Employers have a lot to be worried about. Employees are given access to trade secrets, customer lists, financial accounts, and other highly sensitive, confidential information. Most employers attempt to deter improper use of proprietary information through confidentiality policies or agreements, sometimes included in handbooks or in separate employment agreements.
Recently, the National Labor Relations Board (NLRB) and the Equal Employment Opportunity Commission (EEOC) have cast critical eyes on overbroad employee confidentiality policies, asserting that overbroad confidentiality policies may chill or deter employee complaints that are otherwise protected by federal law. Another federal agency, the Securities and Exchange Commission (SEC) has now joined the fray.
SEC Rule 21F-17, enacted pursuant to the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act, prohibits "any action to impede an individual from communicating directly with the [SEC] staff about a possible securities law violation, including enforcing or threatening to enforce, a confidentiality agreement." In the past year, Sean McKessy, Chief of the SEC's Office of the Whistleblower, has repeatedly warned against overbroad confidentiality policies that may be construed to deter an employee from going to the SEC. Now, the SEC has settled its first test case.
Houston-based KBR, Inc. used a form confidentiality statement in connection with internal investigations. KBR's statement provided that the participating employee was "prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without the prior authorization of the Law Department" and that "unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment." The SEC instituted enforcement proceedings against KBR, even though it admitted to not being aware of any instances in which the agreement actually interfered with whistleblowing to the SEC. The SEC argued that such a blanket prohibition against discussing the substance of any interview had a potential chilling effect on employees' willingness to blow the whistle to the SEC.
While KBR did not admit or deny the SEC's findings, KBR agreed to settle the charges against it. KBR agreed to pay a $130,000 fine, amend its confidentiality statement, and attempt to contact employees who signed the unmodified confidentiality statement to inform them that they are not prohibited from communicating with government agencies about possible violations of federal law. KBR's amended statement provides:
Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity including but not limited to the Department of Justice, the Securities and Exchange Commission, the Congress, and any Inspector General, or making other disclosures that are protected under the whistleblower provisions of federal law or regulation. I do not need the prior authorization of the Law Department to make any such reports or disclosures and I am not required to notify the company that I have made such reports or disclosures.
There are clear implications to the SEC's aggressive "preretaliation" enforcement action. It is apparent that the SEC is concerned with the perceived effect of confidentiality agreements, and not just with whether such agreements actually deterred whistleblowing. Simply having a policy without carve-outs as in the unmodified KBR statement could expose a covered employer to enforcement action. Further, as KBR's prior confidentiality language did not in fact explicitly prohibit communications with law enforcement, the SEC's enforcement action has effectively rejected any argument that an implicit right to contact law enforcement should be read into any confidentiality agreement.
Considering the increased scrutiny on confidentiality agreements and statements from the SEC, NLRB, and EEOC, employers must exercise caution when crafting employee confidentiality agreements. While the SEC's enforcement action against KBR was premised on a confidentiality statement KBR used in internal investigations, Rule 21F-17 is not limited to statements used in internal investigations. Thus, employers can, at a minimum, eliminate or reduce the risk of SEC enforcement action simply by revising confidentiality agreements in any form to provide safe harbors like those in KBR's amended statement. However, the SEC's enforcement action serves as a strong reminder that confidentiality policies – along with all other personnel policies – should be routinely reviewed to ensure compliance with ever-changing federal and state laws and regulations.