Commentary Addressing Risks and Opportunities Through the Lifecycle of Data, Technology, Advertising and Innovation

Data Counsel

Home | Data Counsel

<p style="text-align: left" align="center">Every company, whether public or private, has exposure to potential data breach or theft of confidential information. When this occurs, various state and federal regulatory organizations have jurisdiction over ensuring that there is prompt, corrective, and remedial action taken by the company whose systems have been compromised. Much of the focus of articles and commentary has been on the Federal Trade Commission and its enforcement of these violations. However, another important agency to understand both its role and practices is that of the United States Securities and Exchange Commission.</p>
The SEC has jurisdiction over the policies and practices of the securities industry to ensure the integrity of the securities exchanges, to assist in capital formation, and to provide investor protection. Pursuant to its statutory authority, it conducts periodic examinations of industry participants, such as investment banks, asset managers, hedge funds, and mutual funds. As such, the SEC requires these regulated entities to perform a risk assessment of various cybersecurity risks and then to adopt written policies and procedures to combat them. As part of this process, to assist the industry in assessing cybersecurity preparedness, the SEC’s Office of Compliance Inspections and Examinations on April 15, 2014, issued a Risk Alert concerning the "<a href="http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf">OCIE Cyber Security Initiative</a>." Parallel regulatory concerns have been expressed by FINRA, through its <a href="http://www.finra.org/web/groups/industry/@ip/@reg/@guide/documents/industry/p419710.pdf">2014 Annual Regulatory and Examination Priorities letter</a>, in which cybersecurity is listed as a top priority for protecting “sensitive customer data.”

These regulatory concerns, however, are not limited to the securities industry. All public companies with shares trading on a U.S. securities exchange are likewise subject to the possibility of an SEC inquiry concerning its practices and policies, albeit not through the scrutiny of an SEC examination. It seems topical, therefore, to explain the processes of the SEC, to the extent to which the agency comes knocking for information about your company's cyber security controls, practices, and breach response plan.

The Division of Enforcement of the SEC generally conducts two kinds of investigations, initially an informal one and thereafter, to the extent to which the Staff believes federal securities laws violations have occurred, a formal investigation. The main difference between an informal and formal investigation is the Staff's ability to request information through subpoena power, pursuant to an Order of Private Investigation, or document commonly known as a Formal Order. Accordingly, if you are contacted by the SEC, the first thing you should identify is which division is requesting the information. Depending on whether it is the Enforcement Division or another division of the SEC, your response may be more circumscribed. Assuming, however, it comes from the Enforcement Division, even in what appears to be an innocuous letter request for certain information about your company's policies and procedures, it is highly recommended that you give great attention and care to the manner in which you respond. This is best done through the engagement of skilled securities regulatory counsel who understand how best to deal with a civil regulatory agency of the government. As a former SEC Enforcement attorney myself, I appreciate the advantages this provides to clients.

Assuming it is the Division of Enforcement which requests information, you should understand it has the right to both subpoena documents and compel testimony during the course of a private inquiry. When such information is requested, under the rules of practice of the agency, the investigated company is entitled to receive a copy of the Formal Order. This document should always be requested immediately upon any request that your company may receive, as it will provide some general information about the nature of the investigation and the kinds of federal securities laws violations the agency is exploring. As the document is dated, it also will give you some insight into how long the investigation has been ongoing.

For any information requests, it is recommended that you withhold a natural inclination to contact the agency immediately until after you have a good handle on the extent of document production that is requested and how long it will likely take to gather. In one of your early calls with SEC Staff, it is important that you be in a position to articulate with some degree of authority and sophistication the size of the production and the amount of time gathering the production would entail. Only with such information readily available can you have a meaningful and successful dialogue with the regulator in narrowing its scope as appropriate. Calling a staff attorney to simply ask for more time, or to narrow the scope of what presumably has been a thoughtfully crafted document request or subpoena demand, will likely yield little in terms of compromise or movement by the staff member.

Of course, it is always good practice to maintain a professional and forthright level of communication with SEC Staff. Building credibility through retention of experienced civil securities regulatory counsel and by the manner in which you deal with the staff members will create a better atmosphere for all concerned. Importantly, in any response that your company provides, either through written or oral communications to the SEC, you must keep in mind that speaking the truth is paramount. There are criminal statutes applicable to making false statements to a federal officer, including an SEC staff attorney, either in writing or orally, as Martha Stewart found from her conviction arising from the ImClone insider trading criminal trial (A trial in which I represented one of the key witnesses who tipped Ms. Stewart, Douglas Faneuil). This is equally important in sworn testimony before the SEC, where failure to do so is considered perjury, as Ms. Stewart’s co-defendant, Peter Baconovic, found in his criminal conviction.

Another issue that should always be considered when responding to an information request from the SEC is to formulate a reasonable view for narrowing the scope of the request. The analysis for doing so in this context is similar to a response to any potentially overly broad, costly, and burdensome document demand or subpoena in any public civil action. The relevance of the request is to be weighed against the costs and time associated with obtaining and making the production. However, do understand that in private investigations by the SEC, there is greater latitude given to the agency in terms of the requests. Thus, there is very little practical recourse you have, ultimately, to fight the SEC in what the Staff demands. At base, you either have to make the production to which the SEC agrees, or force the SEC’s hand to go to federal court to bring a subpoena enforcement action. Given that a subpoena enforcement action becomes a public proceeding in which the SEC would advise the world it is investigating your company, and the reasons for it, it is rarely a good outcome for resolution. Accordingly, your best approach, as indicated earlier, is to work out a fair and reasonable manner in which to deal with the regulator in a professional fashion.

How to Respond to SEC Inquiries Concerning Data Breach and Data Security Policies