Whistleblower Protections Trump Confidentiality Provisions: SEC Enforcement of Rule 21F-17

Non-obvious threats are the hardest ones to guard against, particularly when it comes to SEC enforcement. This week's guest blogger discusses how a severance agreement can lead to an SEC enforcement action in his latest guest post for the D&O Notebook. –Priya

In an effort to protect the companies they serve, too many employment lawyers have drafted severance agreements that are so broad that they run afoul of the whistleblower provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act. In a risk alert and a series of nine enforcement actions, the Securities and Exchange Commission (SEC) has recently taken great pains to clarify what it finds unacceptable.

The intent of the Whistleblower program is to encourage employees to come forward with information regarding illegal actions of companies. The program does so by providing financial awards to whistleblowers who provide original information.

[A] critical component of the Whistleblower Program is the minimum payout that any individual could look towards in determining whether to take the enormous risk of blowing the whistle in calling attention to fraud.

The SEC is serious about protecting the integrity of the program. SEC Rule 21F-17(a) states that:

No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.

Rule 21F-17 became effective on August 12, 2011.

Broad Enforcement Authority

The SEC has been explicit in its belief that it has broad authority to protect the Whistleblower program. In an October 16, 2016 Risk Alert, the SEC Office of Compliance Inspections and Examinations stated that when reviewing compliance with Rule 21F-17, it will review compliance manuals, codes of ethics, employment agreements and severance agreements for anything that purports to limit what an employee may convey to the SEC or anything that waives an employee’s right to a monetary recovery arising out of reporting information to the government.

SEC Enforcement Actions

On April 1, 2015, the SEC issued its first Order enforcing Rule 21F-17. It has subsequently issued eight more, with the last one being issued January 19, 2017, the day before Donald Trump was sworn in as President. A review of the nine orders provides a good road map for what companies should and should not do when it comes to Rule 21F-17.

  1. Requiring an Employee to Obtain Consent Prior to Communicating with the SEC (KBR)

When KBR received complaints regarding illegal and/or unethical actions at the company, they would conduct internal investigations that included employee interviews. At the commencement of an interview, employees were instructed to sign a confidentiality agreement that in part prohibited them from disclosing anything discussed in the interview without the prior authorization of the corporate legal department. The KBR agreements went on to state that breach of the agreement may be grounds for disciplinary action including termination of employment.

KBR’s confidentiality agreement was found to violate Rule 21F-17 and the SEC issued a cease-and-desist order instructing KBR to cease using the agreements. KBR also had to advise former employees that they are free to contact the SEC regardless of what the agreement says and was assessed a civil money penalty.

  2. Express Prohibitions Against Employees Contacting or Communicating with a Governmental Agency (SandRidge & Merrill Lynch)

One all too common confidentiality agreement foot fault is failing to expressly carve out an exception for communication with the SEC (which the SEC finds violates Rule 21F-17), as was the case in KBR. Worse were the SandRidge Energy employee severance agreements because they expressly prohibited an employee from:

. . . at any time in the future voluntarily contact or participate with any governmental agency in connection with any complaint or investigation pertaining to the Company, and [may] not be employed or otherwise act as an expert witness or consultant or in any similar paid capacity in any litigation, arbitration, regulatory or agency hearing or other adversarial or investigatory proceeding involving the Company.

Coincidentally, SandRidge was commencing a significant reduction in force on the day the KBR order was entered. In its Order, the SEC pointed out that SandRidge’s in-house counsel received multiple client alerts regarding the KBR Order and in fact instructed outside counsel to make their agreements compliant with Rule 21F-17. However, SandRidge used their non-compliant severance agreements as part of the reduction in force.

Although using language less overtly problematic than SandRidge, Merrill Lynch, as part of a larger enforcement action, was also found to have policies, procedures and agreements that violated Rule 21F-17. Merrill Lynch permitted an employee to disclose confidential information pursuant to a court or administrative order, but prohibited employees from making a voluntary disclosure. This prohibition is unacceptable to the SEC.

  3. Prohibitions Against Collecting a Whistleblower Award (BlueLinx Holdings, BlackRock & Health Net)

Perhaps in a half-baked effort to comply with Rule 21F-17, BlueLinx Holdings amended its form severance agreement in 2013 to expressly allow an employee to voluntarily contact the SEC and other governmental agencies. However, their amendment went on to waive the employee’s right to any monetary recovery/award in connection with reporting to a governmental agency. This attempted elimination of the monetary incentive to whistleblowing was found by the SEC to violate Rule 21F-17.

BlackRock and Health Net took the same approach as BlueLinx and, not surprisingly, they received the same result from the SEC. These three matters confirm that complying with the letter of the law while simultaneously eviscerating the law’s incentive structure is a flawed approach.

  4. Forfeiture of Severance Payment(s) (Neustar)

In Neustar, the SEC objected to a nondisparagement provision in the company’s severance agreements that in part expressly prohibited disparaging the company to the SEC. The agreement went on to state that in the event of breach of the agreement, the employee would forfeit all but $100 of his or her severance payment(s). The SEC was not impressed.

  5. Liquidated Damages Provisions (Anheuser-Busch InBev)

Anheuser-Busch InBev’s enforcement action involved an employee who was cooperating with the SEC regarding FCPA allegations. The employee ceased cooperating once he was terminated and entered into a severance agreement that prohibited disclosure of any information to anyone. The severance agreement included a $250,000 liquidated damages provision in the event the former employee breached the agreement. No surprise, the SEC did not like this provision.

  6. Requiring an Employee to Represent That They Are Not a Whistleblower (HomeStreet)

HomeStreet found itself the subject of an SEC investigation into its alleged improper hedge accounting. HomeStreet apparently assumed that the investigation was the result of a whistleblower disclosure. As part of that investigation, a former HomeStreet executive received a request for information from the SEC. The executive retained an attorney who requested that HomeStreet advance costs under the executive’s personal indemnification agreement. Apparently as a condition precedent to advancing costs, HomeStreet repeatedly requested confirmation that the executive was not a whistleblower. The executive’s attorney refused to provide the confirmation requested. He argued in part that requiring such confirmation in order to obtain advancement of costs violated Rule 21F-17. The SEC concluded that:

. . . by taking actions to determine the identity of an individual whom HomeStreet suspected had brought the hedge accounting errors to the Commission staff, including suggesting that the terms of an indemnification agreement could allow them to deny payment to an individual who HomeStreet believed to be a whistleblower, HomeStreet acted to impede individuals from communicating directly with the Commission staff about a possible securities law violation.

With this broad survey of how companies can violate Rule 21F-17 completed, let’s look at the consequences to those companies and how to best mitigate the risk of following in their footsteps.

Consequences of Violating Rule 21F-17

In all of the matters discussed above, the companies were required to:

  • cease and desist from using agreements and/or policies that violate Rule 21F-17;
  • make reasonable efforts to contact former employees who signed violative agreements subsequent to August 12, 2011;
  • provide former employees with an internet link to the SEC order;
  • advise former employees that they are not prohibited from speaking with or seeking and obtaining a whistleblower award from the SEC; and
  • pay civil money penalties.

The penalties assessed against companies arising solely from Rule 21F-17 violations are set forth below:


Civil Money Penalties for Rule 21F-17 Violations

Company                    Penalty     Date of Order
KBR, Inc.                  $130,000    April 1, 2015
BlueLinx Holdings Inc.     $265,000    August 10, 2016
Health Net, Inc.           $340,000    August 16, 2016
NeuStar, Inc.              $180,000    December 19, 2016
BlackRock, Inc.            $340,000    January 17, 2017


In the Anheuser-Busch InBev, Merrill Lynch, SandRidge Energy and HomeStreet matters, the companies were found to have violated more than just Rule 21F-17. As a result, the SEC assessed higher civil money penalties.

SEC-Acceptable Confidentiality Provisions

Usefully, several of the SEC orders include the language that the companies have started using in their confidentiality agreements subsequent to their interactions with the SEC. For example, HomeStreet’s severance agreements now include the following provision:

Employee understands that nothing contained in this Agreement limits Employee’s ability to file a charge or complaint with any federal, state or local governmental agency or commission (“Government Agencies”). Employee further understands that this Agreement does not limit Employee’s ability to communicate with any Government Agencies or otherwise participate in any investigation or proceeding that may be commenced by any Government Agency including providing documents or other information without notice to the Company. This Agreement does not limit the Employee’s right to receive an award for information provided to any Government Agencies.

The Plaintiff’s Bar Response

Never wanting to be left out, the plaintiff’s bar has begun trolling SEC filings for employment agreements that they believe violate Rule 21F-17. When they find one, they are prone to write a letter purportedly on behalf of a shareholder demanding that the violative agreement be amended. Of course they also seek attorney fees for the “benefit” they have provided to shareholders. Insurers have advised us that they have seen a limited number of derivative suits filed arising out of Rule 21F-17. Receiving such a demand letter may not make any difference in how you choose to address Rule 21F-17 compliance, but be aware that the plaintiff’s bar never sleeps.

D&O Insurance

If the SEC or the plaintiff’s bar takes an interest in your confidentiality provisions, you should consult with your D&O adviser to evaluate whether coverage is available. Whether coverage is available will largely depend upon the source and form of the inquiry/demand. For example, government investigations of an entity are generally not covered by a D&O policy. However, standalone entity investigation policies are available in the market. On the other hand, most well-brokered public company D&O insurance policies will provide coverage for an individual who has to respond to an SEC inquiry.

Best Practices for Companies

Companies can take the following steps to mitigate the risk of violating Rule 21F-17:

  1. Understand the Scope of the Issue. Take inventory of all compliance manuals, codes of ethics, employment agreements and severance agreements for anything that purports to limit what an employee may convey to the SEC or anything that waives an employee’s right to a monetary recovery arising out of reporting information to the government.
  2. Mitigate the Risks. Retain legal counsel to a) update the relevant provisions of your documents that are inconsistent with the intent of Rule 21F-17; and b) advise if/how to communicate with current/former employees who executed documents with objectionable provisions on or after August 12, 2011.
  3. Get a Second Opinion. In this scenario and others, if your gut tells you that your counsel is getting cute with the law – complying with the letter of the law but disregarding its intent (e.g., allowing employees to voluntarily speak with the SEC but forbidding them from accepting a monetary incentive) – get a second legal opinion.

The SEC and now the plaintiff’s bar are clearly focused on this issue. Following these three suggestions will help you avoid a time-consuming and expensive issue.
