Once upon a time, the major enforcement risk a company faced for discouraging employees from reporting misconduct to the government came from the False Claims Act, where a worker might allege retaliation for being fired after exercising legally protected whistleblower rights.

Well, so much for those days.

Not only has the Securities and Exchange Commission fired a warning shot to Corporate America by fining KBR Inc. $130,000 for “pre-taliation” in its employee confidentiality agreements. Other government agencies are focusing on the issue as well, looking at policies of their major contractors to ensure that even the faintest whiff of language that might sound like pre-taliation is removed.

The State Department, for example, released a report from its inspector general at the end of March analyzing the confidentiality agreements of the 30 largest highest-grossing State Department contractors, including Aegis Group, Computer Sciences Corp., DynCorp International, General Dynamics, and others.    

According to the Office of Inspector General, 13 of those 30 contractors have provisions that might cause a “chilling effect” on employees who wish to report fraud, waste, or abuse to a federal official, because they require employees to notify the company if they are contacted by a government auditor or investigator. For example, “the code of business conduct of one contractor states that if a government official ‘seeks copies of documents or access to files,’ the request must be referred to the corporate compliance office and the company’s attorneys,” the OIG stated.

“This is really a new focus for these agencies, and the first time that we’re seeing any sort of liability being imposed on any company for having these sort of agreements,” says Christopher Calsyn, a labor lawyer at law firm Crowell Moring.

The SEC’s action against KBR, announced on April 1, put an even sharper point on the issue. According to the SEC’s complaint, KBR required witnesses who were interviewed in certain internal investigations to sign confidentiality statements with language warning that they could face discipline and be fired if they discussed the matters with outside parties without the prior approval of KBR’s legal department. 

The SEC said that although KBR didn’t specifically prevent employees from going to the government, it still violated whistleblower protection Rule 21F-17 under the Dodd-Frank Act, which prohibits employers from taking any action that may silence potential whistleblowers from reporting securities law violations to the agency.

“By requiring its employees and former employees to sign confidentiality agreements imposing pre-notification requirements before contacting the SEC, KBR potentially discouraged employees from reporting securities violations to us,” said Andrew Ceresney, director of the SEC’s Enforcement Division.  “We will vigorously enforce this provision.”

Sean McKessy, chief of the SEC’s Office of the Whistleblower, cautioned that “other employers should similarly review and amend existing and historical agreements that in word, or effect, stop their employees from reporting potential violations to the SEC.”

At the State Department, the OIG expressed concern about non-disparagement agreements or policies, used by at least five contractors cited in the report. Two such provisions were in a separation agreement; three were in consulting or employment agreements. One separation agreement, for example, required a former employee to agree to “not in any way disparage [the company], including, but not limited to, its current and former owners, officers, directors, and employees, or make or solicit any comments, statements, or the like to the media or to others that may be considered to be derogatory or detrimental to the good name or business reputation” of the company.

“This is really a new focus for these agencies and the first time that we’re seeing any sort of liability being imposed on any company for having these sorts of agreements.”
Christopher Calsyn, Counsel, Labor Group, Crowell Moring

Like KBR, none of the companies in the OIG report said they had ever actually enforced these provisions. Furthermore, all 30 contractors said they had a policy in place that encourages the reporting of fraud or legal and ethical violations, and provide one or more ways for employees to do so.

Interestingly, one particular policy OIG referenced in its report had the exact same policy as KBR: that employees interviewed following a report of a violation of the company’s Code of Business Conduct have to sign an agreement prohibiting them from “discussing any particulars regarding this interview and the subject matter discussed during the interview, without the specific advance authorization of counsel.” The agreement also noted that “the unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment.”

The sort of language cited in the OIG report is “pretty standard, boilerplate language,” Calsyn says, that companies have included in their agreements for years—language that has even been considered best practice as a way to protect attorney-client privilege and other sensitive business information.


Below is the text of KBR’s confidentiality agreement both before and after the Securities and Exchange Commission’s enforcement action.
Prior to the SEC’s enforcement action, KBR’s confidentiality agreement contained the following restrictive language:
“I understand that in order to protect the integrity of this review, I am prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without the prior authorization of the Law Department. I understand that the unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment.”
Following the SEC’s order, KBR revised its confidentiality agreement to state:
“Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the Securities and Exchange Commission, the Congress, and any agency Inspector General, or making other disclosures that are protected under the whistleblower provisions of federal law or regulation. I do not need the prior authorization of the Law Department to make any such reports or disclosures and I am not required to notify the company that I have made such reports or disclosures.”
Source: SEC Order.

In that case, compliance officers would do well to review the language in their own confidentiality agreements, which may be hold-overs drafted by the legal department long before the current climate of encouraging whistleblowers to come forward. “You can’t simply assume that the language you’ve been using for years is going to pass muster,” says Rebecca Springer, counsel at Crowell Moring.

Getting Ahead of the Issue

Lisa Noller, a partner with law firm Foley & Lardner, says compliance officers can walk that tightrope between a company’s right to keep proprietary business information confidential and the government’s right to obtain evidence of fraud and misconduct. “The two don’t have to be in conflict with each other,” she says.

One way to achieve that, Noller says: If you have a non-disclosure provision in an agreement or a company policy, include a carve-out that informs employees of their right to report potential misconduct directly to the government. The same policy should apply to notification provisions; if a government investigator reaches out to an employee, the company cannot mandate that the employee inform the company, but it certainly can encourage that, she says.

In its report, OIG recommended other practices that it deemed as “useful in encouraging employees to report fraud, waste, or abuse,” including:

Use of an internal hotline with an anonymous option;

Display of hotline posters in the workplace;

A policy that advises employees of their right to contact the government directly if they have knowledge of fraud, waste, or abuse;

Notification to employees of the statutory protections against retaliation; and

A corporate policy that endorses cooperation with a government audit or investigation.

In addition to the OIG’s recommendations, Calsyn says the revised language contained in KBR’s confidentiality agreement also “could serve as a template for other employers.”

Any agreements regarding confidentiality should be coupled with non-retaliation agreements, “which most companies do,” Springer says, “but I think that’s becoming increasingly important in making the argument that the language that you have is not chilling because you have a specifically said, ‘If you do tell us about this, there will be no retaliation against you’.”

“It’s a lot less expensive to review your own policies and employee contracts and severance agreements to determine whether they affirmatively discourage whistleblowing,” Noller says, “than it is to respond to a whistleblower investigation once somebody has filed a lawsuit or issued you a subpoena.”

The news isn’t all bad. Although the SEC has been warning companies for more than a year now that it intended to scrutinize restrictive language in employee agreements more closely, so far KBR is the only actual enforcement action to happen. That may be a sign that the agency is “willing to work with companies that self-disclose,” Noller says, “and that’s a positive development.”