Trade Secrets

When a Confidentiality Clause Becomes a Federal Violation: The SEC's $18 Million J.P. Morgan Whistleblower Order

The SEC's largest stand-alone Rule 21F-17(a) settlement turned a routine settlement-release clause into an enforcement event, showing that NDAs are now read for what they silence, not just what they protect.

A standard confidentiality release became the basis for an $18 million federal penalty. Shutterstock
Educational content, not legal advice. This article explains general legal concepts. It does not create an attorney–client relationship. For your specific situation, consult a licensed attorney.

In the Matter of J.P. Morgan Securities LLC, Administrative Proceeding File No. 3-21829, Securities Exchange Act Release No. 34-99344 (Jan. 16, 2024), is a deceptively small case with outsized consequences for anyone who drafts non-disclosure and confidentiality agreements. The Securities and Exchange Commission, acting through a settled administrative order rather than a litigated opinion, found that J.P. Morgan Securities LLC (“JPMS”) had violated Rule 21F-17(a) of the Securities Exchange Act of 1934 by asking retail brokerage customers and advisory clients to sign confidential release agreements that, on their face, impeded those clients from voluntarily reporting possible securities-law violations to the Commission. JPMS agreed to a censure, a cease-and-desist order, and an $18 million civil penalty — the largest penalty the SEC had ever imposed in a stand-alone Rule 21F-17 enforcement action. The conduct at issue ran from March 2020 through July 2023.

For a publication focused on trade secrets and confidentiality, the order matters precisely because it does not involve a misappropriation, a leak, or a competitor. It involves ordinary, defensively drafted confidentiality language — the kind that appears in settlement releases, employment separation agreements, and NDAs every day. The lesson is that a confidentiality clause is no longer evaluated solely by what it protects. It is also evaluated by what it forecloses, and a clause that forecloses contact with a regulator can convert a private contract into a public violation.

At a glance

  • Respondent: J.P. Morgan Securities LLC, a registered broker-dealer and investment adviser.
  • Forum and instrument: Settled SEC administrative proceeding; order instituting proceedings and imposing remedial sanctions, File No. 3-21829, Release No. 34-99344, dated January 16, 2024.
  • Rule violated: Exchange Act Rule 21F-17(a), which prohibits any action to impede an individual from communicating directly with SEC staff about a possible securities-law violation, “including enforcing, or threatening to enforce, a confidentiality agreement.”
  • Conduct: From March 2020 to July 2023, JPMS asked retail clients who received a credit or settlement of more than $1,000 to sign a confidential release. The release required the client to keep confidential the settlement, the underlying facts, and information relating to the account. It permitted clients to respond to inquiries from FINRA, the SEC, or other regulators, but it did not affirmatively permit clients to initiate voluntary contact with the SEC.
  • Outcome: Censure, cease-and-desist order, and an $18 million civil penalty; JPMS neither admitted nor denied the findings.
  • Significance: The Commission applied Rule 21F-17 to customer and client agreements — not just employee agreements — and treated the existence of restrictive language as the violation, without any allegation that a single whistleblower was actually silenced.

NDAs as both shield and liability: the dual nature of confidentiality language

Trade-secret practitioners are accustomed to thinking of NDAs and confidentiality agreements as protective instruments. Under the Defend Trade Secrets Act and the Uniform Trade Secrets Act, the existence of confidentiality agreements is itself evidence of the “reasonable measures” required to maintain secret status. An NDA is, in that sense, doubly useful: it both deters disclosure and supplies an independent contract claim that runs alongside (and is often easier to prove than) a misappropriation claim. The reflex of the careful drafter is therefore to make confidentiality obligations broad, durable, and comprehensive.

The J.P. Morgan order is a warning that this reflex now carries regulatory risk. The very breadth that strengthens a secrecy program — sweeping definitions of “confidential information,” prohibitions on “disclosure to any person,” and durations that extend indefinitely — is the breadth that the SEC reads as impeding protected communications. The JPMS release did not say “you may not talk to the SEC.” It said the client must keep confidential “the settlement, all underlying facts relating to the settlement, and all information relating to the account.” That is standard release language. But because “all underlying facts” plausibly includes facts a whistleblower would report, and because the carve-out permitted only responsive communications with regulators rather than voluntary ones, the Commission concluded the clause impeded reporting.

The structural point is that the two functions of an NDA — protecting secrets and supplying an enforceable contract right — are now in tension with a third constraint: the floor that federal whistleblower law places under every confidentiality obligation. A clause can be a perfectly good secrecy measure and a perfectly good contract claim and still be unlawful, because the question Rule 21F-17 asks is orthogonal to both. It does not ask whether the information is genuinely confidential or whether the parties agreed. It asks whether the language could deter someone from picking up the phone and calling the SEC.

Overbreadth and the “responsive versus voluntary” trap

The most transferable doctrinal lesson concerns the difference between permitting responsive communications and permitting voluntary ones. Many drafters believed they had cured whistleblower concerns by adding a carve-out allowing the signatory to “respond to lawful subpoenas” or “cooperate with any government inquiry.” JPMS’s agreement contained exactly that sort of permission. The SEC’s order makes clear that this is not enough. A carve-out limited to responding to inquiries leaves the signatory unable to initiate contact — and initiation is the paradigmatic whistleblower act. The rule protects the person who decides, unprompted, to walk into the regulator’s office. A clause that lets you answer questions only if the SEC happens to find you first does not protect that person at all.

This reframes the overbreadth inquiry. In ordinary contract law, overbreadth is about scope and duration: a confidentiality covenant that lasts forever, or that sweeps in publicly available information, may be unenforceable as a restraint or simply fail for lack of a protectable interest. The Rule 21F-17 inquiry overlays a different kind of overbreadth — definitional overbreadth measured against a single protected activity. A two-year, narrowly tailored NDA can violate Rule 21F-17 if it lacks an affirmative, voluntary-reporting carve-out, while a longer agreement with the right carve-out may be fine. Duration and subject-matter tailoring, the traditional levers, are necessary but not sufficient. The new lever is an express savings clause confirming that nothing in the agreement limits the signatory’s right to voluntarily report possible violations to, or receive an award from, any government agency.

The SEC’s prophylactic theory: language alone is the violation

The feature of the order that should most alarm drafters is what the SEC did not need to prove. There was no allegation that any client was actually deterred, that JPMS ever enforced or threatened to enforce the clause against a would-be whistleblower, or that the Commission lost a tip it would otherwise have received. The violation was the existence of the language. Commentators analyzing the SEC’s broader 2024 enforcement wave have described this as a prophylactic standard: the agency’s position is that “language in an agreement alone, even without threat of enforcement or actual enforcement, creates an impediment.” In the seven settled actions the SEC announced on September 9, 2024, against public companies for similar provisions, the orders expressly noted that the Commission found “no instances in which the company took action to enforce the provisions at issue.” The provisions were enough.

That theory is significant for two reasons. First, it eliminates the usual defense that a clause is harmless because nobody was hurt by it. Under a prophylactic reading, harm is presumed from chilling potential, and chilling potential is presumed from text. Second, it dramatically lowers the SEC’s investigative burden. The agency does not need a complaining witness; it needs only a copy of the form agreement. That makes confidentiality language a self-executing source of exposure that surfaces in routine examinations, in the production of standard customer forms, and in the boilerplate of separation agreements — which is precisely why the J.P. Morgan order reached customer releases rather than the employee NDAs that had been the rule’s traditional target.

Open questions

The order resolves an enforcement posture but leaves real uncertainty. Because it is a settled order in which JPMS neither admitted nor denied the findings, it has no precedential weight and would not bind a court if the theory were litigated. Several questions remain genuinely open. First, would a federal court agree that facially restrictive language, with no enforcement and no identified deterred whistleblower, constitutes an “action to impede” within the meaning of Rule 21F-17(a)? The statutory verb “impede” arguably implies effect, and the prophylactic reading has not been tested in a contested proceeding. Second, how broad is the rule’s reach beyond securities? The SEC’s logic — confidentiality language that omits a voluntary-reporting carve-out is unlawful — has analogues at the CFTC and in other agencies’ whistleblower regimes, but the boundaries are unmapped. Third, does a robust savings clause fully immunize an otherwise broad agreement, or will the SEC scrutinize whether the carve-out is sufficiently prominent and unambiguous relative to the surrounding restrictions? The order rewards an express carve-out without defining how conspicuous it must be.

Implications

  • Audit every confidentiality template, not just employment agreements. Customer releases, settlement agreements, separation agreements, vendor NDAs, and investor side letters all fall within the SEC’s reach. The trade-secret-protective NDA is now part of the same compliance perimeter.
  • Convert “responsive” carve-outs into “voluntary” carve-outs. Add explicit language confirming that nothing in the agreement prevents the signatory from voluntarily communicating with, or reporting possible violations to, any government or regulatory authority, or from receiving a whistleblower award — and that the signatory need not notify the company first.
  • Do not rely on the absence of enforcement as a defense. Under the SEC’s prophylactic theory, the unremedied language is itself the violation; a clean enforcement history will not help.
  • Preserve the secrecy function while adding the carve-out. A whistleblower savings clause does not waive trade-secret protection or excuse misappropriation; it carves out only protected reporting. The NDA continues to serve as a reasonable secrecy measure and as an independent contract claim.
  • Treat form-agreement remediation as time-sensitive. Because violations surface from documents alone in routine exams, outdated boilerplate is a standing liability that compounds with every new signatory.

Frequently asked questions

Does this order mean broad confidentiality agreements are unenforceable? No. The order does not hold that the agreements are void or unenforceable as a matter of contract law. It holds that, by failing to permit voluntary regulatory reporting, the language violated a federal whistleblower-protection rule and exposed the firm to civil penalties. An NDA can remain enforceable between the parties and still trigger Rule 21F-17 liability; the two questions are independent.

Will a whistleblower carve-out weaken my trade-secret protection? It should not. A properly drafted carve-out exempts only protected disclosures to government authorities — not disclosures to competitors, the press, or the public. The agreement’s core secrecy obligations, and its value as evidence of “reasonable measures” to maintain secrecy and as an independent breach-of-contract claim, remain intact.

Did the SEC have to show that a whistleblower was actually silenced? No. The Commission did not allege that any client was deterred or that JPMS ever enforced the clause. Its theory is that restrictive language alone impedes potential whistleblowers. That prophylactic approach has not yet been tested in contested litigation, so its ultimate validity in court remains uncertain — but it is the SEC’s operative enforcement standard.

Authorities and sources