On April 12, the Securities and Exchange Commission (the “SEC” or the “Commission”) announced settled charges against David Hansen, the co-founder and former Chief Information Officer of a Las Vegas technology company, for violations of Rule 21F-17(a). In settling the charges, Hansen agreed to pay a civil penalty of $97,523. The action, which garnered a spirited dissent from Commissioner Hester Peirce, offers a few important takeaways for companies hoping to avoid running afoul of Rule 21F-17(a) should an employee share concerns about conduct that potentially violates the securities laws.

Rule 21F-17(a). Rule 21F-17(a) prohibits “any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.”

The SEC’s Findings. In 2018 and 2019, an employee of Hansen’s company, NS8, Inc. (“NS8”), raised concerns to Hansen and other employees that NS8 overstated the number of paying customers. NS8, which was a technology company that offered fraud detection and prevention software, allegedly used these inflated customer and monthly revenue numbers in creating external communications that were sent to potential and existing investors.

The employee submitted a tip to the SEC in July of 2019. One month later, when discussing the issue with both Hansen and the employee’s own supervisor, the employee allegedly explained that if the company did not take action to address the incorrect data, he would “reveal his allegations to NS8’s customers, investors, and any other interested parties.” According to the SEC Order, Hansen understood that the employee’s concerns constituted potential securities laws violations, including fraud against its investors.

The SEC alleged that Hansen proceeded to bring the employee’s concerns to the CEO. At that point, both executives took steps to cut off the employee’s access to NS8’s computer systems, with the CEO informing Hansen that he removed the employee’s administrative privileges while allowing read-only access “so it looks like an error.” Hansen also told the CEO that he had the ability to monitor the employee’s laptop screen if necessary. The following day, Hansen utilized his administrative account to access the employee’s computer and later gave the employee’s laptop and password to the CEO. The SEC Order implies, but does not expressly find, that Hansen, the CEO, or someone acting under their direction accessed the employee’s personal email and social media accounts. The CEO then fired the employee that same week.

As a result of this conduct, the SEC found that Hansen violated Rule 21F-17(a). In addition, NS8’s CEO pleaded guilty to criminal securities fraud charges in the Southern District of New York. The CEO admitted to using “fraudulent financial data to obtain over $123 million in financing for NS8, of which he personally obtained approximately $17.5 million.”

Commissioner Peirce’s Dissent. Commissioner Peirce wasted no time responding to what she saw as an “undisciplined interpretation and application of Rule 21F-17(a).” Noting that the employee’s tip preceded the allegedly unlawful conduct by a month, Commissioner Peirce remarked that Hansen’s actions “did not hinder the [employee’s] communications with the Commission regarding his already-submitted tip,” and that furthermore, the SEC Order shows no evidence that Hansen knew about the employee’s whistleblower complaint in the first place. She explained that such knowledge might have resulted in his actions implicating Rule 21F-17(a) or the anti-retaliation rules but that it is not present in the SEC Order.

Under such a “broad interpretation of Rule 21F-17(a),” Peirce expressed concern that companies could be prevented from limiting employees’ access to data, which is a “common element in cybersecurity programs.” In this case, the SEC’s allegations only indicate that Hansen was aware of a “sweeping disclosure threat” by the employee in question to leak company information. Peirce noted that companies hold “troves of data about their customers, assets, and business practices” which they must protect, and that the application of Rule 21F-17(a) in this case “adds unnecessary legal risk to that burden.”

Takeaways. The SEC Order arguably represents a broad view of Rule 21F-17(a). As the SEC Order is written, there is no suggestion that Hansen, the CEO, or anyone else at NS8 knew that the employee had submitted a tip to the SEC. The company’s revocation of the disgruntled employee’s administrator privileges could therefore be interpreted as a sensible attempt to safeguard company data in response to a threatened, unauthorized disclosure. However, from the SEC’s perspective, the CEO’s comment that the revocation of privileges was carried out so as to look like an “error” may have put the company’s conduct over the line.

Companies that find themselves faced with a possible whistleblower complaint should therefore ensure that they document the business reasons for any actions taken after concerns are brought to their attention. If the company is concerned about potential data theft or misappropriation of confidential information, contemporaneous records should reflect those rationales. Nevertheless, with a majority of Commissioners supporting this broad interpretation of Rule 21F-17(a), even the best-intentioned businesses may find themselves in a tenuous position when faced with a possible whistleblower complaint and disclosures.

Companies should keep in mind, however, that Rule 21F-17(a) should only cover actions taken in connection with an employee’s disclosure to the Commission. The SEC Order is silent as to whether the “interested parties” to whom the employee considered disclosing inflated data referenced the Commission or other third parties. Based on this most recent enforcement action, if the recipients of a potential disclosure are uncertain or may reasonably include the Commission, the SEC may seek to enforce a violation of Rule 21F-17(a).

Speaking more generally, the age-old advice that companies should have clear, direct channels for escalating internal complaints—while providing would-be whistleblowers with the knowledge that complaints will be seriously considered—holds true. And, when addressing such concerns, companies should operate under a presumption that employees have reported or will report to the Commission or other relevant regulators perceived violations. As the SEC Order is written, there is no suggestion that the company gave the employee’s concerns the requisite attention or that the report of misconduct would be meaningfully addressed and, if appropriate, remediated. In light of the criminal charges against NS8’s CEO, the egregiousness of the conduct that the employee brought to Hansen’s attention, and the significant investor harm, the lack of investigation and remediation may explain why the SEC saw it necessary to pursue charges via a broad interpretation of Rule 21F-17(a)’s scope on these facts.

Finally, this case is notable as a rare instance alleging an individual, and not corporate, violation of Rule 21F-17(a). Enforcement actions brought pursuant to Rule 21F-17(a) have averaged fewer than three per year since the first case was brought in 2015. Enforcement actions against individuals are even more rare in this space.

This post comes to us from Debevoise & Plimpton LLP. It is based on the firm’s memorandum, “Lessons from the Recent Enforcement Action Highlighting the SEC’s Broad Interpretation of Whistleblower-Related Rules,” dated April 20, 2022, and available here.