In 2011, the U.S. Securities and Exchange Commission adopted Rule 21F- 17 under the Securities Exchange Act of 1934. It prevents companies from, among other things, using confidentiality agreements to impede whistleblowing to the SEC.
Under the Obama administration, the SEC repeatedly enforced this rule and broadly interpreted its scope. Enforcement actions under the rule declined under the Trump administration, but enforcement now appears to be a priority under the current administration.
To illustrate this renewed and arguably expanded risk to employers, we analyze two recent and noteworthy settlement orders.
The first order was issued against a company executive for allegedly impeding a whistleblower's communications with the SEC by restricting the employee's access to company systems. [1] Employers likely will find this concerning because the order lacks any clear indication that the employer knew of the whistleblower's attempt to communicate with the SEC.
The employer appears to have had a legitimate belief that it needed to limit the risk of the employee sharing its confidential information with third parties based on the employee's threats.
The second order was issued against a company for its use of what may appear at first blush to be a fairly standard confidentiality agreement with a liquidated damages provision. Of central importance, the agreement lacked a carveout for reports to the SEC. [2]
The SEC found the employer's awareness of Rule 21F-17 to be significant, going so far as to note that the employer received advisories from various law firms.
Given the SEC's renewed focus on Rule 21F-17 and the attendant reputational and financial risks to employers, in-house employment counsel, compliance professionals and human resources professionals should revisit their companies' confidentiality policies and agreements containing confidentiality provisions — of which there could be myriad types — to minimize the risk that they will be deemed to have impeded individuals from blowing the whistle to, or otherwise communicating with, the SEC.
Background
Rule 21F-17 prohibits
any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement ... with respect to such communications. [3]
Between April 2015 and January 2017, the SEC brought numerous actions to this rule based on claims that employers effectively limited current and/or former employees' ability to communicate with the SEC and/or obtain bounty awards in various ways. But the SEC's Rule 21F-17 enforcement actions significantly declined under the Trump administration.
Under the current administration, however, the SEC appears to have signaled that it intends to renew its scrutiny of compliance with Rule 21F-17.
The SEC recently fired two warning shots.
In the Matter of Hansen
On April 12, the SEC announced that it had settled charges against an executive for allegedly violating Rule 21F-17. [4] The executive, David Hansen, was a co-founder of NS8 Inc., and had served as its managing director of technical operations and strategy, chief of staff and chief information officer.
The SEC found that while the executive was employed by NS8, an employee had raised concerns internally that NS8 was overstating its number of paying customers, including that the information used to formulate external communications to potential and existing investors allegedly was false.
The employee also raised the concerns directly to the executive and later submitted a tip to the SEC.
After making a report to the SEC, the employee told the executive that unless the company addressed the allegedly inflated customer data, he would reveal his allegations to the company's customers, investors and any other interested parties.
The executive suggested that the employee raise his concerns directly to his supervisor or the chief executive officer. The employee then discussed his concerns with his supervisor and reiterated that he would tell the company's customers, investors and others about his concerns.
Thereafter, the executive and the CEO allegedly took steps to remove the employee's access to the company's information technology systems. The executive also allegedly used the company's administrative account to access the employee's company computer and obtain his passwords to his email and social media accounts. The company then discharged the employee.
The SEC concluded that in restricting the employee's access to the company's IT systems and in monitoring his online activities, the executive substantially interfered with the employee's ability to communicate with the SEC about his concerns in violation of Rule 21F- 17.
The executive was ordered to cease and desist from committing or causing any future violations of Rule 21F-17 and to pay a monetary penalty of $97,523.
This order has serious implications.
It could be read to reflect an exceedingly broad view of the protections afforded to SEC whistleblowers under Rule 21F-17 — protecting employees who have threatened to broadcast company information to third parties other than the SEC, such as customers or investors, or even the media.
This could jeopardize the privacy of sensitive data and other confidential information and trade secrets, which could present a range of significant risks to companies.
These concerns were highlighted in a vigorous dissent from SEC Commissioner Hester Peirce, [5] in which she characterized the SEC's order as an "undisciplined interpretation and application of Rule 21F-17(a)."
Peirce stressed that Hansen's actions plainly did not interfere with the employee's ability to communicate with the SEC. Peirce further noted that limiting access to sensitive data is a common element in cybersecurity programs, and that companies have a strong interest in protecting the troves of data held about their customers, assets and business practices.
She cautioned that Rule 21F-17 should not be read
in a manner that complicates a company's ability to act to protect its data in the face of sweeping disclosure threats, even well-intentioned ones by concerned employees. [6]
The Case of Brink's
On June 22, the SEC announced that it had settled charges against The Brink's Company for requiring employees to sign confidentiality agreements.
The SEC found that, beginning in 2015 through 2019, thousands of employees were required to sign agreements as part of their onboarding process that prohibited them from divulging confidential information about the company to any third party without the prior written authorization of a Brink's executive officer.
The agreements defined "confidential information" to include information about
current and potential customers, ... prices, costs, business plans, market research, sales, marketing, ... operational processes and techniques, [and] financial information including financial information set forth in internal records, files and ledgers or incorporated in profit and loss statements, financial reports and business plans.
The SEC further determined that although internal counsel for Brink's was aware of the commission's enforcement actions related to Rule 21F-17 and received advisories from various law firms regarding this subject, the company added a provision to the confidentiality agreement template in April 2015 imposing $75,000 in liquidated damages for violations of the confidentiality provision, along with payment of attorney fees and costs for Brink's, but that the agreement still lacked a whistleblower exemption provision.
The SEC found that by requiring current and former employees to notify the company prior to disclosing any financial or business information to third parties — and threatening them with liquidated damages and legal fees if they failed to do so — the company impeded potential whistleblowers by forcing employees to either identify themselves to the company as whistleblowers or potentially pay $75,000 and the company's legal fees.
This, according to the SEC, violated Rule 21F-17.
In light of the commission's finding that Brink's had violated Rule 21F-17, the company has undertaken to state in all confidentiality agreements that
nothing contained in this Agreement limits Employee's ability to file a charge or complaint with the Securities and Exchange Commission, or any other federal, state, or local governmental regulatory or law enforcement agency. Brink's was also assessed a monetary penalty of $400,000.
Although Peirce joined in the SEC's bottom-line finding that Brink's violated Rule 21F-17, she expressed concerns about the scope of the agreed undertaking in the order, to the extent it required Brink's to include a provision in its employment-related agreements stating that employees were free
to file a charge or complaint with the Securities and Exchange Commission, or any other federal, state, or local governmental regulatory or law enforcement agency ("Government Agencies"). [7]
Peirce cautioned that the SEC "plainly lacks statutory authority to impose such a broad requirement," and Rule 21F-17 does not purport to assert such authority.
She further noted that merely because a respondent has agreed to particularly broad language as part of a settlement
should not be misconstrued as an indication that other companies are under any obligation to use the same or similar language to avoid running afoul of Rule 21F-17.
Implications for Employers
These recent actions appear to signal that the SEC has a reinvigorated focus on enforcing Rule 21F-17, and may have even expanded its view of the scope of protections afforded to potential whistleblowers under this rule.
As a result, employers need to revisit and carefully examine company policies and employment-related agreements that address confidentiality to ensure that all contain the appropriate terms and carveouts to promote compliance with Rule 21F-17. [8]
Reproduced with permission. Originally published August 2022 "Be Ready For SEC Scrutiny Of Employee Confidentiality Pacts," Law360.
[1] In the Matter of David Hansen, Release No. 94703 (Apr. 12, 2022).
[2] In the Matter of The Brink's Co., Release No. 95138 (June 22, 2022).
[3] 17 CFR §240.21F-17.
[4] U.S. Securities and Exchange Commission, "SEC Charges Co-Founder of Technology Company for Violating Whistleblower Protection Rule," (Apr. 12, 2022), https://www.sec.gov/enforce/34-94703-s.
[5] U.S. Securities and Exchange Commission, "Statement in the Matter of David Hansen," (Apr. 12, 2022), https://www.sec.gov/news/statement/peirce-statement-david-hansen- 041222.
[6] Of course, the SEC has tools at its disposal to obtain information relevant to a whistleblower complaint from an employer after the complaint is lodged. And query whether the order could be misconstrued by a whistleblower to engage in self-help discovery on an ongoing basis after complaining to the SEC to support and expand their whistleblower report.
[7] U.S. Securities and Exchange Commission, "A Caution on the Limits of Authority: Statement Regarding In the Matter of The Brink's Company," (June 22, 2022).
[8] Some employers may be inclined to include carve-outs referenced in the Defend Trade Secrets Act in confidentiality agreements in hopes of also satisfying Rule 21F-17. The relevant DTSA provision states:
An individual shall not be held criminally or civilly liable under any Federal or State trade secret law for the disclosure of a trade secret that –
- is made –
-
- in confidence to a Federal, State, or local government official, either directly or indirectly, or to an attorney; and
- solely for the purpose of reporting or investigating a suspected violation of law; or
- is made in a complaint or other document filed in a lawsuit or other proceeding, if such filing is made under seal.
18 U.S.C. § 1833(b)(1). In fact, it appears (based on footnote 4 in the Brinks order) that the employer there might have used such language. But that, alone, may be insufficient to satisfy the SEC, as it does not specifically reference, among other things, a disclosure to the SEC in particular.
