Back in the Game: Recent SEC Settlement Makes Unprecedented Extension of Whistleblower Protection Rule into Realm of Data Security

April 26, 2022 Advisory

Since its initial run of 12 enforcement actions prior to the U.S. Supreme Court’s rejection of a key provision of the Securities and Exchange Commission’s (SEC) Whistleblower protection rules in 2018, the SEC’s policing of its Whistleblower rules under Rule 21F has languished. The SEC has brought just one stand-alone Rule 21F enforcement action since then. Recently, though, the SEC announced that it is not only willing to enforce Rule 21F but also to expand its reach to new territory.

A key feature of the SEC’s Whistleblower protection regime has been Rule 21F-17(a). Exchange Act Rule 21F-17(a), promulgated under the Dodd-Frank Act, prohibits taking “any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.”

Previously, the SEC had taken a prophylactic approach to interpreting Rule 21F-17(a). The SEC applied Rule 21F-17(a) to routine confidentiality agreements, anti-disparagement clauses or internal policies that could theoretically discourage potential whistleblowers from bringing their concerns to the SEC. From the SEC’s view, it simply did not matter that there was no proof that any person ever had a concern or in any way felt discouraged from contacting the SEC about potential securities law violations.

The SEC’s recent enforcement action in In re David Hansen has taken this already broad application of Rule 21F-17(a) into uncharted territory. There, the SEC charged David Hansen, a co-founder and former Chief Information Officer of a nonpublic technology company, NS8, with violating Rule 21F-17(a). According to the settlement accepted by the SEC, in August 2019, an NS8 employee raised concerns to Hansen and others at NS8 that the company was overstating its numbers of paying customers. During the course of the conversation, the NS8 employee told Hansen that unless NS8 addressed this inflated customer data, he would reveal his allegations to NS8’s customers, investors and any other interested parties. Hansen suggested that the NS8 employee raise his concerns directly to his supervisor or the CEO.

Hansen notified NS8’s CEO of the employee’s concerns. Rather than address the employee’s concerns, the focus was turned on the employee. Hansen’s CEO changed the employee’s network access from full administrative rights to “read-only,” so if the employee noticed, they could blame it on an administrative error. In addition, Hansen and the CEO used an “agent” previously installed on the employee’s company computer so that they could monitor his communications in real time. Through the remote access, they also accessed the employee’s passwords that were saved in a company application to log in to the employee’s accounts—both work and personal. They accessed and reviewed his personal email and social media accounts to see what the employee was communicating. Ultimately, the CEO fired the employee. Ironically, the SEC did not charge Hansen, the CEO or the company under the anti-retaliation provisions of Rule 21F-2. Instead, it concluded that Hansen’s actions violated Rule 21F-17(a), discouraging activity that could potentially impede a whistleblower from bringing their concerns to the SEC, and imposed a civil penalty in the amount of $97,523.

Notably, the SEC’s Order did not allege that the employee was even aware of the monitoring, the restrictions on company network data or access to his personal communications located off-network. Nor were there any findings that anyone, including Hansen, sought to hinder or obstruct any communications between the employee and the Commission.

The SEC’s unprecedented extension of Rule 21F-17(a) did not go unnoticed during Commission consideration of the settlement. Rather than receiving the Commission’s rubber stamp of a Division of Enforcement settlement recommendation, the settlement prompted a rare dissent from a Commissioner. Commissioner Hester M. Peirce spotlighted the novel and far-reaching new application of Rule 21F-17(a), noting:

At most, these actions affected the content of what the NS8 Employee could communicate, not whether he could communicate. Rule 21F-17(a) ensures the whistleblower’s entitlement to speak directly to the Commission, and NS8 did not prevent the NS8 Employee from doing so. Actions that limit access to company data do not necessarily limit access to the Commission. Mr. Hansen’s actions, as reported in the Order, did not hinder the NS8 Employee’s communications with the Commission regarding his already-submitted tip.

Commissioner Peirce further noted that:

A plausible inference, based on the facts recited in the Order, is that Mr. Hansen was concerned about the NS8 Employee’s threat to disclose confidential company data “to NS8’s customers, investors, and any other interested parties.” Rule 21F-17(a) by its plain terms applies only to communications with the Commission. We should not read it in a manner that complicates a company’s ability to act to protect its data in the face of sweeping disclosure threats, even well-intentioned ones by concerned employees. Companies hold troves of data about their customers, assets, and business practices. They and their customers have a keen interest in protecting those data. We should not engage in an undisciplined interpretation and application of Rule 21F-17(a) that adds unnecessary legal risk to that burden.

Armstrong Takeaways

Commissioner Peirce’s dissent highlights the Commission’s overreach in applying the whistleblower protection rules to uncharted territory. Notably, a broad interpretation of Rule 21F-17(a) could prohibit companies from limiting employees’ access to data. Limiting access to sensitive data is a common element in cybersecurity programs. Likewise, this settled order calls into question how any company with outside investors, public or private, may police its own computer equipment and data.

The SEC’s action also serves as a reminder that when faced with internal complaints raising potential company integrity or legal compliance issues, companies should focus on the concerns raised. Investigating the messenger, or “shooting the messenger,” should be avoided.

Armstrong Teasdale’s Litigation attorneys are skilled in helping clients navigate issues related to compliance with whistleblower issues arising out of federal and state statutory schemes. Please contact your regular AT attorney or one of our authors listed below for assistance in your specific situation.
