SEC Brings First Enforcement Action Challenging Employee Confidentiality Agreement Alleged to Impede Whistleblowers

April 2, 2015

On April 1, 2015, the Securities and Exchange Commission announced its first enforcement action against a company for including "improperly restrictive language in confidentiality agreements," SEC Press Release 2015-54, which the SEC asserted "impede[d]" employees from reporting possible securities violations to the Commission.  In re KBR, Inc., Exchange Act Release No. 74619 (Apr. 1, 2015).  In a settled administrative proceeding against Houston technology firm KBR, Inc., the SEC found that the company violated SEC Rule 21F-17, promulgated under the whistleblower provisions of the Dodd-Frank Act.  That Rule provides in pertinent part that "[n]o person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement. . . with respect to such communications."  Without admitting or denying the allegations, KBR agreed to pay a $130,000 civil penalty and take other remedial actions.

The SEC’s unprecedented action follows months of statements by the agency expressing concern about provisions in employment confidentiality, severance, and other agreements that the SEC has said could discourage employees from reporting possible securities violations by their employers to the Commission.  The agency has recently conducted a "sweep" of public companies’, broker-dealers’, and private funds’ confidentiality agreements to identify potential candidates for enforcement action, and the head of the SEC’s Office of the Whistleblower, Sean McKessy, has said that "bring[ing] a case" based on such agreements is "the new thing that I’ve got people really enthusiastic for."  Stephanie Russell-Kraft, SEC Whistleblower Head to Punish Cos. That Silence Tipsters, Law360 (Oct. 17, 2014).  In re KBR is the first such case, and confirms that the Commission intends to take an aggressive approach to interpreting and enforcing Rule 21F-17. 

A question remains how far the Commission’s enforcement activity will extend beyond confidentiality agreements–like KBR’s–that concern internal company investigations of potential compliance concerns, as distinguished from confidentiality provisions in general employment contracts, for example.  Nonetheless, public companies and others will want to examine their existing agreements and practices in light of the SEC’s reading of the Rule, while recognizing that the SEC’s surprisingly broad interpretation of the Rule has not been accepted by any court, and may be at odds with companies’ legitimate interests in protecting trade secrets and other confidential information.

The KBR Action And Settlement

According to the SEC’s administrative order (available at, KBR required any employee interviewed as part of an internal investigation into potential legal violations or unethical conduct to sign a confidentiality statement.  By signing, the employee acknowledged that he was "prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without the prior authorization of the Law Department," and that "the unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment." 

The Commission asserted that by including this language in the confidentiality statement, the company had violated SEC Rule 21F-17.  Specifically, the SEC stated, "This language undermines the purpose of Section 21F and Rule 21F-17(a), which is to ‘encourag[e] individuals to report to the Commission.’"

Notably, the SEC acknowledged that it was "unaware of any instances" in which a KBR employee had actually been deterred from communicating with the SEC, or where KBR had attempted to enforce the confidentiality agreements.  Nor was there any indication that KBR had acted with the intent to impede employees from communicating with the Commission.

According to the SEC, as part of a settlement of the enforcement action KBR has amended its confidentiality agreement to expressly provide that nothing in the agreement prohibits employees "from reporting possible violations of federal law or regulation to any governmental agency or entity," and to state that any employee making such a report did not need to seek prior authorization from or to notify the company.  Under the terms of the settlement, in addition to the $130,000 civil penalty, KBR was ordered to provide a copy of the SEC order to employees who had signed the prior confidentiality agreement and to inform them that they did not need to seek permission to communicate with the government about possible legal violations.

Confidentiality Provisions Post-KBR

The SEC’s case against KBR, its recent rhetoric, and investigative activity demonstrate the agency’s aggressive and far-reaching position on the permissibility of employment confidentiality, severance, and other agreements that include language seeking to prevent the unauthorized disclosure of confidential company information.  However, it should be emphasized that the SEC’s action was filed as a settled proceeding, and it is far from clear that the Commission’s position would ultimately be upheld if tested in a litigated case.  For example, the Commission admitted that KBR had taken no actions against whistleblowers, as well as no actions to enforce the confidentiality statements.  In fact, it appears that the only "conduct" that formed the basis for the SEC’s enforcement action was KBR’s inclusion of the confidentiality language in the statements; in explaining its action, the Commission said only that the confidentiality language "undermine[d] the purpose" of Dodd-Frank and the SEC’s whistleblower rule. 

The SEC’s position is thus arguably inconsistent with the very text of Rule 21F-17, which expressly requires an "action to impede" whistleblowing activity.  Here, KBR did not take any actions that fell within the terms of the Rule.  Thus, should the SEC take further steps to enforce its sweeping position on confidentiality agreements, its position may not withstand scrutiny in the courts. 

It should also be noted that the context of this first enforcement action may reflect the Commission’s own recognition that Rule 21F-17 is much narrower than some of the SEC’s public statements have suggested.  The agency targeted only KBR’s use of confidentiality statements in internal investigations that in some instances conceivably could concern alleged securities violations–the Commission does not appear to have required the company to revise all its confidentiality agreements with employees.  This suggests that the SEC’s actual enforcement activity in this area may be limited to contexts with some relationship to potential whistleblowing, rather than extending to all employment confidentiality agreements–at least for now.  Nonetheless, to avoid becoming the next test case for future SEC Division of Enforcement attacks on employee confidentiality agreements, there are several actions that companies should take post-KBR:

  • First, companies should seek legal counsel in evaluating whether, and to what extent, they should revise their employment agreements and policies to conform to the SEC’s position.  Settlement agreements with "whistleblowers," for example, can appropriately carve out reporting to the government to make clear that the company is not paying the employee to prevent disclosure of legal violations.  On the other hand, companies have a legitimate interest in protecting their confidential business information, and in having the Commission follow processes that protect appropriately asserted privileges and confidentiality interests under the Freedom of Information Act, including through the use of subpoenas to obtain documents where appropriate.  Companies will want to balance these interests as they review their policies. 
  • Second, and related, companies should ensure that they do not inadvertently deter internal whistleblowing through any revisions to confidentiality language.  Internal reporting remains key to a robust culture of compliance, and is a practice the SEC has said it seeks to encourage (i.e., by providing that employees who first attempt to report potential misconduct internally may be entitled to a higher whistleblower bounty than those who go directly to the government).  Care should be taken so that employees are incentivized to report issues within the company, while doing so in a way that is not construed as improperly deterring them from contacting the government.
  • Third, companies should review their compliance programs to ensure, among other things, that they have effective and robust internal employee training and whistleblowing procedures.  Promptly and effectively responding to complaints can minimize the risk of a whistleblower seeking government intervention.  Additional training should also be provided to employees in supervisory positions to ensure that they are aware of proper practices in dealing with known whistleblowers and do not engage in activity that could be perceived as retaliatory.  While KBR signals the SEC’s interest in confidentiality agreements even in the absence of retaliation, a finding that the company in fact retaliated against a whistleblower is likely to have far more serious repercussions for the company.
  • Fourth, companies should consider whether there are circumstances where it may be necessary to contest the Commission’s reading of the Rule and the Dodd-Frank Act.  The Act’s prohibition on whistleblower retaliation does not give the Commission the right to use whistleblowers to obtain unfettered access to company records.

*          *          *

After KBR, many employers may struggle to reconcile their need to protect sensitive business information with the SEC’s broad stance on what constitutes permissible confidentiality language.  KBR is not the last word on the matter, however, and employers may be able to challenge–successfully–the SEC’s position. 

Gibson, Dunn & Crutcher LLP     

Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding these developments.  Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment or Securities Enforcement practice groups, or the authors:

Marc J. Fagel – San Francisco (415-393-8332, [email protected])
Eugene Scalia – Washington, D.C. (202-955-8206, [email protected])
Barry R. Goldsmith – New York (212-351-2440, [email protected])
Rachel E. Mondl – Washington, D.C. (202-887-3624, [email protected]

Labor and Employment Group:
Eugene Scalia – Co-Chair, Washington, D.C. (202-955-8206, [email protected])
Catherine A. Conway – Co-Chair, Los Angeles (213-229-7822, [email protected])
William J. Kilberg P.C. – Washington, D.C. (202-955-8573, [email protected])
Jason C. Schwartz – Washington, D.C. (202-955-8242, [email protected])
Karl G. Nelson – Dallas (214-698-3203, [email protected])
Jessica Brown – Denver (303-298-5944, [email protected])
Scott A. Kruse – Los Angeles (213-229-7970, [email protected])
Michele L. Maryott – Orange County (949-451-3945, [email protected])
Jesse A. Cripps – Los Angeles (213-229-7792, [email protected])
Katherine V.A. Smith – Los Angeles (213-229-7107, [email protected])

Securities Enforcement Group:
Barry R. Goldsmith – Co-Chair, New York (212-351-2440, [email protected])
Mark K. Schonfeld – Co-Chair, New York (212-351-2433, [email protected])
Michael Li-Ming Wong – Co-Chair, San Francisco (415-393-8234, [email protected])
Marc J. Fagel – San Francisco (415-393-8332, [email protected]

© 2015 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.