10/24/11: In the wake of damaging revelations regarding a security breach in connection with the SEC's "Ethics Program System" for ethics compliance and conflicts checks, the Union requested that the SEC extend credit monitoring services to spouses and other affected family members of SEC employees. The agency has agreed to provide these services. The Union also has requested further discussions with the SEC regarding fundamental changes to the EPS itself to ensure the safety and security of SEC employees' sensitive personal financial information, before a new system is put in place. The SEC has responded that it is not prepared to discuss the issue further with the Union at this time, but that it will discuss options at a later date when it is prepared to take further steps regarding the EPS.
The SEC implemented the EPS back in 2009 primarily for the purpose of monitoring employees' securities trades for potential conflicts of interest. At that time, despite the Union's limited rights regarding the implementation of ethics rules at the agency, Union officials raised serious concerns about the safety and security of employees' confidential information. The SEC assured the Union, however, that the new system would be safe and secure, and that the information would only be available to a small number of employees at the contractor selected by the SEC. Those employees would be subjected to extensive background checks, and the system itself would be subject to audits and tests to further ensure security.
Despite these assurances, however, in a letter dated October 7, the SEC informed its employees that the fear of a potential security breach had been realized. According to the SEC, its contractor gave access to EPS data to a subcontractor and a consultant without agency authorization -- access that possibly occurred during the entire history of the operation of the system. While the SEC continues to assert that there is no evidence of "any actual misuse of the data," it is impossible for the agency to know for sure whether any misuse occurred or might occur in the future. For that reason, the agency offered credit monitoring services to its employees.
After the SEC sent out its first notice on October 7, the Union contacted the agency and requested that it also provide credit monitoring to employees' spouses and other family members who might have been affected by the security breach. After deliberating over this request for several days, last week the SEC agreed to extend the credit monitoring services to all affected individuals.
The SEC has suspended the EPS for the time being and the agency will be reviewing its options for moving forward. For that reason, Union officials also have requested that the SEC engage in predecisional discussions with the Union about how best to achieve its interest in ensuring compliance with ethics rules in connection with employees' securities holdings. The agency has responded that it is not prepared to engage in such a discussion with the Union at this time.
Union officials are disappointed by this response. Chapter 293 would like to engage with the SEC before any decisions are made. The Union maintains that the SEC's current model for the Ethics Program System is fundamentally deficient in three ways that need to be addressed by whatever new system the agency opts to implement.
First, the Union believes that the program should be accomplished entirely in-house, on an SEC server behind the SEC's firewall. There is no reason why the agency should need to send the confidential financial information of SEC employees and their close family members out to a third-party outside contractor. It is a fundamental axiom of data security that each successive level of access to data creates additional opportunities for a security breach. In fact, the SEC's own mandatory annual training for employees on protecting personally identifiable data regularly addresses this point. Obviously, the best way to reduce the chances of a security breach is to reduce the number of entities that have access to the information. And, in fact, this major concern, which was first raised by the Union back in 2009, has been borne out by the current fiasco.
Second, there is no need for the agency to collect all of the detailed, private, confidential financial data that it is currently insisting upon collecting. The rationale for the existence of the EPS is to ensure compliance with certain ethics rules. Those rules deal primarily with ensuring that SEC employees do not hold or exercise control over certain types of securities, and also with ensuring that they do not have a conflict of interest. These concerns can be addressed by maintaining a simple internal database that lists only the names of the securities held by SEC employees, which could be updated in the event of a trade. There is no reason for the agency to collect additional, highly confidential information, including account numbers, identities of brokers and investment advisers, precise numbers of shares held, dates on which shares were acquired, etc. Maintaining this amount of much more detailed, private, confidential financial data -- information that is not necessary to ensure compliance with applicable ethics rules -- will achieve nothing more than to create the opportunity for another security breach. Such a breach not only has the potential to cause extensive harm to SEC employees and their close family members, but it will also undoubtedly damage the agency's own reputation.
Third, whatever data is required by the SEC, the ethics conflicts system should be one that works. The current EPS is a complicated, byzantine system that is extremely difficult for employees to navigate. The Union frequently receives complaints about this, and it has communicated these issues to the SEC, but changes have not occurred.
All of us understand that the SEC needs a sound ethics compliance system to deal with potential conflicts of interest, but the EPS system is unnecessarily intrusive to serve this important end. It is instructive for all of us to remember that the EPS was implemented by the SEC to address what was essentially a public relations concern created by a report issued by the Office of the Inspector General. That report concerned alleged "insider trading" by two longstanding SEC employees. The Union pointedly notes that there has never been any evidence presented by anyone to support the proposition that any SEC employee has ever actually engaged in insider trading -- a fact that the Union believes should be forcefully communicated by the SEC's senior management. Instead, the SEC has chosen to create EPS, exposing to potential attack all of the private, confidential financial information of SEC employees and their families, to address senior management's public relations concerns -- rather than an insider trading issue that has never actually existed at the SEC.
Chapter 293 will continue to press the SEC for fundamental changes to the EPS.