Don’t Blow It: Avoiding Pitfalls under the SEC’s Whistleblower Regime


  • The SEC whistleblower program is now a central part of SEC enforcement efforts, and practitioners can apply lessons from more than five years of the program’s existence.
  • Corporate law departments, compliance professionals, and independent directors must have a working command of important features of the SEC’s whistleblower program, how the SEC and courts have interpreted its authority, and the program’s potential impact on their employees and companies.
  • Not only is it important to avoid actions that could be viewed as chilling employees’ ability to provide information to the SEC or as retaliatory, but also to have robust processes in place to investigate and address reports of potential problems.

In the six years since the U.S. Securities and Exchange Commission adopted rules implementing the new whistleblower program required by the Dodd-Frank Wall Street Reform Act and Consumer Protection Act of 2010, the program has gone from a fledgling experiment to a central part of the Commission’s enforcement program. The SEC now receives thousands of tips per year, has doled out more than $160 million in rewards, and has brought multiple enforcement actions based on, or substantially assisted by, information it received from whistleblowers.

Whether the program continues to expand remains to be seen. With the election of Donald Trump as President, and the recent confirmation of SEC Chairman Jay Clayton, the SEC’s priorities regarding its whistleblower program may shift away from certain of the enforcement positions taken under former Chair Mary Jo White’s leadership.

Congress may also move to restrict the program. As part of a push to reign in protections provided by Dodd-Frank, for example, the Financial CHOICE Act would prohibit compensation to whistleblowers for tips on conduct for which they are culpable.1 After extensive debate, the proposed bill was voted out of the House of Representatives Financial Services Committee on May 4, 2017, and on June 8, 2017, the House approved it along party lines. It is now under review in the Senate Banking, Housing, and Urban Affairs committee.

None of the proposed changes would eliminate the program, however, and the momentum already attained by the SEC creates potential traps for companies that are not paying attention. As a result, corporate law departments, compliance professionals, and independent directors must have a working command of important features of the SEC’s whistleblower program, how the SEC and courts have interpreted its authority, and the program’s potential impact on their employees and companies.2

This article discusses: (a) the program’s history and rapid development; (b) the SEC’s actions to enforce Rule 21F-17, which prohibits efforts to interfere with individuals’ ability to report potential wrongdoing to the SEC; (c) the SEC’s anti-retaliation enforcement actions; and (d) advice to help companies navigate this new “normal.”

A. The SEC Whistleblower Program’s Rapid Development

The SEC’s whistleblower program has grown steadily since its 2011 inception. During FY 2016 alone, the SEC received 4,218 whistleblower tips, a more than 40-percent increase from FY 2012.3 Since 2011, the SEC has received more than 18,000 tips, with tips arising from every state in the union and 103 foreign countries.4 As of October 15, 2017, the Commission had paid 47 awards to whistleblowers totaling approximately $162 million, and whistleblower tips had resulted in financial remedies exceeding $975 million.5 Although these numbers demonstrate the program’s steady growth, comparing the number of SEC reports to the overall number of reports provided via internal company protocols demonstrates that the program still has room to expand.

As an institution, the SEC is very committed to the whistleblower program and considers it to be a strong success.6 In an April 2015 speech, then-Chair White referred to the SEC as the “whistleblower’s advocate” and described the program as a “game-changer.” In September 2016, Andrew Ceresney, then-director of the SEC’s Enforcement Division, gave a speech in which he touted the “transformative impact” that the whistleblower program has had on the SEC’s enforcement program. Ceresney identified issuer reporting and disclosure, Foreign Corrupt Practices Act (FCPA), and offering frauds as types of cases in which whistleblower assistance has been particularly valuable to the staff. Ceresney closed his remarks by stating that he “anticipate[d] that the whistleblower program will continue to be a game changer in future years.”7

B. The SEC’s Enforcement of Exchange Act Rule 21F-17(a)

Although a company has a right to maintain the confidentiality of its proprietary information, Dodd-Frank and the SEC’s rules encourage potential whistleblowers, both inside and outside of companies, to provide confidential company information within their control to the government in support of a tip or complaint. Furthermore, the SEC has aggressively enforced its rule prohibiting actions that may “impede” potential whistleblowers.

Exchange Act Rule 21F-17(a) provides that no action may be taken “to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing or threatening to enforce, a confidentiality agreement . . . with respect to such communications.” The Commission has now brought eight settled enforcement actions against public companies and regulated entities, finding that they violated Rule 21F-17(a) by including language in confidentiality and severance agreements that purported to limit employees’ ability to communicate with the SEC staff about potential securities law violations. Importantly, these cases show that the SEC staff is focused on what used to be relatively standard language used frequently in severance and employment agreements, and will recommend cases where that language has the potential to chill communications with the SEC, even if there is no showing that it had any such impact.

The Commission’s emphasis on this issue also is demonstrated by the Office of Compliance Inspections and Examinations’ (OCIE) announcement in an October 24, 2016 Risk Alert that it would be examining regulated entities’ compliance manuals, codes of ethics, employment agreements, and severance agreements, among other things, to assess compliance with Rule 21F-17.8 In addition to looking for language in agreements that (a) purport to limit the types of information that an employee may convey to the Commission or other authorities, and (b) require employees to waive their rights to any monetary recovery in connection with reporting wrongdoing to the government, the Risk Alert indicated that OCIE also would be looking for provisions that:

a) require an employee to represent that he or she has not assisted in any investigation involving the registrant;

b) prohibit any and all disclosures of confidential information, without any exception for voluntary communications with the Commission concerning possible securities laws violations;

c) require an employee to notify and/or obtain consent from the registrant prior to disclosing confidential information, without any exception for voluntary communications with the Commission concerning possible securities laws violations; or

d) purport to permit disclosures of confidential information only as required by law, without any exception for voluntary communications with the Commission concerning possible securities laws violations.9

Because OCIE examines hundreds of registered investment advisers and broker-dealers each year, and because it will be relatively straightforward for the staff to review the language10 in a regulated entity’s compliance manual, code of ethics, and employment and severance agreements, it is reasonable to expect that OCIE’s initiative may result in numerous deficiency letters and enforcement referrals.

Law departments that have not yet modified their standard severance and confidentiality agreements to ensure they do not run afoul of the SEC’s restrictions on impeding whistleblowers should do so promptly. In addition to reducing the likelihood of SEC enforcement, taking prompt action will reduce the likelihood of exposure to civil damages in shareholder derivative actions. The securities-plaintiff’s bar is reviewing corporate filings and issuing derivative demands to companies at risk in this area, asserting that companies that have not remediated this exposure have breached their fiduciary duties to shareholders, and seeking damages or legal fees for spotting the issue and prompting corporations to correct it.

The SEC’s enforcement actions to date on this topic highlight various ways in which the SEC has asserted that companies impeded—or at least risked impeding—whistleblowers in violation of Rule 21F-17. These matters also provide a roadmap for some of the types of whistleblower protections the SEC expects public companies and regulated entities to enact.

1. KBR

On April 1, 2015, the SEC instituted its first enforcement action for violations of Rule 21F-17, finding that KBR Inc. violated the rule by requiring employees in internal investigations to sign a confidentiality agreement containing what the SEC deemed to be overly restrictive language. KBR’s confidentiality agreements provided that employees were prohibited from discussing their interviews or the subject matter of the internal investigation without the permission of the company’s law department. Specifically, the language that the Commission found to violate Rule 21F-17 read:

I understand that in order to protect the integrity of this review, I am prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without the prior authorization of the Law Department. I understand that the unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment.

The SEC acknowledged that KBR did not actually impede any whistleblowers, finding “no apparent instances in which KBR specifically prevented employees from communicating with the SEC about specific securities law violations.” Even so, the SEC concluded that “the blanket prohibition against witnesses discussing the substance of the interview has a potential chilling effect on whistleblowers’ willingness to report illegal conduct to the SEC.” KBR paid a $130,000 penalty to resolve the action, amended the language in its confidentiality agreement to include a statement that nothing in the agreement prohibited the signor from reporting possible violations of law to the government, without the prior authorization of or notification to the Law Department, and agreed to make reasonable efforts to contact former employees who had signed the confidentiality agreements to notify them that they were not required to obtain permission before providing information to the SEC.

2. Kenneth W. Crumbley, Jr.

In January 2016, the SEC filed an emergency district court action against Sedona Oil and Gas Corp. and its president, Crumbley, alleging that they were engaging in a fraudulent offering of oil and gas investments. In addition to the allegations of underlying fraudulent conduct, the SEC’s complaint also alleged that Crumbley violated Rule 21F-17 by threatening to terminate company employees who spoke with the Commission staff or other government authorities. The SEC’s action is still pending.11 This is the only action to date in which the SEC alleged that an individual violated the anti-impeding provisions of the federal securities laws.

3. Merrill Lynch

On June 23, 2016, the SEC instituted a settled enforcement action against Merrill Lynch, Pierce, Fenner & Smith Inc., and Merrill Lynch Professional Clearing Corp. (collectively, Merrill) in which Merrill agreed to pay $415 million in penalties, disgorgement, and prejudgment interest and admit liability for violating the Customer Protection Rule, Rule 21F-17, and other provisions.12 Although the case focused primarily on the Customer Protection Rule violations, the order also found that Merrill used language in certain severance agreements that prohibited former employees from disclosing the confidential information or trade secrets of Merrill to any person outside the firm, except pursuant to formal legal process or with the permission of an authorized Merrill representative. The agreement permitted departing employees to disclose confidential information if compelled by a court, administrative agency, or other authority, but it did not permit former employees to voluntarily disclose such information to these entities. In 2014, Merrill added language to its standard severance agreement providing that a departing employee was permitted to initiate communications directly with the SEC or other authorities, but limited the type of information that could be shared to (a) information relating to the severance agreement itself, or (b) the “underlying facts and circumstances” relating to the agreement.

The SEC charged Merrill with violating Rule 21F-17 even though the Commission’s order made clear there was no evidence that any Merrill employee actually was prevented from communicating with the Commission staff, and there was no evidence that Merrill took any action to enforce the confidentiality provisions so as to prevent an employee from communicating with the SEC. The order also cited Merrill’s substantial remedial acts, which included modifying the confidentiality provisions in its policies, procedures, and agreements. The new language clarifies that, with the exception of information that is protected from disclosure by an applicable law or privilege, nothing in Merrill’s updated language prohibits an employee from sharing information with the Commission without prior authorization or notice to the company. In addition, Merrill now requires employees to undergo annual training concerning their rights (a) to report possible violations of law to the Commission or other authorities without permission or notice to Merrill; (b) to report possible violations anonymously; and (c) to cooperate voluntarily with or respond to any inquiry from the Commission or other authorities.13

4. BlueLinx Holdings

On August 10, 2016, the SEC announced a settled action charging BlueLinx with violating Rule 21F-17 by using severance agreements that prohibited employees from disclosing confidential information unless compelled to do so by law or legal process, and required employees to either provide notice or obtain the legal department’s consent before making any such disclosure, without providing an exception that allowed employees to provide information voluntarily to the Commission or other authorities. In addition, the order found that BlueLinx required outgoing employees to waive their rights to monetary recovery if they submitted a whistleblower complaint to the SEC or another federal agency. According to the SEC’s order, BlueLinx added the latter provision to all of its severance agreements in mid-2013, nearly two years after the SEC’s adoption of Rule 21F-17. BlueLinx’s restrictive language forced employees leaving the company to waive possible whistleblower awards or risk losing their severance payments and other post-employment benefits. BlueLinx agreed to pay a $265,000 penalty, amend the language of its agreements, and make reasonable efforts to contact former employees who had executed severance agreements to notify them that the company did not prohibit former employees from providing documents or other information to the SEC staff without notice to the company or from accepting SEC whistleblower awards.

5. Health Net Inc.

Similarly, on August 16, 2016, Health Net Inc. agreed to pay a $340,000 penalty and consent to the entry of an order finding that the company violated Rule 21F-17 by using severance agreements that required outgoing employees who wanted to receive severance payments and other post-employment benefits to waive the ability to file applications for SEC whistleblower awards.14 According to the order, Health Net added the provision in August 2011 after the SEC adopted Rule 21F-17. Health Net removed the SEC-specific language from its severance agreements in June 2013, but retained restrictive language that removed the financial incentive for reporting information until finally striking all such restrictive language in 2015. The SEC’s order provided that the Commission found no evidence that HealthNet took action to enforce these provisions or that the provisions dissuaded an employee from providing information to the Commission. As part of the settlement, the company agreed to make reasonable efforts to contact former employees who had executed severance agreements to notify them that the company did not prohibit former employees from providing information to the SEC staff or from seeking and accepting SEC whistleblower awards.

6. AB InBev

On September 28, 2016, the SEC announced a settlement in which Anheuser-Busch InBev SA/NV (AB InBev) agreed to pay $6 million to settle charges that it violated the FCPA and violated Rule 21F-17 when its subsidiary entered into a separation agreement that stopped an employee from communicating with the SEC staff about the underlying conduct.15 According to the Commission’s order, the employee reported the potential FCPA violations to AB InBev personnel in 2010 and 2011. In 2012, AB InBev’s subsidiary terminated the employee. Later that year, following mediation of the employee’s potential employment law claims, AB InBev’s subsidiary and the employee entered into a separation agreement that prohibited the employee from disclosing the subsidiary’s confidential information, prohibited the employee from disclosing information concerning the substance of the separation agreement “except to the extent such disclosure may be required for accounting or tax purposes or as otherwise required by law,” and provided that the employee would be obligated to pay the subsidiary $250,000 as liquidated damages if he breached the separation agreement. The order provided that AB InBev had “used the same or similar language in other agreements in the past.” According to the order, the employee previously had been voluntarily communicating with the Commission staff, but stopped doing so because he believed the separation agreement prohibited him from doing so. The order stated that the employee only resumed speaking with the staff after receiving an administrative subpoena for documents and testimony. The order noted that, in 2015, AB InBev amended the separation agreements used for departing employees of its U.S. entities to make clear that the employees were not prohibited from reporting possible violations of law to governmental authorities or required to provide notice to the company.

7. NeuStar

On December 19, 2016, the Commission announced another Rule 21F-17 settlement, this time with NeuStar Inc., which agreed to pay a $180,000 penalty to resolve the charges.16 According to the order, between 2008 and May 2015, NeuStar entered into severance agreements with employees leaving the company that contained a nondisparagement clause. The clause prohibited employees from engaging in any communication that disparaged NeuStar with, among others, the SEC. The severance agreements also contained a forfeiture clause, which required employees to forfeit all but $100 of their severance compensation if they breached the nondisparagement clause. According to the order, the Commission did not find evidence that NeuStar took steps to enforce the nondisparagement clause, but found that the clause impeded at least one former employee from communicating with the Commission. The company revised its severance agreement template shortly after the Commission initiated an investigation, and undertook as part of the settlement to make reasonable efforts to contact former employees to notify them about the settlement and state that NeuStar did not prohibit them from communicating with the SEC about potential violations, without notice to or approval by the company.

8. BlackRock, Inc.

On January 17, 2017, the SEC announced a settlement with BlackRock, Inc. in which BlackRock agreed to pay a $340,000 penalty to resolve charges that it violated Rule 21F-17.17 According to the order, after the SEC adopted Rule 21F-17, BlackRock revised its separation agreements to include a clause requiring departing employees to waive recovery of incentives received for reporting misconduct to the government under Dodd-Frank or other provisions. More than 1,000 employees signed this version of the agreement. The agreement did not prohibit communication with the government, and BlackRock revised the agreement to remove the language in 2016 as part of an annual review before being contacted by the SEC. In addition, the order also stated that BlackRock was not aware of any employees impacted by the provision and took no action to enforce it. Nevertheless, the Commission found that BlackRock had “directly targeted the SEC’s whistleblower program by removing the critically important financial incentives that are intended to encourage persons to communicate directly with the Commission staff about possible securities law violations.” As part of its remedial efforts, BlackRock now conducts annual training on its updated “Global Policy for Reporting Illegal or Unethical Conduct,” which describes employees’ rights under the whistleblower provisions. The policy includes the right to report potential violations to the government without permission from BlackRock, the right to report potential violations to BlackRock anonymously, and the right to cooperate voluntarily with government inquiries. The policy also provides that employees will not be retaliated against for reporting potential violations.

9. HomeStreet Inc.

On January 19, 2016, the SEC announced a settlement with HomeStreet, Inc. in which HomeStreet agreed to pay a $500,000 penalty to resolve charges that it violated the books and records provisions in connection with its hedge accounting and took actions to impede potential whistleblowers who were knowledgeable about the violations from communicating with the SEC.18 In addition, the order found that HomeStreet included language in some of its severance agreements that although the release did not prohibit employees from speaking with the government, it “shall be considered a waiver of any damages or monetary recovery therefrom.” The order noted that the Commission was not aware of any instances of current or former employees impeded from communication with SEC staff.

According to the order, after the SEC served a document request on HomeStreet, executives at the company believed that a whistleblower had been the source of the SEC’s investigation and took actions to determine which employee had provided the SEC with information. The order found that HomeStreet violated Rule 21F-17 by asking certain employees whether they had been the whistleblower and stating that it might not indemnify the legal fees of a former executive that the company suspected to be the whistleblower.

As part of its remedial efforts, HomeStreet voluntarily revised the severance agreement to include language that nothing in the agreement limited the employee’s ability to communicate with any government agency, including providing documents or other information without notice to the Company, or the employee’s right to receive an award.

C. The SEC’s Anti-Retaliation Enforcement

Another way the SEC is looking to prevent a chilling effect on would-be whistleblowers is anti-retaliation enforcement actions. In the post-Dodd-Frank world, whistleblowers can now initiate a private action in federal court alleging retaliation and may even be able to inspire the SEC to initiate an enforcement action charging retaliation. Increased training on retaliation concepts can help companies avoid making a bad situation worse.

Section 21F(h)(1) of the Exchange Act prohibits employers from “discharg[ing], demot[ing], suspend[ing], threaten[ing], harass[ing], directly or indirectly, or in any other manner discriminat[ing] against, a whistleblower in the terms and conditions of employment” as a result of the whistleblower providing information to the SEC, and Section 21F(h)(2) of the Exchange Act creates a private right of action for the discharged individual. Rule 21F-2(b)(1)(iii) explicitly states that the anti-retaliation protections apply “whether or not [the whistleblower] satisf[ies] the requirements, procedures and conditions to qualify for an award.” In addition, Rule 21F-2(b)(2) provides that violations of the anti-retaliation provisions are enforceable by the Commission.

To date, the SEC has brought enforcement actions against several companies for retaliating against whistleblowers, including when the whistleblowers never blew the whistle to the SEC. Again, these cases provide some insight on what the SEC considers inappropriate corporate behavior in response to whistleblower complaints.

1. Paradigm Capital

The first enforcement case in this area was announced in June 2014 when the SEC instituted and settled a cease and desist proceeding against Paradigm Capital Management. The enforcement action focused primarily on improper principal transactions, but the SEC also made findings that Paradigm retaliated against the trader who reported the underlying conduct internally and to the SEC. The SEC found that when Paradigm’s head trader reported the prohibited transactions internally to Paradigm, he was removed from his position, assigned to investigate the conduct in a compliance assistant role, prohibited from accessing his e-mail and other internal resources needed to conduct the investigation, and otherwise marginalized before he eventually resigned from the firm. Paradigm’s owner also was charged with causing the trading-related violations, but not with retaliation. Paradigm agreed to pay disgorgement of $1.7 million, a civil monetary penalty of $300,000, and prejudgment interest of $181,771.19

In April 2015, the SEC paid an award to the whistleblower in this case. The SEC noted that the whistleblower received the maximum award possible—30 percent of the amounts collected—and added that the whistleblower “suffered unique hardships, including retaliation, as a result of reporting to the Commission.” The SEC used the announcement of this award to underscore its commitment to protecting whistleblowers against retaliation and to encourage potential whistleblowers to come forward with information.20

2. IGT

On September 29, 2016, the SEC announced a settled cease and desist proceeding with International Game Technology (IGT). IGT agreed to pay a $500,000 penalty to settle charges that it violated Exchange Act section 21F(h) when it terminated an employee after he raised concerns about pricing methodology used for parts.21 According to the order, the employee, who had positive performance evaluations throughout his time at IGT, raised concerns through IGT’s whistleblower hotline about IGT’s accounting for refurbished parts. The day after he reported internally, the whistleblower submitted a complaint to the Commission and advised IGT he had done so. After an internal investigation conducted with help from outside counsel, IGT determined there was no issue with its accounting. While the investigation was ongoing, the whistleblower was removed from two important professional activities, and his employment was terminated once the investigation was complete. In its press release, the SEC highlighted this as its first stand-alone retaliation case and does not indicate that the investigation is ongoing into any potential violations.22

3. SandRidge

On December 20, 2016, the SEC announced another cease and desist proceeding in this area, this time against SandRidge Energy, Inc. for violating both the anti-retaliation prohibition in section 21F(h) of the Exchange Act and the anti-impeding restriction in Rule 21F-17.23 SandRidge agreed to pay a penalty of $1.4 million to settle the enforcement action. According to the order, SandRidge’s separation agreement used between August 2011 and April 2015 included one or more of the following: a clause that prohibited voluntary cooperation with government agencies in any proceeding or investigation about SandRidge, a clause that prohibited sharing confidential information with the government, absent written agreement from SandRidge, and/or an anti-defamation clause which included prohibitions against criticizing SandRidge in communications with the government. At the request of employees or their counsel, this language was modified or deleted on a case-by-case basis.

Almost 900 former SandRidge employees received the form agreement with one or more of these clauses, including more than 100 after SandRidge became aware of the SEC enforcement action regarding KBR’s use of similar provisions. At the time many of these agreements were put into place, SandRidge was under investigation by the SEC.

After a request from Commission staff, SandRidge modified its form agreement, communicated the amendments to former employees, and amended corporate codes and policies as part of the update. The SEC’s order found that one former employee refused to speak with Commission staff based on the agreement, even after receiving the amendments.

In addition, the order found that SandRidge retaliated against a whistleblower who raised concerns about the company’s accounting for oil and gas reserves. After searching the whistleblower’s e-mails for external communications containing disparaging remarks about SandRidge, and without investigating the concerns outside of an incomplete review by internal audit, SandRidge terminated the whistleblower as part of a large-scale reduction in force. The separation agreement provided to the whistleblower contained the violative provisions, and when the whistleblower’s counsel objected to the provisions, SandRidge would not agree to remove them until it had reviewed the matter, including interviewing the whistleblower.

4. Circuit Split on the Need for Reporting to the SEC

As discussed, Dodd-Frank added protections that prohibit employers from “discharg[ing], demot[ing], suspend[ing], threaten[ing], harass[ing], directly or indirectly, or in any other manner discriminat[ing] against, a whistleblower in the terms and conditions of employment”24 as a result of the whistleblower providing information to the SEC. This section, however, does not define whether to qualify a putative whistleblower must report to the government, as is required to receive an award, or whether internal reporting alone is sufficient. This ambiguity led both to the SEC issuing a clarifying statement and to a circuit split on how this language should be read. The Supreme Court has agreed to resolve the split and will hear arguments on the case from the Ninth Circuit in the next term.

On July 17, 2013, the Fifth Circuit was the first federal circuit court to weigh in on this issue. Its decision in Asadi v. G.E. Energy LLC held that in order to receive retaliation protection, a whistleblower must report to the SEC, not just internally to the company.25 In response to this decision, on August 4, 2015, the SEC announced its view that under the retaliation provisions of Dodd-Frank and the Sarbanes-Oxley Act of 2002, a whistleblower who reported internally need not have reported to the SEC in order to be protected against retaliation.26

Then, shortly after the SEC issued its interpretive release, on September 10, 2015, the Second Circuit decided Berman v. Neo@Ogilvy LLC, adopting the SEC’s definition of “whistleblower” in relation to the anti-retaliation provisions of Dodd-Frank as including individuals who report violations internally within their company, and not to the SEC itself.27 The Second Circuit’s opinion created a circuit split.

On January 13, 2017, the Sixth Circuit affirmed the lower court’s decision in Verble v. Morgan Stanley Smith Barney that the former employee at issue did not garner whistleblower protection.28 However, unlike the district court, which had dismissed Verble’s Dodd-Frank retaliation claim because he did not report to the SEC prior to termination, the Sixth Circuit found that the complaint filed in the district court did not contain adequate factual information about Verble’s cooperation with the FBI or any other law enforcement agency. Because of defects in Verble’s complaint, the Sixth Circuit declined to reach the question of whether the whistleblower had garnered protection even if he did not report to the government. As a result, the Sixth Circuit has not yet weighed in on either side of the argument.

Similarly, on April 12, 2017, in an opinion marked nonprecedential, the Third Circuit in Danon v. Vanguard Group Inc. vacated a district court’s dismissal of Danon’s retaliation claim under Dodd-Frank (while upholding dismissal of claims under Sarbanes-Oxley and Pennsylvania whistleblower law) and sent the case back to the district court.29 Like the Sixth Circuit, the Third Circuit did not weigh in on whether a whistleblower is required to report to the SEC in order to receive protection under Dodd-Frank.

Meanwhile, however, on March 8, 2017, the Ninth Circuit entered the debate with its decision in Somers v. Digital Realty Trust, Inc., following the Second Circuit and holding that whistleblowers that make only internal disclosures are protected as well as those who make disclosures to the SEC.30 The SEC filed amicus briefs in Verble, Somers, and Danon, as well as in Berman, all in support of its view in the interpretive release.

After declining Verble’s request for certiorari on the merits of the case, including whether his internal reporting afforded him protection from retaliation,31 on June 26, 2017, the Supreme Court granted certiorari on Digital Realty Trust’s petition. Digital Realty Trust petitioned the Supreme Court to decide “[w]hether the anti-retaliation provision for ‘whistleblowers’ in the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 extends to individuals who have not reported alleged misconduct to the Securities and Exchange Commission and thus fall outside the Act’s definition of a ‘whistleblower.’”32

D. Best Practices for Complying with the SEC’s Whistleblower Rules

Company counsel and compliance officers can apply lessons from more than five years of the SEC’s whistleblower program in three areas: (1) protecting confidential information without “impeding” whistleblowers; (2) dealing responsibly with possible whistleblowers without retaliating; and (3) assessing how the whistleblower program impacts decisions about whether to self-report information concerning possible federal securities law violations. Corporate directors may want to consider asking about steps their companies have taken in these areas in order to help protect against future SEC enforcement liability and to take action before derivative plaintiffs inspire it (and seek payment for doing so).

1. Protecting Confidential Information without “Impeding”

The current state of affairs appears to be that although a company can maintain commercial confidential information from its competitors, if an individual believes there is a violation of law and that commercial secrets must be exposed to demonstrate the violation, that individual cannot be impeded from reporting to the government. Of course, if that happens and the information is contained in nonprivileged documents produced to the SEC, this information could be subject to Freedom of Information Act (FOIA) requests or subpoenas in civil litigations. Although FOIA offers some protections from disclosure for documents and information that contain trade secrets and confidential information, or documents that are related to an ongoing government investigation, a whistleblower’s production of this information to the SEC increases the risk that such information will be disclosed because the whistleblower will almost certainly not request FOIA confidential treatment, and there is the chance that a company will not receive notice of, and thus will not have an opportunity to contest, a FOIA request.33 Consequently, regulated entities and public companies should periodically review their employment, confidentiality, and severance agreements, as well as their policies, procedures, and practices, to determine how best to protect their commercial secrets while not impeding current or former employees from communicating with the SEC staff about potential securities law violations.

a. Review Language of Employment, Confidentiality, and Severance Agreements

The Commission’s Rule 21F-17 cases provide several clear lessons to apply when reviewing the language of template employment, confidentiality, and separation agreements.

  • DON’T impose blanket prohibitions on disclosing the particulars of an interview conducted as part of an internal investigation, or the subject matter covered during that interview. (KBR)
  • DON’T restrict the kinds of information that employees may voluntarily disclose to the SEC. (Merrill Lynch)
  • DON’T require employees to provide notice or obtain permission before sharing confidential information with the SEC. (BlueLinx)
  • DON’T require employees to waive their rights to a monetary award if they provide information to the SEC or other authorities. (BlueLinx, HealthNet)
  • DON’T require employees to pay liquidated damages or forfeit severance compensation if they breach their separation agreements by disclosing confidential information to the SEC. (AB InBev, NeuStar)

In addition to spelling out problematic practices, the Commission’s orders also have positively described remedial steps and language changes made by the settling parties. Given the Commission’s favorable comments, regulated entities and public companies should evaluate whether these steps make sense for their own templates, including:

  • DO make clear in internal trainings, and potentially even in agreements themselves, that employees may voluntarily disclose confidential information to the SEC, and are not limited to doing so only when compelled by law or legal process.

b. Revisit Practices Regarding the Sharing and Treatment of Confidential or Legally Privileged Information

Regulated entities and companies also may want to consider more carefully who has a need to access confidential or legally privileged information within a company. This applies to oral conversations as well as written documents because in jurisdictions that require only single-party consent for recording, counsel for whistleblowers have reported receiving surreptitiously recorded conversations, which then may become a part of the whistleblower’s claim.

Of course, there is only so much that a company can do to prevent an employee from taking documents, including privileged ones, without authorization and providing them to the SEC. Although the SEC’s whistleblower regulations removes information obtained “by a means or in a manner that is determined by a United States court to violate applicable federal or state criminal law” from the definition of “original information” that makes a whistleblower eligible for an award,34 the government’s desire for quality tips seems to outweigh its skepticism for the integrity of individuals who steal documents from their employers, and supporting documents can bolster the credibility of a whistleblower’s allegations. Confidentiality agreements can provide an additional layer of protection35 and can serve as a reminder to employees.

To its credit, if the SEC staff is aware that materials provided by purported whistleblowers may contain communications protected by the attorney-client privilege, the SEC staff may use “taint teams” to review materials and to isolate them from the main investigative team.36 This is an imperfect solution at best because it does nothing to prevent disclosure of confidential or competitively sensitive materials, and evaluating potential privilege claims often requires detailed factual information from parties with whom the taint team has no contact. The best defense against the risk of having privileged corporate information revealed in an SEC enforcement investigation is to train individuals who interact with counsel on how to identify and label privileged materials. In the event that any such documents were to be provided to the SEC without authorization, this practice will assist the SEC’s taint teams to more easily identify and segregate potentially privileged information.

2. Responsibly Address Internal Reports of Potential Misconduct without Retaliating

Prohibitions on retaliation against whistleblowers are not new, and company managers have been trained on this topic for many years. For example, in the wake of another comprehensive business statute, the Sarbanes Oxley Act of 2002, many companies thoroughly reviewed, and in some instances restructured, their policies and procedures for handling whistleblower claims, including prohibitions on retaliation and how whistleblower complaints should be reported to a board-level committee. Given the growth and greater visibility of the SEC’s whistleblower program, however, and the SEC’s power under Dodd Frank to bring enforcement actions alleging retaliation, it is more important than ever to pay attention to this important area of corporate governance.

Although there is a circuit split as to whether a potential whistleblower must report concerns to the SEC in order to be eligible for protection from retaliation, the SEC itself has remained clear that even whistleblowers who merely report their concerns internally to their supervisors or others in the company qualify for anti-retaliation protection.37 Accordingly, it is best to treat concerns raised carefully and seriously every time.

In fact, studies show this issue presents itself frequently. One 2015 study reported that “the average whistleblower is someone who most likely went to the company first. A staggering 92% of reporters turn to somebody inside the company when they first report misconduct.”38 In addition, the SEC’s 2016 Annual Report indicates that “[o]f the award recipients who were current or former employees of the entity, approximately 80% raised their concerns internally to their supervisors or compliance personnel, or understood that their supervisor or relevant compliance personnel knew of the violations, before reporting their information of wrongdoing to the Commission.” Potential whistleblowers can be motivated by a concern that the law was violated, yet may have a limited perspective within the company and lack the information necessary to see why inferences about apparent misconduct are not correct. Today’s policies and procedures could address this challenge by institutionalizing and facilitating communications with the whistleblowers about steps taken to investigate and address the concern. Knowing action is being taken, and understanding the bigger picture where appropriate, may alleviate the potential whistleblower’s worry.

Of course, whistleblowers also may be motivated by a desire to maximize their leverage in an already existing employment disagreement. This makes strong training for supervisors especially valuable. The SEC’s rules prohibit “discharg[ing], demot[ing], suspend[ing], threaten[ing], harass[ing], directly or indirectly, or in any other manner discriminat[ing] against, a whistleblower in the terms and conditions of employment because of any lawful act done by the whistleblower.”39 When a whistleblower is under stress, many actions that are benign and completely justified in the normal course can be viewed as retaliatory by the whistleblower and potentially by the SEC.

Managing the whistleblower reporting process internally is crucial. It is important that companies set the right tone, get back to people who raise issues where possible, or let them know not to expect a response and why. To help guard against taking any actions that could be perceived as retaliatory, companies should consider the following precautions. First, it is critical that supervisors are trained to recognize potential whistleblower complaints and how to handle them. Supervisors often treat complaints as routine in the ordinary course of the employee’s job or simply the result of a disgruntled employee, and as such, companies may not have the opportunity to adequately investigate and address the complaint at an early stage.

Maintaining the confidentiality of whistleblower reports is of the utmost importance. Information about whistleblower reports should be shared on a need-to-know basis, and care should be taken to screen off any senior managers who are alleged to have been involved in the reported violations from employment decisions about the whistleblower. In situations involving anonymous whistleblower reports, business leaders may push to identify the source of the complaint. Counsel and compliance officers should resist such efforts to avoid the potential for retaliation or actions that could be perceived as retaliatory. Companies should have formal processes to track whistleblower complaints and to ensure the correct level of coordination between the whistleblower process and human resources when it comes to both performance reviews and personnel actions.

3. The Whistleblower Program’s Impact on Whether to Self-Report Potential Violations

Under former Chair White and former Enforcement Director Ceresney, the SEC launched a number of initiatives designed to encourage companies and regulated entities to self-report potential violations. These initiatives include, among others, requiring entities to self-report potential FCPA violations to be eligible for deferred prosecution agreements (DPAs) or Non-Prosecution Agreements (NPAs),40 the Municipalities Continuing Disclosure Cooperation (MCDC) Initiative, and the Customer Protection Rule Initiative. To promote these efforts, the Commission has used a combination of carrots, including the possibility of quicker investigations and more lenient sanctions for entities that self-report, as well as sticks, including the threat of larger, more time-consuming investigations that result in significantly greater sanctions. It remains to be seen whether new leadership at the SEC will maintain the emphasis on the importance of self-reporting. Until the Commission or its staff provide new guidance, however, it would be prudent for companies, regulated entities, and their counsel to operate as though the same policies and approaches remain in effect.

Throughout his tenure as director, Ceresney reinforced how, in the staff’s view, the existence of the whistleblower program should incentivize companies and regulated entities to self-report violations.41 For example, in his September 14, 2016 speech about the whistleblower program, Ceresney specifically noted that tips about FCPA violations and accounting and offering frauds were particularly helpful to the staff. He particularly emphasized the impact of the whistleblower program on FCPA enforcement and self-reporting:

Here, though, I want to highlight a subsidiary benefit of the whistleblower program. We are often alerted to FCPA violations by companies self-reporting violations. The program has vastly increased the incentives for companies to self-report misconduct to us, as companies are aware that we may receive information from other sources if they are not forthcoming with us, and as I have emphasized before, if we learn the company made the decision not to self-report after learning of misconduct, there will be consequences. So even before the tips are sent, the impact of the program manifests in other ways as well.42

As a result, companies and regulated entities that do not self-report run increased risks that whistleblowers will bring information to the SEC staff first, undermining the entities’ ability to receive cooperation credit.

Of course, there are costs as well as benefits to self-reporting, and it would be ill-advised for companies and regulated entities to self-report to the SEC every time an employee raises questions about an issue. For example, under the official DPA and NPA policy for FCPA cases, if a whistleblower beats a company through the door in reporting to the SEC, the company loses outcome opportunities. On the other hand, companies also must consider that early self-reporting could lead to incurring unnecessary investigation costs if it is later determined that there was no actual violation, or to unrealistic expectations of significant cooperation credit from self-reporting when the circumstances made the company an unlikely candidate for a DPA or NPA.

Accordingly, companies and regulated entities must make concerted efforts to monitor internal reporting mechanisms, evaluate whether they are sufficiently triaging these reports with the appropriate sense of urgency, and consider consulting with sophisticated counsel to determine whether and when to report potential misconduct.

E. Conclusion

Although companies and their counsel may feel the whistleblower program goes too far in encouraging employees to go straight to the SEC with their concerns, rather than raising them internally, the program has become a well-established part of the Commission’s enforcement program that seems to be here to stay. As a result, companies and their counsel must pay careful attention to how they handle internal reports of potential problems. Not only is it important to avoid actions that could be viewed as chilling employees’ ability to provide information to the SEC or as retaliatory, it is important to have robust processes in place to investigate and address reports of potential problems. If employers create a climate in which employees feel confident that if they raise concerns internally, those concerns will be addressed, and they will be protected from retaliation, the data shows that they will be much less likely to contact the SEC.


1. Financial CHOICE Act of 2017, H.R. 10, 115th Cong. § 828 (2017). Currently, whistleblowers who are criminally convicted for related conduct are barred from receiving an award, 15 U.S.C. § 21F(c)(2)(B), and for all whistleblowers, culpability is a factor in determining the award amount. 17 CFR § 240.21F-16. The SEC has awarded money to at least three whistleblowers that it described as culpable in the award orders. See Whistleblower Award Proceeding No. 2016.7, Exchange Act Release No. 77530 (Apr. 5, 2016) (claimant 1’s award offset by amounts outstanding from judgment against claimant); Whistleblower Award Proceeding No. 2016-16, Exchange Act Release No. 78719 (Aug, 30, 2016) (noting that factors mitigating the claimant’s culpability were considered in arriving at the award amount); and Whistleblower Award Proceeding No. 2017-7, Exchange Act No. 80115 (Feb. 28, 2017) (noting that claimant’s award was reduced due to culpability and delay in reporting).

2. Of course, the SEC’s whistleblower reward program is only one of many in the federal government. See, e.g., programs at the U.S. Commodities and Futures Trading Commission, the Internal Revenue Service, and a new program set up in the Fixing America’s Surface Transportation Act of 2016 to provide incentives for reporting information on motor vehicle defects or noncompliance with reporting requirements, as well as the longstanding False Claims Act program administered by the Department of Justice. The SEC’s program has paved the way for creative rulemaking and enforcement by these other agencies, however, and is both important in its own right and important for what it portends in potential expansions in other government programs.

3. 2016 Annual Report to Congress on the Dodd-Frank Whistleblower Program (2016 Annual Report), at 23.

4. 2016 Annual Report, at 23–26.

5See Whistleblower Awards Over $150 Million for Tips Resulting in Enforcement Actions. In order to be eligible for an award, a whistleblower must “voluntarily” provide information that is “original” and that leads to a “successful enforcement action” with monetary sanctions exceeding $1 million. Awards range between 10 and 30 percent of the total sanctions, which may be divided among multiple whistleblowers.

6. See Chair Mary Jo White, The SEC as the Whistleblower’s Advocate, Speech at the Ray Garrett, Jr. Corporate and Securities Law Institute-Northwestern University School of Law, Chicago, Illinois (Apr. 30, 2015).

7. See Andrew Ceresney, Director, Division of Enforcement, The SEC’s Whistleblower Program: The Successful Early Years, Speech at the Sixteenth Annual Taxpayers Against Fraud Conference (Sept. 14, 2016) (hereinafter September 14, 2016 Ceresney Speech).

8. National Exam Program Risk Alert, Examining Whistleblower Rule Compliance (Oct. 24, 2016).

9. Id.

10. In the Matter of KBR, Inc., Exchange Act Release No. 74619 (Apr. 1, 2015).

11. SEC v. Crumbley, et al., Civil Action No. 3:16-CV-00172 (N.D. Tex.) (Jan. 21, 2016).

12. In the Matter of Merrill Lynch, Pierce, Fenner & Smith Inc., et al., Exchange Act Release No. 78141 (June 23, 2016).

13. In the Matter of BlueLinx Holdings Inc., Exchange Act Release No. 78528 (Aug. 10, 2016).

14. In the Matter of Health Net Inc., Exchange Act Release No. 78590 (Aug. 16, 2016).

15. In the Matter of Anheuser-Busch InBev SA/NV, Exchange Act Release No. 78957 (Sept. 28, 2016).

16. In the Matter of NeuStar, Inc., Exchange Act Release No. 79593 (Dec. 19, 2016).

17. In the Matter of BlackRock, Inc., Exchange Act Release No. 79804 (Jan. 17, 2017).

18. In the Matter of HomeStreet Inc. & Van Amen., Exchange Act Release No. 79844 (Jan. 19, 2017).

19. In the Matter of Paradigm Capital Management, Inc., et al., Exchange Act Release No. 72393 (June 16, 2014).

20. Press Release No. 2015-75, SEC Announces Award to Whistleblower in First Retaliation Case (Apr. 28, 2015).

21. In the Matter of International Game Technology, Exchange Act Release No. 78991 (Sept. 29, 2016).

22. Press Release No. 2016-204, SEC: Casino-Gaming Company Retaliated Against Whistleblower (Sept. 29, 2016).

23. In the Matter of SandRidge Energy, Inc., Exchange Act Release No. 79607 (Dec. 20, 2016).

24. Section 21F(h)(1) of the Exchange Act.

25Asadi v. G.E. Energy, LLC, 720 F.3d 620 (5th Cir. 2013).

26. See Interpretation of the SEC’s Whistleblower Rules under Section 21F of the Securities Exchange Act of 1934, Exchange Act Release No. 75592 (Aug. 4, 2015).

27. Berman v. Neo@Ogilvy LLC, 801 F.3d 145 (2d Cir. 2015).

28. Verble v. Morgan Stanley Smith Barney, No. 15-6397 (6th. Cir. Jan 13, 2017).

29. Danon v. Vanguard Group, Inc., No. 16-2881 (3d Cir. Apr. 12, 2017).

30. Somers v. Digital Realty Trust, Inc., No. 15-17352 (9th Cir. Mar. 8, 2017).

31. Supreme Court Order List, Mar. 20, 2017, at 4.

32. Petition for Writ of Certiorari, Digital Realty Trust, Inc. v. Somers, No. 16-1276 (Apr. 25. 2017).

33. Freedom of Information Act, 5 U.S.C. § 552. “Trade secrets and commercial or financial information obtained from a person and privileged or confidential” are protected from disclosure by an exception. 5 U.S.C. § 552(b)(4). However, the limits of “commercial or financial information obtained from a person and privileged or confidential” are not clearly delineated.

34. 17 C.F.R. § 240.21F-4(b)(4)(iv).

35. In other contexts, courts have held that whistleblower laws do not allow employees unfettered access to documents in order to blow the whistle. See JDS Uniphase Corp. v. Jennings, 473 F. Supp. 2d 697, 702 (E.D. Va. 2007) (“By no means can the policy fairly be said to authorize disgruntled employees to pilfer a wheelbarrow full of an employer’s proprietary documents in violation of their contract merely because it might help them blow the whistle on an employer’s violations of law, real or imagined. Endorsing such theft or conversion would effectively invalidate most confidentiality agreements, as employees would feel free to haul away proprietary documents, computers, or hard drives, in contravention of their confidentiality agreements, knowing they could later argue they needed the documents to pursue suits against employers under a variety of statutes protecting employees from retaliation for publicly reporting wrongdoing, such as Sarbanes-Oxley, the False Claims Act, and the Fair Labor Standards Act, or other statutes prohibiting retaliation for activity in opposition to discrimination.” (Internal citations omitted)); Xyngular Corp. v. Schenkel, 200 F. Supp. 3d 1273, 1318–19 (D. Ut. 2016) (noting that “federal courts have been leery to protect whistleblowers who improperly acquired their employers’ property” and that even if defendant was acting “solely as a sincere whistleblower, he likely would not have enjoyed an unfettered ability to collect documents” from his employer).

36.  Whistleblower guides published by law firms who represent whistleblowers address the issue of attorney-client privileged information and caution against its provision to the government. See, e.g. SEC WHISTLEBLOWER PROGRAM, Tips from SEC Whistleblower Attorneys to Maximize an SEC Whistleblower Award, at 15, Zuckerman Law (“Finally, whistleblowers should not provide all types of evidence. The SEC does not want, for example, information that may violate the company’s attorney-client privilege. If a whistleblower has questionable evidence, he or she should consult with an attorney and should potentially notify the SEC to have its taint team handle the evidence.); Marshall, David, The SEC Whistleblower Practice Guide, at 22 (“Do not include attorney-client privileged communications in your client’s submission to the SEC. The Commission will not consider the information, and its receipt of such communications will in itself delay or even discourage the SEC’s consideration of the submission as a whole. If unsure about potentially privileged materials, speak with the Office of the Whistleblower and/or Enforcement staff assigned to the investigation about the possibility of having an SEC ‘filter’ team screen certain documents to prevent staff involved in the investigation from viewing privilege materials, possibly resulting in their disqualification from the investigation.”).

37. See Interpretation of the SEC’s Whistleblower Rules under Section 21F of the Securities Exchange Act of 1934, Exchange Act Release No. 34-75592 (Aug. 5, 2015).

38. The Network, a NAVEX Global Company, Embracing Whistleblowers: Understand the Real Risk and Cultivate a Culture of Reporting, at 4. See also 2016 Annual Report, at 18 (“Of the award recipients who were current or former employees of the entity, approximately 80% raised their concerns internally to their supervisors or compliance personnel, or understood that their supervisor or relevant compliance personnel knew of the violations, before reporting their information of wrongdoing to the Commission.”).

39.  15 U.S.C. § 78u-6 (h)(1)(A) (2010).

40. Andrew Ceresney, Director, SEC Division of Enforcement, Keynote Address at ACI’s 32nd FCPA Conference (Nov. 17, 2015).

41. Speaking a conference on corporate accountability, then-chief of the Fraud Section of the Department of Justice Andrew Weissmann said that the DOJ was focused on encouraging companies to voluntarily disclose wrongdoing of their own volition, rather than waiting to hear the “loud footsteps” of the government.  See Adam Dobrik, We’ll improve incentives for early self-disclosure, says DoJ fraud chief, Global Investigations Review (Jun. 4, 2015) available at:

42. See September 14, 2016 Ceresney Speech.


Connect with a global network of over 30,000 business law professionals


Login or Registration Required

You need to be logged in to complete that action.