The Securities and Exchange Commission frequently hammers home the message that its enforcement is focused on fraud both big and small, and individuals—whether they are boiler-room con men or high-level compliance officers—can and will be targeted.

The agency, however, might soon find that obtaining those damning e-mails and chat messages needed to build a case is harder to do. Bipartisan legislation born of privacy concerns threatens to curtail the SEC’s subpoena authority, and a recent court ruling prevents it from demanding the passcodes needed to unlock seized smartphones.

Obtaining paper documents is a relatively straightforward process for the SEC. Companies—at least larger, public ones—are usually helpful, lest they endanger the benefits that come with cooperation. If needed, the Commission has the authority to subpoena the person or entity that possesses them. When securing e-mail from an individual who won’t give up the goods, the SEC has a useful tool in the Electronic Communications Privacy Act, a law from 1986 that allows it to have Internet service providers collect the needed files from their servers.

Critics of the law, and the agency powers that come along with it, say it is past its prime and must be retooled and modernized. Not surprisingly, the SEC has steadfastly opposed any effort to do so. The latest effort to modernize the ECPA—the Electronic Communications Privacy Amendments Act (S.356)—is currently in front of the Senate Judiciary Committee.

The current law doesn’t require the SEC to obtain warrants to read e-mails, chat messages, texts, and other documents deposited on a cloud-based service if they are more than 180 days old. All the Commission has to do is exercise its civil subpoena powers, which offer a much lower threshold of judicial approval and due process than their equivalent in the world of criminal investigations.

The proposed changes would take away the 180-day clock used to declare electronic communications as “abandoned,” a holdover from the days when few would even think of hoarding all that data. Regulators and enforcement agencies looking for electronic data would need to get a court-ordered warrant, notify the target, and forward them a copy of the warrant with a written explanation of why it was sought.

Andrew Ceresney, director of the SEC’s Division of Enforcement, came out swinging against proposed changes. They “pose significant risks to the American public by impeding the ability of the SEC and other civil law enforcement agencies to investigate and uncover financial fraud and other unlawful conduct,” he testified during a Senate Judiciary Committee hearing last month. Electronic communications “can establish timing, knowledge, or relationships,” he argued. “Establishing fraudulent intent is one of the most challenging issues in our investigations, and e-mails and other electronic messages are often the only direct evidence of that state of mind.”

Although the SEC uses the process only when necessary, turning to ISPs is nevertheless a vital enforcement tool, Ceresney said. “Depriving the SEC of authority to obtain e-mail content from an ISP would also incentivize subpoena recipients to be less forthcoming in responding to investigatory requests,” he said, “because an individual who knows that the SEC lacks the authority to obtain his e-mails may feel free to destroy or not produce them.”

The SEC’s proposed compromise: requiring civil law enforcement agencies to attempt, where possible, to get electronic communications directly from a subscriber before acquiring them from an ISP. Should seeking records from an ISP be necessary, there would be an opportunity to challenge the request through a judicial proceeding.

“Some have asserted that providing civil law enforcement with an ability to obtain electronic communications from ISPs in limited circumstances would mean electronic documents enjoy less protection than paper documents,” Ceresney said. “That is not accurate. As currently drafted, S. 356 would create an unprecedented digital shelter—unavailable for paper materials—that would enable wrongdoers to conceal an entire category of evidence from the SEC and civil law enforcement.”

Getting Closer to Fraud

The ISP maneuver is typically used by the SEC in market manipulation, insider trading, and Ponzi scheme investigations, says John Zach, a former federal prosecutor and now partner at Boies, Schiller & Flexner. “Big companies are highly incentivized to work with the SEC,” he says. “Every big company in America understands that they have to preserve e-mail, and when they receive an [SEC] subpoena to review it, review its scope, and if it is attached to a case that has already been brought, to look at the underlying documents and see if the SEC is being reasonable or not and fight back that way.”

Zach sympathizes with the SEC’s dilemma. Rogue individuals have nothing to lose by destroying evidence that can’t be recovered from an intermediary. Nevertheless, the bill raises notable issues of notification and content.

RETHINKING E-MAIL REQUESTS

The following is an overview of the Electronic Communications Privacy Act Amendments Act of 2015.
Amends the Electronic Communications Privacy Act of 1986 to prohibit a provider of remote computing service or electronic communication service to the public from knowingly divulging to a governmental entity the contents of any communication that is in electronic storage or otherwise maintained by the provider, subject to exceptions.
Revises provisions under which the government may require a provider to disclose the contents of such communications. Eliminates the different requirements applicable under current law depending on whether such communications were: (1) stored for fewer than, or more than, 180 days by an electronic communication service; or (2) held by an electronic communication service as opposed to a remote computing service.
Requires the government to obtain a warrant from a court before requiring providers to disclose the content of such communications regardless of how long the communication has been held in electronic storage by an electronic communication service or whether the information is sought from an electronic communication service or a remote computing service.
Requires a law enforcement agency, within 10 days after receiving the contents of a customer's communication, or a governmental entity, within 3 days, to provide a customer whose communications were disclosed by the provider a copy of the warrant and a notice that such information was requested by, and supplied to, the government entity. Allows the government to request delays of such notifications.
Prohibits disclosure requirements that apply to providers from being construed to limit the government's authority to use an administrative or civil discovery subpoena to require: (1) an originator or recipient of an electronic communication to disclose the contents of such communication; or (2) an entity that provides electronic communication services to its employees or agents to disclose the contents of an electronic communication to or from such employee or agent if the communication is on an electronic communications system owned or operated by the entity.
Allows the government to apply for an order directing a provider, for a specified period, to refrain from notifying any other person that the provider has been required to disclose communications or records.
Directs the Comptroller General to report to Congress regarding disclosures of customer communications and records under provisions: (1) as in effect before the enactment of this Act, and (2) as amended by this Act.
Source: U.S. Congress.

“When you subpoena a big bank, their lawyers are going to look through the documents and decide what is privileged, personal, or not relevant,” he says. “When you obtain e-mail from Google or whoever, they are not doing that. You are just getting someone’s entire inbox, and there is no opportunity to first go through it and eliminate things that are not relevant to an SEC inquiry. That’s a real concern.”

Smartphones pose another complication for SEC enforcement. On Sept. 23, U.S. District Judge Mark Kearney in Pennsylvania blocked an effort by the Commission to access the company-issued devices of two former Capital One analysts.

In January, the SEC accused Bonan Huang and Nan Huang of insider trading. Expecting that information needed to build the case resided on their company-provided smartphones, the SEC wanted the phones surrendered, with access codes provided. The phones were made available by Capital One (confiscated after the men were terminated), but without the passcodes. The bank revealed that it does not require employees to document passcodes, and as a matter of policy, requires they be kept secret from everyone, company representatives included. The SEC sued the two men for access after they personally refused to cooperate.

Judge Kearney sided with the two analysts, informing the SEC that these codes are personal information, not corporate records. “We find, as the SEC is not seeking business records, but the defendants’ personal thought processes”—the defendants can invoke their Fifth Amendment rights to protect themselves from that, he said.

Just to confuse matters, separate case law holds that biometric access to a smartphone, such as a fingerprint scanner, does not enjoy a similar constitutional protection, says Nick Beermann, a labor law partner with law firm Fisher & Phillips. “I don’t think the bank did a very good job exercising its electronic communications policy, especially for company-owned phones,” he says. He adds that companies that allow employees to use personal devices need a more robust policy that allows access and the ability to wipe data remotely.

“What’s the difference between asking for records of insider trading through data and evidence of trades that might be on the phone and asking for passwords? That may be something the circuit court will need to take up,” he says.