When a whistleblower tips off the SEC to potential acts of fraud, should the employer have the right to cut them off from access to the company, and especially its data infrastructure? Apparently the SEC Commissioner and the rest of the institution’s lawyers are at odds over this question.
On Tuesday, April 12, the U.S. Securities and Exchange Commission (SEC) fined David Hansen, the former Chief Information Officer of NS8, Inc., a Las Vegas-based fraud detection and prevention software firm, approximately $100,000 for interfering with an employee’s ability to communicate with the SEC in violation of Rule 21F-17(a). The SEC alleged that Hansen violated the rule by restricting the employee’s access to NS8’s IT systems and monitoring his use of corporate computer systems after the employee provided a tip to the SEC about NS8’s corporate practices. In dissent, SEC Commissioner Hester Peirce said that the application of Rule 21F-17(a) was inappropriate in this case, arguing that restricting the tipster’s access to IT systems and monitoring their use did not impede their ability to communicate with the SEC and was a reasonable step in preventing unauthorized disclosure of NS8’s data to private parties and the media.
Rule 21F-17(a), implemented in 2011 as part of Dodd-Frank’s reforms, provides that “no person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation,” and is one of the primary methods for protecting whistleblowers. In 2018 and 2019, an NS8 employee ascertained and ultimately, in July of 2019, raised concerns to the SEC that the company was misrepresenting the total number of paying customers in marketing materials. This employee further warned that unless Hansen addressed the inflated customer data, he would continue to reveal the wrongful acts to NS8’s customers, investors, and interested parties. In response, according to the SEC, Hansen and NS8’s CEO restricted the employee’s access to internal IT systems and routinely monitored his laptop and email activities. The SEC found that these actions substantially interfered with his ability to communicate with the SEC about his concerns with the marketing materials.
Commissioner Peirce disagreed. In Commissioner Peirce’s view, Hansen’s actions “plainly” did not interfere with the employee’s ability to communicate with the Commission, because “[a]t most, these actions affected the content of what the NS8 Employee could communicate, not whether he could communicate.” Commissioner Peirce further noted that regulating and monitoring an employee’s access to company data is common practice, and the company’s actions were in furtherance of an important interest in data security in the presence of the employee’s threat of disclosure. The dissent thought the Commission “should not engage in an undisciplined interpretation and application of [the rule] that complicates a company’s ability to act to protect its data in the face of sweeping disclosure.”
The fact pattern presented by this case is one companies commonly confront: a purported whistleblower simultaneously threatens to disclose proprietary corporate information to regulators, which may be protected, including against retaliation, and to media organizations and third parties, which is usually not protected and violates corporate policies. The conflicting interpretations of Rule 21F-17(a) in the SEC’s order and Commissioner Peirce’s dissent do little to assist companies confronted with an employee’s threat to share information with both regulators and a non-government third party. While subsequent cases may further elucidate Rule 21F-17(a) and help answer the questions raised by Commissioner Peirce, companies will need to tread carefully in the meantime between avoiding impeding protected communications and legitimately preventing other disclosures.