Earlier this month, Andrew Ceresney, Director of the U.S. Securities and Exchange Commission (SEC) testified before the Committee on the Judiciary of the U.S. House of Representatives on Updating the Email Privacy Act (H.R.699).

While Ceresney said that modernizing portions of the Electronic Communications Privacy Act (ECPA), which became law in 1986, makes sense to account for technological advances, he fears that the bill in its current form, poses significant risks. He cautioned H.R. 699 as it now stands would impede the SEC and other civil law enforcement agencies’ ability to investigate and uncover financial fraud and other unlawful conduct.

Tracking digital footprints

“Electronic communications,” Ceresney told the House, “often provide critical evidence in our investigations, as email and other message content (e.g., text and chat room messages) can establish timing, knowledge, or relationships in certain cases, or awareness that certain statements to investors were false or misleading.  In fact,” he added, “establishing fraudulent intent is one of the most challenging issues in our investigations, and emails and other electronic messages are often the only direct evidence of that state of mind.

Historically, the SEC solicits that data via an administrative subpoena. Most recipients, Ceresney said, respond appropriately, turning over requested documentation. However, when bad actors act badly, erasing emails, tendering only select emails, blaming damaged hardware, or refusing outright to comply, the SEC needs a bigger stick — the opportunity to reach out to internet service providers (ISPs).

No stick, no compliance

This is where H.R. 699 get’s sticky, according to Ceresney. In its current form, it would require government entities like the SEC to procure a criminal warrant to get email content or other electronic communications from ISPs.

But here’s the rub…the SEC and other civil law enforcement agencies cannot obtain criminal warrants. So, H.R. 699 precludes them from gathering evidence directly from an ISP and Ceresney’s concern is that the lack of authority would incent bad actors to act even “badder.”

While technology has evolved since ECPA’s passage, Ceresney hopes the law will evolve to take account of advances in technology and protect privacy interests, even when significant law enforcement interests are also implicated. He asked the Committee to consider language that would:

• require civil law enforcement agencies to attempt, where possible, to seek electronic communications directly from a subscriber before seeking them from an ISP; and
• when seeking them from an ISP is necessary, give the subscriber or customer the opportunity to challenge the request in a judicial proceeding.

Data is still protected if…

According to Ceresney, as currently drafted, H.R. 699 creates an “unprecedented digital shelter – unavailable for paper materials – that would enable wrongdoers to conceal an entire category of evidence from the SEC and civil law enforcement.”

You’re reading this, because you are not a bad actor. You work hard to keep your ducks in a row and your documentation in order. Given the SEC’s interests, it is likely H.R. 699 will be adjusted. So you still need to be co mpliant, and produce the right documentation on request, regardless of format. Compliance already is an undertaking without end. And there’s no question, you will be doing more of it. Want more time to do your real work? Let’s talk. Ask about Patrina’s comprehensive compliance solutions specifically designed for Broker/Dealers, RIAs, and FCMs.

Let’s talk (212- 233-1155).