The SEC continues to review non-disclosure agreements and other confidential business information provisions of publicly traded companies to ensure whistleblowers are not restricted from freely communicating with the agency about potential violations of securities laws or SEC rules.  The SEC is doing so pursuant to its enforcement authority under SEC Rule 21F-17, which provides:

(a) No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement (other than agreements dealing with [attorney-client privileged] information covered by § 240.21F-4(b)(4)(i) and § 240.21F-4(b)(4)(ii) of this chapter related to the legal representation of a client) with respect to such communications.

(b) If you are a director, officer, member, agent, or employee of an entity that has counsel, and you have initiated communication with the Commission relating to a possible securities law violation, the staff is authorized to communicate directly with you regarding the possible securities law violation without seeking the consent of the entity’s counsel.

The SEC has been enforcing Rule 21F-17 since 2015.¹ The SEC has ramped up its enforcement recently. 

For instance, on September 29, 2023 in D.E. Shaw & Co., L.P. (“DESCO”), the SEC issued a cease and-desist Order and imposed significant remedial sanctions against DESCO. This included issuing a $10M civil monetary penalty against DESCO, easily the largest ever—by far--for a Rule 21F-17 violation.  

In the case, the SEC alleged DESCO, a global investment and technology firm, violated Rule 21F-17. DESCO allegedly did so by including a confidential-information provision in an employment agreement prohibiting employees from voluntarily communicating with the SEC about potential securities laws violations. The problematic provision stated as follow:

Employment Agreement

[Prohibiting disclosure of] Confidential information . . .  except as may be required by any applicable court of competent jurisdiction, a regulatory or self-regulatory body, or a governmental body.

In addition, from approximately August 2011 to June 2023, the company required roughly 400 employees to sign releases upon departing the company that affirmed they had not filed any complaint with any governmental agencies. The release language read as follows and was a part of departing employees’ receipt of additional payouts that, in some instances, totaled millions of dollars:

Release

The Employee represents and warrants to the Company that the Employee has not made, filed or lodged any complaints, charges, or lawsuits or otherwise directly or indirectly commenced any proceeding against any member of the D.E. Shaw Group and/or any Covered Persons and Entities with any governmental agency, department, or official; any regulatory authority; or any court, other tribunal, or other dispute resolution body.

The SEC’s Order also noted how, unlike other recent SEC cases involving Rule 21F-17 (see below), at least one former DESCO employee was discouraged from communicating with SEC staff due to the employment agreement and release provisions. According to the SEC, the plain language of the provisions themselves also raised impediments to DESCO’s current and former employees’ filing whistleblowing complaints with the SEC about potential securities violations. The SEC noted that DESCO revised its policies and employment agreement in 2017 and 2018 to clarify that the language did not bar disclosure to governmental agencies regarding violations of the law.  However, DESCO did not change the language of the release until June 2023, during the pendency of the SEC’s investigation.

The DESCO Order comes on the heels of a September 19, 2023 decision in CBRE, Inc., where the SEC issued a cease-and-desist Order and imposed remedial sanctions against CBRE—a national commercial real estate firm—for its use of separation-agreement provisions that the SEC asserted violated the SEC’s whistleblower protection in Rule 21F-17. In addition to revisions to the separation agreement the SEC required CBRE to make, the SEC also imposed a $375,000 civil monetary sanction on the company.   

This result occurred even though CBRE immediately cooperated with the government. The CBRE cease-and-desist Order lists the company’s extensive cooperation efforts as the critical rationale for not pursuing an even larger civil penalty against the company. Cooperation the SEC noted included how CBRE: 

• Revised all separation agreements for Rule 21F-17 compliance;

• Audited and revised its employee agreements worldwide (300+ agreements globally);

• Revised and updated other documents, including policy documents, standards of business conduct, and “toolkits,” for Rule 21F-17 compliance;

• Conducted trainings for compliance teams; 

• Retrained nearly 100,000 employees globally on applicable firm policies and Rule 21F-17 language; and

• Identified, contacted, and communicated with over 880 former employees—who signed separation agreements between 2021 and 2022—to inform them that the agreements did not impede their right to communicate directly with the SEC and that such right remained intact.

The SEC nevertheless determined that the company’s separation agreements contained release language that impeded potential whistleblowers from reporting complaints to the SEC. The SEC challenged this language in the company’s separation agreement as being in violation of SEC Rule 21F-17:

Employee represents and acknowledges [t]hat Employee has not filed any complaint or charges against CBRE, or any of its respective subsidiaries, affiliates, divisions, predecessors, successors, officers, directors, shareholders, employees, representatives or agents (hereinafter collectively “Agents”), with any state or federal court or local, state or federal agency, based on the events occurring prior to the date on which this Agreement is executed by Employee.

According to the SEC, by including this language the company impeded its employees’ ability to communicate directly with the SEC and participate in the SEC’s whistleblower program. In its enforcement Order, the SEC noted that the agreement also contained language that barred the employees from executing the separation agreement prior to their termination date. So, “read together,” the two provisions required the employee contractually to represent how the employee had not filed a complaint about (i) any events that occurred at any time during the employee’s entire employment and before the employee’s termination, or (ii) any events that occurred after termination but before the signing of the separation agreement.  The SEC concluded the language “undermined the purpose of Section 21F and Rule 21F-17(a) to ‘encourag[e] individuals to report to the Commission.’”

Notably, in 2015, the SEC brought its first enforcement action under Rule 21F-17 and began to publicize its efforts to do so.  That year, the company added the following “carveout” to its separation agreements:

Nothing in this Agreement shall be construed to prohibit Employee from filing a charge with or participating in any investigation or proceeding conducted by the . . . the Securities and Exchange Commission, the Department of Justice, or a comparable federal, state or local agency.

Surprisingly, despite this addition, the SEC found that the carveout did not save the company’s agreement from violating Rule 21F-17. Instead, the SEC found the language “prospective in application and therefore did not remedy the impeding effect” of the separation agreement.

There are several key takeaways for employers in light of the SEC’s enforcement Order in these cases:

• Employers should review their separation agreements, non-disclosure agreements, employment agreements, and any confidential business information policy or requirement for any language that might run afoul of Rule 21F-17, or that could be construed to “impede” whistleblowers from contacting the SEC.  

• For separation and settlement agreements with releases, employers typically need to secure a representation that the individual asked to sign the document does not have a pending claim of discrimination, harassment, or retaliation, to determine if certain state-required language under recent #MeToo laws need to be added.  This would appear to be permissible because the clause in question above required a representation that the person asked to sign the release had not filed “any complaint or charges,” which the SEC might have considered overly broad.  Furthermore, in order to address the SEC’s objection that the disclaimer above applied only prospectively for employers, it might be prudent to expand the disclaimer for protected rights to be clear that no prior company action or policy prohibits cooperation with government agencies.

If the SEC initiates an enforcement action, plan to cooperate with the SEC. The SEC cites cooperation as a significant factor in resolving a Rule 21F-17 enforcement action.

Bottom line—publicly traded and other SEC-regulated employers should be on alert to the SEC’s ongoing attention to enforcement actions under Rule 21F-17. Indeed, the week before announcing the CBRE case, the SEC announced that it had settled virtually identical allegations against another company, which included imposing a civil penalty of $225,000.