Overblown? SEC's Aggressive Enforcement of Rule 21F-17 for Whistleblower Protection
Section 21F, titled "Whistleblower Incentives and Protection," is a set of provisions within the Securities Exchange Act of 1934 that govern, among other things, the rights and obligations of SEC whistleblowers and the procedures for determining SEC whistleblower awards. Rule 21F-17 (Rule) was promulgated in July 2010 to ensure that companies could not interfere with an individual's efforts to communicate concerns about possible securities violations to the SEC.
Specifically, Rule 21F-17 prohibits any person from "imped[ing] an individual from communicating directly with the [SEC] about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement…." 17 C.F.R. § 240.21F–17(a). Additionally, if the individual who has initiated communications with the SEC works for an entity that has counsel, Rule 21F-17 states that the SEC may communicate directly with that individual without the consent of the entity's counsel. 17 C.F.R. § 240.21F–17(b).
In light of the SEC's recent enforcement activity involving Rule 21F-17, this post aims to provide a brief overview of the rule's purpose, history and enforcement evolution.
Why Does Rule 21F-17 Matter to the SEC?
Rule 21F-17 is significant because the SEC has stated that whistleblowing is critical to its enforcement program, and therefore has adopted a strong policy favoring both the prophylactic and reactive protection of whistleblowers. See, e.g., Office of the Whistleblower, U.S. Securities and Exchange Commission (last updated Jan. 21, 2022) ("Assistance and information from a whistleblower who knows of possible securities law violations can be among the most powerful weapons in the law enforcement arsenal" of the SEC.). The Rule aims to remove barriers to an employee's disclosure about potential securities violations and penalize retaliatory actions, including:
- company requirements that employees must receive consent from the legal or compliance department before approaching the SEC
- the threat of a lawsuit alleging breach of confidentiality agreement
- threats of liability for liquidated damages or attorney's fees in the event of a disclosure that breaches a confidentiality agreement
- waiver of an individual's ability to obtain monetary awards from the SEC's whistleblower program
- termination of employment due to disclosure
By removing the barriers to reporting and the threats of retaliation for whistleblowers, individuals may be more likely to contact the SEC with "original information" (a term of art defined in 15 USC § 78u-6(a)(3)). As a result, the SEC may be able to identify possible fraud and other securities violations much earlier than otherwise would be possible. Consequently, Rule 21F-17 was promulgated to effectuate the dual goals of facilitating disclosure and protecting whistleblowers.
Brief History of SEC Enforcement
Though the Rule was promulgated in 2010, the SEC's enforcement of Rule 21F-17 did not begin until April 2015 when the SEC charged KBR Inc., a global defense contractor, with violating Rule 21F-17. The alleged violation stemmed from language within KBR's confidentiality agreements and business manual. The documents contained provisions that prohibited employees from disclosing the facts underlying the company's investigations into illegal employee conduct to any third party without the consent of KBR's legal department. The SEC determined that the language could be read to prohibit employees from communicating with the SEC, which would have "a potential chilling effect on whistleblowers' willingness to report illegal conduct to the SEC." See SEC, Companies Cannot Stifle Whistleblowers in Confidentiality Agreements (April 1, 2015). Thus, even though there was no specific instance in which KBR was alleged to have deterred employees from communicating with the SEC, KBR settled with the SEC and agreed to, among other things, revise the language in its confidentiality agreement to explicitly state that individuals were not prevented from reporting possible securities law violations to the SEC.
Since 2015, the SEC has brought several enforcement actions related to Rule 21F-17, many of which took a similarly aggressive approach in enforcing the terms and purpose of Rule 21F-17. See, e.g., In re Guggenheim Securities LLC, Release No. 92237, 2021 WL 2581714 (June 23, 2021) (investment firm's compliance manual violated the Rule where the manual required employees to obtain approval from the firm's legal or compliance department before initiating contact with SEC); In re SandRidge Energy, Inc., Release No. 79607 (Dec. 20, 2016) (form employment separation agreement that precluded former employees from 1) voluntarily cooperating with government agencies in any complaint or investigation concerning the company, and 2) disclosing confidential company information to a government agency was found to violate Rule 21F-17, particularly in light of several requests by employees and officers to modify the language after Rule 21F-17's adoption); In re BlueLinx Holdings, Inc., Release No. 78528 (Aug. 10, 2016) (company severance agreement violated the Rule where former employees were prohibited from sharing confidential information concerning the company that the employee had learned while employed unless compelled to do so by law).
In sum, the SEC's Rule 21F-17 enforcement actions have focused on a prophylactic approach to Rule 21F-17 interpretation – specifically, with respect to confidentiality agreements, anti-disparagement clauses or internal policies that could potentially discourage or impede individuals from voicing concerns to the SEC.
Back on Division of Enforcement's Radar
The SEC's most recent enforcement actions in the Rule 21F-17 arena have been as aggressive as actions brought in years past – arguably, even more so. For example, in In re David Hansen, the CIO of a nonpublic technology company purportedly violated the Rule by monitoring an employee's communications following the employee's confidential whistleblower tip to the SEC concerning the company's financial data. The company ultimately fired the employee. The unique aspect of the Hansen case is that there was no indication that anyone at the company sought to prevent or "impede" the employee from directly speaking to the SEC, which is what 21F-17 specifically covers. Instead, the CEO and Hansen removed the employee's administrative privileges on company computer systems and accessed the employee's computer to retrieve the employee's password after the employee had submitted a tip to the SEC in July 2019.
In the wake of In re Hansen and other similar, recent enforcement cases, SEC Commissioner Hester Peirce has repeatedly noted the breadth of the SEC's findings and warned that the agency "must be cautious about using the settlement process to obtain voluntary compliance with requirements that it lacks statutory authority to impose." Characterizing the Hansen decision as an "undisciplined interpretation and application of Rule 21F-17(a)," Commissioner Peirce pointed out that the employee's tip preceded the allegedly unlawful conduct by a month and that there was no evidence that Hansen knew about the employee's tip. For the time being, however, it appears that the SEC will continue to interpret Rule 21F-17 in an expansive manner and will accordingly bring enforcement actions against companies that are seemingly noncompliant.
Companies should be aware that any contract or policy that restricts the free flow of information about their operations or financials may be subject to Rule 21F-17 and, therefore, to SEC scrutiny and enforcement. It is important to understand that the SEC will employ a broad approach to Rule 21F-17, and companies should therefore review all relevant documents and contracts for compliance, such as:
- employee handbooks
- confidentiality agreements
- employment and/or separation/severance agreements
- litigation releases
Even an unintentional violation subjects a company to the risk of an SEC action, so a prophylactic approach to reviewing important contracts and documents for compliance is key. In each Rule 21F-17 action, there is a lesson to learn about the SEC's interpretation of the Rule and about the specific language that makes a document or contract Rule 21F-17 compliant or not. For this reason, monitoring historic SEC enforcement actions alleging violations of Rule 21F-17 – and particularly understanding the various provisions and documents in which they were located – is critical to mitigating risk on this issue.
The SECond Opinions Blog will continue to monitor the agency's activity in this space and provide further updates. If you need any additional information on this topic – or anything related to SEC enforcement – please contact the authors or another member of Holland & Knight's Securities Enforcement Defense Team.