Disclosure Versus Privacy In The Age Of Data Mining
In 2010, the SEC published for comment a rule requiring the disclosure of certain information regarding asset-backed securities (“ABS”). The proposal, “Asset-Backed Securities,” SEC Release No. 33-9117, proposed revisions to the filing deadlines for ABS offerings and in doing so, also proposed the disclosure of specified asset-level information about each of the assets in the pool. The proposal was modified and re-proposed in 2011 to reflect changes mandated by the Dodd-Frank Act. See “Re-Proposal of Shelf Eligibility Conditions for Asset-Backed Securities,” SEC Release No. 33-9244.
Although the SEC proposals attempted to assuage privacy concerns industry participants might have with respect to the asset-level disclosure requirements, commenters noted that the proposed disclosures when combined with other publicly available sources of information could permit the identity of obligors in ABS pools to be uncovered or “re-identified.” Moreover, if an obligor in an ABS pool was identified through this process, then the obligor’s personal financial status could be determined. If obligors are re-identified then information about an obligor’s credit score, monthly income and monthly debt would be available to the general public through the EDGAR filing.
In other words, EDGAR would become a gold mine for cyber thieves.
In response to those concerns, the Division of Corporation issued a staff memorandum. Posted on the SEC’s website yesterday, the memorandum suggests that the Commissioners consider the disclosure to investors of potentially sensitive ABS asset-level information via the issuer’s website instead of EDGAR.
In other words, the staff suggests passing the buck.
To justify, their suggestion, the Division contends that issuers are better situated to identify persons that should be able to access the potentially sensitive information in a cost-efficient manner in accordance with privacy laws. Although the staff takes great pains to explain why issuers and sponsors should be capable of providing this information to investors and potential investors with appropriate safeguards, the staff acknowledges a potential hurdle: the Fair Credit Reporting Act (“FCRA”).
Certain asset-level information about an obligor that an issuer would be required to disclose under the SEC rule may be considered a “consumer report” subject to regulation under the FCRA. The staff believes, however, that the FCRA provides an exclusion for disclosure to someone who “intends to use the information, as a potential investor … in connection with a valuation of, or an assessment of the credit or repayment risks associated with an existing credit obligation.”
The SEC is accepting comments on the staff’s suggestion through March 28, 2014. See SEC Release No. 33-9552.