U.S. Securities & Exchange Commission

Speech by SEC Staff:
Conflicts Between Public Accountability and Individual Privacy in SEC Enforcement Actions

Remarks By

Thomas C. Newkirk, Associate Director
Richard C. Sauer, Assistant Director
Robert J. Keyes, Branch Chief

Division of Enforcement
U.S. Securities and Exchange Commission
Washington, D.C.

The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. The views expressed herein are those of Mr. Roye and do not necessarily reflect the views of the Commission, the Commissioners, or other members of the Commission's staff.

In the United States, as elsewhere in the world, the public interest in effective law enforcement is often in conflict with the public's concern for the privacy of personal financial and other sensitive information. During recent decades, the federal government has compiled increasing quantities of data on its citizens. This has proven necessary to determine who qualifies for various benefit programs, to monitor compliance with anti-discrimination statutes and to pursue various other social goals. In addition, improved technology has greatly improved the capability of the government to compile and retrieve information about individuals. This burgeoning governmental information gathering, however, has brought with it an increasing concern over its potential to intrude into the private lives of the citizenry.

The concern over the possible erosion of personal privacy through government action appears in many current controversies that do not directly implicate the enforcement mission of the Securities and Exchange Commission (SEC). It deeply informs, for example, the debate over when law enforcement agencies should be able to defeat electronic message encryption technology.[1] It also appears in the heated resistance to attempts by U.S. banking regulators to codify certain Know Your Customer regulations intended to prevent money laundering.[2]

This policy conflict has also been reflected, however, in various limitations placed by Congress on the powers of the SEC to investigate instances of securities fraud. Certain of these limitations are not found in specific statutory prohibitions, but are matters of congressional omission. For example, Congress has never deigned to provide the SEC, a civil agency, with certain powers it has granted federal criminal authorities (such as the power to use wiretaps or mail covers or to obtain search warrants or grand jury subpoenas).

Other limitations on the SEC's investigative reach are matters of affirmative statutory provision. For example, the SEC is barred from obtaining federal income tax returns from the Internal Revenue Service, although it may obtain returns directly from taxpayers or their accountants.[3] In addition, the Fair Credit Reporting Act[4] restricts the SEC's access to information held by credit bureaus by prohibiting them from releasing information for other than business purposes (to determine creditworthiness, for example), except pursuant to a court order, which the SEC can obtain only in the context of district court litigation, or a federal grand jury subpoena, which, as a civil agency, the SEC cannot obtain at all.[5]

The three federal statutes that most significantly affect the SEC's access to information about individuals,[6] however, are the Privacy Act of 1974,[7] which mandates that the SEC staff make certain disclosures to individuals from whom we solicit information; the Right To Financial Privacy Act,[8] which concerns access to certain financial records; and the Electronic Communications Privacy Act,[9] which protects the contents of certain electronic communications. This article describes the operation of these three statutes and their consequences for the SEC's enforcement program. Our emphasis throughout will be on the practical question of how the SEC staff adheres to the requirements of these statutes without sacrificing our effectiveness as a law enforcement agency. We conclude with a case study illustrating the effect of these three statutes on one recent enforcement action.

The Privacy Act

The Privacy Act of 1974 does not place substantive limitations on the types of information that may be obtained by the SEC staff. It does, however, require that we make certain disclosures whenever we seek personal information from members of the public. Specifically, we must notify every individual from whom we request information:

    (a) the authority for the request;

    (b) whether providing the information is mandatory or voluntary;

    (c) the purpose for which the information is being gathered;

    (d) the uses to which the information may be put; and

    (e) the effects, if any, of the individual's failure to provide the information.

In compliance with this statute, the staff routinely includes a printed notice of "routine uses" with every subpoena and document request,[10] and recites a litany of warnings when contacting people for information over the telephone.

The primary, and indeed only substantial, effect of the Privacy Act on our investigations is that it precludes the staff from conducting covert inquiries. Because the required disclosures include the agency's authority for the request, and hence its identity, the Privacy Act effectively hangs a bell on us announcing our presence as a law enforcement agency. In the great majority of cases, our identity is the first thing we wish to communicate to individuals from whom we seek information, and this requirement is therefore of little consequence. It does prove problematic, however, in certain cases in which we wish to obtain and document false statements made to prospective investors.[11] Unlike the criminal authorities, the SEC cannot, for example, place a staff member undercover at a penny stock firm to determine what its brokers are telling investors to induce them to purchase dubious securities. In the area of internet stock offerings, the requirement that we announce who we are can be particularly frustrating. It has become common for "investment opportunities" to be offered over the internet through two-stage communications. In the first, glowing but vague representations are made about the nature of the company and its business. Interested parties are invited to submit basic personal information to receive additional materials about the offering. Clearly, receiving an inquiry labeled as coming from the SEC is likely to alert all but the most obtuse fraud artists that they should be careful in what they say. Thus it may be difficult for the SEC staff to determine what representations are being made to actual investors.

The Right to Financial Privacy Act

Congress enacted the Right to Financial Privacy Act (RFPA) in 1978[12] in response to a U.S. Supreme Court decision, U.S. v. Miller,[13] holding that individuals have no constitutional right to privacy in the account records maintained by their banks. Unhappy with this result, Congress through the RFPA conferred limited rights of privacy on certain bank customers. These include the right to be informed whenever a federal agency subpoenas their account records, and to challenge such subpoenas in federal court. In addition, a federal agency may not transfer to another federal agency any bank customer records obtained pursuant to the RFPA without further notice to the customer.

The statute, however, is subject to many limitations. The RFPA defines "customer" narrowly as including only individuals and small partnerships. Corporations are not within the statute's purview.[14] Also, the "financial institutions" whose records are covered by the RFPA are generally banks and similar depository institutions, and not securities firms. Thus, the SEC does not need to comply with any provisions of the RFPA to obtain the brokerage account records of individuals.

Moreover, the RFPA narrowly circumscribes the grounds on which a "customer" may challenge a subpoena for his bank account records. These grounds are that:

  • the financial records sought are not relevant to the investigation, or

  • the procedural requirements of the RFPA were in some manner violated.[15]

In fact, so narrow are these criteria that RFPA subpoenas are rarely contested. In those cases in which motions to quash RFPA subpoenas are filed, the SEC has generally prevailed for two reasons. First, the SEC subpoenas personal financial information only when there exists a clear need for the information, and then strictly adheres to the procedural requirements of the statute. Second, the courts have generally been disinclined to second-guess the SEC staff on questions of relevancy. For example, in connection with an insider trading investigation, the SEC issued RFPA subpoenas to two New York banks for the records of a resident of England. The SEC believed that the New York bank records would show fund transfers relating to the suspected insider trading. The District Court for the Southern District of New York denied the account holder's motion to quash, holding that the SEC's burden under the RFPA is satisfied if it shows "a reasonable belief that the records sought are relevant."[16] Similarly, in denying a motion to quash an SEC subpoena in the recent investigation concerning Solv-Ex Corporation, the District Court for the District of Connecticut concluded that "[i]nformation sought pursuant to an agency subpoena is relevant if it `touches a matter under investigation.'"[17]

Therefore the RFPA, like the Privacy Act, affects the SEC's process largely through the imposition of notice requirements. And even these requirements are subject to qualification. In extending the protections of the RFPA to SEC investigations, Congress expressly authorized that customer notice may be delayed upon a showing of necessity made to a U.S. District Court. This permits the SEC to obtain bank records without first alerting the account holder by showing that, for example, notice would likely result in the transfer of funds outside the U.S.[18]

The Electronic Communications Privacy Act

To address privacy concerns raised by new forms of communications technology, Congress in 1986 enacted the Electronic Communications Privacy Act. "ECPA" protects from disclosure the contents of e-mails and other forms of communications that are stored by "electronic communications service providers," such as Microsoft's MSN, America Online and other commercial providers of internet access.[19]

Under ECPA, if an electronic communication has been stored less than 180 days, its disclosure by a service provider may be compelled only pursuant to a criminal warrant.[20] Because the SEC has no ability to procure criminal warrants, this statute effectively precludes it from obtaining e-mail messages from service providers when the messages are less than 180 days old. The SEC can subpoena messages older than 180 days, after notice to the customer.[21] Few service providers store e-mail messages for more than six months, however, so this power is of limited utility unless they prove willing to store messages past the 180-day period when notified of the SEC's interest.

Voice-mail messages are placed completely out of bounds by ECPA. Although telephone companies in the United States did not typically provide voice-mail services at the time ECPA was originally enacted, many do now. Under ECPA, electronically stored voice messages are wire communications that may be obtained by the government only with court authorization under the wiretap provisions of the statute. This effectively prevents the SEC from obtaining the contents of voice-mail messages from third party service providers.

ECPA does permit the SEC to obtain from electronic communication service providers certain transactional information. Specifically, the SEC may, without notice to the customer, subpoena a customer's name, address, billing records, and various other identifying information, not including, of course, the actual content of the customer's electronic messages.[22] Such transactional information may be highly significant when investigating internet stock manipulations. For example, ECPA permits the SEC to obtain the identity of individuals who post messages on internet bulletin boards or participate in real-time discussions in chat rooms while using "screen names" that conceal who they are.

Moreover, nothing in ECPA prevents the SEC from using its subpoena power to obtain e-mails and voice-mails from sources other than an electronic communication service provider, such as, for example, the sender or the recipient of the message. Similarly, ECPA does not pose an obstacle to governmental access to voice-mail messages maintained by a business entity on its own recording system, or to e-mails stored by an entity on its own local area network.

PairGain: A Case Study

Many of the points mentioned above are illustrated by the recent internet hoax case involving the stock of the U.S. company PairGain Corporation.[23] In that matter an individual, later identified as PairGain employee Gary Dale Hoke, posted a message on an internet bulletin board maintained by Yahoo! stating that PairGain had announced its pending acquisition by an Israeli company. That message provided an electronic link to a purported Bloomberg News Service web page describing the acquisition. Although very plausible in appearance, the page was a fraud. It had been created by Hoke and the pending merger it announced was pure fiction. The share price of PairGain stock rose about 31% on heavy volume in reaction to Hoke's postings before PairGain and Bloomberg issued press releases stating that the postings were bogus.

Seeking to identify the person behind the postings, the SEC sent subpoenas to Yahoo! and to Angelfire, the provider of the web page on which the false Bloomberg story was posted, to obtain transactional and customer identifying information. As noted, ECPA does not restrict the SEC's access to this type of information. Although Hoke had used a false name and address in opening his accounts with both Yahoo! and Angelfire, he inadvertently provided information to them that led to his identification.

First, Angelfire provided information indicating that the web page had been created by an individual using the free internet e-mail service HotMail. The customer information provided to open that account was also fictional, but HotMail's records included the Internet Protocol address used to set up the account. Analogous to a telephone number, an "IP" address is a numerical code that tells the internet how to route messages. In this case it denoted a computer at PairGain itself. Specifically, it was the computer used by the company as a "firewall" between its internal computer system and the internet. Nothing in ECPA prohibits the SEC from tracing internet communications through IP addresses, even if the content of those messages is protected. The SEC's inquiry spurred an internal inquiry by PairGain that examined, among other things, the content of company hard drives. Information produced by this inquiry and provided to the SEC indicated that the Yahoo! posting had come from an employee of PairGain's North Carolina office, Gary Hoke. Because PairGain is not an electronic communication service provider, ECPA did not restrict our ability to obtain this information.

The Angelfire web page, after its creation, had been accessed over 30 times from three IP addresses to put up and edit the phony Bloomberg page. One of these addresses was, again, the PairGain firewall. The second belonged to a high-tech company in North Carolina where Hoke was employed on a part-time basis. Company records established that Hoke had been on the premises at the critical time. (None of this information engaged the protections of any federal privacy statute.)

The third IP address was from the internet service provider Mindspring. A subpoena to Mindspring specifying the activity time on the account revealed the account holder to be Gary Hoke. Mindspring had also captured the telephone number used to access the account. It was that of Hoke's residence. Again, this type of transactional and customer identifying information is available by subpoena under ECPA.

Tracing the Yahoo! posting back to its source was a similar process. The Yahoo! account was opened through the same HotMail account used to create the fake Bloomberg page. Again HotMail's system revealed that the communication had come from the internet service provider Mindspring, and again Mindspring's records tied the specific activity time for the communication to the account of Hoke.
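The tracing described above is, mechanically, a join: one provider's record gives an address and a time, and another provider's session records say which account held that address at that time. The Python script below is added here as an illustration of that join over constructed sample records; it is not part of the original remarks and is not SEC tooling, and every IP address, account number, caller-id and provider name in it is invented. It shows two points the case study makes: an address that belongs to a shared company gateway (the "firewall") resolves only to an organization, so the organization's own internal records are needed to go further, and a dynamically assigned ISP address is reused by different subscribers, so the activity time, not the address alone, is what ties an access to one account.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample records (not from the case). All times are UTC; real
# records from different providers must be normalised to one zone first.

# A web host's edit log for one page: (timestamp, source IP, action).
ACCESS_LOG = [
    ("1999-04-06T14:02:11", "203.0.113.7", "edit"),
    ("1999-04-06T21:40:03", "198.51.100.42", "edit"),
    ("1999-04-07T03:15:27", "198.51.100.42", "edit"),
    ("1999-04-07T09:58:40", "192.0.2.250", "edit"),
]

# An ISP's dial-up session records: (ip, start, end, account, caller id).
# The same address is handed to a different account in the third session.
ISP_SESSIONS = [
    ("198.51.100.42", "1999-04-06T21:30:00", "1999-04-06T22:10:00", "acct-1182", "555-0143"),
    ("198.51.100.42", "1999-04-07T02:50:00", "1999-04-07T03:40:00", "acct-1182", "555-0143"),
    ("198.51.100.42", "1999-04-07T08:00:00", "1999-04-07T09:00:00", "acct-2077", "555-0199"),
]

# Shared egress addresses (a company firewall or NAT gateway): the address
# identifies the organization, not a person.
SHARED_GATEWAYS = {
    "203.0.113.7": "Example Corp firewall",
    "192.0.2.250": "Example Contractor Inc. gateway",
}


@dataclass
class Attribution:
    timestamp: str
    ip: str
    kind: str            # "shared_gateway", "isp_account" or "unresolved"
    holder: Optional[str]
    detail: str


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def find_session(ip: str, ts: datetime, sessions):
    """Return (account, caller_id) for the session holding `ip` at `ts`, else None."""
    for sip, start, end, account, caller in sessions:
        if sip == ip and parse_ts(start) <= ts <= parse_ts(end):
            return account, caller
    return None


def attribute(log, sessions, gateways):
    """Join each access to the record that explains its source address at that time."""
    results = []
    for ts_s, ip, _action in log:
        ts = parse_ts(ts_s)
        if ip in gateways:
            # Resolves only to an organization; its internal logs are the next step.
            results.append(Attribution(ts_s, ip, "shared_gateway", gateways[ip],
                                       "organization egress; needs internal records"))
            continue
        hit = find_session(ip, ts, sessions)
        if hit is None:
            results.append(Attribution(ts_s, ip, "unresolved", None,
                                       "no session record covers this time"))
        else:
            account, caller = hit
            results.append(Attribution(ts_s, ip, "isp_account", account,
                                       f"session caller id {caller}"))
    return results


def distinct_accounts(results) -> set:
    """Accounts the ISP records tie to the logged activity."""
    return {r.holder for r in results if r.kind == "isp_account"}


if __name__ == "__main__":
    for r in attribute(ACCESS_LOG, ISP_SESSIONS, SHARED_GATEWAYS):
        print(f"{r.timestamp}  {r.ip:15}  {r.kind:15}  {r.holder}  ({r.detail})")
```

Run as a script it prints one line per access. The two gateway hits stop at the organization, both edits from 198.51.100.42 on the night of 6-7 April resolve to acct-1182, and an access from that same address at 08:30 on 7 April would resolve to acct-2077 instead, which is why a subpoena for a dynamically assigned address must specify the activity time.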

With the subpoenas to HotMail, Angelfire, Yahoo! and Mindspring, we included a printed statement of the disclosures mandated by the Privacy Act. Otherwise that statute had no substantive effect on the investigation.

In pursuing the investigation further, we were able to obtain Hoke's brokerage account records without implicating the Right to Financial Privacy Act because a brokerage firm is not a "financial institution" covered by that Act. These records revealed that although Hoke owned PairGain stock, he had not sold any of it during the brief spike in its share price. We also obtained Hoke's telephone records to determine if he had been communicating with anyone else who might have traded stock on his behalf. Section 2703(c) of ECPA confirms the SEC's ability to subpoena such records.[24] Finally, we obtained Hoke's bank records to see if he had obtained funds from any other person who might have traded in PairGain stock during the period of the manipulation and shared his profits with Hoke. Here we complied with the customer notice and other procedural requirements of the RFPA.[25]

The only information relevant to this investigation that we were not able to obtain by subpoena was the content of Hoke's e-mails stored at HotMail. Because these messages were less than 180 days old during the investigation, ECPA put them out of our reach. However, the FBI, which was conducting a parallel investigation, obtained those e-mails with a search warrant and was not legally precluded from making them available to the SEC.[26] Illustrating that compliance with all applicable privacy requirements need not seriously impede the SEC's investigations, the staff filed a civil injunctive action against Hoke, based on an extensive evidentiary record, less than two weeks after his fraudulent internet postings.


The statutory protections of the privacy rights of individuals described above come into play in a substantial number of SEC inquiries. Nevertheless, compliance with these statutes does not, in all but a few cases, seriously impede the SEC's investigative reach. In its own investigations and in the assistance it renders to the regulators of other nations, the SEC has succeeded in respecting legitimate claims of privacy without significantly compromising its effectiveness in its law enforcement mission.


[1] Encryption is the subject of a bill introduced in Congress by Rep. Bob Goodlatte, Republican of Virginia, The Security And Freedom through Encryption (SAFE) Act of 1999 (H.R. 850). According to Congressman Goodlatte's website, www.house.gov/goodlatte, the SAFE bill would permit Americans to "use any type of encryption anywhere in the world. It also prohibits the government from monitoring people's communications without their knowledge or consent." The SAFE bill enjoys broad bi-partisan support, with 143 Republican and 114 Democratic co-sponsors. The U.S. Department of Justice, however, has expressed concern that the SAFE bill would impede effective law enforcement, would pose significant risks to national security and public safety, and would be contrary to our international export control obligations. See Testimony of Ronald D. Lee, Associate Deputy Attorney General, Department of Justice, Before the House Committee on the Judiciary Subcommittee on Courts and Intellectual Property on the Security and Freedom Through Encryption Act, March 4, 1999, available on the website of the U.S. Department of Justice, www.usdoj.gov/criminal/cybercrime/leesti.htm.
[2] The new regulations would have required banks and other depository institutions to establish programs intended to deter money laundering. Among other things, the Know Your Customer regulations would have required financial institutions to confirm the identity of their customers, to determine each customer's money sources and normal and expected transactions, to identify customer transactions that are unusual or suspicious, and to report suspicious customer activities to governmental authorities. See Notice of Proposed Rulemaking, Office of Thrift Supervision, U.S. Department of the Treasury, 63 Fed. Reg. 2341 (1998) (December 7, 1998) (published on the internet at www.networkusa.org/fingerprint/page1b/fp-ots-kyc-reg.htm).

Public reaction to the proposal was fast and furious, with opposition spanning the political spectrum. See Statement of Gregory T. Nojeim, Legislative Counsel, American Civil Liberties Union, Washington National Office, on Financial Privacy and the Proposed "Know Your Customer" Regulations, before the Commercial and Administrative Law Subcommittee of the House of Representatives Committee on the Judiciary (March 4, 1999) (published on the internet at www.aclu.org/congress/lg030499a.html) and Phyllis Schlafly, Monitoring Law-Abiding Americans, Eagle Forum, December 30, 1998 (available on the internet at www.eagleforum.org/column/1998/dec98/98-12-30.html). Legislation to stop Know Your Customer regulations was soon introduced in Congress. U.S. Rep. Ron Paul, Orwellian Rules Face Major Opposition (Press Release, February 2, 1999) (published at www.house.gov/paul/tst/tst99/tst020199.htm). When banking regulators withdrew their proposed regulation in March 1999, they said in a joint statement that they had received an "unprecedented" number of comments, most of which "reflect[ed] public concern over the privacy of information that would be collected and held by financial institutions . . . ." Joint Statement, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Office of Thrift Supervision, Proposed "Know Your Customer" Rule (March 23, 1999) (available at www.federalreserve.gov/boarddocs/press/BoardActs/1999/19990323/statement.htm). See also Raney, "Flood of E-Mail Credited With Halting U.S. Bank Plan," N.Y. Times, March 24, 1999.

[3] 26 U.S.C. § 6103. One federal appellate court has required that the government make a greater showing of investigative need to obtain personal tax returns from the taxpayer than is required for less sensitive documents. CFTC v. Collins, 997 F.2d 1230 (7th Cir. 1993).
[4] 15 U.S.C. § 1681, et seq.
[5] 15 U.S.C. § 1681b.
[6] The SEC's ability to assist securities regulators from other countries is largely co-extensive with its ability to obtain information for its own purposes. See Securities Exchange Act of 1934 § 21(a)(2) [15 U.S.C. § 78u(a)(2)].
[7] 5 U.S.C. § 552a.
[8] 12 U.S.C. §§ 3401-22.
[9] 18 U.S.C. §§ 2510 et seq.
[10] SEC Forms 1661 and 1662.
[11] The prospective investors themselves may not always recall with clarity what representations were made to them.
[12] The SEC was made subject to the RFPA by a 1980 Amendment to the Securities Exchange Act of 1934. 15 U.S.C. § 78u(h)(1).
[13] 425 U.S. 435 (1976). See also U.S. v. Jerry T. O'Brien, Inc., 467 U.S. 735, 745 (1984).
[14] See 12 U.S.C. §§ 3401(4) and (5).
[15] 12 U.S.C. § 3410(a)(2).
[16] In the Matter of SEC Private Investigation/Application of John Doe Re Certain Subpoenas, 1990 WL 119321 at *2, quoting 12 U.S.C. § 3410(c).
[17] Mackey v. SEC, 1997 WL 114801 (D. Conn. 1997) at *2, quoting Sandsend Fin. Consultants v. Federal Home Loan Bank Board, 878 F.2d 875, 882 (5th Cir. 1989).
[18] 15 U.S.C. § 78u(h)(2).
[19] Less significantly, ECPA also restricts government access to electronic data stored by what the statute terms "remote computing services." Unlike e-mail and voice-mail services, remote computing services provide electronic data storage and computer processing services for their customers; they do not serve as third-party transmitters of electronic communications. For example, a remote computing service may handle the payroll data storage functions for an issuer or a broker-dealer. Under ECPA, the SEC can obtain the contents of data electronically stored by a remote computing service by administrative subpoena or by a court order, with prior notice to the customer. ECPA provides for delay in customer notice pursuant to court order when warranted by circumstances, such as when prior notice might seriously jeopardize an investigation.
[20] 18 U.S.C. § 2703(a).
[21] Id.
[22] 18 U.S.C. § 2703(c)(1)(C).
[23] SEC v. Gary Dale Hoke, Lit. Rel. No. 1617 (April 21, 1999). Newspaper accounts of the case include: Maremount, "Extra! Extra!: Internet Hoax, Get the Details," Wall Street Journal (April 8, 1999); Schwartz, "Anatomy of a Web Hoax," Washington Post (April 9, 1999); and Wyatt, "Fake Web Posting Leads to Fraud Charge," New York Times (April 16, 1999).
[24] Under ECPA, however, we would not have been able to obtain voice mail messages stored by his telephone company.
[25] Hoke, in fact, had intended to sell his PairGain stock after the price increased to a certain level. However, the hoax was discovered before the stock hit the target price, so he never sold his stock. Nor was there anyone else involved in the scheme with him.
[26] Had those records been obtained pursuant to grand jury subpoena, however, the criminal authorities would not have been permitted to provide them to the SEC or any other civil agency. Federal Rule of Criminal Procedure 6(e). Hoke was prosecuted criminally by the U.S. Attorney's Office and sentenced to 5 months of home detention and 5 years' probation. He was also ordered to pay restitution to investors he had injured through his conduct.


Modified: 03/22/2001