Standard Confidentiality Provisions May Be Prohibited "Pretaliation" in Eyes of SEC [Ober|Kaler]

Small Business Securities Bulletin

A periodic bulletin keeping small businesses informed about current developments in securities law and related matters.


As we discussed in our June 2011 Bulletin, available here, SEC rules promulgated under the Securities Exchange Act of 1934, as amended (Exchange Act), pursuant to Section 21F thereunder as enacted by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank), provide financial incentives for employees and others to report corporate wrongdoing to the Securities and Exchange Commission (SEC) and prohibit retaliatory actions against such “whistleblowers.” In particular, Rule 21F-17 promulgated under the Exchange Act prohibits impeding a whistleblower from communicating with the SEC about a potential securities law violation, “including enforcing, or threatening to enforce, a confidentiality agreement.” Rule 21F-17 applies to both SEC reporting companies and non-SEC reporting companies.

Recent SEC enforcement actions have made clear that the SEC may consider rather standard confidentiality provisions a violation of Rule 21F-17, even when there is no evidence that the company in question enforced, or threatened to enforce, such confidentiality provisions to thwart attempts to report potential violations to the SEC. In other words, the mere existence of what is often standard confidentiality language in an agreement could be deemed a violation by the SEC because the potential exists that the company may enforce, or could have enforced, such provision in a manner that discouraged an employee from bringing his or her concerns to the SEC.

The first action under Rule 21F-17, In the Matter of KBR, Inc., was brought last year. This action centered on a form of confidentiality statement that KBR required its employees to sign before being interviewed as part of KBR’s internal investigations following up on complaints and allegations from its employees of potential illegal or unethical conduct. The confidentiality statement included the following provision that the SEC found troublesome: “I understand that in order to protect the integrity of this review, I am prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without the prior authorization of the Law Department. I understand that the unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment.”

While the SEC acknowledged that it was unaware of any instances in which KBR employees were actually prevented from communicating with the SEC or KBR took action to enforce the provisions in the confidentiality statement or otherwise prevent such communication, it found that “the language found in the form confidentiality statement impedes such communications by prohibiting employees from discussing the substance of their interview without clearance from KBR’s law department under penalty of disciplinary action including termination of employment. This language undermines the purpose of Section 21F and Rule 21F-17, which is to ‘encourag[e] individuals to report to the Commission.’” In addition to paying a $130,000 fine, KBR amended its confidentiality statement to make clear that nothing therein prohibited the employee from reporting possible violations of law to the SEC and other government agencies “or making other disclosures that are protected under the whistleblower provisions of federal law or regulation.”

While the SEC did not allege that KBR ever attempted to enforce such confidentiality provisions to stop employees from bringing their concerns to the SEC, the fact that the agreements in question were signed in conjunction with an ongoing investigation – where there was already the reasonable possibility of a violation – distinguished this case from the common situation where similar confidentiality language appears in employment agreements and other corporate documents. Recent enforcement actions, however, demonstrate that the SEC continues to focus on employer conduct that may impede employees’ rights to report misconduct in accordance with Section 21F and Rule 21F-17, or “pretaliation,” and, in our view, make it prudent for companies to review their employment agreements and other corporate documents to ensure they do not violate the SEC’s interpretation of Section 21F and Rule 21F-17.

2016 Enforcement Actions

In In the Matter of Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp., settled in June 2016, among other violations the SEC found that Merrill Lynch violated Rule 21F-17 as a result of its inclusion of “language in certain of its policies, procedures, and agreements with employees that unduly limited the disclosure of confidential information.” In one example, language used in certain Merrill Lynch severance agreements prohibited departing employees from disclosing Merrill Lynch’s confidential information “except pursuant to formal legal process or unless the former employee first obtained the written approval.” The agreements did permit disclosure pursuant to an order or requirement of a court, administrative agency or similar authority, but not voluntary disclosure to government agencies. Further, in 2014 Merrill Lynch added a clause to its form of severance agreement providing that the agreement did not prohibit initiating communications directly with the SEC or other authorities but that only information relating to the agreement or “its underlying facts and circumstances” could be so communicated. As with KBR, the SEC found that “the language found in certain of the … policies, procedures, and agreements operated to impede communications [with the SEC about securities law violations] by prohibiting employees from voluntarily providing information to the [SEC] without prior approval,” and thus violated Rule 21F-17. Merrill Lynch revised the confidentiality language in its agreements, policies and procedures to clarify that there is no restriction on employees’ rights to provide information to the SEC under Rule 21F-17. 
For example, Merrill Lynch revised its severance agreements to provide that, other than information, the disclosure of which is protected by law or privilege, nothing therein “prohibits or limits the employee or his counsel from initiating communications directly with, responding to any inquiry from, volunteering information to, or providing testimony before, among others, the [SEC] in connection with any reporting of, investigation into, or proceeding regarding suspected violations of law” or requires the permission of Merrill Lynch to do so. Merrill Lynch also began providing annual training and notices to employees to inform them of their rights to, among other things, report potential violations of law to the SEC and other agencies.

In In the Matter of BlueLinx Holdings, Inc., settled in August 2016, the SEC found that language in BlueLinx’s severance agreements, which it entered into with employees who were leaving the company and receiving severance or other post-employment compensation, violated Rule 21F-17. According to the SEC’s Order in this matter, the severance agreements in question “contained some form of a provision that prohibited the employee from sharing with anyone confidential information concerning BlueLinx that the employee had learned while employed by the company, unless compelled to do so by law or legal process,” and required the employee to provide written notice or obtain written consent from the company’s legal department prior to providing such information even when so compelled. Two years after the adoption of Rule 21F-17, BlueLinx added language to the agreements that provided that nothing contained therein prevented the employee from “filing a charge with” the SEC and certain other government agencies “if applicable law required that the Employee is permitted to do so,” but that “Employee understands and agrees that Employee is waiving the right to any monetary recovery in connection with any such complaint or charge that Employee may file with an administrative agency.” In other words, employees could bring their concerns to the SEC and other agencies to the extent permitted under applicable whistleblowing laws, but could not accept any reward they might be eligible for having done so. The SEC found that by “[r]estricti[ng] …the ability of employees to share confidential corporate information regarding possible securities law violations with the [SEC] and to accept financial awards for providing information to the [SEC]” BlueLinx violated Rule 21F-17.  
In addition to a $265,000 fine, BlueLinx agreed to add corrective language to its severance agreements, as well as other agreements that included prohibitions on the use or disclosure of confidential information relating to the company, and to contact former employees to make such corrective disclosure with respect to their existing agreements.

Finally, also in August, in In the Matter of Health Net, Inc., the SEC settled a similar action for a $340,000 fine, the addition of corrected language and the company’s agreement to contact former employees who had entered into severance agreements with the company that, while not prohibiting employees from participating in a government investigation, as in BlueLinx, prohibited them from “filing an application for, or accepting, a whistleblower award from the [SEC].” 

As in KBR, there was no evidence that Merrill Lynch, BlueLinx or Health Net actually sought to enforce the targeted provisions; their existence alone was deemed enough for the companies to be in violation of Rule 21F-17.


These SEC enforcement actions demonstrate that the SEC has taken a broad view of the anti-retaliation provisions of Dodd-Frank’s whistleblowing provisions, and we believe it is only a matter of time before the staff of the SEC’s Enforcement Division turns its attention to confidentiality provisions in employment agreements as well as internal corporate documents such as employee handbooks and codes of ethics. The language at issue in KBR, in particular, is similar to the confidentiality provisions that typically appear in employment agreements and other corporate documents. Until these recent enforcement actions and related statements by SEC Enforcement staff, the mere existence of these types of provisions, without the threat of using them to impede employees’ rights to report wrongdoing, was generally not thought to violate the anti-retaliation provisions of the Dodd-Frank whistleblowing provisions and related SEC rules. Given the enforcement actions discussed herein, however, we believe companies should review the confidentiality provisions in their employment agreements, confidentiality agreements, codes of ethics, employee handbooks, etc., and consider revising such provisions or adding language to ensure there is no suggestion that employees may not report wrongdoing to the SEC or other appropriate agencies where such conduct is protected by federal or state law.
