My column in Compliance Week this month provides an insider’s analysis of a controversial new SEC tactic, issuing subpoenas for so-called “electronic storage devices” (ESDs). Here is an excerpt:
“The SEC is an exceptional federal government agency—staffed with a dedicated corps of highly-credentialed professionals, inspired by a noble sense of mission, and rich with an 80+ year history of investor advocacy.
But sometimes the SEC gets carried away and needs a quick reality check. This is the case with the SEC’s recent use of subpoenas demanding production from witnesses of their so-called ESDs, which stands for electronic storage devices.
The SEC’s authority for subpoenas is derived from Section 21 of the Securities Exchange Act of 1934, the same act that established the SEC on June 6th of that year. The Act specifically states:
‘For the purpose of any such investigation, or any other proceeding under this title, any member of the Commission or any officer designated by it, is empowered to administer oaths and affirmations, subpoena witnesses, compel their attendance, take evidence, and require the production of any books, papers, correspondence, memoranda, or other records which the Commission deems relevant or material to the inquiry…’ (emphasis added)
The SEC staff’s right to access ‘records’ clearly contemplates something akin to a document, and nowhere in any statute, rule or regulation is the staff granted authority to access physical equipment such as a file cabinet containing documents, whether that file cabinet is made of metal, wood or circuitry. This means that the SEC’s subpoena for ESD is more akin to an unlawful seizure than a rightful document demand.
In addition to the questionable legality of the practice of subpoenaing devices, the risks of turning over a device to the SEC without defense counsel’s proper review of that device are considerable.
First, the so-called “active data” on these devices could include irrelevant private and personal information of the user, as well as the user’s friends, family, colleagues, clients, customers, etc. The devices could also include information protected by domestic or foreign statute or requiring notice of disclosure per contract. Information loaded onto the machine by another user, or privileged communications with counsel or attorney work product, could also be on the machine.
Second, most users have no idea of the contents of the so-called inactive data on their ESDs, such as deleted recoverable files, or data located in the hard drive’s unallocated space or slack space, found during a digital forensic deep dive of a hard drive.”