Is Your Confidentiality Agreement a Ticking Time Bomb? SEC’s First Action Over Dodd-Frank Whistleblower Protections Targets Company’s Internal Investigations

For the first time in the nearly five years since Dodd-Frank went into effect, the SEC last week took action against a company over concerns that the company was preventing its employees from potentially blowing the whistle on illegal activity.  The action is significant because the SEC was targeting seemingly innocuous language in a confidentiality agreement and there were no allegations that the company, KBR, Inc., was otherwise breaking the law.

The Dodd-Frank Act amended the Securities Exchange Act to provide for whistleblower incentives and protections in order to encourage individuals to report possible violations of securities laws, but the new law goes further than merely encouraging reporting.  Under SEC Rule 21F-17, companies may not take action to impede individuals from communicating with SEC staff about possible law violations, “including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.”

Like many large companies, global contractor KBR has a compliance program which is structured to process complaints from employees concerning potentially unethical or illegal conduct.  KBR has its own investigators who review these complaints and interview witnesses, including the individual who made the allegations.  Going back to before Rule 21F-17 went into effect, KBR was using a form confidentiality agreement in connection with its internal investigations.  Though the form itself was not required by KBR policy, it was included in the company’s Code of Business Conduct Investigation Procedures, and KBR’s investigators asked witnesses to sign the statement at the beginning of an interview.  In what would only later become significant, the confidentiality agreement provided as follows:

I understand that in order to protect the integrity of this review, I am prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without prior authorization of the Law Department. I understand that the unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment.

Prior to Dodd-Frank’s whistleblower provisions, this language would not have drawn SEC scrutiny, and the requirement of prior authorization from the company’s legal department likely sought to protect the company’s privileged attorney-client communications, not stifle reporting.

But Dodd-Frank and Rule 21F-17 changed everything.  Despite finding that (1) no employee was actually prevented from reporting potential law violations to the SEC, and (2) KBR had not tried to enforce the confidentiality agreement, the SEC nonetheless found that the offending language “undermines the purpose of Section 21F,” which is to encourage individuals to report to the SEC.

Without admitting wrongdoing, KBR agreed to (1) contact employees who had previously signed the agreement and advise them that they do not need permission from KBR’s legal department to report potential illegal activity to the government, (2) refrain from further violations, and (3) pay a $130,000 civil monetary penalty.

The SEC’s order in this case is potentially significant for several reasons.  In particular, many companies with compliance and internal-investigation programs may have similar, otherwise innocuous confidentiality provisions which are intended to protect privileged communications, not prevent employees from reporting potential law violations to the SEC.  Moreover, the fact that the SEC’s first action in this area involved a company not even accused of actually preventing such reporting may signal just how aggressive the SEC intends to be in searching out similar provisions in confidentiality agreements used by other companies.