SEC And CFTC Step Up Enforcement Of Whistleblower Protection In Confidentiality Agreements

Many companies in recent years have revised the templates they use for confidentiality agreements with employees to include exceptions meant to satisfy the requirements of Securities and Exchange Commission ("SEC") Rule 21F-17, which prohibits any person from taking action "to impede an individual from communicating directly with the Commission staff about a possible securities law violation." A seminal case was brought by the SEC against KBR Inc. in 2015, followed by a slew of other settlements across industries over the next several years¹. After a quiet period, we have now seen a series of new actions and settlements focusing not only on confidentiality agreements with employees, but also on a wide variety of other things that can be construed as an "impediment" to whistleblowing activity, including confidentiality requirements set forth in compliance manuals, codes of conduct, and employee handbooks; training materials; employee affirmations and certifications; third party vendor agreements; and even settlement agreements with adversaries in litigation. In this memorandum, we provide a brief summary of the history of enforcement in this area (including a new settlement announced just last week by the Commodities Futures Trading Commission), the broader trend of expanded enforcement, and tips for companies to ensure compliance going forward.

The SEC Prohibits Impeding Communications with the Commission, Including Through Confidentiality Agreements

Passed in the wake of the 2008 financial crisis, the Dodd-Frank Wall Street Reform and Consumer Protection Act amended the federal securities laws to, among other things, include a section on "Whistleblower Incentives and Protection," which was designed to "encourage whistleblowers to report possible violations of the securities laws by providing financial incentives, prohibiting employment-related retaliation, and providing various confidentiality guarantees."²

Pursuant to this mandate, in 2011, the SEC adopted Rule 21F-17, which provides that "[n]o person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications."³ The SEC has stated that "[a]ssistance and information from a whistleblower . . . can be among the most powerful weapons in [its] law enforcement arsenal."⁴

The Expanding Scope of Rule 21F-17 Enforcement

The first major Rule 21F-17 enforcement sweep started in 2015 and included ten settlements largely targeting confidentiality agreements with employees that ether expressly forbade communications with the Commission or otherwise imposed financial consequences (such as liquidated damages) in connection with such communications. The SEC's hallmark case was brought against KBR Inc. in April 2015 and targeted form agreements that the company used at the time to enforce confidentiality in connection with internal investigations.5 The language of the agreement in question expressly prohibited discussing the content of any investigative interview (including to government agencies or regulators) without prior authorization from KBR.6 While the amount of the settlement was far from record-breaking ($130,000), the case drew substantial media attention due to its novelty and put companies on notice of their own potential exposure.⁷

The KBR enforcement action was followed by nine others in which the SEC took similar aim at confidentiality agreements and severance agreements between employers and employees. Some examples of allegedly noncompliant provisions included those:

• prohibiting employees from communicating any "confidential information" externally, whether through an explicit prohibition of such communications, or by failing to include a carve-out for government-related disclosures;⁸
• specifically prohibiting employees from "disparaging, denigrating, maligning, or impugning" the company to the SEC and other regulators;⁹
• requiring employees to seek approval from the company before speaking to regulators;¹⁰
• requiring employees to notify the company upon receiving any subpoena or other legal process;¹¹
• requiring employees to waive the right to receive whistleblower awards from the SEC.¹²
• requiring employees to affirm they would not voluntarily cooperate with any governmental agency;¹³
• imposing liquidated damages upon any confidentiality breach without carve-outs for communications with the SEC; and¹⁴
• imposing forfeiture of severance payments upon any confidentiality breach without carve-outs for communications with the SEC.¹⁵

The SEC subsequently expanded the reach of its enforcement through two more recent cases, one in 2019 and another in 2023. The first case, SEC v. Collector's Coffee, targeted confidentiality provisions in a share purchase agreement that the company entered with outside investors. This enforcement action led to an opinion from Judge Victor Marrero in the Southern District of New York holding that Rule 21F-17 covers "any individual" (not just employees), laying some groundwork for continued expansion of the SEC's enforcement prerogative:

Similarly, in SEC v. GPB Capital, the SEC targeted confidentiality provisions in consulting and transition agreements entered into with former employees who would be continuing to work for the company as contractors.¹⁷

To read the full article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.