This op-ed by Sen. John Kennedy (R-La.) first appeared in the Washington Examiner on November 16, 2023.
The Securities and Exchange Commission is supposed to protect investors , not stalk them. However, under a new regulation, the SEC has paved the way for the federal agency to follow an investor’s every move.
Here’s just a bit of the information the SEC is forcing brokers to fork over: their customers’ full names, birth years, addresses, which stocks they bought, which stocks they sold, and when those transactions occurred.
The SEC never had this level of access to personally identifiable information previously. The brokers would often have to store the information, and then the SEC could request the information for investigations. Now, the SEC wants all this information directly. In its own words , the SEC wants to “efficiently and accurately track all activity throughout the U.S. markets.” Every single transaction.
The SEC stops just shy of asking each investor to name their middle school crush before it receives all this customer information and stuffs it into one massive government-owned database called the Consolidated Audit Trail. The CAT is a ticking time bomb of sensitive personal information that hackers cannot wait to detonate.
The scope of the CAT takes your breath away. Investors make billions of trades each day. The CAT will be, if it isn’t already, the largest database in the world. It will contain a treasure trove of information that is specific enough to identify the purchases made by every single investor.
Managing that data would be difficult enough if we only needed to worry about the SEC’s access to the database, but that’s not the case. Government contractors have access to the CAT, too. In total, roughly 3,000 people will have access to the database. Malicious hackers couldn’t design a more vulnerable database if they tried.
The SEC has already struggled to foil hackers. In 2019, foreign hackers breached the SEC’s EDGAR filing system to get early access to corporate disclosures before the SEC made that information public. These thieves just wanted to beat the market, but the breach could have been far worse.
Beyond the threat of hackers, the CAT could deter investors from making purchases they would otherwise make. Investors could, for example, be deterred from buying stock in companies that sell guns for fear their investment would get scrutinized publicly or by the SEC in private, drawing retribution from politicians who don’t believe in the Second Amendment. Already, many people have vowed to stop using credit cards for gun purchases after major credit card companies proposed a special transaction code for gun purchases. The CAT could have the same chilling effect.
Sadly, it’s not unheard of for the federal government to weaponize data to attack the public. The Internal Revenue Service, for example, apologized in 2017 for mistreating conservative nonprofit groups. More recently, an IRS contractor pleaded guilty after leaking the tax returns of former President Donald Trump, Amazon founder Jeff Bezos, and others.
The Department of Justice has also thrown the weight of the federal bureaucracy behind investigations of concerned school parents and local Catholic churches . A privacy invasion as significant as the CAT could convince people not to make any investment that could invite the ire of government officials or politicized groups.
The SEC’s main argument for the CAT is that it was really difficult to recreate the scenario that resulted in the flash crash of 2010. The flash crash occurred when a mutual fund sold $4.1 billion, resulting in an instant loss of roughly 9% of the Dow Jones value. The SEC doesn’t argue that the CAT would have stopped the flash crash; it only argues that the CAT would make it easier to investigate those crashes.
In the United States, we don’t violate citizens’ privacy rights to make a bureaucrat’s job easier. If the SEC needs this information to track down criminals, it can get a warrant.
The SEC’s disregard for privacy is as dangerous as it is un-American. That’s why I introduced the Protecting Investors’ Personally Identifiable Information Act, a bill that would prohibit the SEC from forcing financial institutions to turn over every investor’s personally identifiable information and require the SEC to delete any information it has gathered since the agency implemented the rule.
Roughly 158 million Americans invest in the stock market. The CAT is a privacy and financial disaster waiting to happen. My colleagues in Congress should join me in working to shut down the CAT and restore the privacy of investors.
John Kennedy is a U.S. senator for Louisiana and serves on the Committee on Banking, Housing, and Urban Affairs.