Do I Have to Tell Employees About SEC Subpoena

There’s no legal requirement to announce an SEC subpoena to all employees. That’s the short answer. The SEC doesn’t require you to call a company-wide meeting and disclose that federal investigators are looking at your books. But here’s what will destroy you if you don’t understand it: there IS a legal requirement to preserve documents. And you can’t preserve documents without telling SOME employees. The question isn’t “do I have to tell” – it’s who do you have to tell, what do you tell them, and what can you absolutely never say.

That gap between “all employees” and “some employees” is where companies destroy themselves. Tell too few people and documents get deleted. Tell too many and you start rumors, witness coordination, and potential obstruction. Use the wrong language in your notification and you’ve just violated SEC Rule 21F-17, which prohibits impeding employees from communicating with the SEC. Companies have paid millions in penalties for language that merely APPEARED to discourage SEC communication – even when no employee was actually discouraged.

This is why the first 48 hours after receiving an SEC subpoena matter more than anything else. The decisions you make about who to tell and what to tell them will either protect you or create entirely new legal problems. Most companies get this wrong because they’re focused on the wrong question.

The Notification You Must Send

When your company receives an SEC subpoena, one thing is absolutely non-negotiable: you have to issue a litigation hold. Thats a formal instruction to preserve all documents that might be relevant to the investigation. You cant skip this. You cant delay it. The moment that subpoena arrives, your obligation to preserve evidence kicks in.

Heres the thing though. A litigation hold isn’t just a memo you file somewhere. It has to reach the people who have the documents. And thats were companies start making mistakes.

You need to notify IT to suspend automatic deletion of emails and files. You need to notify senior management. You need to notify employees who might have responsive documents – emails, texts, Slack messages, phone records, anything that could be relevant. But how do you know who has relevant documents? Sometimes you dont. Sometimes the subpoena is broad enough that “relevant” could mean half the company.

Theres no bright-line rule here. The SEC dosent tell you exactly who to notify. They just expect you to take “reasonable steps” to preserve documents. If documents get destroyed because you didn’t notify the right people, thats your problem. Courts can sanction you. Juries can be instructed to assume the destroyed documents were harmful to your case. And if the destruction looks intentional? Federal obstruction charges.

WARNING: The moment you receive a subpoena, your preservation duty begins. Every hour of delay in issuing a litigation hold is potential spoliation.

The Language That Will Get You Fined

OK so you’ve decided who to notify. Now heres were companies really destroy themselves – what they actually say in the notification.

SEC Rule 21F-17 makes it illegal to take any action that impedes employees from communicating directly with the SEC about possible securities violations. This includes “threatening to enforce” confidentiality agreements against employees who talk to regulators. It sounds simple but its not.

Look at what happened to KBR Inc. in 2015. This was the SECs first Rule 21F-17 enforcement action. KBRs confidentiality agreements required employees to get legal department approval before disclosing investigation-related information to any third party. The SEC said this violated Rule 21F-17 because it could discourage employees from reporting to the SEC.

Heres the kicker. There was no evidence that ANY KBR employee was actually deterred from contacting the SEC. Nobody complained. Nobody said “I wanted to report something but the confidentiality agreement stopped me.” Didn’t matter. The SEC still charged them because the language COULD have discouraged reporting.

Think about that. Your standard confidentiality agreements – the ones your legal team drafted years ago, the ones every employee signs – probably contain language that violates Rule 21F-17 right now. You can be fined for language that exists, even if nobody ever reads it or acts on it.

Brinks Company learned this in 2022. They required employees to sign agreements threatening liquidated damages if they disclosed information to third parties. No SEC exemption. $400,000 penalty. Activision Blizzard got hit with $35 million in 2023 for similar issues combined with workplace misconduct failures. These arent small companies making obvious mistakes. These are sophisticated organizations with large legal departments who didnt realize there agreements were problematic.

The September 2024 Wake-Up Call

If you think Rule 21F-17 enforcement is theoretical, look at what happened in September 2024. The SEC announced settled enforcement actions against seven public companies in a single day. All for Rule 21F-17 violations. All for language in there employment documents that MIGHT discourage SEC communication.

The companies: Acadia Healthcare, Brands Holding Corp, AppFolio, IDEX Corporation, LSB Industries, Smart for Life, and TransUnion. Penalties ranged from $19,500 to $1.3 million. Combined total over $3 million.

This wasnt a one-off. This was a coordinated sweep. The SEC Division of Enforcement has made Rule 21F-17 a priority. They’re actually reviewing employment agreements, confidentiality policies, separation agreements, onboarding documents – everything employees sign. Theyre looking for language that restricts communication with regulators. And when they find it, they charge you – wheather or not anyone was actually deterred.

And heres the thing that should really scare you. These seven companies weren’t being investigated for anything related to whistleblowing. They werent accused of retaliating against employees who reported to the SEC. The Rule 21F-17 violations were discovered as part of other investigations or examinations. The SEC staff are trained to look for this language now. They find it while there looking at something else entirely, and suddenly you have a whole new enforcement action.

Earlier in 2024, a registered broker-dealer and investment adviser paid $18 million – thats million with an M – for impeding clients and customers from reporting potential violations. This wasn’t about employees. This was about CUSTOMER agreements containing problematic language. The rule against impeding SEC communication applies to everyone, not just your workforce.

The message is clear. Review your documents now. Dont wait until you receive a subpoena. By then its to late – you’ve already created the liability. And dont just review employee agreements – look at customer agreements, vendor contracts, anything that might contain confidentiality language.

What You Cannot Say in a Litigation Hold

So your drafting your litigation hold notice. What can you NOT include?

• You cannot require employees to get company approval before talking to the SEC.
• You cannot threaten penalties if employees disclose information to regulators.
• You cannot require employees to notify the company if they receive SEC contact.
• You cannot include ANY language that could be interpreted as discouraging SEC communication.

This is tricky becuase most litigation holds focus on document preservation and confidentiality. Theyre designed to control information flow. But that same information-control language that feels natural to a lawyer can trigger Rule 21F-17.

Look at the NS8 case from 2022. The CIO, David Hansen, found out an employee had filed a SEC whistleblower tip. He didnt just fire the employee – he actualy accessed there personal accounts, including email passwords, to find there SEC correspondence. Then used what he found as justification for termination.

The SEC came down hard. Not becuase Hansen tried to stop the initial tip – the tip was already filed. But becuase his actions after the tip constituted impeding future communication and retaliation. The investigation and termination were themselves violations.

CRITICAL: Your litigation hold should explicitly state that employees are free to communicate with the SEC without company notification or approval. Include this language even if it feels counterintuitive.

The First 48 Hours Problem

After years of watching companies respond to SEC subpoenas, I can tell you this: the biggest mistakes happen in the first 48 hours. Panicked decisions. Rushed notifications. Poorly worded memos. These destroy cases.

Heres what actualy happens. The subpoena arrives. Someone in legal freaks out. Theres an immediate instinct to contain – limit who knows, limit what gets said, get control of the narrative. This instinct is completly wrong.

Limiting notification too much creates spoliation risk. Employees who dont know about the investigation keep deleting emails on there normal schedule. IT systems auto-purge files. By the time you realize the problem, documents are gone. And document destruction after recieving a subpoena – even accidental destruction – is obstruction.

But the opposite extreme is also dangerous. Telling everyone creates rumor mills. Employees start comparing notes, coordinating stories, speculating about who’s a target. Witnesses who should give independent testimony start aligning there accounts. Now you have potential witness tampering or obstruction of a different kind.

The answer isnt “tell everyone” or “tell no one.” The answer is careful, strategic notification with precisely worded communications that your counsel has reviewed for Rule 21F-17 compliance.

Who Actually Needs to Know

Let me break this down practicaly. Who actualy needs to know about an SEC subpoena?

Definately notify:

• Senior management (they need to know becuase strategic decisions are required)
• Board of Directors (governance obligations)
• IT department (they implement the preservation hold)
• Employees who have potentially responsive documents (they need to preserve)
• Outside counsel (obviously)

Maybe notify:

• Employees in the department being investigated (judgment call)
• HR (if employee interviews will be needed)
• Communications team (if public disclosure might be required)

Probably dont notify:

• All employees company-wide (unless investigation is company-wide)
• Employees with no connection to the subject matter
• Third parties unless subpoenaed directly

Heres the hidden trap: “employees who have potentially responsive documents” sounds specific but its actually incredibly broad. What if the investigation involves trading practices? Then anyone who trades or processes trades might have relevant documents. What if its about accounting? Then anyone who touches financial data. The scope can expand quickly.

The irony is that trying to limit notification – keeping things “need to know” – sounds smart but often creates the biggest problems. The employee you didnt notify is the one whose emails get auto-deleted. The department you didn’t include in the hold is the one with the key documents. Playing it to tight destroys cases.

The Document Destruction Trap

Lets talk about what happens when documents get destroyed. And I dont mean intentional destruction – im talking about the normal, everyday deletion that happens in every company.

Think about your own email habits for a second. You probly delete emails daily. You archive old messages, clear out your inbox, remove things you dont need anymore. Your company has retention policies – maybe 90 days, maybe a year, maybe longer – after which messages get automaticaly purged. Your phone company only keeps text messages for a limited time. Your Slack workspace ages out old conversations. This is all normal business practice. Its how modern companies operate.

Your email server probly auto-deletes messages after a certain period. Your IT system purges old files. Employees clear there inboxes. Phone companies recycle text message records. All of this is normal and legal – until theres a subpoena. Then every deletion becomes potential spoliation. Every auto-purge that happens after you know about the investigation can be characterized as destruction of evidence.

18 USC 1519 – part of the Sarbanes-Oxley Act – makes it a federal crime to destroy documents with intent to obstruct a federal investigation. Maximum penalty: 20 years in prison. This isnt a regulatory slap on the wrist. This is serious federal prison time.

And heres what makes it worse. The cover-up is almost always worse then the crime. Remember Martha Stewart? She didnt go to prison for insider trading. She went to prison for lying to investigators about allegations she was ultimately acquitted of. The underlying conduct might of been defensible. The lies and obstruction werent.

Ive seen companies were the original SEC inquiry would of resulted in minor penalties – maybe a fine, maybe some remedial measures. But becuase documents were destroyed after the subpoena arrived, the case became about obstruction instead of the original violations. People who might of walked away with civil penalties ended up facing criminal charges becuase they panicked in the first 48 hours.

This is why proper notification matters so much. You cant preserve documents if the people who have them dont know theres an investigation. Every employee you dont notify is a potential source of spoliation.

The Public Disclosure Question

One more thing to address: do you have to publicly disclose the SEC subpoena?

For most companies, theres no automatic requirement to disclose that your under SEC investigation. The SEC investigations themselves are typically non-public – the SEC doesn’t announce that your being investigated. And courts have held that issuers dont have a general duty to disclose SEC investigations in there SEC filings.

But that can change. If the investigation is material to your business, disclosure may be required. If the investigation progresses to a Wells notice (the SECs way of saying they plan to recommend enforcement action), disclosure considerations change. If you’re a registered representative or public company officer, you may have personal disclosure obligations through Form U4 or other filings.

The point is: internal notification to employees and public disclosure to investors are completely seperate questions with different rules. Dont confuse them. And dont assume that because you dont have to disclose publicly, you dont have to notify anyone internally.

The Answer Isn’t Simple

So do you have to tell employees about an SEC subpoena? The answer is yes to some, no to all, and extremely careful about what.

You must issue a litigation hold to employees with potentially relevant documents. You must notify IT to stop automatic deletions. You must inform senior management and the board. But you dont have to announce it company-wide, and you definitely shouldn’t use language that could be interpreted as discouraging SEC communication.

Your standard confidentiality agreements probly need review. The language you’ve been using for years might violate Rule 21F-17 without you knowing it. September 2024 proved the SEC is actively looking for these violations.

The first 48 hours matter enormously. Get counsel involved immediately. Dont make panicked decisions about notification. Dont use boilerplate language without having it reviewed. The mistakes you make in those first two days can transform a managable regulatory matter into criminal obstruction charges.

Get a lawyer. Before you send anything.