- A former SAP account manager is breaking her NDA to speak out about a workplace sexual assault.
- Nondisclosure agreements are often used to silence employees following claims of workplace abuse.
- The use of NDAs has now expanded from employers to insurance providers.
By March of 2020, Ashley Kostial thought she'd been through the worst of it. She'd worked through months of intensive treatment for post-traumatic stress and was focused on managing her mental health and landing a new job.
It had been nearly a year since Kostial reported being raped by a colleague during a work trip for a subsidiary of the global enterprise software firm, SAP. She'd met him for the first time in May 2019, when she was an account manager, as they prepared for a sales meeting in Plano, Texas. Afterward, they got drinks at the Marriott hotel bar. The last thing Kostial remembered from that night, she later told a police detective, was getting into the elevator with him.
Her account of what happened next is based on interviews, a forensic exam, and a police report.
The next morning, Kostial woke up in a panic, fearing she'd missed her flight, only to find scratches on her body and her bra and underwear ripped. Disoriented, she walked into the bathroom and saw her colleague's credit card on the white shag carpet. She looked at her phone and realized that around 2 a.m., she'd called her then-girlfriend repeatedly, in what dawned on her were frantic cries for help.
Only later, after rushing to the airport, did another memory come back, she told police: her colleague on top of her on the hotel bed.
Surveillance footage showed her exiting the hotel elevator with her colleague that night; a rape exam conducted after she flew back home documented bruising on her shoulder, arm, and thigh, and abrasions on her pelvis.
Kostial recounted what she could piece together about that night to police in Plano, where the incident took place, and in Phoenix, where she lived. She cooperated with an HR investigation by SAP. All that was left was to sit through a grueling all-day mediation to reach a settlement agreement that would both end her employment with Ariba, the SAP subsidiary, and gag her from ever speaking about the most traumatic day of her life.
That's when the men with cameras started showing up. Men, parked outside of her house, who she came to suspect were representatives of her employer-sponsored disability insurance provider, Aetna.
Unable to work and consumed by her recovery, Kostial had filed for long-term disability care as she grappled with symptoms of PTSD that her psychologist attributed to the sexual assault. In a letter to Aetna, her psychologist had written that Kostial was experiencing insomnia, depression, emotional turmoil, dissociation, and intrusive thoughts, and she had been unable to return to work "due to clinically significant symptoms and major impairment to occupational and social functioning."
Aetna denied her claim.
It was in March 2020, after Kostial fought back, appealing Aetna's decision, that the men showed up. Kostial would spot them, or her security camera would, so often that she began to wonder whether she could take her dog for a walk without being followed. Her attorney, Brad Schleier, would later tell her it wasn't unusual for insurance companies to monitor people appealing denials. (Schleier declined to comment.)
"It was harder than the initial assault," Kostial said of being stalked. She started carrying a knife.
The men only disappeared after Aetna denied her appeal. In a lengthy phone call with Aetna, her psychologist described the details of her assault and the array of trauma symptoms that still persisted. But Aetna's representative was not swayed.
"Psychological complaints themselves are not sufficient in determining functional impairment," she wrote. A week later, in April 2020, Aetna issued its formal denial.
Kostial turned to an option of last resort, hiring Schleier to file a lawsuit alleging she'd been wrongfully denied coverage.
By the time Schleier called her with Aetna's settlement offer, in June 2021, she hadn't received a paycheck from SAP in almost two years. She was exhausted and broke, facing mounting medical bills. The offer, after attorney's fees, amounted to just a few months of her old salary — and it came with another non-disclosure agreement.
Like so many in her situation, Kostial took the money and signed.
The pair of NDAs weighed heavily on her. Her agreement with SAP specified damages of up to $20,000 "for each occurrence of a breach of this confidentiality provision," a terrifying prospect while she was out of work. The NDA with Aetna allowed the insurer to claw back the settlement money she needed to pay her mortgage, and it didn't cap the amount of additional damages the firm could seek if she broke it.
"It feels like you're wearing this bomb that's strapped to you, which could detonate at any time if you speak up," she said.
An effort to hide insurance settlements
NDAs have become ubiquitous in the workplace. The secrecy pacts, originally designed to protect sensitive intellectual property from being shared, are also used by companies to silence employees following allegations of sexual harassment, racial discrimination, and other workplace misconduct.
When Kostial entered into one with Aetna, she became one of an untold number of Americans who have agreed to NDAs in another context altogether: to hide settlement terms with an insurance provider in the wake of a coverage dispute.
The Aetna NDA only silenced her about the terms of her settlement, not the sexual assault. She remembers being stunned that she would have to sign a second NDA.
Initially, Kostial planned to return to her job at SAP once she was cleared to work again. Before the assault, she had loved working for the company, she said, and envisioned a long career with the firm. But then SAP's HR officer alerted Kostial to the results of the firm's investigation. SAP found that her colleague's conduct was "contrary" to company policy and that he "exhibited poor judgment," an email message shows, yet he would be allowed to continue working for SAP.
"That's when I knew that I couldn't work there anymore," Kostial said.
SAP and Aetna, through spokespeople, declined to comment on Kostial's case or answer questions about their use of NDAs, such as whether they remain standard practice today.
BI documented the spread of these enforced secrecy pacts in the tech industry in 2021, finding that tech companies both large and small routinely deploy NDAs in all sorts of situations, from protecting intellectual property to restricting discussion of workplace misconduct. BI reported Kostial's story then but referred to her by a pseudonym, Kira. She's decided to risk coming forward now because she views the NDAs she signed as unjust — and would like to see the use of NDAs ended for other victims of sexual assault.
At BI's request, seven employment attorneys and scholars reviewed Kostial's settlement with Aetna. Several said that while it's common for health insurance firms to include NDAs in settlement agreements as a way to maintain negotiating leverage with other insured members, there is no way to know exactly how many are reached. That's because most NDAs are subject to mandatory arbitration, a private process that creates minimal publicly available records.
"Disability insurance has a lot of leverage in these situations. The insured typically doesn't have any income," said Nina Wasow, an attorney in Berkeley, California, who often represents clients with disability claims. "It's in their best interest not to have people be well-informed about what the marketplace is for the disability settlements. They don't want people talking about how crappy they are."
Collecting data on the prevalence of NDAs is nearly impossible, legal experts said, as companies can use multiple statutes to go after breaches and the vast majority of individuals who sign such agreements never disclose them publicly.
A lack of data on the spread of NDAs
Even as NDAs have spread into more and more sectors, how often they're enforced has remained a mystery. In 2022, Congress passed the Speak Out Act, which bans the use of NDAs that were signed before the dispute arises, typically in employment agreements completed on the first day of an employee's new job, to gag victims of sexual abuse. But the law doesn't prevent NDAs in settlements reached after the fact, such as the one Kostial signed.
Judges in California and New York have historically refused to enforce NDAs, legal scholars said. New state laws in Maryland, New Jersey, New Mexico and elsewhere have further limited their use in settlements where sexual harassment or discrimination in the workplace was alleged, based on where the employee lives. But Arizona, where Kostial was living at the time she was assaulted, doesn't prohibit NDAs in workplace settlements.
"Under some state laws, her employer would not be able to enforce an NDA against her for speaking out about this situation," said Jodi Short, a law professor at the University of California College of the Law, San Francisco, who has studied NDAs. "It seems odd that an insurer would be able to."
While the National Labor Relations Board keeps statistics on complaints related to noncompete agreements, the agency doesn't track how often companies pursue employees for violating the terms of an NDA. In a sample of more than 100 state and federal court records containing the words "nondisclosure" and "sexual harassment" reviewed by BI, none had to do with the enforcement of NDAs.
Several experts who study NDAs, including Evan Starr of the University of Maryland's business school, who co-authored a 2022 white paper examining the spread of NDAs in the workplace, told BI that their primary purpose is to intimidate signatories from speaking publicly about something that could embarrass the company.
Kostial experienced a form of this intimidation recently.
Soon after BI sought comment on her case from Aetna, an email from Schleier, the lawyer who previously represented her, landed in her inbox. Aetna's attorneys "wanted me to contact you and remind you of the confidentiality obligation in the agreement," Schleier wrote. "Look forward to hearing back from you."
After Kostial settled her case against Aetna, she began to pick up the pieces of her life. She spent nearly a year applying for jobs and landed several first-round interviews. But she was often stymied during those conversations, she said, when questions would come up about her previous employer.
"I couldn't answer the questions," Kostial recalled. Anything she said, she feared, would risk breaking the terms of her first NDA. "SAP always loomed large in the back of my mind."
Many other tech workers bound by NDAs told BI that the agreements posed similar obstacles to a new job search.
Eventually, in 2021, Kostial landed a job at a small Oakland-based software company working in data analytics, where she remained for nearly three years.
She often finds herself thinking back to the chain of events that led her to this point. Especially galling was the wall of disbelief Kostial encountered, from HR officials to police.
SAP's HR team seemingly gave credence to the claim by her alleged attacker that the two had consensual sex, ignoring Kostial's bruises and scrapes that were documented during her rape exam — and the fact that she is gay. In an email to Kostial, the detective assigned to her case from the Plano Police Department in Texas said of her alleged attacker, "I am not able to prove any part of his story that night was a lie." (No criminal charges were filed against Kostial's colleague and Plano police closed their investigation a month after the alleged assault.)
Kostial has discussed her situation with Vincent White, a New York City-based lawyer who specializes in workplace NDAs and advises signatories on the risks associated with breaking them. Kostial said that whenever she has brought up wanting to speak out about her agreement, White has reminded her that doing so could entail "inflicting self-harm," whether by triggering attempts by SAP or Aetna to claw back her settlement monies or by effectively blacklisting herself from future work in the tech industry.
Kostial's journey has led her to meet with lawmakers in Arizona and advocates in Illinois. She's participated in an international advocacy campaign, Can't Buy My Silence, led by Zelda Perkins, a former assistant of Harvey Weinstein's, and legal scholar Julie Macfarlane, to bring awareness to how NDAs are used to silence victims of assault and harassment. She's also developing an app, called Face Uncomfortable, to help employees report instances of workplace misconduct and save documentation.
Kostial recently left her software job to focus on preventing other workers from being silenced by the kinds of secrecy pacts that have shaped her life. Though she's long been engaged, the couple have put off marriage. Kostial is fearful that if they wed, her wife's finances could be affected if either SAP or Aetna pursues her for breaking her NDA.
Whenever she's seized by anxiety, Kostial reminds herself of how hard she's fought to move past the sexual assault and why she's coming forward.
"There's nothing that could happen after this that would be worse than what I've already been through," she said. "I hope that if there's one person who needs to hear this, they will."
Just two weeks ago, Kostial received another email from her former lawyer.
"Hey Ashley — Just following up," he wrote. He said he'd received another message from Aetna, reminding him about her NDA.
Kostial never replied.