On April 5, the Securities and Exchange Commission (SEC) announced that two employees improperly accessed adjudicatory materials for cases being litigated in the agency’s in-house court system. The access occurred in 2017, and the SEC stated the breach “did not impact the actions taken by the staff investigating and prosecuting the cases or the commission’s decision-making in the matters.”

Under the Administrative Procedures Act (APA), the agency may preside over administrative proceedings to investigate and adjudicate violations of federal securities laws. Under the APA, investigation and adjudication responsibilities are separated. So, an employee who is investigating an adjudicatory matter may not participate in the decision-making.

In the SEC’s notice, the agency determined that certain SEC databases were misconfigured, which improperly allowed enforcement personnel to access case materials reserved for the adjudication staff. Enforcement personnel are different from adjudication personnel in line with the APA requirements and rules the SEC has promulgated. The SEC did not state how the misconfiguration was discovered.

The improperly accessed adjudicatory materials included materials that should have been restricted to commissioners and attorneys who advise the commission on decisions (e.g., investigation personnel). Some of these documents were uploaded to a database used by the enforcement division. The SEC’s review has focused on improper access as it relates to a pair of cases that started in the commission’s administrative proceedings and are now pending in federal courts.

The SEC is currently undergoing a review to determine any impact on administrative adjudicatory matters. So far, the agency has focused on two cases that are currently pending in the federal courts: SEC v. Cochran, No. 21-1239 (S. Ct.) and Jarkesy v. SEC, No. 20-61007 (5th Cir.). The SEC did not provide a timeline for when it would finish its internal review.

Takeaways

This incident highlights the importance of auditing internal configurations to ensure that only those employees with authority to access certain information can in fact access that information. Companies should continually review access and controls to sensitive information. Companies should also consider providing periodic training to staff on the proper handling, disposal, and access of data.