A dilemma facing the Securities and Exchange Commission: how to balance the need to secure the smoking-gun e-mails needed to bolster enforcement efforts with growing privacy concerns and pending legislation that intends to curtail its subpoena authority.

To obtain paper documents, the SEC has the authority to subpoena the person or entity that possesses them. When it comes to e-mail, however, the Commission can rely on the Electronic Communications Privacy Act of 1986 to bypass those direct demands and require an internet service provider—such as Google, Yahoo, or Comcast—to dig the desired correspondence out of its servers.

The current law does not require the SEC, or other federal enforcement agencies, to obtain a warrant to read emails or other forms of online communication—including chat messages, texts, and documents deposited on a cloud-based service—if they are more than 180 days old. Instead, they can rely upon civil subpoena powers and a much lower threshold of judicial approval and due process.

Critics say that the 1986 law—enacted when many were still using AOL and CompuServe for e-mail—is outdated and must be modernized in light of court decisions that the Fourth Amendment generally protects e-mail privacy. To that end, Rep. Kevin Yoder (R-Wis.) and Rep. Jared Polis (D-Colo.) have authored H.R. 699, the Email Privacy Act, to hold electronic communications to the same standards as paper-based mail and documents. Introduced in February, it currently has bipartisan support and 261 co-sponsors.

Calls to change the 1986 law are nothing new. But, while the Justice Department and other agencies have supported revisions and amendments, the SEC has been the lone, persistent holdout.

During a budget hearing before the Financial Services Appropriations Subcommittee last week, SEC Chairwoman Mary Jo White reiterated the agency’s concerns but admitted that while it has vigorously fought to maintain subpoena power over ISPs, it has not used it under her watch. “We have not, to date and to my knowledge, continued to subpoena the ISPs,” she said.

White explained that the SEC’s current policy is to first go to the individual or company being investigated with a subpoena for sought-after communications. If investigators are told the e-mails or documents were deleted, or cannot be produced for any other reason, the agency will then, and only then, subpoena an ISP and give notice to the subscriber that it has done so.

Yoder’s bill, in his own words, would ensure that “when you use the subpoena process in civil proceedings, the subpoena is served on the individual, not on the internet service provider.” White is concerned by that approach. “We have civil enforcement powers, we do not have the warrant power,” White told the committee. “If a bill were to pass that required a warrant to obtain emails that had been deleted by the subscriber from the ISP, we could not get them.”

“I didn’t think it was the right thing to do, as we were discussing balancing privacy and law enforcement, to go ahead and serve subpoenas on ISPs,” White added. “But I worry about it. We have always served subpoenas on the individuals—sometimes we get documents and sometimes we don’t. Sometimes we are told they deleted them all or an entire month is missing. If it is still on the ISP, that’s critical evidence. I worry about what we are missing.”

In a statement following the hearing, Yoder called White’s decision not to pursue ISP subpoenas for the time being “a welcome change.” “We may have cleared a major hurdle in digital privacy reform, as the SEC was the lone government-agency holdout engaging in this practice,” he said.

Yoder extended an invitation to White, one she accepted, to have her staff offer changes or amendments to his bill in an effort to reach a compromise between privacy and enforcement concerns.