Last month, the Securities and Exchange Commission (“SEC”) was hit with a complaint in federal court alleging that the agency has been untimely in responding to a Freedom of Information Act (“FOIA”) request for documents related to an admitted “control deficiency” that allowed certain SEC personnel to access databases in violation of the agency’s governing regulations.  The complaint piles on to recent challenges to the SEC’s enforcement structure, at a time when the SEC is proposing issuing cybersecurity and data privacy regulations affecting private entities.

To understand the significance of the complaint and FOIA request, a brief background on the SEC’s structure is necessary.  By statute, the SEC is authorized to conduct investigations into the violations of securities laws.  See 15 U.S.C. § 78u(a).  The SEC is also statutorily enabled to adjudicate cases against violators using an “in-house” administrative proceeding instead of filing a complaint in federal district court.  See, e.g., 15 U.S.C. §§ 78u-2, 78u-3.  However, the Administrative Procedure Act and corresponding SEC regulations prohibit any employee who is part of an enforcement investigation from either participating or advising in an adjudication or from communicating with the in-house judge without the accused violator present.  See 5 U.S.C. §§ 554(d), 557(d)(1); 17 C.F.R. 201.120–.121.

Despite these attempts to separate powers within the SEC, two recent cases—Cochran and Jarkesy—have challenged the constitutionality of the SEC’s enforcement structure in federal court.  The Supreme Court will issue a decision in one of the cases this term, and the other case resulted in the Fifth Circuit holding that the SEC’s in-house system violated the accused’s Seventh Amendment right to a jury trial.  See Cochran v. SEC, 20 F.4th 194 (5th Cir. 2021), cert. granted, 142 S. Ct. 2707 (U.S. May 16, 2022); Jarkesy v. SEC, 34 F.4th 446 (5th Cir. 2022).

In April 2022, the SEC issued a statement revealing that it had “identified a control deficiency related to the separation of its enforcement and adjudicatory functions within its system for administrative adjudications.”  More specifically, “certain databases maintained by the Commission’s Office of the Secretary were not configured to restrict access by Enforcement personnel to memoranda drafted by Adjudication staff.”  The SEC stated that with respect to the two federal court challenges to the SEC structure, investigation staff “would have been able to access certain Adjudication memoranda that pertained to those matters,” but there was no evidence that enforcement staff “in fact” did so.

Following the SEC’s statement, according to the complaint, an organization called the New Civil Liberties Alliance (“NCLA”) submitted a FOIA request to the SEC seeking documents related to “the control deficiency.”  The SEC allegedly has not provided NCLA a substantive response to its request or a determination of what the SEC intends to produce and withhold within the time limit set by FOIA.  As of today, the SEC has not responded to the complaint.

The SEC’s control deficiency is not the only technical issue that has affected the agency in the past year.  The continuing litigation over the SEC’s enforcement structure comes at a time when the SEC has proposed a slew of regulations mandating cybersecurity and data privacy practices at private entities.  CPW will be monitoring this litigation along with the SEC’s cybersecurity and data privacy efforts and be here to keep you in the loop.