SEC Recordkeeping v. Privacy: Recent Opinion Stirs Debate
Summary
In 2018, an investment professional sued the firm he co-founded for wrongful termination and federal privacy law violations associated with the former employer’s remote access to a desktop computer it had purchased for him.1
On March 24, 2023, after four-and-a-half years of litigation, a Southern District of New York court eliminated substantially all of the plaintiff’s claims. The one remaining claim, which was brought under the Stored Communications Act, survived because the court expressly rejected the claim of the former employer (a U.S. Securities and Exchange Commission (SEC)-registered investment adviser) that its regulatory recordkeeping obligations trumped a potential federal privacy law violation.
This opinion arrives during a seminal moment for the investment management industry, with several large fund managers facing an SEC Enforcement investigation associated with so-called “off-channel” communications—which is in part grounded in an assertion that registered (and perhaps all) investment advisers have a (perhaps absolute) obligation to capture all “business-related” written and electronic communications.
The Iacovacci Case
Paul Iacovacci, an investment professional, sued his former employer, an SEC-registered investment adviser, for alleged violations of a variety of federal and state privacy statutes and common law rights. Iacovacci alleged that, after he was terminated in 2016, his former employer remotely accessed his computer (which the former employer had purchased for him) and, without his knowledge or consent, downloaded documents, including information stored on Iacovacci’s personal external hard drives, and took a screenshot of his personal Yahoo! email account. The former employer denied any unauthorized access, relying in part on its recordkeeping obligations under the federal securities laws. It then asserted a variety of counterclaims against Iacovacci, and both parties moved for summary judgment.
The court granted a substantial portion of the former employer’s motion for summary judgment, eliminating substantially all of Iacovacci’s claims. The claims that were eliminated were dismissed, in general, because the court concluded that the pleadings did not adequately support each element of the various federal and state laws that were invoked.
The exception was Iacovacci’s claim under the Stored Communications Act (SCA), which survived because the court found genuine disputes of material fact as to several elements of the claim. The court explained that to prove a violation of the SCA as a matter of law, Iacovacci must show that the former employer intentionally accessed, without sufficient authorization, a facility through which an electronic communication service is provided and thereby obtained a wire or electronic communication from electronic storage.2 The judge then found a factual dispute as to whether the defendants “obtained” Iacovacci’s personal email, pointing to evidence showing that the defendants viewed Iacovacci’s personal email account and took a screenshot of a folder within Iacovacci’s Yahoo! account inbox, which captured subject lines and sender information of some email communications.3
Notably, the court rejected the former employer’s argument that the access was authorized by its regulatory obligations to maintain books and records, stating that “Defendants provide no authority indicating that their regulatory obligations justify otherwise unlawful acts.” The court also highlighted evidence suggesting that the former employer’s access may not have been motivated by compliance purposes, such as the fact that compliance personnel were not involved in the decision to access the computer.
The Focus on Electronic Communications for Private Fund Managers
Investment advisers routinely adopt and administer policies that require the retention of electronic communications, which are expressly or implicitly based upon obligations found in Rule 204-2 (the “books and records rule”),4 other provisions of the Investment Advisers Act and the rules adopted thereunder or general fiduciary and oversight obligations.
The SEC’s Division of Examinations (EXAMS) consistently focuses on adviser compliance with the books and records rule and compliance with internal recordkeeping policies. On February 7, 2023, EXAMS released its 2023 examination priorities,5 which highlighted that the SEC intends to conduct sweep examinations into electronic communications and recordkeeping.
The EXAMS announcement followed a series of well-publicized enforcement actions by the SEC and the U.S. Commodity Futures Trading Commission against a group of large financial institutions for violations of their broker-dealer recordkeeping obligations in failing to retain and review business-related employee use of so-called “off-channel” electronic communications.6
In November 2022, it became public that the SEC’s Division of Enforcement had sent requests for information to a number of large investment advisers regarding those firms’ practices associated with employee off-channel communications for business-related activities.
Implications and Issues for Private Fund Managers after Iacovacci
With the SEC increasingly focusing on investment adviser compliance with the books and records rule and other related provisions of the Advisers Act, investment managers should not lose sight of the application of state, federal and international privacy laws when fulfilling their regulatory obligations.
For many private fund managers, compliance with their recordkeeping and electronic communications policies involves accessing, reviewing and retaining employees’ business-related electronic communications and other data. Many managers take an expansive view of the scope of this obligation, in anticipation of the SEC’s taking a similarly expansive view in a future examination or investigation.
However, irrespective of how the matter is ultimately decided, the motion practice in Iacovacci is a stern reminder that federal, state and international privacy laws that prohibit unauthorized access or interception of an individual’s devices, communications or personal information cannot be subordinated to an endeavor to satisfy SEC compliance desires or requirements. These two regimes intersect and raise issues regarding:
- Who owns the data at issue.
- Who owns and controls the accounts, channels and applications on which the communications at issue are stored.
- Whether employees received adequate notice of the employer’s monitoring where notice is required.
- Whether the employer has prior authorization to access employees’ personal communications and devices.7
Iacovacci highlights this tension: Iacovacci’s privacy and property claims were based on the fact that his former employer had accessed his personal storage devices and personal email accounts. The fact that the remote access occurred on and through his employer-purchased computer was not a dispositive factor and, at times, the judge even assumed for the sake of argument that the computer was owned as a practical matter by Iacovacci.
Next Steps
Unfortunately, the multivariate environment we are now in does not provide a clear, no-risk path for private fund managers to follow. With SEC Enforcement taking aggressive positions on a variety of topics, U.S. and foreign privacy watchdogs seeking opportunities to protect individual rights, plaintiff-side employment lawyers looking for new opportunities to acquire leverage in separation disputes and investors seeking comfort that a manager is following best practices in all areas, a private fund manager’s legal and compliance team needs to chart a careful course that takes into account Advisers Act obligations. Managers further need to strike a balance that does not inadvertently violate U.S. or foreign privacy, employment or other laws. While this can be a frustrating message, each manager needs to review its unique needs and circumstances in a post-Iacovacci environment.
1 Iacovacci v. Brevet Holdings, LLC, No. 18-08048 (S.D.N.Y.) (Sept. 4, 2018). This article provides an update to our prior article, which was published when the Iacovacci case was initiated. See https://news.bloomberglaw.com/securities-law/insight-sec-required-recordkeeping-in-an-evolving-privacy-landscape.
2 18 U.S.C. § 2701(a).
3 As an aside, the court allowed the former employer’s misappropriation of trade secrets counterclaims to proceed to trial and expressly referenced evidence that Iacovacci forwarded dozens of work emails to his personal email address, including a list of over 27,000 investor contacts, nondisclosure agreements, presentations, management reports and sourcing checklists.
4 Rule 204-2 of the Investment Advisers Act requires investment advisers to maintain books and records regarding various matters, including “originals of all written communications received and copies of all written communications sent … relating to:” investment recommendations, investment advice, the placing of buy/sell orders on behalf of a client, any receipt or disbursement of funds or securities and the performance of client accounts or recommended transactions. 17 CFR § 275.204-2(a)(7).
5 https://www.sec.gov/files/2023-exam-priorities.pdf.
6 As part of a total of $1.1 billion in penalties against more than a dozen entities in September 2022, the SEC settled Advisers Act books and records charges with one investment adviser. Press Release, U.S. Sec. & Exch. Comm’n, SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures, (Sept. 27, 2022), https://www.sec.gov/news/press-release/2022-174; Press Release, Commodity Futures Trading Comm’n, CFTC Orders 11 Financial Institutions to Pay Over $710 Million for Recordkeeping and Supervision Failures for Widespread Use of Unapproved Communication Methods, (Sept. 27, 2022), https://www.cftc.gov/PressRoom/PressReleases/8599-22.
7 See SEC Required Recordkeeping in an Evolving Privacy Landscape.