Mom and pop investors didn’t cause the 2010 market blip known as the “flash crash,” but the Securities and Exchange Commission is suggesting as much to justify a new government program that will collect and store the most sensitive personal information of every U.S. retail investor in a single database. This exposes investors to a high risk of identity theft. That’s why the American Securities Association, which I lead, is suing the agency.

 

We supported the SEC’s 2012 creation of the Consolidated Audit Trail database to keep track of institutional investors. But collecting sensitive personal and financial information—including address, birth year and transaction data—from retail investors has always been a solution in search of a problem. Regulators struggled to pinpoint the cause of the 2010 drop and the CAT arose as a surveillance tool to save the SEC time in future detective work. The agency claims it needs the data to prosecute insider trading. Yet the SEC has no trouble doing that now. Between 2011-2019, the SEC’s Division of Enforcement brought more than 400 cases against individuals accused of violating insider trading rules. More data may make the agency’s job easier, but in our view, invading the privacy of every small investor and exposing them to the risk of identity theft isn’t worth that marginal gain.

 

Our organization hoped the SEC would change course, but the new database has left us with a choice: expose our customers to identity theft or protect their right to privacy. We choose the latter. On Monday the American Securities Association will file a lawsuit against the SEC. We take no pleasure in suing our regulator and we didn’t come to this decision lightly. But the industry can’t abide a privacy threat to every U.S. investor. Saving and investing for retirement is hard enough. Americans shouldn’t also have to worry about cybercriminals from China and Russia.

 

Defense and intelligence agencies routinely warn that U.S. adversaries and bad actors across the globe are targeting individual Americans to steal their identities. Earlier this year a federal grand jury indicted four members of the Chinese People’s Liberation Army for stealing the personal financial data of nearly half the American population in the Equifax breach. Similar high-profile hacks compelled U.S. intelligence officials to warn the public in December 2018 that the Chinese are using cyberattacks to obtain information on susceptible Americans to try to recruit them as spies.

 

Former FBI Director James Comey issued a warning in 2014 that should worry every American: “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.” His words, not ours.

 

The SEC is not impregnable. The agency was hacked in 2016—a breach it didn’t discover until August 2017. SEC Chairman Jay Clayton warned in September 2017 after the breach that “we will face the risk of unauthorized access to the CAT’s central repository and other efforts to obtain sensitive CAT data. Through such access, intruders could potentially obtain, expose and profit from the trading activity and personally identifiable information of investors.” Despite these warnings, the SEC seems committed to collecting the personal information of everyday American investors. Only in Washington could the creation of a one-stop-shop for cyberhackers seem like a good idea.

 

The SEC is compelling us to send the data of every individual U.S. investor to an unsecure database. We’re filing this lawsuit to stand up for investors, to maintain trust and confidence in America’s equity markets, and to force the SEC to publicly defend this dangerous policy.

​

​

​

This article was originally published in The Wall Street Journal.