In a much-anticipated move, the SEC on April 1, 2015 commenced a cease-and-desist action against KBR (formerly Kellogg Brown & Root) alleging its confidentiality agreements violated Dodd-Frank’s whistleblower regulations. KBR simultaneously agreed to settle the matter for $130,000. This is the first such case brought by the SEC, which had indicated over the last year or more that it was actively seeking examples of such alleged violations in order to enforce its Rule 21F-17, which provides, “No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement…” In unofficial comments, SEC staff had expressed the view that standard confidentiality and non-disparagement provisions found in many employer agreements might violate the Rule to the extent they did not have express carve-outs stating that nothing in those provisions prevented employees from going directly to the Commission with concerns.
According to the SEC’s Order, KBR used form confidentiality statements as part of its internal investigations. The statements, which were presented to witnesses to sign before interviews, stated:
“I understand that in order to protect the integrity of this review, I am prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without the prior authorization of the Law Department. I understand that the unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment.”
Although on its face this language appeared to address the legitimate concern that witnesses would speak to one another during an investigation, the SEC found that the statement undermined the purpose of Dodd-Frank, which is to “encourage individuals to report to the Commission.” It reached this conclusion despite any evidence that (i) a KBR employee was actually prevented from communicating with the SEC about potential securities law violations, or (ii) KBR ever took any action to enforce the statement or otherwise prevent communications directly to the SEC.
KBR agreed in a consent order to add the following carve-out to its confidentiality statement going forward:
“Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the Securities and Exchange Commission, the Congress, and any agency Inspector General, or making other disclosures that are protected under the whistleblower provisions of federal law or regulation. I do not need the prior authorization of the Law Department to make any such reports or disclosures and I am not required to notify the company that I have made such reports or disclosures.”
The company also agreed, among other steps, to reach out to the KBR employees who signed the statement since August 2011, the effective date of the SEC’s Rule, and provide a copy of the SEC’s Order to them.
The SEC’s enforcement action against KBR, while the first case of its kind brought by the Commission, is not the first step the SEC has taken in its effort to enforce Rule 21F-17. In February of this year, the Commission served document requests on a number of companies, seeking all of their severance agreements, Codes of Conduct, and other policies and agreements from August 2011 to the present, as well as documents reflecting any efforts by the companies to enforce confidentiality, non-disparagement, and other provisions of agreements that could be viewed by the SEC as potentially violating its Rule.
In the wake of the SEC’s recent activities, companies should review (or re-review) their Codes of Conduct, employment policies, and standard severance and confidentiality agreements to make sure they have the proper carve-outs to satisfy the SEC and other regulators, as there is no reason to believe the SEC or the plaintiff’s whistleblower bar will slow its momentum in this area. While the language that KBR agreed to as part of its consent decree will certainly satisfy the SEC in the future, it is not clear that companies need such detailed language to achieve compliance with the Dodd-Frank regulations.