Epstein Becker Green, Labor and Employment practice

The Securities and Exchange Commission (“SEC”) has resolved its first enforcement action regarding a potentially overreaching confidentiality agreement following the “voluntary” revision of the agreement to state that it does not preclude employees from reporting possible violations of law.

The SEC has become increasingly vigilant and aggressive about what employers say in their confidentiality agreements and the context in which they say it. We previously cautioned employers when the Financial Industry Regulatory Authority (“FINRA”) issued Regulatory Notice 14-40, which cracked down on the use of confidentiality provisions that potentially restrict employees from communicating with FINRA, the SEC, or any other self-regulatory organization or regulatory authority. After publicly announcing last fall that it would be scrutinizing confidentiality provisions, the SEC has now followed suit in In re KBR, Inc., targeting overly restrictive language in one of KBR’s confidentiality agreements.

Confidentiality Agreements That “Impede” External Whistleblowing

The Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) amended the Securities and Exchange Act to include the whistleblower incentives and protections set forth in Section 21F. Rule 21F-17 prohibits employers from taking any action to “impede” an employee from communicating with the SEC about a possible securities law violation, including enforcing or threatening to enforce a confidentiality agreement.

The SEC’s Chief of the Office of the Whistleblower, Sean McKessy, indicated that his office would be analyzing and looking to bring enforcement actions with respect to severance agreements, confidentiality agreements, and employment agreements that violate Rule 21F-17(a), part of the implementing regulations of the Dodd-Frank whistleblower incentive award program (i.e., the “bounty” program).

KBR’s Confidentiality Agreement in Internal Investigations

The SEC selected a very specific and particular type of agreement for its first publicized action: not a severance, employment, or general confidentiality agreement or policy, but rather an agreement that KBR’s compliance investigators required witnesses interviewed in connection with certain internal investigations to sign, warning them that they could face discipline or be fired if they discussed the substance of the interview with outside parties without prior approval from KBR’s legal department. KBR had begun using this form of confidentiality agreement prior to the promulgation of Rule 21F-17.

Although there was no evidence that any KBR employees were ever actually prevented from communicating with the SEC pursuant to the confidentiality agreement, or that KBR took any actions to enforce the terms of the agreement, the SEC found that KBR’s use of the confidentiality agreement was unlawful because it improperly restricted employees from communicating with the SEC about the subject of an interview without KBR’s permission, and it undermined the purpose of Section 21F through a threat of discipline.

“By requiring its employees and former employees to sign confidentiality agreements imposing pre-notification requirements before contacting the SEC, KBR potentially discouraged employees from reporting securities violations to us,” said Andrew J. Ceresney, Director of the SEC’s Division of Enforcement in the agency’s press release.

Resolution of the SEC’s Enforcement Action

KBR has agreed to pay the SEC $130,000 to settle the charges. Moreover, the company amended its confidentiality statement to expressly provide that it does not preclude employees from reporting possible violations of law or regulations to any government agency or from making other disclosures protected under federal whistleblower laws. The amended provision also clarifies that employees do not need KBR’s authorization to make such disclosures.

This should serve as a warning that blanket confidentiality provisions that arguably forbid or impede employees from communicating with regulatory agencies, or require pre-approval to do so, may run afoul of federal law—including the False Claims Act, under which the governing view of confidentiality agreements has been similar to the SEC’s position. The SEC is fully committed to prosecuting such violations, and it is very likely that additional orders will be issued in the coming months with respect to other confidentiality provisions contained in other types of agreements and/or codes of conduct. Note that the specific language that the SEC ordered KBR to use in its confidentiality agreement going forward is instructive but should not be viewed as a “safe harbor,” according to Mr. McKessy.

Attorney-Client Privilege Unaffected

As we have noted previously (see Five Key Issues Confronting Financial Services Industry Employers), the KBR decision does not interfere with confidentiality agreements that are intended to safeguard privileged and confidential attorney-client communications. The SEC’s statement simply does not address the lawfulness of confidentiality agreements that a witness might be asked to sign in connection with an internal investigation that is protected by the attorney-client privilege. Significantly, the SEC’s reference to the “chilling effect” of confidentiality provisions that prevent witnesses from discussing interviews invites inquiry into an exception built into Rule 21F-17. That exception explicitly excludes from its reach confidentiality agreements that cover information obtained through attorney-client privileged communications.

Thus, the SEC’s position with respect to the KBR confidentiality agreement would not (and should not) apply as a general proscription against the use of confidentiality agreements that apply to information learned during interviews that are part of privileged internal investigations conducted by legal counsel. As recognized in the exception to Rule 21F-17—which was conspicuously unmentioned in the SEC’s Order against KBR—a balance must be struck between the SEC’s investigatory mission and a company’s right to the attorney-client privilege.

What Employers Should Do Now

  • If your company is governed by the SEC, carefully review, and revise as necessary, all confidentiality agreements that it uses—whether in stand-alone agreements, employment agreements, separation agreements, or other policies or standards of conduct—to make certain it is clear that they do not preclude employees from reporting possible violations of law.
  • If you determine that your current confidentiality provisions may conflict with the SEC’s Order against KBR, consider providing notice to employees that they are not prohibited from reporting possible violations of federal law or regulation to any governmental agency or entity, including, but not limited to, the Department of Justice, the SEC, Congress, and any agency Inspector General, or from making other disclosures that are protected under the whistleblower provisions of federal law or regulation.
  • Review internal whistleblowing or “escalation” policies to ensure that they, too, are in compliance with Dodd-Frank and the SEC’s regulations thereunder.
  • Keep in mind that different industries are subject to different regulators, which may affect the manner in which confidentiality agreements should be revised, if at all.


For more information about this Advisory, please contact:

John F. Fullerton III
New York
Jason Kaufman
New York

