Mar. 31, 2023
March 31, 2023 I am writing in response to your proposing release - Supplemental Standards of Ethical Conduct for Members and Employees of the Securities and Exchange Commission (Release No. 34-96768). My primary concern is with the proposed automated third-party reporting system for the as described by C) Automated Reporting of Purchases, Sales, Acquisitions, and Dispositions of Securities. Collecting personal information. In the past, the SEC has been responsible for the loss and disclosure of employees personal information through numerous data breaches due to external parties (hackers) and by internal personnel, (HR transfers to other government agencies). These personal information data breaches/disclosures of the SEC employees personal information was addressed by providing limited credit monitoring with a muted apology. As per our training, unless there is a compelling need to collect this personal information, it should not be collected and if the personal information must be collected, it should be secured and safeguarded. The SEC is fully liable for this personnel information, as will the proposed third-party automated electronic system selected to collect/transfer this personnel information. The commission employees should have the option to redact personal information, such as account numbers, to protect themselves or minimize the damage from future data breaches.