In a Senate Judiciary Committee meeting held on September 16, 2015, Securities and Exchange Commission Enforcement Director Andrew Ceresney expressed his frustration over the entity’s lack of access to stored emails. See Video and Written Testimony Here.
Mr. Ceresney and the SEC’s irritation stems from proposed amendments to the Electronic Communications Privacy Act (ECPA), a 1986 law created when the Internet was a toddler. ECPA was designed with the ambitious goal of preventing unauthorized government access to private electronic communications.
However, in practice, ECPA has created a troublesome regime regarding compelled disclosure of communications content. As amended by subsequent pieces of legislation such as the USA PATRIOT Act, ECPA authorizes the government to compel a service provider to disclose the contents of an email that is older than 180 days with simply a subpoena and notice to the user. Only if the email is less than or exactly 180 days old is the government required to obtain a search warrant.
In 2010, the Sixth Circuit effectively eliminated the 180-day distinction in its interpretation of the Fourth Amendment in United States v. Warshak, 631 F.3d 266 (6th Cir. 2010). As a result, Internet-related service providers like Google have decided to follow Warshak by demanding that the government obtain a warrant to “seize” all email files.
And why should they not protect users by insisting that the government satisfy a higher burden of proof? In this day and age, email accounts contain some of the most personal information we possess, including medical information, financial statements, and highly confidential communications. Put simply, ECPA, as it is currently written, frustrates users’ reasonable expectation of privacy (the touchstone of Fourth Amendment rights). Files stored online should enjoy the same Fourth Amendment protections as files stored in a cabinet at home or in the office.
Virtually everyone supports an amendment to ECPA, but there is much contention regarding the level of Fourth Amendment protection that should be granted. Hence Mr. Ceresney and the SEC’s frustration.
A recent proposed amendment to ECPA (“S. 356”), sponsored by Senators Leahy (D-Vermont) and Lee (R-Utah), effectively codifies the Warshak decision by implementing a bright-line “warrant-for-content” rule. Unsurprisingly, the government opposes the amendment.
Mr. Ceresney suggested that since the SEC does nothave warrant authority, the proposed amendment should allow civil government agencies to bypass the warrant requirement. Under his proposal, they would be provided with an exception to access information through other legal processes, with a lower burden of proof than a warrant.
In his testimony, Mr. Ceresney told the committee: “I can’t talk about the details of ongoing investigations, but I can say that there a number of investigations in which, if we were exercising our authority … to obtain emails from [internet service providers], we would do that.”
Well of course you would. Pardon my cynicism, but I believe that Mr. Cereseney’s arguments are disingenuous.
First, the SEC has been operating just fine for decades by issuing subpoenas directly to the targets of or witnesses in its investigations. Users’ reasonable expectations of privacy should not be compromised simply because it would be easier for the government to investigate them. If that were the case, we would be giving civil enforcement agencies unprecedented latitude.
Moreover, there is insufficient evidence to show that the warrant-for-content rule would hinder the SEC’s investigations. In a 2013 letter from SEC Chairman Mary Jo White to Senator Leahy, the SEC cited one example where it ostensibly could not have brought a case but for the ability to serve a subpoena directly a provider to obtain email content about the target. Yet the Center for Democracy and Technology examined the record and concluded that the cited case “actually shows that the need for new authority is greatly overstated, if not totally unjustified,” and that it “illustrated precisely the risk of indiscriminate production of personal emails that we have warned about.”
Second, if targets or witnesses of SEC investigations fail to cooperate, the SEC has a variety of ways to compel compliance, including enforcement of subpoenas, which can lead to sanctions, fines, default judgments, and jail time. Talk about punitive power – the SEC holds the cards here.
Third, were the SEC allowed largely unencumbered access to emails through internet service providers, the chances of privileged or otherwise protected material being turned over to authorities are extraordinarily high.
Fourth, the SEC and DOJ often work hand-in-hand on investigations, particularly in the realm of the FCPA. If the SEC were granted an exception under S. 356, who is to say that SEC would not just obtain information by bypassing the warrant-for-content rule and passing it along to DOJ?
As I skim my emails that keep me apprised of the SEC’s near-daily enforcement actions, I have no doubt that the SEC will still function as it previously had without an exception to make its civil discovery process easier.