United States: Back In The Game: Recent SEC Settlement Makes Unprecedented Extension Of Whistleblower Protection Rule Into Realm Of Data Security

Since its initial run of 12 enforcement actions prior to the U.S. Supreme Court's rejection of a key provision of the Securities and Exchange Commission's (SEC) Whistleblower protection rules in 2018, the SEC's policing of its Whistleblower rules under Rule 21F languished. The SEC brought just one stand-alone Rule 21F enforcement action since then. Recently, though, the SEC announced that it is not only willing to enforce Rule 21F but expand its reach to new territory.

A key feature of the SEC's Whistleblower protection regime has been Rule 21F-17(a). Exchange Act Rule 21F-17(a), promulgated under the Dodd-Frank Act, prohibits taking "any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications."

Previously, the SEC had taken a prophylactic approach to interpreting Rule 21F-17(a). The SEC applied Rule 21F-17(a) to routine confidentiality agreements, anti-disparagement clauses or internal policies that could theoretically discourage potential whistleblowers from bringing their concerns to the SEC. From the SEC's view, it simply did not matter that there was no proof that any person ever had a concern or in any way felt discouraged from contacting the SEC about potential securities law violations.

The SEC's recent enforcement action in In re David Hansen has taken this already broad application of Rule 21F-17(a) into uncharted territory. There, the SEC charged David Hansen, a co-founder and former Chief Information Officer of a nonpublic technology company, NS8, with violating Rule 21F-17(a). According to the settlement accepted by the SEC, in August 2019, an NS8 employee raised concerns to Hansen and others at NS8 that the company was overstating its numbers of paying customers. During the course of the conversation, the NS8 employee told Hansen that unless NS8 addressed this inflated customer data, he would reveal his allegations to NS8's customers, investors and any other interested parties. Respondent suggested that the NS8 employee raise his concerns directly to his supervisor or the CEO.

Hansen notified NS8's CEO of the employee's concerns. Rather than address the employee's concerns, the focus was turned on the employee. Hansen's CEO changed the employee's network access from full administrative rights to "read-only," so if the employee noticed, they could blame it on an administrative error. In addition, Hansen and the CEO used an "agent" previously installed on the employee's company computer so that they could monitor his communications in real-time. Through the remote access, they also accessed the employee's passwords that were saved in a company application to log in to the employee's accounts-both work and personal. They accessed and reviewed his personal email and social media accounts to see what the employee was communicating. Ultimately, the CEO fired the employee. Ironically, the SEC did not charge Hansen, the CEO or the company with the anti-retaliation provisions under Rule 21F-2. Instead, they concluded that Hansen's actions violated Rule 21F-17(a), discouraging activity that could potentially impede a whistleblower from bringing their concerns to the SEC,  and imposed a civil penalty in the amount of $97,523.

Notably, the SEC's Order did not allege that the employee was even aware of the monitoring, the restrictions on company network data or access to his personal communications located off-network. Nor were there any findings that anyone, including Hansen, sought to hinder or obstruct any communications between the employee and the Commission.

The SEC's unprecedented extension of 21F-17(a) did not go unnoticed during Commission consideration of the settlement. Rather than the Commission's rubber stamp of a Division of Enforcement settlement recommendation, the settlement prompted a rare dissent from a Commissioner. Commissioner Hester M. Pierce spotlighted the novel and far-reaching new application of Rule 21F-17(a), noting:

At most, these actions affected the content of what the NS8 Employee could communicate, not whether he could communicate. Rule 21F-17(a) ensures the whistleblower's entitlement to speak directly to the Commission, and NS8 did not prevent the NS8 Employee from doing so. Actions that limit access to company data do not necessarily limit access to the Commission. Mr. Hansen's actions, as reported in the Order, did not hinder the NS8 Employee's communications with the Commission regarding his already-submitted tip.

Commissioner Pierce further noted that:

A plausible inference, based on the facts recited in the Order, is that Mr. Hansen was concerned about the NS8 Employee's threat to disclose confidential company data "to NS8's customers, investors, and any other interested parties." Rule 21F-17(a) by its plain terms applies only to communications with the Commission. We should not read it in a manner that complicates a company's ability to act to protect its data in the face of sweeping disclosure threats, even well-intentioned ones by concerned employees. Companies hold troves of data about their customers, assets, and business practices. They and their customers have a keen interest in protecting those data. We should not engage in an undisciplined interpretation and application of Rule 21F-17(a) that adds unnecessary legal risk to that burden.

Armstrong Takeaways

Commissioner Pierce's dissent highlights the Commission's overreaching and application of the whistleblower protection rules into uncharted territory. Notably, a broad interpretation of Rule 21F-17(a) could prohibit companies from limiting employees' access to data. Limiting access to sensitive data is a common element in cybersecurity programs. Likewise, this settled order thrusts into question the policing of its computer equipment and data by any company with outside investors, public or private.

The SEC's action also serves as a reminder that when faced with internal complaints raising potential company integrity or legal compliance, companies should focus on the concerns raised. Investigating or "shooting the messenger" should be avoided.

Armstrong Teasdale's Litigation attorneys are skilled in helping clients navigate issues related to compliance with whistleblower issues arising out of federal and state statutory schemes. Please contact your regular AT attorney or one of our authors listed below for assistance in your specific situation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.