SEC Reveals Internal Security Incident

Robyn Lin, Ronald Raether, Jr., Kamran Salour
Troutman Pepper
Contact
LinkedIn
Facebook
X
Send
Embed

Troutman Pepper

On April 5, the Securities and Exchange Commission (SEC) announced that two employees improperly accessed adjudicatory materials for cases being litigated in the agency’s in-house court system. The access occurred in 2017, and the SEC stated the breach “did not impact the actions taken by the staff investigating and prosecuting the cases or the commission’s decision-making in the matters.”

Under the Administrative Procedures Act (APA), the agency may preside over administrative proceedings to investigate and adjudicate violations of federal securities laws. Under the APA, investigation and adjudication responsibilities are separated. So, an employee who is investigating an adjudicatory matter may not participate in the decision-making.

In the SEC’s notice, the agency determined that certain SEC databases were misconfigured, which improperly allowed enforcement personnel to access case materials reserved for the adjudication staff. Enforcement personnel are different from adjudication personnel in line with the APA requirements and rules the SEC has promulgated. The SEC did not state how the misconfiguration was discovered.

The improperly accessed adjudicatory materials included materials that should have been restricted to commissioners and attorneys who advise the commission on decisions (e.g., investigation personnel). Some of these documents were uploaded to a database used by the enforcement division. The SEC’s review has focused on improper access as it relates to a pair of cases that started in the commission’s administrative proceedings and are now pending in federal courts.

The SEC is currently undergoing a review to determine any impact on administrative adjudicatory matters. So far, the agency has focused on two cases that are currently pending in the federal courts: SEC v. Cochran, No. 21-1239 (S. Ct.) and Jarkesy v. SEC, No. 20-61007 (5th Cir.). The SEC did not provide a timeline for when it would finish its internal review.

Takeaways

This incident highlights the importance of auditing internal configurations to ensure that only those employees with authority to access certain information can in fact access that information. Companies should continually review access and controls to sensitive information. Companies should also consider providing periodic training to staff on the proper handling, disposal, and access of data.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising

Written by:

Troutman Pepper
Troutman Pepper
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Troutman Pepper on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide