The Securities and Exchange Commission (“SEC” or “Commission”) recently announced its first enforcement action against a company for using “improperly restrictive language” in confidentiality agreements it had its employees sign upon being interviewed in internal investigations. The Commission found the agreements had the potential to stifle whistleblowers.

The confidentiality agreement in question, used by Houston-based KBR, Inc. (“KBR”), provided:

I understand that in order to protect the integrity of this review, I am prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without the prior authorization of the Law Department. I understand that the unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment.

While the SEC acknowledged being unaware of any instances in which a KBR employee actually was prevented from communicating with the SEC or in which KBR took action to enforce the confidentiality agreement or prevent employee communication with law enforcement, the Commission nonetheless found the language objectionable. The SEC asserted that the language at issue “impedes” such communications.

In its April 1 order instituting cease-and-desist proceedings, the SEC charged that the agreement specifically violated Rule 21F-17(a), which was adopted by the SEC in 2011 pursuant to its authority under the Dodd-Frank Wall Street Reform and Consumer Protection Act. The rule, adopted to implement the whistleblower protections of Dodd-Frank, provides that “[n]o person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement … with respect to such communications.”

Simultaneous with the entry of the SEC’s order, KBR agreed to settle the charges by paying a civil penalty of $130,000. The company also agreed to make “reasonable efforts” to contact KBR employees who had signed the confidentiality statement and provide these employees with a copy of the SEC order and a statement that KBR does not require employees to seek permission from KBR’s General Counsel before communicating with government agencies about possible violations of federal law. KBR also agreed to cease and desist from committing or causing any future violations of Rule 21F-17.

The impermissible language in KBR’s confidentiality agreement arose in the context of KBR’s internal compliance program. When KBR receives complaints or allegations of potential illegal or unethical conduct by KBR or its employees, its practice is to conduct an internal investigation concerning the allegations. In conducting these investigations, KBR investigators typically interview KBR employees, including the employee who filed the complaint. At the start of their interviews, KBR investigators had been having witnesses sign the standard confidentiality statement. Though use of the confidentiality statement was not required by KBR policy, the statement was included as an enclosure to the company’s Code of Business Conduct Investigation Procedures manual.

KBR avoided a more substantial penalty from the Commission by agreeing to amend its confidentiality statement to make clear that employees are free to report possible violations of law to the SEC or other agencies without prior authorization from KBR. In particular, KBR’s amended confidentiality statement includes the following language:

Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the Securities and Exchange Commission, the Congress, and any agency Inspector General, or making other disclosures that are protected under the whistleblower provisions of federal law or regulation. I do not need the prior authorization of the Law Department to make any such reports or disclosures and I am not required to notify the company that I have made such reports or disclosures.

The SEC’s enforcement action already has led to demands for reform in confidentiality agreements used elsewhere. For example, United Airlines, Inc. (“United”) has come under attack from a whistleblower law firm regarding its alleged use of confidentiality agreements that “discourage[ ] employees from providing critical information to government agencies, including information affecting passenger safety to the FAA, acts of unlawful retaliation to OSHA, and perceived securities violations to the SEC.” Letter from David J. Marshall and Debra S. Katz to Brett J. Hart, President, General Counsel and Secretary, United Airlines, Inc. (Apr. 3, 2015), available here. A letter sent by the firm to the airline and the SEC, which the firm also made publicly available, “insist[s]” that United revise its confidentiality agreements used in the context of the company’s internal investigations. Id.


Protection of whistleblowers has proved to be an area in which the SEC will act particularly aggressively. The KBR confidentiality agreement made no specific mention of contact with law enforcement and had never actually been used to discourage contact with law enforcement. Nonetheless, KBR found itself the subject of an enforcement action.

The SEC’s action in the KBR case follows prior public remarks from the SEC that the agency was looking for creatively drafted contracts, such as confidentiality agreements, separation agreements, and employee agreements, that attempted to discourage company whistleblowers from bringing alleged wrongdoing to the Commission’s attention. The Commission provided a very public warning in this regard and then followed through on its threats. The SEC has adopted a broad interpretation of Dodd-Frank’s whistleblower protections and will likely continue to push the language of the law to protect whistleblowers from what the Commission views as employer interference.


Companies should carefully review any confidentiality provisions they are using in conducting internal investigations. More broadly, confidentiality language used by companies in any context should be scrubbed for any suggestion that contact with law enforcement is discouraged. As the chief of the SEC’s Office of the Whistleblower himself has warned, employers should review and amend “existing and historical agreements that in word or effect stop their employees from reporting potential violations to the SEC.”

At the same time, confidentiality is a vital aspect of conducting internal investigations and is protected by the attorney-client privilege and well-established case law. Companies should not needlessly cede their right to confidentiality and their substantial interest in conducting nonpublic self-assessments. If you have any questions regarding your current confidentiality agreements or internal investigation practices, please contact us.