Subject: S7-02-23: WebForm Comments from Current Commission Employee
From: Current Commission Employee
Affiliation:

Feb. 26, 2023

I oppose the portion of the proposed Supplemental Standards of Ethical Conduct for Members and Employees of the Securities and Exchange Commission ("Proposed Rule") that requires Commission employees, and their families, to hand over their personal financial information to a third party ("Forced Reporting to a Third Party").  At best, the Forced Reporting to a Third Party requirement is a policy overreach by the agency founded on a tenuous legal theory.  At worst, it will cause real harm to Commission staff with little practical benefit.

To be clear, all Commission employees are ALREADY required to annually submit copies of their, and their family's, brokerage account statements to the Office of Ethics Counsel ("OEC").  Moreover, staff ALREADY submit these highly sensitive financial documents electronically.  The only difference is that, currently, staff submissions are made DIRECTLY to OEC, without any intervening non-United States Government ("USG") entity receiving the data.

The Proposed Rule's Forced Reporting to a Third Party will insert a non-USG, contracted third party into this reporting process.  But the Proposed Rule does not stop there.  It further requires that Commission staff provide this unknown third party with DIRECT ACCESS to their and their family's brokerage accounts.  As a result, under the Proposed Rule, staff would have no means to protect their sensitive data by redaction or other means.

If the financial data of any United States citizen is a figurative gold mine for hackers (and it is), the brokerage statements of every Commission employee are a platinum, diamond, and lithium mine all rolled into one.  The Proposed Rule would create a treasure trove of sensitive data held and directly accessed by a non-USG entity.  These data and the access afforded to this third party would be flashing red "Welcome, please hack here" signs to bad actors.  And make no mistake, the hackers will come.

When a hack of this third party occurs and Commission employees' personal brokerage statements are stolen, as is inevitable, the drafters of this ill-conceived Forced Reporting to a Third Party requirement will offer little more than an apology and a year of credit monitoring service.  We know this because Commission employees have seen this movie before.  BOTH the USG and the Commission have experienced numerous, significant cyber "hacking" breaches in the past decade that comprised incredibly sensitive information.

Most significantly, in June 2015, the Office of Personnel Management ("OPM") announced that hackers had accessed OPM's internal databases and stolen the personal information of 21.5 million current, former, and prospective USG employees (https://www.opm.gov/cybersecurity/cybersecurity-incidents/). This gargantuan hack impacted almost every USG employee since 2000 and included names, dates of birth, social security numbers, and even 5.6 million fingerprints. Despite their sensitive nature, these data were not properly safeguarded from attack.

Most notoriously, from at least May 2016 through at least October 2016, hackers infiltrated the Commission's EDGAR database and accessed non-public information about filers (https://www.sec.gov/litigation/complaints/2019/comp-pr2019-1.pdf).  EDGAR data are among the most sensitive at the Commission.  Nonetheless, EDGAR data were not properly safeguarded from attack.

These are just two examples of the known hacks that have affected the Commission and its employees.  But they are a stark warning against the Proposed Rule.  Forcing Commission employees to give a third party direct access to their brokerage accounts for no good reason -- remember, these data are ALREADY submitted directly to OEC by staff -- is both ignorant and indefensible. It is also contrary to the law.

The drafters of the Proposed Rule's Forced Reporting to a Third Party requirement rely on Section 107 of the Ethics in Government Act of 1978, 5 U.S.C. App. 107 as authority for the proposal.  They are wrong. The statute simply does not authorize (1) the submission of financial reports to third parties, (2) the forced access by third parties of brokerage accounts, or (3) any financial reporting requirements regarding family members.

Section 107(a)(1) states that "each supervising ethics office may require officers and employees under its jurisdiction (including special Government employees as defined in section 202 of title 18, United States Code) to file confidential financial disclosure reports, in such form as the supervising ethics office may prescribe."  Under Section 107(a)(1), the Commission's OEC can require "officers and employees" to "file" their financial records "in such form" as it prescribes.  The provision does NOT confer upon the OEC the ability to dictate that the information be transmitted to a third party recipient, let alone that employees give a third party access to their brokerage accounts.  And the Section does not authorize the OEC to impose any obligation at all on family members.

Section 106 makes clear that the required report must be filed WITH the "designated agency ethics official or Secretary concerned" (See 5 U.S.C. App. 106, using the phrases "each report filed with him" and "transmitted to him").  Under Section 106, OEC cannot force Commission staff to submit their reports to an intervening third party, let alone require them to give a third party their brokerage account login credentials.

Moreover, OEC can only prescribe the "form" of the submission. Form is a commonly understood word defined as "the shape and structure of an object" or "the external shape, appearance, or configuration of an object."  OEC's Proposed Rule ignores the plain language of the statute in an effort to expand its reach.  The plain meaning of the word "form" does not include the recipient of the form.  And it does not contemplate handing over login credentials to a third party.

Finally, nothing in the Ethics in Government Act purports to give the OEC domain over staff's family and children.  Section 107 references "officers and employees," not their families and children.  It simply does not give OEC the unbridled power to force non-staff members to hand over their sensitive data and account to a non-USG third party.

The Proposed Rule's Forced Reporting to a Third Party requirement is blatant overreach by the OEC that would impress Orwell.  It unabashedly expands the reach of the Ethics in Government Act of 1978 to non-government employees and forces employees to hand over sensitive financial data, including account access, to non-government entities. The provision is misguided, dangerous, and unnecessary.  It should be rejected on practical, ethical, and legal grounds.