Confidentiality Agreements Rendered Unenforceable by SEC Whistleblower Rules

The SEC Whistleblower Program rules provide a number of protections against retaliation for employees who blow the whistle on securities violations. One particularly important protection is found in Rule 240.21F-17(a), which provides as follows:

No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement … with respect to such communications.

The rule applies to the great majority of confidentiality and non-disclosure agreements that employers require of employees who are in a position to know about securities violations, and comes at a time when employers and their counsel have increasingly used such agreements to harass and intimidate whistleblowers. This means that employees or former employees who are thinking about providing “tips” to the SEC under the whistleblower program can do so without fearing retaliation by their employers who might otherwise seek to hold them liable under state law for breaching confidentiality agreements.

The SEC rule trumping confidentiality agreements has no counterpart in the regulations governing the Internal Revenue Service’s whistleblower program or a qui tam relator’s communications with the government when bringing a lawsuit under the False Claims Act, although courts have refused to enforce confidentiality agreements in the FCA context and have found whistleblowing to the IRS to be protected activity under the Sarbanes-Oxley Act. See Head v. The Kane Co., 668 F.Supp.2d 146, 152 (D.D.C. 2009) (finding contractual obligations to return all company documents and not to disparage employer void as against public policy where enforcement sought to prevent employee from providing evidence to government in qui tam lawsuit). And see Vannoy v. Celanese Corporation, 2008-SOX-064, 2011 WL 4690624 (ARB Sept. 28, 2011) (whistleblower disclosures to the IRS are protected from retaliation by § 806 of the Sarbanes-Oxley Act, 18 U.S.C. § 1514A).

It is also encouraging to see two recent rulings from U.S. Courts of Appeals for the Second and Ninth Circuits making it harder for employers and cooperating prosecutors to use federal criminal laws to intimidate and harass whistleblowers. Both courts dismissed cases brought by the government against former employees who had been charged with theft of their employers’ proprietary information. In the 2nd Circuit, in the case of USA v. Aleynikov, the Court found that a district court jury erred when it convicted a former employee of violating the National Stolen Property Act (“NSPA”) and the Economic Espionage Act (“EEA”). In the 9th Circuit, in the case of USA v. David Nosal, the Court, sitting en banc, upheld the district court’s dismissal of a prosecution against a former employee under the Computer Fraud and Abuse Act (“CFAA”).

In both cases, the defendant employees took digital information from their previous employers either shortly before or shortly after their employment ended. The case in the 2nd Circuit dealt with government charges against Sergey Aleynikov, a programmer who worked for two years at Goldman Sachs, becoming one of the highest-paid coders at the company. On his last day at Goldman in 2009, Aleynikov downloaded the source code for the company’s high-frequency trading system and later shared that information with his new employer. After Goldman discovered his action, Aleynikov was tried under the NSPA and EEA, found guilty, and sentenced to eight years in prison. The Second Circuit reversed, finding that while Aleynikov likely breached his confidentiality agreement with Goldman, he should never have faced criminal charges under these laws, which prohibited the theft of secrets related to goods and products.

In the Ninth Circuit case, the government brought criminal charges under the CFAA against David Nosal, a former employee at the executive search company Korn/Ferry International. The government accused Nosal of conspiring with other Korn/Ferry employees to access the company’s computers and obtain trade secrets he intended to use to form a competing company. Although Congress passed the CFAA to combat large-scale hacking into computer systems, the government argued that Nosal should be found guilty under the law’s proscription against a user “exceed[ing] authorized access” to a computer system.

The Ninth Circuit disagreed. “Basing criminal liability on violations of private computer use policies,” the court noted, “can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved.” The court pointed to chatting with friends, playing games, or watching sports highlights while at work as examples of “unauthorized access” that could lead to criminal liability under the government’s theory, and declined to expand the scope of the CFAA to such innocuous conduct on the job.

David J. Marshall, a whistleblower attorney at the D.C. law firm of Katz Banks Kumin, noted that the SEC decision and these recent court decisions mark significant victories for whistleblowers. Marshall said, “The law needs to recognize, as the SEC rule does, the difference between those employees who take employer information to benefit themselves and those who take information to share it with regulators and law enforcement in order to expose fraud on shareholders or the government, bribes of foreign officials and other such corporate misconduct.” Marshall also observed the Second and Ninth Circuit decisions were an important brake on employers and prosecutors who would use criminal prosecutions to chill the rights of whistleblowers. “All too often companies hold out these criminal statutes as threats against employee whistleblowers who are using information to blow the whistle on illegal activity,” Marshall said. “When employees can do the right thing without fear of criminal prosecution, the public reaps the benefit.”