating whistleblower protections established by Rule 21F-17.

Promulgated under the Securities Exchange Act of 1934 (the “Exchange Act”), pursuant to authority established by the Dodd-Frank Wall Street Reform and Consumer Protection Act, Rule 21F-17 prohibits any person or company from enforcing, or threatening to enforce, a confidentiality agreement that impedes an employee’s ability to directly communicate with the SEC about a possible securities law violation. The SEC alleged that KBR violated Rule 21F-17 by having witnesses, in internal compliance investigations, sign confidentiality statements that required the witnesses to obtain prior authorization from KBR’s legal department before discussing the matters with outside parties, including the government. The statements also noted that any unauthorized disclosures may be grounds for disciplinary action, including termination of employment.

“By requiring its employees and former employees to sign confidentiality agreements imposing pre-notification requirements before contacting the SEC, KBR potentially discouraged employees from reporting securities violations to us,” noted Andrew J. Ceresney, Director of the SEC’s Division of Enforcement. “SEC rules prohibit employers from taking measures through confidentiality, employment, severance, or other type of agreements that may silence potential whistleblowers before they can reach out to the SEC. We will vigorously enforce this provision.”

Without admitting or denying the charges, KBR agreed to cease and desist from committing or causing any future violations of Rule 21F-17. KBR also agreed to significantly amend the language of its confidentiality agreement to include the following statement:

Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the Securities and Exchange Commission, the Congress, and any agency inspector General, or making other disclosures that are protected under the whistleblower provisions of federal law or regulation. I do not need the prior authorization of the Law Department to make any such reports or disclosures and I am not required to notify the company that I have made such reports or disclosures.

“KBR changed its agreements to make clear that its current and former employees will not have to fear termination or retribution or seek approval from company lawyers before contacting us,” said Sean McKessy, Chief of the SEC’s Office of the Whistleblower. “Other employers should similarly review and amend existing and historical agreements that in word or effect stop their employees from reporting potential violations to the SEC.”

The first such action of its kind, the SEC’s posture in the KBR, Inc. settlement seems somewhat aggressive. In the settlement order, the SEC stated that there were no specific instances in which KBR prevented employees from directly communicating with the SEC or its staff. According to the SEC, the restrictive language in the confidentiality agreements was enough to violate Rule 21F-17 because the purpose of the rule is “to encourage individuals to report” to the SEC and “any company’s blanket prohibition against witnesses discussing the substance of the interview has a potential chilling effect on whistleblowers’ willingness to report illegal conduct to the SEC.”

This enforcement action signals the SEC’s commitment to the anti-retaliation provisions of the new whistleblower rules, creating limitations on company confidentiality agreements that interfere with the rule. Although the exact line the SEC will draw is not perfectly clear, the order does indicate that the SEC will not accept confidentiality provisions that require employer authorization or notification before contacting the SEC about a possible securities law violation. Many entities regulated by the SEC require employees to notify internal counsel or compliance if contacted by a regulator or a criminal authority. Companies should review those policies in light of the KBR order, and understand how they interact with the general whistleblower provisions of the Exchange Act.

Click here to download the article.