SEC Slaps Generic, Non-Specific Whitewash Over Database Scandal

April 6, 2022

When the opening sentence of any governmental report informs you that some bureaucracy has "identified a control deficiency," you know that what follows will require cases of toilet paper and gallons of deodorizer. Frankly -- sadly -- a recent SEC Statement is little more than a generic, non-specific bit of whitewash that stains the federal regulator's reputation. At issue is the improper access by the SEC's Enforcement staff to the SEC's Adjudication database. One is supposed to be walled off from the other. Think of it as if a federal prosecutor had the password to the database of the federal judge hearing a criminal case -- but the defense didn't. The SEC didn't rush to promptly inform the public about what looks like a breach of its confidential files by its own staff. Yet again, we have a government acting one way while insisting that we act another.

The April 5, 2022 SEC Statement

On April 5, 2022, the SEC published "Commission Statement Relating to Certain Administrative Adjudications" (the "SEC Statement") https://www.sec.gov/news/statement/commission-statement-relating-certain-administrative-adjudications in which we are initially advised that:

The Commission has identified a control deficiency related to the separation of its enforcement and adjudicatory functions within its system for administrative adjudications.  When this deficiency was identified, the Chair immediately notified the other Commissioners and directed the staff to undertake remedial measures and commence a comprehensive internal review to assess the scope and potential impact of the issue. We are now releasing the findings of that review as it relates to two adjudicatory matters currently in litigation in federal court. In both matters, the review found that agency enforcement staff had access to certain adjudicatory memoranda, but that this access did not impact the actions taken by the staff investigating and prosecuting the cases or the Commission's decision-making in the matters.

Given the SEC's penchant, some might say mandate, to demand Plain English in the myriad of corporate filings that come into its oversight, the SEC Statement is far from plain and seems more calculated to defuse and dissemble. Sadly, the SEC Statement is little more than a generic, non-specific bit of whitewash that stains the federal regulator's reputation and renders a disservice to the investing public.

WHEN -- as in a specific date

Among the very first aspects of the SEC Statement that are unacceptable is the failure of the document to identify a specific date when the purported deficiency was identified. In a fairly obvious attempt to muddy the waters, the SEC Statement resorts to asserting that "When this deficiency was identified, the Chair immediately notified the other Commissioners and directed the staff to undertake remedial measures and commence a comprehensive internal review to assess the scope and potential impact of the issue."

"When" is not a date certain.

The SEC Statement alleges that the "Chair immediately notified the other Commissioners and directed the staff to undertake remedial measures . . ." At this late date, that assertion is just not going to cut it. Since the SEC has carefully manicured the Statement to avoid setting out the exact date when the SEC first became aware of the cited deficiencies and the exact date, thereafter, when the Chair became aware of the cited deficiencies, it is impossible to determine if Chair Gensler's notification took place "immediately." Having deprived us of a continuum against which to gauge what folks knew, when they knew it, and how quickly they reacted, the SEC has likely accomplished exactly what it wanted with its Statement. We are given the appearance of sincerity without the underlying substance.

I'm sorry but I will not grant the SEC any benefit of the doubt. 

As a federal regulator, the SEC often displays its own high dudgeon when charging respondents/defendants with misconduct involving what they knew, when they knew it, and how timely they acted to remediate the issue. 

The very issue of timely so-called self-reporting is a critical component in the SEC's investigative and prosecutorial considerations. 

Timeliness in filing a tip is often a major factor when determining eligibility for whistleblower awards. Notably, the SEC continues to be criticized for its own foot-dragging when it comes to the belated processing of Whistleblower Forms WB-APP by which claims for a Dodd-Frank Whistleblower Award are filed. Queries from whistleblowers and their counsel for the status of their claims are frequently rebuffed by Staff. 

So, you know, don't try to blow smoke up my ass with your clever (but transparent) resort to "when" and "immediately."

Emailed and Uploaded

Similarly, where the hell does the SEC get off taking its goddamn time in order to get its own house in order? How dare the SEC only first release the findings of its review after determining that:

for a period of time, certain databases maintained by the Commission's Office of the Secretary were not configured to restrict access by Enforcement personnel to memoranda drafted by Adjudication staff.  As a result, in a number of adjudicatory matters, administrative support personnel from Enforcement, who were responsible for maintaining Enforcement's case files, accessed Adjudication memoranda via the Office of the Secretary's databases.  Those individuals then emailed Adjudication memoranda to other administrative staff who in many cases uploaded the files into Enforcement databases.

Are you kidding me? "For a period of time . . ."??

24 Hours or Four Business Days -- Did SEC Satisfy Either Deadline?

Why the hell didn't the SEC immediately publish a Press Release within 24 hours of when the federal regulator learned about the improper database configurations? 

Imagine if a public company insisted that it would first conduct a private, in-house investigation of a massive hack into personal, confidential shareholder files and, after a period of time, then opted to issue a Statement noting that a "control deficiency" had been identified. Consider this bit of hypocrisy [Ed: footnotes omitted]:

There is growing concern that material cybersecurity incidents are underreported and that existing reporting may not be sufficiently timely. We are proposing to address these concerns by requiring registrants to disclose material cybersecurity incidents in a current report on Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident.

at Page 20 of "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure" (SEC Proposed Rule / March 9, 2022) https://www.sec.gov/rules/proposed/2022/33-11038.pdf

Enforcement Staff Accessed Adjudication Memoranda and Transmitted to Other Enforcement Staff

Unaddressed in the SEC Statement is why Enforcement Staff had ANY access to the Adjudication database. What I do see is disconcerting "spin" by the SEC:

[I]n each case, the team determined that Enforcement administrative personnel accessed one or more Adjudication memoranda via the Office of the Secretary databases and sent those materials to other administrative personnel who in a number of instances uploaded the memoranda into a database that is accessible to all Enforcement staff.  As a result, certain Adjudication memoranda were, for a period of time, accessible to all Enforcement staff, including attorneys investigating and prosecuting the enforcement matters discussed in those Adjudication memoranda.

However, as detailed below, while the Enforcement staff assigned to investigate and prosecute those two matters would have been able to access certain Adjudication memoranda that pertained to those matters, the review team has found no evidence that those Enforcement staff in fact reviewed the memoranda.  In addition, the timeline of filings and Commission actions in each matter shows that access to the Adjudication memoranda would not have affected any Enforcement filings.  Enforcement staff prosecuting the matters did not file any documents in the proceedings between the dates that the Adjudication memoranda were accessed by the Enforcement administrative personnel and the dates of the corresponding Commission orders.

How nice! How comforting!! How reassuring!!! The SEC appointed a hand-picked "team," which determined that Enforcement staff had, in fact, accessed Adjudication memoranda. 

First question: Why the hell was Enforcement staff even attempting to access Adjudication's database?  

Second question: Didn't it seem "wrong" to Enforcement Staff to be accessing the Adjudication database? 

Third question: If Enforcement Staff recognized that it didn't belong poking around in the Adjudication database, what does it say of Staff's ethics to learn that they, nonetheless, "sent those materials to other administrative personnel"?

Apparently, the SEC is unwilling to recognize that a key problem here is not that there was a "control deficiency" but that it may have been exploited by Enforcement Staff. That the SEC's "team" didn't find evidence that Enforcement "reviewed" various materials on Adjudication's database isn't the point. The point is just what the hell was Enforcement doing on Adjudication's database in the first place -- shouldn't it have been apparent that there was some form of trespass underway in violation of confidentiality protocols? All of which dredges up that trenchant quote of Friedrich Nietzsche: "It's not that you lied to me but that I no longer believe you has shaken me."