New SEC 'Risk Alert' on Confidentiality Agreements

The Securities and Exchange Commission has announced that it considers illegal any employer-imposed limitation on employees' ability to disclose confidential trade secret information to the SEC, if the employee wants to make disclosure in pursuit of whistleblower claims. Indeed, the SEC wants employers to affirmatively advise employees of their right to do so.

On Oct. 24, 2016, the SEC Office of Compliance Inspections and Examinations released a Risk Alert specifically warning that the agency "is reviewing a variety of documents," including compliance manuals, codes of ethics, employment agreements, and severance agreements, for language that is contrary to SEC regulations on disclosure of information in pursuit of whistleblower claims.1

Specifically, these are policies that would prohibit disclosures of confidential information, require employees to notify or obtain consent from the employer prior to disclosing confidential information, or permit disclosures of confidential information only "as required by law," without providing an exception for voluntary communications with the SEC concerning possible securities laws violations.2

And, as various enforcement actions described below attest, the SEC isn't bluffing. It is going after companies that have any internal policies, practices, or agreements that contain offending language.


Those who read this column regularly know that the Sarbanes-Oxley and Dodd-Frank Acts prohibit retaliation against an employee who reports conduct that the employee "reasonably believes" constitutes mail fraud, bank fraud, wire fraud, securities fraud, a violation of the rules or regulations of the SEC, or a violation of other laws relating to fraud against shareholders.3

Sarbanes-Oxley and Dodd-Frank were drafted in the wake of the Enron scandal (in the case of Sarbanes-Oxley), and the subprime debacle (in the case of Dodd-Frank). SOX's whistleblower remedies initially applied only to publicly traded companies. Dodd-Frank added to the mix employees of various financial institutions, including those providing consumer credit, hedge funds, private equity firms, and others.

SOX's whistleblower remedies remained limited to employees of public companies until 2014, when, in Lawson v. FMR, LLC,4 the Supreme Court held that the whistleblower remedies provided by Sarbanes-Oxley also cover employees of privately owned companies performing contract services with publicly traded companies.

SEC 'Deputizes' Employees

In addition to the whistleblower remedies provided by Sarbanes-Oxley, Dodd-Frank provided new "bounty" awards to whistleblowers. Dodd-Frank essentially seeks to regulate companies from within by deputizing employees to bring to the SEC's attention alleged violations of securities laws. The statute, at Section 922, requires the SEC to pay whistleblowers, who voluntarily provide "original information" to the SEC of fraud within a company that leads to a successful enforcement action resulting in a penalty of $1 million or more, an award of no less than 10 percent and up to 30 percent of any penalty imposed or settlement reached with a company.

Dodd-Frank, in the first instance, excludes certain employees from being able to recover bounties—but the exclusions have exceptions large enough to drive through the proverbial truck. Thus, employees who obtain information as a result of their legal responsibilities, compliance and internal audit personnel, public accountants, officers, directors, trustees and partners are excluded.

But these employees may still recover if they believe disclosure may prevent substantial injury to the financial interest or property of the entity or investors; if they believe the entity is engaging in conduct that will impede an investigation; or if 120 days have passed since the whistleblower reported the information, or since the whistleblower received it, where it appears that management is aware of the information.

Private Companies

A company does not need to be publicly traded to commit securities fraud. The SEC has brought stock fraud cases against privately held companies that issue stock and commit fraud in their issuance.5 Companies that provide equity-based benefit plans to employees may also be vulnerable to SEC enforcement, regardless of whether they are publicly traded. As one commentator on an SEC action against a private company has noted: "Full disclosure is required, whether a company is private or public, in connection with the purchase or sale of securities. And, like public companies, a private company may assume a duty to update disclosure when prior statements are material and nondisclosure renders the prior statements misleading or deceptive."6

Taking Lawson to its logical conclusion, at the very least, employees may recover a bounty for disclosing insider trading based on information their employer receives from public company clients or customers.

Challenges to Language

The subject of lawful or unlawful confidentiality language has been front-and-center since the SEC's entry of a consent order in the case of the international engineering company KBR Inc. in April 2015.7 In that case, the SEC declared unlawful language that most lawyers would routinely utilize in invoking the Upjohn doctrine to preserve the attorney-client privilege in conducting an internal investigation.8

SEC Rule 21F-17(a), promulgated as part of the SEC's responsibility for enforcing the whistleblower provisions of the Dodd-Frank Act, provides: "No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement…with respect to such communications."

In In re KBR, the company's internal investigation procedure prohibited KBR employees, "to protect the integrity of the process," from "discussing any particulars regarding this interview and the subject matter discussed during the interview, without the specific advanced authorization of the company's general counsel." The SEC was unaware of any instance in which an employee was actually prevented from communicating with the SEC or where KBR took action to enforce the rule.

Nevertheless, the SEC issued a cease-and-desist order, finding that the language violated SEC Rule 21F-17(a) because it improperly "impedes [communication with the SEC] under penalty of discipline." The SEC noted that the policy contained no exception for an employee's right to communicate directly with the SEC. In addition to imposing a $130,000 fine, the SEC ordered KBR to make reasonable efforts to contact all employees who signed the statement, providing them with a copy of the order and a statement that KBR does not require permission before communicating with any government entity regarding possible violations of federal law or regulations.

Confidential Documents

KBR was only the first salvo. In August 2016, in In re BlueLinx Holdings,9 the SEC required the company to notify employees of their right to provide company documents to the SEC or any other government entity without notice to the company.

In that case, the SEC struck as illegal language that many of us would have previously regarded as routine and unremarkable in drafting an enforceable release agreement. There, the severance agreement provided that while the releasing employee retained the right to file a charge with any government entity, including the Equal Employment Opportunity Commission (EEOC), National Labor Relations Board (NLRB), Occupational Safety and Health Administration (OSHA), and the SEC, nevertheless the employee agreed that she was "waiving the right to any monetary recovery in connection with any such complaint or charge that Employee may file with an administrative agency."

The agreement also contained restrictions on use of "confidential information" which required in each instance that before disclosing such information outside the company, the employee needed to seek guidance and provide notice to the company's legal department.

The SEC held that this language violates SEC Rule 21F-17(a) and imposed a civil penalty of $265,000 and ordered BlueLinx to notify employees who signed severance agreements within the last five years of their right to file whistleblower claims with the SEC and to accept SEC whistleblower awards.

The agency also ordered the company to modify language in future severance agreements to make clear that the employee was not limited in the right to receive an award for any information provided to any government agencies, nor to communicate with any government agencies or otherwise participate in an investigation, "including providing documents or other information, without notice to the Company."10

Defend Trade Secrets Act

Another critical law highlighting the right of whistleblowers to file confidential charges with the federal government is the 2016 Defend Trade Secrets Act (DTSA).11 That statute provides a new federal cause of action for misappropriation of trade secret information. Among other things, it permits broad relief that is not always available under state law, including injunctive relief, unjust enrichment damages, and double damages for willful and malicious misappropriation. The law also provides procedures for ex parte seizure of misappropriated materials in extraordinary circumstances, such as where there is a risk of flight or of an imminent disclosure of trade secret information.

However, there is a catch. The law specifically provides, at Section 7, that no individual can be prosecuted for trade secret misappropriation, under state or federal law, if they have disclosed trade secrets to government officials or lawyers while reporting suspected illegal conduct, if the filing is made under seal. And, in order to be able to take advantage of the new civil cause of action, employers must provide notice of this whistleblower's immunity to employees, contractors and consultants, in any contract or agreement governing trade secret or confidential information.


For its part, in August 2016, the U.S. Department of Labor Occupational Safety and Health Administration (OSHA) issued guidelines on settlement agreements in whistleblower cases that seek to bar "gag" provisions that prohibit, restrict or discourage participation in protected activity, e.g., broad confidentiality or non-disparagement clauses; broad liquidated damage clauses; a requirement that an employee notify the employer before filing a government complaint; and any disclaimer of knowledge that the employer violated the law.12

The EEOC has also stepped up its activity in this area. In 2014, it sued CVS Pharmacy,13 challenging provisions in their settlement agreement in a case of alleged race and sex discrimination brought by a store manager. CVS settled with the manager, and she signed an agreement which included a release of claims, a covenant not to sue CVS in any court or agency (but carved out the employee's right to "participate in a proceeding with any appropriate federal, state or local government agency enforcing discrimination laws") and forbade the employee from improperly using or disclosing confidential information belonging to CVS and making "any statements that disparage the business or reputation" of CVS (but clarified that the agreement did not prohibit the employee from "making truthful statements or disclosures that are required by applicable law, regulation or legal process" or "requesting or receiving confidential legal advice.")14

The agreement also required the signatory to cooperate with CVS to protect confidential company information in legal proceedings, but provided that "[n]othing in this Agreement shall be construed to prohibit Employee from testifying truthfully in any legal proceeding." If the signatory complied with these and other related covenants, she was entitled to severance pay, subsidized health insurance during the severance period, and two months of outplacement assistance. The agreement advised the terminated employee to seek legal advice before signing, allowed her 21 days to consider whether to sign, and provided a seven-day revocation period after signing.15

After signing the agreement, the manager nevertheless filed a charge of discrimination with the EEOC. The EEOC's complaint alleged that CVS was engaged in a pattern or practice of discrimination by, among other things, "conditioning the receipt of severance benefits on…employees' agreement to a Separation Agreement that deters the filing of charges and interferes with employees' ability to communicate voluntarily with the EEOC…." The EEOC's challenge was dismissed largely on technical grounds—the EEOC never sought to conciliate the matter before filing suit—but the EEOC's sentiment regarding these agreements is nevertheless clear.16


As noted above, the SEC's Risk Alert, issued on Oct. 24, 2016, makes clear the agency's continued intent to vigorously pursue these issues. And the EEOC's and other agencies' activities reinforce the need to audit internal policies, procedures, and agreements with care for necessary changes.

Employers should eliminate language that limits an employee's, or even a contractor's, right to file administrative charges or lawsuits, to provide documents and information to government agencies, or to recover damages for such claims. The rights should apply to any government agency charged with enforcement of any law, not just employment laws.

1. See SEC Office of Compliance Inspections and Examinations Risk Alert (Oct. 24, 2016), available at

2. Also prohibited is language that would require employees to represent that they have not assisted in any investigation involving the company.

3. Sarbanes-Oxley Act, 18 U.S.C. §1514A, 15 U.S.C. §78; Dodd-Frank Wall Street Reform and Consumer Protection Act, 15 U.S.C. §78u-6.

4. 134 S.Ct. 1158 (2014).

5. See, e.g., SEC v. Stiefel Laboratories, No. 11-cv-24438-WJZ (S.D. Fla. filed Dec. 12, 2011), available at .

6. R. Walter, "Private Entities: The Evolving Frontier of the Securities Law" (Washington Lawyer, November 2014), available at

7. In re KBR, File No. 3-16466 (SEC Release No. 74619 / April 1, 2015).

8. Upjohn Co. v. United States, 449 U.S. 393 (1981) holds that a corporation's attorney-client privilege extends to investigative interviews with both management and non-management employees, so long as the investigation is undertaken at the direction of management and for the purpose of providing legal advice. To preserve the privilege, Upjohn generally requires that the interviewer advise the interviewee, among other things, (1) that she represents the employer; (2) that the investigation is being carried out at the request of counsel; (3) that the interviewer does not represent company employees and cannot render legal advice to any individual, including the interviewee; (4) that she may share portions of the interview with the company; (5) that the conversation is protected by the attorney-client privilege but that the company controls this privilege and the confidentiality of the communication, and therefore has the right to waive the privilege and disclose any portion of the conversation to third parties; and (6) in order for this discussion to be subject to the privilege, it must be kept in confidence and, with the exception of the interviewee's own attorney, the interviewee may not disclose the substance of the interview to any third party.

9. SEC File No. 3-17371 (Release No. 78528/Aug. 10, 2016).

10. Accord In re Health Net, SEC File No. 3-17396 (Release No. 78590 / Aug. 16, 2016); In re Anheuser-Busch Inbev SA/NV, SEC File No. 3-17586 (Release No. 3808/Sept. 28, 2016).

11. Public Law No: 114-153 (05/11/2016).

12. See Memorandum for Regional Administrators, Subject "New policy guidelines for approving settlement agreements in whistleblower cases" (Aug. 23, 2016), available at

13. EEOC v. CVS Pharmacy, 809 F.3d 335 (7th Cir. 2015).

14. Id. at 337.

15. Id.

16. The court also held that Title VII "does not create a broad enforcement power for the EEOC to pursue non-discriminatory employment practices that it dislikes—it simply allows the EEOC to pursue multiple violations of Title VII (i.e., unlawful employment practices involving discrimination or retaliation…in one consolidated proceeding.") Id. at 341.

Philip M. Berkowitz is a shareholder and U.S. cochair of Littler Mendelson's international law practice. This article is reprinted with permission from the November 9, 2016 issue of the New York Law Journal. © ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.