Confidentiality in Crisis: the Government Agency Assault on Company Confidentiality Policies and Agreements
Your company's confidential information may no longer be safe. Federal government agencies, including many that regulate mining companies, are aggressively scrutinizing company confidentiality policies and agreements. This scrutiny is all in the name of preventing corporations from muzzling potential whistleblowers. Although there is no evidence that confidentiality policies and agreements actually stifle whistleblower activity, this new regulatory initiative is having tangible impacts. Mining companies should take steps now to minimize the odds that they will be the next target of the regulators.
Agency Challenges To Confidentiality Policies and Agreements
The SEC's KBR Cease and Desist Order
The Securities and Exchange Commission (SEC) is the latest agency to challenge commonly used confidentiality agreements. The SEC announced this initiative in March 2014. Sean McKessy, who heads the SEC's Office of the Whistleblower (OWB), stated that his office was "actively looking for examples of confidentiality agreements, separat[ion] agreements, [and] employee agreements that ... in substance say 'as a prerequisite to get this benefit you agree you're not going to come to the commission or you're not going to report anything to a regulator.'"
This warning was amplified in the SEC's 2014 annual report on the state of the Dodd-Frank Whistleblower Program. The SEC noted there that the OWB:
is actively working with Enforcement staff to identify and investigate practices in the use of confidentiality and other kinds of agreements that may violate … Commission rule[s]. We will continue to focus on agreements that attempt to silence employees from reporting securities violations to the Commission by threatening liability or other kinds of punishment.
In February of this year, the Wall Street Journal reported that the SEC had sent letters to numerous publicly traded companies demanding production of any documents, policies, or agreements that contain provisions that may restrict an employee from reporting potential violations to the SEC. Many observers believed it was only a matter of time until the SEC initiated litigation against a company over a confidentiality policy or agreement.
That belief was vindicated when the SEC announced, on April 1, 2015, that KBR, Inc. had agreed to a cease and desist order (KBR Order) in a regulatory dispute over a confidentiality agreement that employees interviewed during an internal investigation were required by KBR to sign. The KBR Order requires the company to: (a) pay a $130,000 civil fine; (b) revise the offending policy; (c) make reasonable efforts to notify those subject to the prior policy of the change and that they are no longer subject to the prior policy; and (d) certify that it took those reasonable efforts.
The confidentiality agreement stated as follows:
I understand that in order to protect the integrity of this review, I am prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without the prior authorization of the Law Department. I understand that the unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment.
The SEC asserted that the KBR agreement violated SEC Rule 21F-17. That rule, adopted by the SEC in 2011 as part of its regulations implementing the Dodd-Frank Act, states in relevant part:
(a) No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.
According to the SEC, KBR's policy of requiring pre-approval by its legal department to disclose the subject matter of the interview undermined Section 21F's purpose of "encourag[ing] individuals to report to the Commission." The SEC acknowledged that it lacked any evidence that the requirement actually stifled putative whistleblowers from reporting, or that KBR had sought to enforce that provision to prevent whistleblowing. The SEC nonetheless found the agreement violated Rule 21F-17 on its face.
The new agreement implemented by KBR as part of the settlement removes the pre-approval requirement. Employees are also not required to notify KBR that they are providing information to the SEC. The agreement now contains the following amended provisions:
Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the Securities and Exchange Commission, the Congress, and any agency Inspector General, or making other disclosures that are protected under the whistleblower provisions of federal law or regulation. I do not need the prior authorization of the Law Department to make any such reports or disclosures and I am not required to notify the company that I have made such reports or disclosures.
In the wake of the KBR Order, several commentators have questioned whether the SEC is empowered to regulate confidentiality agreements in this manner. Because KBR settled the dispute, that question remains unanswered. In the meantime, employers subject to SEC regulation are reassessing their own confidentiality policies and agreements.
The NLRB and EEOC Adopt Similar Approaches
The KBR Order follows similar efforts made by two other federal agencies very familiar to the mining industry – the National Labor Relations Board (NLRB) and the Equal Employment Opportunity Commission (EEOC).
NLRB Targets Confidentiality Instructions in Internal Investigations
First, decisions made by the NLRB prohibit employers from uniformly barring employees from discussing ongoing internal investigations. See Banner Health Systems, 358 NLRB No. 93, slip op. at 2 (2012) (employer's "generalized concern with protecting the integrity of its investigations is insufficient to outweigh employees' Section 7 rights").
Employers instead must specifically determine that the need for a confidentiality instruction outweighs the statutory right of the employees to discuss the subject of the investigation. This determination must be made before the instruction can be given, based on the facts surrounding the particular investigation at issue. And the employer can only give the instruction if it finds that: (a) witnesses need protection; (b) destruction of evidence was possible; (c) testimony may be fabricated; or (d) there was evidence of a potential cover up. Hyundai America Shipping Agency, 357 NLRB No. 80, slip op. at 15 (2011).
The Banner Health and Hyundai rulings apply to all non-supervisory employees in all private sector companies, not just those working in unionized locations. All employers therefore must ensure they satisfy the Banner Health/Hyundai test before instructing employees to not discuss an ongoing internal investigation. In most cases, employers will be able to identify a significant risk of at least one of the four factors listed above coming true such that giving the instruction is defensible. Nevertheless, mining companies can expect the NLRB will continue to scrutinize such instructions.
The EEOC Targets Separation Agreements
In a similar vein, the EEOC filed two high-profile cases in 2014 claiming similar language in separation agreements improperly prevents employees from bringing charges of employment discrimination. See EEOC v. CVS Pharmacy, Inc., No. 14-cv-863, 2014 WL 5034657 (N.D. Ill. Oct. 7, 2014); EEOC v. CollegeAmerica Denver, Inc., No. 14-cv-01232, 2014 WL 6790011 (D. Colo. Dec. 2, 2014).
It is well settled that a separation agreement cannot include a waiver of an employee's right to file a claim of discrimination or retaliation with the EEOC. But in these recent cases the EEOC targeted confidentiality and related provisions included in most separation agreements. For example, in CVS, the EEOC argued, inter alia, that standard cooperation, non-disparagement, and confidentiality provisions improperly impeded the employee's right to bring a charge or cooperate with the EEOC.
In both cases, the courts dismissed the EEOC's relevant claims on procedural grounds at summary judgment. Neither court addressed the substantive merit of the EEOC's claims. Yet the EEOC appears undaunted by these procedural defeats; the EEOC's appeal of the CVS case is currently pending before the Seventh Circuit.
Employers should expect the EEOC will continue to target standard clauses in confidentiality policies and agreements that it claims improperly impede employees' rights to assert a claim of discrimination or retaliation.
So what should mining companies be doing now in light of these challenges to "standard" confidentiality provisions? Unfortunately, there is no one size fits all answer.
At a minimum, companies should review all policies and agreements that may arguably impede the ability of employees to act as whistleblowers. Such policies and agreements include those that regulate non-disclosure, confidentiality, non-disparagement, and cooperation. Any provisions that expressly bar cooperating with government agencies, or that require pre-approval from the employer to speak with these agencies, should be scrutinized and probably revised.
This is not to say that all mining companies should automatically adopt all of the language in the new KBR policy. In deciding whether to make any changes, employers instead should consider the likelihood of potential SEC or EEOC litigation in a manner consistent with the company's tolerance for risk. Companies may then decide to make changes to all policies and agreements that arguably relate to this issue. Conversely, some may only modify certain provisions such as confidentiality provisions in separation agreements, or agreements signed by witnesses during internal investigations.
Employers face the challenge of deciding whether and which policies and agreements to modify now without additional guidance. The courts have not yet addressed the merits of the aggressive positions of the SEC and EEOC on these issues. It is thus unclear how courts will address employers' legitimate concerns. Such concerns include: (a) protecting the confidentiality of sensitive proprietary information; (b) ensuring the company's ability to conduct an internal investigation is not compromised by an employee's disclosure; and (c) properly preparing for any agency investigation.
In the meantime, companies subject to both SEC and NLRB authority should harmonize the confidentiality instructions given during internal investigations. After first determining the Banner Health/Hyundai test is met, employers should inform employees that while they must not discuss ongoing investigations, that prohibition does not impact the employee's ability to report a possible violation of law to a relevant government agency.
Employers conducting such investigations under attorney-client privilege should also still convey proper Upjohn warnings (i.e., notifying interviewed employees that communications made in the course of the company's internal investigation are within the company's privilege). None of the agency initiatives summarized above impinge on an employer's right to protect its privileged communications. Depending on a variety of circumstances, some mining companies may consider modifying the Upjohn warning to inform witnesses that the confidentiality directive is not intended to prevent the witness from disclosing underlying facts discussed with the attorney to a government agency as part of a report of an alleged violation of any applicable law or regulation.
Companies should also consider three additional changes. First, adding an explicit prohibition on employees disclosing proprietary information in reports of alleged violations of law made to applicable federal or state law enforcement agencies. Such a provision should be clear that the employee is free to report alleged violations to an agency, but cannot disclose proprietary information in doing so.
Second, companies should consider requiring employees to notify the employer of any report of an alleged violation of law they make to a government agency either before or immediately after making the report. Requiring notification is consistent with ensuring a corporate culture of compliance, as employers cannot investigate and remedy issues of which they are unaware. If employers maintain a notification requirement, the policy should be explicit that the duty to notify the employer is solely so that the employer can: (a) protect privileged communications as needed; (b) conduct an internal investigation; and (c) properly prepare for any agency investigation.
Third, employers should ensure their applicable policies and agreements include a statement that reporting alleged violations of law to a government agency will not result in retaliation against the employee. The SEC may take issue with the prohibition on disclosing confidential information and/or notification requirement described above. But tying these provisions closely to the anti-retaliation provision may suffice to prove the policy changes are intended solely to protect the employer's legitimate concerns. Moreover, ensuring a putative whistleblower will be free of retaliation is consistent with creating the desired compliance culture, and increases the chances of an employee reporting concerns internally before going to regulators.
Finally, employers should keep a close eye on the case law as it develops and be prepared to amend any relevant policies or agreements as needed.
Other Articles in This Issue:
For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.