Earlier this week, the SEC announced in a first-of-its-kind enforcement action that certain KBR, Inc. confidentiality agreements violated the whistleblower protections of the Dodd-Frank Act.
The SEC found that KBR, a global technology and engineering company, had required witnesses in certain internal investigations to sign confidentiality agreements containing language that threatened discipline or firing if they discussed the substance of the investigation with anyone outside the company without prior approval of KBR’s legal department. Because the internal investigations involved allegations of securities law violations, the SEC found that the agreements violated Rule 21F-17(a) under the Securities Exchange Act, which provides that:
“No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement….”
Andrew J. Ceresney, Director of the SEC’s Division of Enforcement, stated,
“By requiring its employees and former employees to sign confidentiality agreements imposing pre-notification requirements before contacting the SEC, KBR potentially discouraged employees from reporting securities violations to us.”
Mr. Ceresney noted the prohibitions of Rule 21F-17(a) and stated that “[w]e will vigorously enforce this provision.”
KBR paid a $130,000 penalty to settle the matter and neither admitted to nor denied the SEC’s allegations.
Perhaps the most interesting thing about this enforcement action is that there were no identified instances of KBR having actually sought to prevent its current or former employees from communicating with the SEC. It was enough for SEC enforcement purposes that the existence of those provisions could chill a potential whistleblower’s willingness to report illegal conduct to the SEC.
Also interesting is that this is the SEC’s first action to enforce Rule 21F-17 and that, despite the relatively benign circumstances, Mr. Ceresney highlighted it as an area for “vigorous” future enforcement.
And while it might be a stretch to classify a $130,000 penalty with no admission of misconduct as “vigorous” enforcement, the SEC leniency in this case probably derived from the novelty of the issue and KBR’s prompt, voluntary revision of its confidentiality agreements to address the SEC’s concern.
In light of this KBR enforcement action, companies should:
- Review, and modify as necessary, any existing confidentiality or employment agreements (or related internal processes) to specifically carve out whistleblower communications to the SEC. For example, here is KBR’s revised confidentiality agreement language:
“Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the Securities and Exchange Commission, the Congress, and any agency Inspector General, or making other disclosures that are protected under the whistleblower provisions of federal law or regulation. I do not need the prior authorization of the Law Department to make any such reports or disclosures and I am not required to notify the company that I have made such reports or disclosures.”
- Communicate the modification to any persons currently bound by a revised confidentiality agreement.
- Educate all personnel and advisors regarding the prohibition of Rule 21F-17 (which is not limited to confidentiality agreement provisions) if and when an internal investigation arises in the future.