Subject: s7-02-23: WebForm Comments from Anonymous
From: Anonymous
Affiliation: SEC Employee Support SEC SAOP

Mar. 31, 2023

As an SEC employee who is a Certified Information Systems Security Professional (CISSP) and privacy analyst supporting the SEC Senior Agency Official for Privacy, I strongly agree with the concerns expressed by SEC employees, in submitted comments, about the portion of this proposed rule that seeks to collect employee financial brokerage account numbers for potential direct access by the SEC Ethics Office compliance team or a third-party solution to conduct the compliance review for the SEC Annual Certification of Holdings (COH).  From a privacy perspective, the information provided in Supplementary Information, II. Proposed Amendments, section C. Automated Reporting of Purchases, Sales, Acquisitions, and Dispositions of Securities of the proposed rule does not speak to principles of the Fair Information Practice Principles (FIPPs) (based on the tenets of the Privacy Act of 1974).  The description in Section C does not address the following three (of eight) FIPPs:
Minimization. Agencies should only create, collect, use, process, store, maintain, disseminate, or disclose PII that is directly relevant and necessary to accomplish a legally authorized purpose, and should only maintain PII for as long as is necessary to accomplish the purpose.
Individual Participation. Agencies should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the creation, collection, use, processing, storage, maintenance, dissemination, or disclosure of PII.
Security. Agencies should establish administrative, technical, and physical safeguards to protect PII commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss, destruction, dissemination, or disclosure.
I am extremely concerned about the proposal of collection of brokerage account numbers from employees to automate the annual COH process for the following reasons:
        Brokerage account number (or any financial account number) is sensitive Personally Identifiable Information (PII). Section C of the proposed rule does not imply that any consideration is being given to the minimization of collection of brokerage account information for the purpose of automating the annual COH process. Could some
        Storing brokerage account numbers in an SEC or third-party system puts SEC employees, who have such accounts, at further risk for another system containing their financial information to be hacked and the possibility of nefarious account transactions that would adversely affect them and their families.
        The length of time the account number would be stored in the system is not communicated in Section C of the proposed rule.  For example, the brokerage account information should be removed immediately when an employee leaves the agency.
Last, but certainly not least of my concerns, is security.  Section C of the proposed rule does not speak to the responsibility for securing employee brokerage account information, especially if the SEC were to outsource the automation of the compliance review of employee annual COH to a third party.  It appears the SEC desires an annual COH process that promotes convenience to compliance reviews rather than keeping an existing system in place that gives employees the option to redact the account information, thus minimizing the collection of employee sensitive PII and minimizing risk to employee financial information.