Disclosure Controls and Whistleblower Provisions Remain a Priority: What Activision Blizzard’s $35 Million Workplace Misconduct and Whistleblower Protection Settlement Means for Issuers

The SEC’s Factual Findings

Activision (Nasdaq: ATVI) is one of the world’s largest video game development and publishing companies, employing over 9,500 individuals worldwide through multiple business units.

In its Form 10-K filings for the fiscal years ending in 2017 through 2020, Activision disclosed that “[o]ur success depends to a significant extent on our ability to identify, attract, hire, retain, motivate, and utilize the abilities of qualified personnel . . .” The SEC’s order alleges that, despite highlighting this risk to its business in its public filings, Activision failed to implement disclosure controls and procedures designed to ensure that it captured and assessed information related to these risk factors, including controls and procedures among its separate business units to collect and analyze workplace misconduct. Further, while Activision required individual business unit leaders to report certain categories of potentially material information to the company’s disclosure committee, the SEC’s order explains that these categories did not include information relevant to the company’s ability to retain employees, such as employee complaints or incidents of workplace misconduct. As a result, this information was not accessible to Activision’s senior management or disclosure committee and was not assessed for disclosure or related risks.

The Commission also found that Activision violated a Dodd-Frank whistleblower provision by entering into separation agreements with employees that required the separated employee to provide notice to the company if they received a request for information from the Commission’s staff.

A Continued Focus on Disclosure Controls and Procedures

Exchange Act Rule 13a-15(a) requires issuers under Section 12 of the Exchange Act to maintain disclosure controls and procedures. Defined in Rule 13a-15(e), disclosure controls and procedures must be designed to ensure that the information required to be disclosed by the issuer in the reports it files or submits under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified by the Commission’s rules and forms. The rule further explains that the procedures must ensure that such information is “accumulated and communicated to the issuer’s management” to allow for timely decisions regarding the disclosures. Issuers are obligated to implement communication channels that cover a broader range of information than simply that related to financial reporting so that disclosure personnel can properly and fully assess the disclosure of relevant developments and risks relating to the issuer’s business.²

Here, Activision notified investors in its Form 10-K filings that “attract[ing], retain[ing], and motivat[ing] skilled personnel…” was a risk to its business. Nonetheless, the SEC found that Activision’s internal controls were inadequate in tracking and communicating the extent of this risk to its management and disclosure personnel across the multiple business units. While the order acknowledges that Activision has since implemented several company-wide structural changes and policies to enhance the manner in which employee complaints are required to be documented, maintained, and communicated to company senior management and disclosure personnel, the SEC nonetheless found that Activision violated Rule 13a-15(a) and, together with the whistleblower violation, ordered Activision to pay a $35 million penalty.

Notification Provisions a Prima Facie Violation of Whistleblower Protections

The SEC adopted Exchange Act Rule 21F-17 as part of the Dodd-Frank whistleblower protections in 2011. Rule 21F-17 states that “[n]o person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation….” Since its enactment, the SEC has brought multiple actions charging companies with violations through the use of employment, separation, confidentiality, or other agreements that can be seen as “impeding” potential whistleblowers through notification or other provisions.

Here, the separation agreement used by Activision required a departing employee to “notify [Activision] of a disclosure obligation or request within one business day after [he or she] learn[ed] of it….” The SEC’s Order explains that requiring an employee to notify Activision of his or her communication with the SEC could deter or discourage the employee from reporting misconduct. The SEC took this position despite language in the separation agreement that expressly stated, “Nothing in this Release prevents me from … communicating or filing a charge with government or regulatory entities (such as … the Securities and Exchange Commission).”

And even though the SEC’s order states that it is not aware of any “specific instances” in which a former Activision employee was prevented from communicating with Commission staff about potential violations of the federal securities laws, or of any instances in which Activision took action to enforce the notification clause or otherwise prevent such communications, the company was charged with violating Exchange Act Rule 21F-17(a).

Takeaways for Companies and Counsel

Cases like Activision continue to evidence the Commission’s willingness to charge companies for rule violations even where no harm or fraud is alleged. Here there is no allegation of any material disruption to Activision’s business or any material omission in its disclosures caused by the allegedly insufficient controls and procedures around the workplace complaints. Similarly the SEC acknowledged that it was not aware of any instances where an Activision employee was prevented from communicating with Commission staff. And yet, Activision was charged with violations of the rules relating to disclosure controls and procedures and whistleblower protection and ordered to pay a $35 million penalty.

Commissioner Peirce filed a public statement on Activision, stating “I dissent because the Order does not articulate any securities law violations.” Commissioner Peirce adds that “[the] Commission alleges no fraud, misrepresentations, omissions, or investor harm.” Regarding the disclosure controls violation, Commissioner Peirce notes that nowhere does the Order allege that Activision’s disclosure related to its workforce was misleading, nor does the Order make a clear connection between the workplace complaints and any effect they may have had on Activision’s ability to maintain its workforce.

With the rise of ESG commitments, public companies have become quite familiar with SEC scrutiny, along with the risks of shareholder litigation, associated with generic, overbroad representations regarding “S” components of their disclosures, such as promoting a “zero tolerance” policy for workplace misconduct. With its Activision settlement, the SEC adds another layer of complexity to the issue — not only must a company confirm its public disclosures are entirely accurate, but also, it must be in a position to affirmatively demonstrate it implemented adequate controls in making such a confirmation. With respect to workplace misconduct, this may require employers to re-evaluate internal procedures for processing employment complaints. Traditionally, complaints of this nature are received, reviewed, and addressed by a limited universe of individuals within the company — typically human resources professionals and appropriate members of management, as needed. Despite customary policies of maintaining a high degree of confidentiality with respect to workplace complaints, public companies making disclosures associated with workforce stability must now consider what information should be shared, and how to share such information, with those responsible for preparing and making public disclosures.

Moreover, this settlement provides another reminder to employers that the SEC — and other government agencies — may broadly construe language used in separation agreements, and other agreements entered into with employees, as having a prohibited chilling effect on legally protected activity. Indeed, Activision’s separation agreement explicitly included part of the “carve-out” language quoted in the SEC’s order in In the matter of KBR, Inc., the Commission’s first case enforcing Rule 12F-17³ — affirmatively stating that nothing in the agreement prevented the employee from communicating with government agencies “such as … the Securities and Exchange Commission.” Yet, because it also contained the fatal language requiring a report to the Company of an agency disclosure request, Activision was charged with violations of the Rule. These SEC interpretations are reminiscent of the position taken by the Equal Employment Opportunity Commission in its 2014 lawsuit against CVS Pharmacy, Inc., which targeted, among other language, a clause in CVS’s severance agreements that required the employee to “promptly notify the Company’s General Counsel by telephone and in writing” of contacts relating to legal proceedings including an “administrative investigation” by “any investigator, attorney or any other third party….” The Activision settlement reaffirms these agency positions, and puts employers on notice that they should carefully scrutinize language used in employee separation agreements to ensure there is no potential for unlawful interference claims by government agencies.

¹ Press Release, Sec. & Exch. Comm’n, Activision Blizzard to Pay $35 Million for Failing to Maintain Disclosure Controls Related to Complaints of Workplace Misconduct and Violating Whistleblower Protection (Feb. 3, 2023), https://www.sec.gov/news/press-release/2023-22?utm_medium=email&utm_source=govdelivery.

² Order at 3.

³ See In the matter of KBR, Inc. Order at 3 (https://www.sec.gov/litigation/admin/2015/34-74619.pdf) (“Remedial Steps Taken By KBR” “KBR has amended its confidentiality statement to include the following statement: Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the Securities and Exchange Commission . . . or making other disclosures that are protected under the whistleblower provisions of federal law or regulation. I do not need the prior authorization of the Law Department to make any such reports or disclosures and I am not required to notify the company that I have made such reports or disclosures.”).