Expert Legal Services



By Dennis A. Stubblefield of Shustak Reynolds & Partners, P.C.

We just posted our overview of the SEC Hack here. The agency has thus far specified just EDGAR as being compromised.  However, the SEC should also quickly evaluate what accountability it should demonstrate to the varied constituents who get caught up in its enforcement apparatus, i.e., any and all companies and individuals---extending way beyond regulated entities like broker-dealers and investment advisers---who come within reach of the investigative powers of its Division of Enforcement.

Enforcement can command the production of documents and the furnishing of testimony from any “person,” (including entities) and it does so regularly and aggressively.  Such information reflects and reveals a broad swath of data ranging from documents containing social security, bank, brokerage and telephone numbers to witnesses’ testimony about anything and everything relevant to investigations. Such investigations are “non-public,” and documents are routinely submitted by companies and persons with the clear notation, usually on each and every page, “Confidential Treatment Requested.”

It is true that the Commission has broad discretion to share and release information, even the most valuable and sensitive, and even when clearly flagged as confidential, consistent with its obligations under the Freedom of Information and Privacy Acts. Nonetheless, enforcement defense practitioners have long assumed that the SEC has a reasonably solid system and process underlying the exercise of such discretion.  Perhaps this assumption should be reexamined in light of the hack. After all, what is the worth and sufficiency of an agency determination to release or not release information if the basic integrity of its own system and process surrounding that information is called into question?

It is already daunting enough for individuals and companies to deal with the fact that sensitive information is routinely shared with DOJ, its United States Attorneys, FINRA and other governmental and quasi-governmental agencies. This concern is particularly compelling for “Good Citizen Boy Scouts and Girls” who have done nothing wrong yet have had to discharge their legal obligation when commanded by the government, often at considerable burden to them in terms of lost productive time and significant attorneys’ fees.

But is it too much to ask that such good citizens -- and indeed each and every person and company cooperating with the Commission -- have some sort of decent comfort level that information furnished by them is at least reasonably safe from the prying eyes of predators ranging from identity thieves to market manipulators?

The answer of course is a resounding “No.” 

Anyone who has furnished such information to the Enforcement Staff should consider asking the Staff Attorney assigned to the investigation whether such information has been compromised. You will very likely not get an answer, but, whatever the response, consider documenting it. That way you will have “made a record,” in case you need it later.

As of press time, the SEC’s website had no mention of the hack, much less any guidance on what affected parties may wish to consider doing about it.

Ryan Baesemann