
WASHINGTON – Sen. John Kennedy (R-La.), a member of the Senate Banking Committee, today introduced the Protecting Investors’ Personally Identifiable Information Act, which would protect information that could reveal the identity of American investors. The legislation would prohibit the Securities and Exchange Commission (SEC) from requiring brokers to submit investors’ personally identifiable information to its Consolidated Audit Trail (CAT).

Sens. John Boozman (R-Ark.), Jerry Moran (R-Kan.), Tom Cotton (R-Ark.), Steve Daines (R-Mont.), Katie Britt (R-Ala.), Mike Rounds (R-S.D.) and Tommy Tuberville (R-Ala.) are original cosponsors of the bill.

Rep. Barry Loudermilk (R-Ga.) has authored companion legislation in the House of Representatives.

“Investors trust the U.S. stock market with their savings and their privacy, but the SEC’s Consolidated Audit Trail would expose every American investor’s Social Security number and personal data to malicious hackers. The CAT is unconstitutional, and it hoards personal information it doesn’t need. My bill would make sure that the SEC only houses information it needs, and only while it needs it. As long as hackers and foreign enemies keep targeting Americans, the government shouldn’t endanger their personal information by creating one great, big, centralized target for bad actors,” said Kennedy. 

“The federal government has two huge problems when it comes to cyber security: they collect way too much personally identifiable information (PII), and they have a poor track record of protecting the information from hackers. This is why I introduced the Protecting Investors’ Personally Identifiable Information Act in the House, which will help prevent a breach by restricting the SEC’s ability to collect this data in the first place. Among its provisions, the SEC would only be able to request this data if investigating or enforcing violations of federal securities law. Thank you, Senator John Kennedy, for introducing the Senate companion to my bill,” Loudermilk said.

The SEC’s CAT will be fully operational between 2024 and 2025, making it the largest government database of its kind. The CAT will collect all customer and order information for equity securities and listed options, including data that might be considered personally identifiable information.  

The SEC is implementing the CAT despite concerns from investor protection groups and the securities industry and in the wake of vulnerabilities that recent cyber-attacks have revealed at federal agencies.  

This bill would prohibit the SEC from requiring market participants to submit investors’ personally identifiable information to the CAT. Under this legislation, the SEC can obtain personally identifiable information related to investors only by requesting it on a case-by-case basis. Companies and investors trading on the U.S. stock exchanges would need to fulfill the SEC’s request for this information within 24 hours, though additional time may be requested.  

The bill would also require the SEC to delete personally identifiable information once the agency resolves the investigation or issue that required that information. 

“The CAT is a sitting duck that makes every American investor and retirement saver’s personal and financial information an easy target for Chinese hackers. We thank Senator Kennedy for his leadership in protecting America’s mom-and-pop investors by introducing this important legislation to remove their personal and financial information from the CAT,” said American Securities Association CEO Chris Iacovella.

Text of the Protecting Investors’ Personally Identifiable Information Act is available here.