Alleged workplace misconduct—and the obligation to collect information and report up about it—rears its head again in yet another case, this time involving Activision Blizzard, Inc. Just last month, in In re McDonald’s Corporation, the former “Chief People Officer” of McDonald’s Corporation was alleged to have breached his fiduciary duty of oversight by consciously ignoring red flags about sexual harassment and misconduct in the workplace. According to the court in that case, the defendant “had an obligation to make a good faith effort to put in place reasonable information systems so that he obtained the information necessary to do his job and report to the CEO and the board, and he could not consciously ignore red flags indicating that the corporation was going to suffer harm.” (See this PubCo post.) Now, the SEC has issued an Order in connection with a settled action alleging that Activision Blizzard, Inc., a videogame developer and publisher, violated the Exchange Act’s disclosure controls rule because it “lacked controls and procedures designed to ensure that information related to employee complaints of workplace misconduct would be communicated to Activision Blizzard’s disclosure personnel to allow for timely assessment on its disclosures.” In addition, the SEC alleged that the company violated the whistleblower protection rules by requiring, in separation agreements, that former employees “notify the company if they received a request from a government administrative agency in connection with a report or complaint.” As a result, Activision Blizzard agreed to pay a $35 million civil penalty. These cases suggest that company actions (or lack thereof) around workplace misconduct and information gathering and reporting about it have resonance far beyond employment law. It’s also noteworthy that this Order represents yet another case (see this PubCo post) where a “control failure” is a lever used by SEC Enforcement to bring charges against a company notwithstanding the absence of any specific allegations of material misrepresentation or misleading disclosure, a point underscored by Commissioner Hester Peirce in her dissenting statement, discussed below.
Disclosure controls and procedures. Rule 13a-15(a) requires public companies to maintain disclosure controls and procedures: that is, controls and procedures “designed to ensure that information required to be disclosed by an issuer in the reports that it files or submits under the [Exchange] Act is accumulated and communicated to the issuer’s management . . . to allow timely decisions regarding required disclosure.” In the absence of effective disclosure controls and procedures, the underlying theory is, management may not have sufficient information to judge whether its public disclosures are accurate, complete and not misleading.
According to the SEC’s Order, the company included in its Forms 10-K for the years 2017 through 2020 risk factors that emphasized the importance to its business of attracting, retaining and motivating skilled personnel, especially in light of the competitive recruiting characteristic of the industry. Similar cautionary language appeared in company Forms 10-Q throughout the period. However, the SEC alleged, the company lacked the “controls and procedures designed to ensure that it captured and assessed—from a disclosure perspective—certain information related to these risk factors. This included lacking controls and procedures among its separate business units designed to collect or analyze employee complaints of workplace misconduct.” Although the company did have in place controls requiring business unit leaders to report to a Disclosure Committee about “certain categories of potentially material information,” those “categories did not include information relevant to Activision Blizzard’s ability to retain employees, such as employee complaints or incidents of workplace misconduct.” As a result, the Order alleged, management and disclosure personnel “did not have sufficient information to understand the volume and substance of employee complaints of workplace misconduct, [or] to assess related risks to the company’s business, whether material issues existed that warranted disclosure to investors,” or whether any of the disclosures the company did make were accurate and complete. Between May 2020 and May 2022, the Order stated, the company did implement “structural changes and policies” that enhanced reporting of employee complaints to senior management and disclosure personnel. The SEC did not allege that any particular statement was materially inaccurate or misleading.
Whistleblower protection rules. Section 21F of the Exchange Act, “Whistleblower Incentives and Protection,” provides that “[n]o person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.” Beginning in 2016, the company’s template separation agreements with departing employees provided that former employees must notify the company of any requests from an administrative agency in connection with a report or complaint. More specifically, the provision permitted the former employees to make “truthful representations in connection with a report or complaint to an administrative agency (but only if [the employee] notif[ies] the Company of a disclosure obligation or request within one business day after[the employee] learn[s] of it and permit[s] the Company to take all steps it deems to be appropriate to prevent or limit the required disclosure).” In 2022, the company removed that language. Many of the agreements also stated that “[n]othing in this Release prevents me from . . . giving truthful testimony, or truthfully responding to a valid subpoena, or communicating or filing a charge with government or regulatory entities (such as the Equal Employment Opportunity Commission, National Labor Relations Board, Department of Labor, or Securities and Exchange Commission).” Although the SEC stated that it was “not aware of any specific instances in which a former Activision Blizzard employee was prevented from communicating with Commission staff about potential violations of securities laws or in which Activision Blizzard took action to enforce the notification clause or otherwise prevent such communications,” the SEC nevertheless concluded that the language in the agreements “undermines the purpose of Section 21F and Rule 21F-17(a) to ‘encourag[e] individuals to report to the Commission.’”
The SEC determined that Activision Blizzard had violated the disclosure controls and procedures provision of Exchange Act Rule 13a-15(a), as well as the whistleblower protection provisions of Exchange Act Rule 21F-17(a). As a result, Activision Blizzard was required to pay a civil monetary penalty of $35 million.
Peirce dissenting statement. As noted above, Commissioner Peirce dissented from the decision “because the Order does not articulate any securities law violations.” According to Peirce, the SEC “alleges no fraud, misrepresentations, omissions, or investor harm. The settled enforcement action comes in the wake of public reports of rampant workplace misconduct at Activision Blizzard, which the Commission believes was not adequately tracked and reported to the people within the company responsible for SEC disclosures.” She noted that the SEC also charged the company with “undermin[ing] the purpose of Section 21F and Rule 21F-17(a) to ‘encourag[e] individuals to report to the Commission.’” She disagreed on both charges.
While she viewed the reports of widespread workplace harassment, if accurate, to be “deeply concerning,” it was, she observed, not the SEC’s concern. In her view, the SEC’s Order “contorts the securities laws to reach for a nexus, but never fully makes the connection.” As she interpreted the Order, the SEC considered the company’s risk factor regarding the importance of recruiting and retention of skilled personnel to require “the company to ‘collect or analyze employee complaints of workplace misconduct.’” Peirce read the rule to require disclosure controls and procedures to apply only to “information that is required to be disclosed.” However, she observed, in the Order, the SEC indicates that the required disclosure controls and procedures must also capture “an additional, vaguely defined category—information ‘relevant’ to a company’s determination about whether a risk or other issue reaches the threshold where it is ‘required to be disclosed.’”
Quoting from the relevant risk factor, Peirce emphasized that the “Order nowhere claims that this disclosure was misleading, either by affirmative misstatement or by omission”; rather, the Order faults the company for lacking controls and failing to provide workplace misconduct-related information to management and the board. But was that data, among a multitude of factors, relevant to the disclosure regarding recruiting and retaining the workforce? The Order, she noted, did not “allege that workplace misconduct was in fact affecting worker retention and recruitment during the relevant time period.” If it had been relevant, she suggests, you would expect the SEC to have determined that the disclosure was incomplete and misleading. But there was no such charge.
Significantly, she saw no boundaries to the Order:
“It is also difficult to see where the logic of this Order stops. When the SEC gets this granular, the limits are not clear. If workplace misconduct must be reported to the disclosure committee, so too must changes in any number of workplace amenities and workplace requirements, and so too must any multitude of factors relevant to other risk factors. The requirement cannot be that a company’s disclosure controls and procedures must capture potentially relevant, but ultimately—for purposes of disclosure—unimportant information. As I read it, in this Order, the SEC once again has sat down at the gaming console to play its new favorite game ‘Corporate Manager.’ Using disclosure controls and procedures as its tool, it seeks to nudge companies to manage themselves according to the metrics the SEC finds interesting at the moment. For Activision Blizzard, today, that metric is workplace misconduct statistics, but other issues will follow. In this level of the enforcement game, the SEC has added $35,000,000 to its point total despite the Order not identifying any investor harm. For companies, though, setting up internal data tracking systems with an eye toward placating the SEC is not a game. It may distract management from collecting the data it actually needs to provide material information to investors and impose additional, unnecessary costs on investors who will not benefit from the company’s collection of data points that the SEC highlights, but are not necessary for good disclosure at the particular company.”
Peirce also thought the Order “strain[ed] to read a violation into Activision Blizzard’s separation agreements,” but did not explain the violation—how communication was actually impeded. Although the separation agreements expressly stated that there was no prohibition on truthful representations to administrative agencies, she said, the Order treats the qualification to notify the company as sufficient to violate Rule 21F-17. Peirce, though, did “not believe that this is a fair reading of the separation agreement.” How did that provision impede former employees from communicating with the SEC? The Order itself acknowledges that, to the SEC’s knowledge, there were no instances of Activision Blizzard’s attempting to enforce the notice requirement or of former employees who were prevented from communicating with SEC staff. In her view, “even if it were enforced, the notice requirement does not impede communication with the Commission for purposes of Rule 21F-17 because the requirement is about communications with the company, not communications with the Commission.” Peirce did not believe that Rule 21F-17, “prohibit[ed] all actions that ‘undermine’ the statutory purpose by possibly discouraging reporting to the Commission; it prohibits taking actions to impede communications with the Commission. If we are to find a company in violation of a rule, we at least ought to articulate clearly both what conduct violated the rule and how it did so.”
For more information about securities litigation, see the Cooley Securities Litigation + Enforcement blog.