United States: SEC Charges KBR, Inc. With Using A Confidentiality Agreement That Could "Chill" Whistleblowing

About six months ago, the Director of the Office of the Whistleblower warned that the SEC was "going to bring a case where somebody has asked an employee or forced an employee to sign a document that in order of substance means they can't report to us." On April 1, 2015, the Enforcement Division made good on that threat, announcing a settlement with KBR, Inc. in the first enforcement action charging a company with violating Rule 21F-17, a whistleblower rule that the SEC promulgated under Section 21F of the Dodd-Frank Act.

Rule 21F-17(a)

This whistleblower rule, which became effective along with many related whistleblower provisions on August 12, 2011, states in relevant part:

No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.

In its adopting release, the SEC explained the purpose of Rule 21F-17(a) as follows:

Rule 21F-17(a) is necessary and appropriate because . . . efforts to impede an individual's direct communications with Commission staff about a possible securities law violation would conflict with the statutory purpose of encouraging individuals to report to the Commission. Thus, an attempt to enforce a confidentiality agreement against an individual to prevent his or her communications with Commission staff about a possible securities law violation could inhibit those communications even when such an agreement would be legally unenforceable, and would undermine the effectiveness of the countervailing incentives that Congress established to encourage individuals to disclose possible violations to the Commission.

KBR's Confidentiality Agreement

KBR is a publicly traded, construction, engineering and technology company that is active in many heavily regulated industries, including energy, defense and high-technology. It employs nearly 30,000 individuals worldwide. As a result, not surprisingly, KBR—like many large, complex, global operations—regularly receives complaints from employees about potential illegal or unethical conduct by other employees. Pursuant to its compliance program, KBR undertakes internal investigations of such complaints, and in connection with those investigations, KBR historically used a form confidentiality statement that required employees to agree to the following terms:

I understand that in order to protect the integrity of this review, I am prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without prior authorization of the Law Department. I understand that unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment.

Although use of the form was standard practice at KBR, the SEC stated, in its order, that it was unaware of any instance in which KBR took action to enforce the confidentiality statement or other steps to prevent any employee from communicating directly with the SEC staff about potential violations of securities laws or regulations. The Director of the SEC's Enforcement Division artfully described the violation at issue, saying that by requiring employees to sign the form confidentiality statement, KBR "potentially discouraged" whistleblowing to the SEC. Nevertheless, the SEC concluded that the offending language "impedes such communication by prohibiting employees from discussing the substance of their interview without clearance from KBR's law department under penalty of disciplinary action including termination of employment."

Civil Penalties and Remedial Measures

In order to resolve this matter, KBR agreed to sanctions that included an order to cease-and-desist from any violation of Rule 21F-17 and a civil monetary penalty of $130,000. Of greater significance for other companies, however, KBR also agreed to amend its form confidentiality statement to include the following language:

Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the Securities and Exchange Commission, the Congress, and any agency Inspector General, or making other disclosures that are protected under the whistleblower provisions of federal law or regulation. I do not need prior authorization of the Law Department to make any such reports or disclosures, and I am not required to notify the company that I have made such reports or disclosures.

Further, KBR agreed to make reasonable efforts to contact all employees who had signed the form confidentiality statement on and after the date when Rule 21F-17 became effective to provide them with a copy of the SEC's order and a statement clarifying that the form does not restrict whistleblowing about potential violations of federal law and regulation to any governmental agency or entity.

More Enforcement Actions?

In announcing its action against and settlement with KBR, the SEC cautioned other companies to take heed: "Other employers should similarly review and amend existing and historical agreements that in word or effect stop their employees from reporting potential violations to the SEC." The SEC has indicated that it "will vigorously enforce" Rule 21F-17. Such policy makes sense, given the emphasis at the SEC, since the passage of the Dodd-Frank Act in 2011, on actively encouraging and financially incentivizing whistleblowers to come forward with concerns about their own employers.

The KBR case leaves many important questions unanswered. For example, why is the language that KBR adopted in its amended confidentiality statement so sweeping, going far beyond whistleblowing to the SEC about potential violations of securities laws and regulations? How should other companies adopt similar language but tailor their confidentiality agreements to their particular businesses and compliance programs? How can other companies comply with Rule 21F-17 and, at the same time, protect the attorney-client privilege in internal investigations (as KBR says its forms were intended to do). In the absence of any order or enforcement action, what must other companies do to notify employees who have signed existing confidentiality agreements? And perhaps most perplexingly, how does the SEC's policy of taking action against "improperly restrictive language in confidentiality agreements" comport with its policy of encouraging internal reporting, at least initially, by employees who might otherwise go directly to the SEC with concerns and complaints.

Until these questions are answered, we suggest that companies examine their confidentiality agreements and similar undertakings with employees to determine if the language may "chill" the potential whistleblower. If so, we suggest prompt discussion with counsel to consider modifying the text or taking other ameliorative action to reduce the chances of an enforcement action by the SEC.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.