A Chill in the Air: The Compliance Risks of Confidentiality Mandates in Internal Investigations and Beyond
Last month, the Securities and Exchange Commission (SEC) announced its first enforcement action against a company for using restrictive language in confidentiality agreements with the potential to chill employee whistleblowing. The SEC charged that KBR, Inc., violated Rule 21F-17 enacted under the Dodd-Frank Act by requiring witnesses in internal investigations interviews to sign confidentiality statements with language warning that they could face discipline and even be terminated if they discussed the matters with outside parties without the prior approval of KBR’s legal department. Since these investigations included allegations of possible securities law violations, the SEC found that these terms ran afoul of Rule 21F-17’s prohibition on a company’s taking any action to impede whistleblowers from reporting possible securities violations to the SEC. The agency’s press release linking to the underlying order can be found here.
Although this enforcement action was taken under a particular regulatory framework governing only publicly traded corporations (Dodd-Frank), it potentially has much broader significance. Indeed, consider the agency’s core message, as stated in the press release:
“By requiring its employees and former employees to sign confidentiality agreements imposing pre-notification requirements before contacting the SEC, KBR potentially discouraged employees from reporting securities violations to us,” said Andrew J. Ceresney, Director of the SEC’s Division of Enforcement. “SEC rules prohibit employers from taking measures through confidentiality, employment, severance, or other type of agreements that may silence potential whistleblowers before they can reach out to the SEC. We will vigorously enforce this provision.”
Such reasoning can easily (and likely will) be adopted by other regulatory agencies seeking to ensure employer actions do not stifle potential whistleblowers under other legal regimes. This means that any firm or business—publicly traded, privately owned, or nonprofit—conducting internal investigations in a context in which whistleblower protections potentially loom needs to be cognizant of these concerns. Of course, such protections are of particular importance in the health and pharmaceutical areas.
Moreover, the SEC is not the first agency to find confidentiality agreements or mandates problematic. The Equal Employment Opportunity Commission, for example, has challenged settlement agreements between employers and employees that require confidentiality. In addition, the National Labor Relations Board has held that blanket confidentiality policies that suggest employees are barred from discussing matters relating to internal investigations with other employees can run afoul of the employees’ rights under the National Labor Relations Act to engage in “concerted activities for mutual aid and protection.” Policies that suggest employees are prohibited from reporting labor violations to the Board also are unlawful.
Thus, the SEC’s order is the latest signal that there are significant compliance risks created by standard confidentiality restrictions on disclosing internal matters. The takeaway is that companies and their counsel or internal investigators think twice before they issue blanket prohibitions—whether in the form of policies, agreements, training regimes, or statements—on discussing any matters relating to an investigation, including the substance of investigatory interviews. Nor can they utilize language that suggests (that is, from which a reasonable employee can infer) that any internal or external communication of matters related to the investigation may lead to discipline or other adverse consequences. While we often think of whistleblower violations as involving retaliation, this trend reveals a heightened focus on “preemptive” actions that interfere with whistleblowing and other protected communications.
Still, there appears to room for more narrowly crafted policies or statements that are both justified by some legitimate interest and sufficiently clear to avoid chilling effects. For example, one such justification in the investigation context might be preservation of the attorney-client privilege, although, again, such preservation does not necessitate a broad prohibition on discussing investigation-related matters. Preserving the privilege might justify a policy mandating that an employee not reveal certain communications with counsel, but not a prohibition on discussing the subject matter (rather than counsel communications themselves) underlying the investigation. And any such policy may have to describe clearly its limitations.
Indeed, KBR resolved its dispute with the SEC by agreeing to pay a $130,000 penalty and voluntarily amended its confidentiality statement by adding language making clear that employees are free to report possible violations to the SEC and other federal agencies without KBR approval or fear of retaliation. The SEC advised in its press release that other employers should similarly review and amend existing agreements that in word or effect stop their employees from reporting potential violations. Other agencies have offered similar guidance.
Ultimately, the compliance risks associated with confidentiality mandates, in the investigations context and elsewhere, are sufficiently great and unsettled that counsel probably should be involved in reviewing and crafting such policies.