SEC Web Site Privacy and Security Policy
May 12, 2017
- Rights Under the Privacy Act of 1974
- Information Collected and Stored Automatically
- Information Collected for Website Improvement and Customization (Cookies)
- Internet Security Policy
- Vulnerability Disclosure Policy
- Personally Identifiable Information
- Sharing of Your Information
- Use of Social Media
- E-Mail Communications
- Authority for Collecting Information
- Information from Children
- False Statements and Documents
- Website Dissemination
- Links to Other Web Sites
The privacy of visitors to our web site is of the utmost importance to the SEC. We do not require you to give us personal information when browsing our website, and, beyond the automatically collected data specified below, we do not collect personal information from you unless you specifically and knowingly choose to provide such information to us.
Rights Under the Privacy Act of 1974
The Privacy Act of 1974, as amended (5 U.S.C. § 552a), prohibits the disclosure without consent of information about individuals that the federal government maintains in a system of records. Agencies are required to give the public notice of their systems of records by publication in the Federal Register. You may click here to see a list of the SEC's systems of records. The Act also provides individuals with a means by which to seek access to and amendment of their records, although such requests are subject to exemptions as set forth in the Privacy Act. In addition, the Act allows individuals to bring suit against an agency for violating the Privacy Act.
If we store information about you in a system of records from which we retrieve that information by personal identifier (e.g., name, personal email address, home mailing address, personal or mobile phone number, etc.), we will safeguard your information in accordance with the Privacy Act. The SEC adheres to Privacy Act requirements with respect to all information about individuals that it collects, maintains, uses, or disseminates in a System of Records, regardless of whether the information pertains to a U.S. Citizen, lawful permanent resident, or a non-U.S. Citizen. However, the rights to seek access to and amendment of covered records, and to bring suit for alleged violations of the Privacy Act, only extend to U.S. citizens and legal permanent residents (as defined in 5 U.S.C. § 552a(a)(2)) and citizens of designated foreign countries or regional economic organizations (as defined under the Judicial Redress Act of 2015, 5 U.S.C. § 552a note). Nonetheless, because we have an interest in maintaining records that are accurate and complete, non-U.S. citizens may seek amendment of records under the procedures described in the SEC’s Privacy Act Regulation.
The SEC’s Privacy Act Regulation can be found at: 17 C.F.R. Subpart H-Regulations Pertaining to the Privacy of Individuals and Systems of Records Maintained by the Commission.
Additional information regarding privacy safeguards for non-U.S. citizens’ personal data is available here.
Personally identifiable information not contained in a system of records is protected under the Federal Information Security Modernization Act of 2014. 44 U.S.C. §§ 3554(a)(1)(A)(i), 3552(b)(3)(B).
For the general contact information that may be submitted through www.sec.gov, we have completed a System of Records Notice (SORN) providing details about the privacy protections and redress options for information we collect from the public. For further information, please reference the documentation below.
SEC-56 Mailing, Contact, and Other Lists System of Records Notice (July 22, 2009, FR 74-36281).
Information Collected and Stored Automatically
When you visit our website to read or download information, such as filings, press releases or publications, we do not collect your name, email, mailing address or similar identifying information without your knowledge. However, towards continual improvement of our website and for site management purposes, we will automatically collect and maintain certain statistical information about your visit. This information includes:
- The date and time (with time zone) of a website visit.
- Internet Protocol (IP) address. A computer’s IP address establishes its location on the Internet and allows communications with other computers to send it content and other information.
- Type of Internet traffic associated with a specific IP address;
- Type of Internet traffic associated with a specific time or event;
- Type of technology used to access the website (such as the type of internet browser and type of operating system);
- Types of events;
- The location associated with an event (such as apparent nation of origin);
- Host names;
- Malicious software identification; and
- Caller Identification logs, which provide a caller's apparent phone number.
We use the above information to measure the number of visitors to the different sections of our website, assess system performance and to help us make the website more useful to our visitors. Additionally, portions of this data, to include partial IP addresses, are posted publicly on our website in response to frequent Freedom of Information Act (FOIA) requests. To remediate computer security incidents, such data may be manually analyzed to allow computer security specialists to identify Internet Service Providers (ISPs) and, in extreme cases, to attempt to identify the specific computer and individual involved in an attack on the SEC’s site. The section on “Security and Intrusion Detection” below further details such extreme cases.
Information Collected for Website Improvement and Customization (Cookies)
The SEC uses web measurement and customization technologies, commonly known as “cookies”, to collect information about users’ visits to our site. Use of these technologies makes our web site function better for you and allows us to better understand how the public is using the web site. Cookies are files placed on your hard drive by a web site that store information regarding your use of that site, usually without your express knowledge.
The SEC uses "session cookies” also known as “Tier 1 web measurement and customization technologies” and “persistent cookies” also known as “Tier 2 web measurement and customization technologies”. These cookies do not collect personal information on users. Session cookies are stored in memory during an active browser session, and they are erased as soon as you close your browser after visiting our web site. Persistent cookies can stay on your computer for longer periods of time unless a user deletes them.
The SEC uses third-party analytics tools (currently Google Analytics, Foresee, and Akamai) to collect and analyze anonymous statistical data. This data helps the SEC meet user needs, understand web traffic patterns and identify opportunities to improve the quality of the site. The SEC uses anonymous, aggregated data for internal purposes and discloses it to SEC employees and contractors who have a “need-to-know” in the performance of their official duties.
Google Analytics uses a persistent cookie to store a unique, randomly assigned identifier for each user. The persistent cookie remains on users’ computers for two years or until it is deleted. Additionally, Google Analytics uses session cookies to facilitate sending data to Google Analytics. Google Analytics does not receive PII through these cookies and does not combine, match, or cross-reference SEC.gov information with any other information. The data is automatically sent from your machine or device to the provider’s system which immediately aggregates that data.
Foresee gathers information through an optional survey on SEC.gov. ForeSee utilizes session and persistent cookies, none of which collect PII. If you accept the survey invitation, two session cookies store information relating to the survey control and operation. The information is submitted when you complete the Foresee survey and submit your response. If you decline the survey invitation, or do not complete the survey, this information is never submitted to Foresee. The session cookies are deleted at the end of your session on SEC.gov.
ForeSee uses a persistent cookie to prevent multiple pop-up survey invitations. If you decline the survey invitation, or if you complete the survey, this cookie will prevent additional pop-up invitations for 90 days.
Akamai uses a Tier 2 persistent cookie, which ensures your subsequent request for information from our Web site will always return to the same origin datacenter as your original request. The persistent cookie will remain on your computer for one day or until you delete it. The cookie will not collect information from you as the cookie is set at the server level to determine from what datacenter your first request originated.
You may opt-out of having the ForeSee and Akamai cookies installed on your machine or device by changing the setting of your browser to block them. For instructions on how to block cookies from common browsers and additional information please visit: http://www.usa.gov/optout_instructions.shtml.
We employ safeguards to maintain the security, confidentiality, and integrity of the information we collect on our site. To view a listing of our Privacy Impact Assessments for our electronic systems and collections, including those utilizing web measurement and customization technologies please visit our privacy page at https://www.sec.gov/about/privacy/secprivacyoffice.htm
If you choose to block these technologies you will continue to have access to comparable information and services on our web site.
Internet Security Policy
By using this site, you are agreeing to security monitoring and auditing. For security purposes, and to ensure that the public service remains available to users, this government computer system employs programs to monitor network traffic to identify unauthorized attempts to upload or change information or to otherwise cause damage, including attempts to deny service to users.
Unauthorized attempts to upload information and/or change information on any portion of this site are strictly prohibited and are subject to prosecution under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act of 1996 (see Title 18 U.S.C. §§ 1001 and 1030).
To ensure our website performs well for all users, the SEC monitors the frequency of requests for SEC.gov content to ensure automated searches do not impact the ability of others to access SEC.gov content. We reserve the right to block IP addresses that submit excessive requests. Current guidelines limit users to a total of no more than 10 requests per second, regardless of the number of machines used to submit requests.
If a user or application submits more than 10 requests per second, further requests from the IP address(es) may be limited for a brief period. Once the rate of requests has dropped below the threshold for 10 minutes, the user may resume accessing content on SEC.gov. This SEC practice is designed to limit excessive automated searches on SEC.gov and is not intended or expected to impact individuals browsing the SEC.gov website.
The SEC does not allow "unclassified" bots or automated tools to crawl the site. Any request that has been identified as part of an unclassified bot or an automated tool outside of the acceptable policy will be managed to ensure fair access for all users.
Note that this policy may change as the SEC manages SEC.gov to ensure that the website performs efficiently and remains available to all users.
Vulnerability Disclosure Policy
The SEC is committed to maintaining the security of our systems and protecting sensitive information from unauthorized disclosure. For more information, see our Vulnerability Disclosure Policy.
Personally Identifiable Information
As a general rule, the SEC does not collect PII about you when you visit our web site, unless you choose to provide such information to us. Submitting PII through our website is voluntary, and by doing so, you are giving the SEC your permission to use the information for a specific, stated purpose. However, not providing certain information may result in the SEC’s inability to provide you with the service you desire.
If you choose to provide us with PII on the SEC website, through such methods as completing a web form, we will use that information to help provide you the information or service you have requested. The information we may receive from you varies based on what you do when visiting our site.
Sharing of Your Information
If you choose to provide PII, you are consenting to the SEC’s use of that information and permitting that it be shared with SEC employees and contractors and, in limited circumstances, with third parties, to conduct official business. Such employees and contractors are subject to confidentiality restrictions to protect your PII. The information shared by the SEC with third parties is for the sole purpose of advancing the cause for which you provided the information. Third parties may include law enforcement and other federal or state government agencies. We may use your information for official business purposes when you report suspicious activity that suggests a violation of federal securities laws, the information you have provided may be shared with law enforcement and other federal or state agencies. In this situation, the primary use of your PII would be to enable the government to contact you in the event we have questions regarding the information you have reported.
Under certain circumstances, the SEC may be required by law to disclose information you submit to other authorities for official purposes, for example, to respond to a Congressional inquiry or subpoena.
Use of Social Media
The SEC uses social media sites as dynamic information sharing tools to engage in dialogue, share information and media, and collaborate with the public. Links to the SEC’s social media sites are available at http://www.sec.gov/news/socialmedia.shtml. Your activity on these social media sites is governed by the security and privacy policies of the third-party sites. The SEC does not control, moderate or endorse the comments or opinions provided by visitors to these sites. You should review the privacy policies of all websites before using them and ensure that you understand how your information may be used. You should also adjust privacy settings on your account on any third-party website to match your preferences.
The SEC does not use social media sites to actively solicit personal information from individuals. If the SEC receives your personal information through interaction with a social media site, it is required to maintain the information in accordance with the requirements of the Privacy Act and the Freedom of Information Act to ensure the greatest protection of personal privacy.
If you have an account with a third-party website, and choose to follow, like, friend, or comment on an SEC page on the third-party website, certain personal information associated with your account may be made available to us based on the privacy policies of the third-party website and your own privacy settings within that website. We do not share PII made available through these websites unless required for law enforcement purposes or by statute.
The SEC conducts Privacy Impact Assessments (PIA) for electronic systems and collections, including those utilizing social media sites. The PIA is an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
To view a listing of our Privacy Impact Assessments for our electronic systems and collections, including those utilizing social media technologies, please visit our privacy page at https://www.sec.gov/about/privacy/secprivacyoffice.htm.
Our website and many of our programs allow you to send us email messages. We will use the information you provide to respond to your inquiry. We will only send you general information via email. You should be mindful that email is not necessarily secure against interception. Therefore, we suggest that you do not send sensitive PII (such as your social security number) to us via email. With the exception of comments made specifically in response to a Request for Comments (see the Current SEC Rulemaking page), we do not share your e-mail with any other outside organizations except for authorized law enforcement investigations or in assisting investors with complaints and inquiries. Comments made in response to a Request for Comments are public information and are posted on the site in the rulemaking section.
Electronic mail messages that meet the definition of records in the Federal Records Act (44 U.S.C. § 3301) are covered under the same disposition schedules as other federal records. See 36 C.F.R. Part 1225. This means that emails you send us will be preserved and maintained for varying periods of time if those emails meet the definition of federal records. Electronic messages that are not records are deleted when no longer needed. See SORN SEC-29, Agency Correspondence Tracking System (ACTS), at Federal Register, 63 Fed. Reg. 11938-11939 (1995), as amended.
Authority for Collecting Information
The SEC is authorized to request information from you by various laws: Sections 19 and 20 of the Securities Act of 1933, Section 21 of the Securities Exchange Act of 1934, Section 321 of the Trust Indenture Act of 1939, Section 42 of the Investment Company Act of 1940, Section 209 of the Investment Advisers Act of 1940 and Title 17 of the Code of Federal Regulations, Section 202.5.
Information from Children
In compliance with the Children's Online Privacy Protection Act (COPPA), effective April 21, 2000, the SEC does not require children under 13 years old to reveal any information that could personally identify them. If, however, a child chooses to provide us with PII, through an e-mail, web form or other means, it will only be used to respond to the writer's question(s) or request(s). The information will not be retained, used for another purpose, or shared with third parties.
False Statements and Documents
If you choose to furnish us with information that you know to be false or misleading, you may be prosecuted for any violations of federal law. Section 1001(a) of Title 18 of the United States Code provides as follows:
Except as otherwise provided in this section, whoever, in any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States, knowingly and willfully—
(1) falsifies, conceals, or covers up by any trick, scheme, or device a material fact;
(2) makes any materially false, fictitious, or fraudulent statement or representation; or
(3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry;
shall be fined under this title, imprisoned not more than 5 years or, if the offense involves international or domestic terrorism (as defined in section 2331), imprisoned not more than 8 years, or both. The information you give the SEC may be used against you in any federal, state, local or foreign administrative, civil or criminal proceeding brought by the SEC or any other agency. You may refuse, in accordance with the rights guaranteed to you by the Fifth Amendment to the Constitution of the United States, to give any information that may tend to incriminate you or subject you to fine, penalty or forfeiture.
Information presented on www.sec.gov is considered public information and may be copied or further distributed by users of the web site without the SEC’s permission. Please consider appropriate citation to the SEC as the source. Please do not use the SEC seal or any of the other logos or artwork from this site. In addition, please be advised that “SEC,” the EDGAR logo, and the names EDGAR, EDGARLink, and EDGARLink Online are the SEC's registered trademarks. You may not use them in a trade name, trademark, or domain name of an SEC- or EDGAR-related business without a license from the SEC. You may refer in text to the existence of EDGAR and the EDGAR system without a license, so long as you are not creating the impression that your business is affiliated with or approved by the SEC. For more information on the SEC’s registered trademarks or how to apply for a license, please email EDGARTrademark@sec.gov.
Links to Other Web Sites
We provide links to Federal and non-Federal websites if we think they may be useful to our visitors or necessary for the performance of agency functions. This includes commercial websites such as Facebook, Twitter, Flickr and YouTube.
When you follow a link to a non-SEC website, you will first be directed to a web page that reminds you that you are leaving SEC.gov and that the website you are about to visit is not endorsed by the SEC. These other websites are not within the SEC’s control. The SEC does not guarantee the accuracy or completeness of any information on these sites. Be aware that the privacy protection provided to you on SEC.gov will not be available at the external link. Once you link to another site, you are subject to the policies of that site.