By Mark S. Nelson, J.D.
Lawmakers have once again introduced legislation seeking to limit the SEC’s ability to collect personally identifiable information (PII) via the consolidated audit trail (CAT), the database designed to collect information on all U.S. stock trades. The Protecting Investors’ Personally Identifiable Information Act (H.R. 2039), sponsored by Rep. Barry Loudermilk (R-Ga), would bar the SEC from requiring an exchange to provide a market participant's PII to the CAT regarding an order or reportable event, subject to an exception for when the SEC requests such information.
PII requests. The Protecting Investors’ Personally Identifiable Information Act would attempt to secure market participants’ PII by imposing a framework for the SEC to request a market participant’s PII and for exchanges to request additional time to provide such PII. As a result, the SEC could request that an exchange provide a market participant’s PII, which would be due to the SEC within 24 hours of the exchange receiving a request, unless the exchange in turn requested, and the SEC granted, a reasonable extension of time to provide the PII to the SEC. Once the SEC’s reason for requesting the PII has ended (e.g., the closing of an investigation), the SEC would have to destroy the PII it had received within one day.
"PII" would be defined as information that can be used to distinguish or trace an individual’s identity either by itself or in combination with other PII linkable to the individual. PII would include an individual's name, address, date or year of birth, Social Security number, telephone number, and email address. But PII would not include certain CAT-specific information, including a CAT-Order-ID or CAT Reporter-ID.
Representative Loudermilk and four other GOP co-sponsors worry that the SEC’s CAT poses cyber hacking risks. "The Securities and Exchange Commission’s new database called the Consolidated Audit Trail (CAT) will be a one-stop-shop for malign governments and hackers to access the personally identifiable information of every single American who invests in the stock market unless serious safeguards are put into place," said Rep. Loudermilk via press release. "The SolarWinds cyberattack in 2020, which is among the worst cyber-espionage incidents in U.S. history that resulted in multiple data breaches of the U.S. federal government and private sector, is a prime example of the dangers that exist when the government holds massive amounts of sensitive data."
The bill also has the backing of two industry groups. The American Securities Association said the bill would protect American investors from identity theft. The Securities Industry and Financial Markets Association said the bill would allow the SEC and self-regulatory organizations to perform their investigative functions while preventing the automatic aggregation of many market participants’ PII in a single database.
Ongoing attempts to curb CAT. The Loudermilk bill is the latest attempt by Congress to curb the types of information the SEC may obtain via the CAT, whose development was a regulatory response to the May 2010 "Flash Crash." The idea of the CAT is to track all securities trades so that the SEC can investigate when market volatility produces extreme ups and downs in individual stocks or the market as a whole. Bipartisan support for prior legislative efforts to limit the CAT tended to turn on whether proposed laws would exclude broad categories of traders (little bipartisan support) or would require the CAT to have stronger risk controls (overwhelming bipartisan support).
Previously, the Market Data Protection Act of 2017 (H.R. 3973; H. Rep. No. 115-405), sponsored by Rep. Warren Davidson (R-Ohio), would have required the developers of the CAT to establish "comprehensive internal risk control mechanisms" to protect PII before the CAT could accept any market data or continue to accept market data if it was already operational. The House Financial Services Committee reported the bill by a vote of 59-1 and the bill passed the full House by voice vote.
By contrast, the American Customer Information Protection Act (H.R. 4785; H. Rep. No. 115-663), sponsored by Rep. Huizenga, would have barred the CAT from accepting personally identifying information. However, the bill would have created an exception from this general provision for large traders that are subject to the SEC’s large trader reporting requirements contained in Exchange Act Section 13(h).
The Huizenga bill was reported favorably by the House FSC on a party-line vote, but it never received a vote by the full House. House FSC Democrats, then in the minority, panned the bill as "reckless" because, although the bill would track large traders, it would exclude many other traders, including potential "spoofers" like those responsible for the Flash Crash.
Groups such as the Consumer Federation of America likewise urged lawmakers to oppose the Huizenga bill because it would exclude a large swath of trading data "without any thoughtful analysis or evidence-based justification." The CFA said it agreed with then-SEC Chair Jay Clayton, who had committed to ensuring that the CAT receive only the information that was needed and that adequate safeguards be put in place to protect PII.