New SEC Action Protects Americans’ Privacy Cybersecurity
The day for a Taxpayers Protection Alliance Foundation (TPAF) crossover episode has arrived. In a new move, the Securities and Exchange Commission (SEC) both scaled back its own overreach and strengthened American cybersecurity. TPAF’s SEC Mission Creep and App Security Project (ASP) initiatives have much to celebrate.
The SEC announced on February 10th that it would exempt personally identifiable information (PII) from collection in the Consolidated Audit Trail (CAT). This is a significant rollback of a significant abuse by the agency. The product of a 2012 SEC order, but not functional until 2020, the CAT gathered PII of all investors making moves with exchange-listed equities and options (PII gathering began in 2023). By erasing anonymity and giving regulators an intimate view of the financial transactions of bast swaths law-abiding Americans, the system did great violence to Fourth Amendment principles and the right to privacy.
The CAT fares no better when judged on concerns related to privacy and cybersecurity than it does when judged on those related to civil liberties. “The CAT will absorb information about tens of billions of trades daily, making it quite possibly the largest database in the world,” wrote the Cato Institute’s Jennifer Schulp. It created a massive treasure trove of data, ripe for hacking.
This is exactly the kind of bad policy ASP has long warned of. It is great news for Americans’ that this SEC is rolling it back. In an increasingly digital world, there is no way to prevent data breaches altogether, but policymakers can mitigate the risks. Arguing that the impossibility of totally eliminating cybercrime means that risk mitigation is pointless would be like arguing that the impossibility of totally eliminating car crashes means that everyone should drive while scrolling Instagram and with an open beer in hand. Governments must do everything possible not to create new vulnerabilities for their citizens. Like everyone else, government agencies – including the SEC – are highly susceptible to cyber incidents, after all.
Curtailing the anti-privacy and anti-cybersecurity abuse and mission creep of the CAT is a great early sign for the incoming SEC leadership. The agency must get back to the basics of ensuring that investors have information and markets remain fraud-free. Performing its core functions — and performing them well — is the right path forward for the SEC.
Published on February 18, 2025