Case 6:24-cv-00197-ADA-DTG Document 1 Filed 04/16/24 Page 1 of 53
`
`IN THE UNITED STATES DISTRICT COURT
`FOR THE WESTERN DISTRICT OF TEXAS
`WACO DIVISION
`
`ERIK DAVIDSON,
`
`&
`
`JOHN RESTIVO,
`
`&
`
`NATIONAL CENTER FOR PUBLIC
`POLICY RESEARCH,
`
`Plaintiffs,
`
`v.
`
`
`GARY GENSLER,
`
`in His Official Capacity as
`Chairman, U.S. SECURITIES
`AND EXCHANGE COMMISSION,
`
`&
`
`U.S. SECURITIES AND EXCHANGE
`COMMISSION,
`
`&
`
`CONSOLIDATED AUDIT TRAIL, LLC,
`
`Defendants.
`
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`:
`
`CIVIL ACTION NO.: (cid:25)(cid:29)(cid:21)(cid:23)(cid:16)(cid:70)(cid:89)(cid:16)(cid:19)(cid:19)(cid:20)(cid:28)(cid:26)
`
`CLASS-ACTION COMPLAINT FOR
`DECLARATORY, INJUNCTIVE,
`AND MANDAMUS RELIEF
`
`COMPLAINT
`
`This lawsuit concerns an unprecedented scheme by an administrative agency, the Securities
`
`and Exchange Commission (SEC), to unilaterally set in motion one of the greatest government-
`
`mandated mass collections of personal financial data in United States history: the Consolidated
`
`Audit Trail (CAT). Without any statutory authority, SEC adopted a regulation, Rule 613, that
`
`

`

`Case 6:24-cv-00197-ADA-DTG Document 1 Filed 04/16/24 Page 2 of 53
`
`
`
`forces brokers, exchanges, clearing agencies, and alternative trading systems (ATS) to capture data
`
`on every investor’s trades, from inception to completion. The data is then stored in a centralized
`
`database that SEC and private regulators can mine for data and analyze in perpetuity. Thousands
`
`of people—many of them not even in the government—will have access to this information.1 No
`
`one can opt out of this forced disclosure. Brokers cannot opt out, and neither can Americans
`
`executing their own trades, unless they stop trading in U.S. markets. This surveillance database
`
`reportedly would be the largest database of securities data ever created,2 and the largest database
`
`outside the NSA.3 Unlike NSA, however, SEC entirely lacks the authority, history, or special
`
`oversight structure that permits it to engage in the seizure and surveillance of private information.
`
`The Panopticon Is Here
`
`At the time of the French Revolution, the British philosopher Jeremy Bentham coined the
`
`term “Panopticon” to describe the terror of a prison wherein all inmates would be subject to 24-
`
`hour surveillance by an unseen observer.4 Such a system was unthinkable for free people, yet today
`
`SEC’s scheme frighteningly seizes the personally identifiable record of “every order, cancellation,
`
`modification and trade execution for all exchange-listed equities and options across all U.S.
`
`
`1 Oversight of the Status of the Consolidated Audit Trail, Hearing Before the S. Comm. on Banking,
`Hous., and Urb. Affs., 116th Cong. (2019) (Testimony of Shelly Bohlin, COO of FINRA CAT
`LLC), available at https://perma.cc/G49S-GR3G
`2 Secs. Indus. and Fin. Mkts. Ass’n (“SIFMA”) , Comment Letter Addressing Notice of Filing
`Amendment to the Nat’l Mkt. Sys. Plan Governing the Consolidated Audit Trail at 2 (Jun. 30,
`2022), available at https://perma.cc/2Y5Y-AK4H.
`3 Implementation and Cybersecurity Protocols of the Consolidated Audit Trail: Hearing Before
`the Subcomm. on Cap. Mkts, Secs, and Inv., H. Comm. On Fin. Servs., 115th Cong. 2 (Nov. 30,
`2017) (statement of Rep. Bill Huizenga, Chairman, Subcomm. on Cap. Mkts, Securities and
`Investment),
`https://www.govinfo.gov/content/pkg/CHRG-
`available
`at
`115hhrg31288/pdf/CHRG-115hhrg31288.pdf.
`4 Jeremy Bentham, Panopticon; or, the Inspection House (1791).
`2
`
`
`
`

`

`Case 6:24-cv-00197-ADA-DTG Document 1 Filed 04/16/24 Page 3 of 53
`
`
`
`markets”5 for everyone who trades on an American exchange—at least the Panopticon applied
`
`only to persons imprisoned for a crime. Nothing in the securities laws gives the SEC power to
`
`regulate investment decisions of Americans nor to gather all investment data from them or their
`
`brokers.
`
`Historically, a government that wished to track its citizens had to devote large resources to
`
`having them followed. That is no longer the case: modern surveillance tools enable mass tracking
`
`of individuals’ every movement, every transaction, every purchase, sale, or transfer of securities
`
`at low cost while powerful computer algorithms can process that information to reveal personal
`
`and private details of each person’s financial life or investment strategy. With technological
`
`surveillance and data-processing technology becoming ever cheaper and increasing exponentially
`
`in power—witness the growth in the power of AI and bots over our electronic lives—the only
`
`things that stand in the way of this Orwellian “Big Brother” are our laws and our courts. This class-
`
`action complaint challenges SEC’s shocking arrogation of power to impose dystopian surveillance,
`
`suspicionless seizures, and real or potential searches on millions of American investors.
`
`The Founders’ Vision
`
`The Framers of the Constitution ensured protection of “persons, houses, papers, and
`
`effects” from “unreasonable searches and seizures.” U.S. CONST. amend. IV. Knowing all too well
`
`how such seizure of papers imperiled their own liberty, the Framers would scarcely believe the
`
`unbridled power SEC seeks to exert through the CAT. By seizing innocent Americans’ private
`
`financial information and storing it in a giant database that allows broad access by government and
`
`non-governmental persons or entities alike, SEC—a mere administrative agency—has conjured
`
`
`5 Press Release, SEC Approves New Rule Requiring Consolidated Audit Trail to Monitor and
`Analyze Trading Activity (July 11, 2012), available at https://perma.cc/R9H3-V5QD.
`3
`
`
`
`

`

`Case 6:24-cv-00197-ADA-DTG Document 1 Filed 04/16/24 Page 4 of 53
`
`
`
`into being exactly what the Constitution was written to prevent. Equally troubling and
`
`unreasonable, this vulnerable warehouse of seized information also exposes data lawlessly
`
`extracted from every investing American to easy onslaught from known cybersecurity threats,
`
`domestic and foreign, including even the possible theft of their holdings.6 These assets comprise
`
`the core of Main Street investors’ financial security, which is essential to their individual liberty,
`
`wealth, well-being, and personal security. The government has no license to put these interests at
`
`risk. To the contrary, the Constitution expressly prohibits uncaging this CAT.
`
`“The Fourth Amendment refers to ‘papers’ because the Founders understood the seizure of
`
`papers to be an outrageous abuse distinct from general warrants.” Donald A. Dripps, “Dearest
`
`Property”: Digital Evidence and the History of Private “Papers” As Special Objects of Search
`
`and Seizure, 103 J. Crim. L. & Criminology 49, 52 (2013). Thus, “[i]f one goes back to the early
`
`Republic … it is difficult to find any federal executive body that could bind subjects to appear,
`
`testify, or produce records.” Philip Hamburger, Is Administrative Law Unlawful? 221 (Univ. of
`
`Chi. Press 2014). Indeed, it was so well established at common law that “[p]apers are the owner’s
`
`goods and chattels” and “are his dearest property” that “it may be confidently asserted that [these]
`
`propositions were in the minds of those who framed the fourth amendment to the constitution, and
`
`were considered as sufficiently explanatory of what was meant by unreasonable searches and
`
`seizures.” Boyd v. United States, 116 U.S. 616, 626-28 (1886) (first and second quotations quoting
`
`Entick v. Carrington, 19 How. St. Tr. 1029 (1765)). The Supreme Court therefore recognized that
`
`“a compulsory production of a man’s private papers” is the same as “[b]reaking into a house and
`
`
`6 Letter from Seven Senators to SEC Chair (July 24, 2019), available at https://perma.cc/3KSA-
`WEPT.
`
`
`
`
`4
`
`

`

`Case 6:24-cv-00197-ADA-DTG Document 1 Filed 04/16/24 Page 5 of 53
`
`
`
`opening boxes and drawers,” and constitutes an unlawful “invasion of his indefeasible right of
`
`personal security, personal liberty and private property[.]” Id. at 622, 630.
`
`While the Constitution made clear the government lacks the authority to peek into—much
`
`less seize and keep a permanent record of the content of—a person’s private papers without a
`
`warrant, SEC has now arrogated the power to demand government seizure of everyone’s private
`
`trading information without any judicial process.
`
`The Stakes Are High
`
`
`
`This case requires this court to exercise its Article III duties to declare CAT
`
`unconstitutional under the Vesting Clause, art. I, §1; the Taxing and Appropriations Clauses of
`
`Article I; and the First, Fourth, and Fifth Amendments. Where Americans and American entities,
`
`like Erik Davidson, John Restivo (“Individual Plaintiffs”), and NCPPR, invest in the securities
`
`markets, they do not “‘voluntarily assume[] the risk’ of [the party] turning over” the details of their
`
`personal investment activity for review by SEC. Carpenter v. United States, 138 S. Ct. 2206, 2220
`
`(2018) (first alteration in original) (quoting Smith v. Maryland, 442 U.S. 735, 745 (1979)). Indeed,
`
`Americans expect and have thus far enjoyed the opposite assumption—that the third party and the
`
`government will respect their contractual and constitutional rights. Defendants have unlawfully
`
`violated those rights, liberties, and expectations, in defiance of the Constitution, as set forth below.
`
`Further, the CAT scheme is unlawful because no statute confers authority on SEC to engage
`
`in this conduct at all. Indeed, no statute could confer such authority—the First, Fourth, and Fifth
`
`Amendments forbid it.
`
`Appropriations and Spending by the Executive
`
`The CAT scheme further violates the Constitution and laws of the United States because it
`
`bypasses Congress’ power of the purse and erects a multi-billion-dollar scheme in which SEC self-
`
`
`
`5
`
`

`

`Case 6:24-cv-00197-ADA-DTG Document 1 Filed 04/16/24 Page 6 of 53
`
`
`
`appropriates these billions by extracting funds from self-regulatory organizations, or SROs, such
`
`as Financial Industry Regulatory Authority, also known as FINRA, to fund and operate a scheme
`
`never authorized by Congress. This scheme of spending without appropriation imposes enormous
`
`costs on American capital markets (reported to be at least $2.4 billion to implement and $1.7 billion
`
`to operate each year as of the last detailed report in 2016)7 and is a brazen end-run around the
`
`Constitution and laws of the United States, including the Anti-Deficiency Act and the
`
`Miscellaneous Receipts Act, which dictate that the legislature alone can raise, receive or spend
`
`money or contributions. Alexander Hamilton explained that in a constitutional order that assigns
`
`the lawmaking and appropriations powers to the legislature, “no money can be expended, but for
`
`an object, to an extent, and out of a fund, which the laws have prescribed.” (Emphases in original).
`
`Alexander Hamilton, Explanation, in The Works of Alexander Hamilton, Vol. 8, p.128 (Henry
`
`Cabot Lodge ed., 2d ed. 1903).
`
`This lawless enterprise has been many years in the planning, with a record of misfeasance,
`
`malfeasance and incompetence that alone would justify its cessation.8 Whether it could ever be
`
`
`7 Joint Industry Plan; Order Approving the Nat’l Mkt. Sys. Plan Governing the Consolidated Audit
`Trail, Release No. 34-79318 (Nov. 15, 2016), 81 Fed. Reg. 84,696, 84,863 (Nov. 23, 2016). Initial
`estimates for the costs of implementation and maintenance of the Consolidated Audit Trail have
`climbed considerably and have become more opaque. See Examining the Agenda of Regulators,
`SROs, and Standards-Setters for Accounting, Auditing: Hearing Before the H. Subcomm. on Cap.
`Mkts, 118th Cong. (2023) (Testimony of Robert Cook, President and CEO, FINRA) (“The initial
`estimates for CAT were based on an assumption about how much volume there would be,
`essentially. Those estimates turned out to be way off. We are now seeing volumes that are ten
`times what they were estimated to be, and of course volume translates to processing costs, storage
`costs
`for
`data,
`and
`so
`naturally
`the
`costs
`are
`higher.”)
`https://www.youtube.com/live/aduHWUfuLJg?si=HEzBeVZhWBFjca3n&t=5877 (beginning at
`1:37:57)).
`8 See, e.g., James Rundle & Anthony Malakian, CAT’s Tale: How Thesys, the SROs and the
`SEC Mishandled the Consolidated Audit Trail, WatersTechnology (Feb. 14, 2019) (setting
`forth a detailed and disturbing history of a scheme that never had any lawful basis for its
`inception), https://perma.cc/V8VJ-ZTUK.
`
`
`
`6
`
`

`

`Case 6:24-cv-00197-ADA-DTG Document 1 Filed 04/16/24 Page 7 of 53
`
`
`
`successfully launched was in doubt for the better part of a decade. As late as October 2019, SEC
`
`Commissioner Hester Peirce warned that “[i]mplementation is now on course to begin soon.” She
`
`sounded the warning: “but it is not too late to change course.”9
`
`Defendants are now finalizing and instituting this lawless and ill-advised enforcement
`
`regime. Defendants’ unconstitutional, unlawful, and ultra vires conduct violates the civil liberties
`
`of Plaintiffs and inflicts on-going, and imminent future irreparable harm on Plaintiffs, our
`
`Constitution, and the civil liberties of all Americans. Accordingly, plaintiffs, as named Class
`
`Representatives, bring this facial and as-applied challenge seeking injunctive and mandamus relief
`
`on behalf of themselves and a class of similarly situated individuals.
`
`SEC’s Violations Injure a Large Class of Plaintiffs
`
`Plaintiffs, as named Class Representatives, bring this action on behalf of a class of
`
`similarly situated individuals: all individuals for whom the CAT database contains any securities
`
`transaction information, or any personally identifiable information, that refers or relates to the
`
`individual or to a securities account associated with the individual.
`
`PARTIES
`
`1.
`
`Plaintiff National Center for Public Policy Research (“NCPPR”) is organized under
`
`the laws of Delaware and has its principal place of business in Washington, DC. NCPPR, through
`
`its Free Enterprise Project, invests in securities traded on U.S. exchanges, and NCPPR’s private
`
`investment information has been, and will continue to be, unconstitutionally seized by Defendants.
`
`2.
`
`Plaintiffs Erik Davidson and John Restivo are natural persons and residents of the
`
`State of Texas. Each of them invests in securities traded on U.S. exchanges and the each’s private
`
`
`9 Hester Peirce, This Cat is a Dangerous Dog, RealClearPolicy (Oct. 9, 2019), available at
`https://perma.cc/B5BJ-A6RF.
`
`
`
`7
`
`

`

`Case 6:24-cv-00197-ADA-DTG Document 1 Filed 04/16/24 Page 8 of 53
`
`
`
`investment information has been, is expected to be, and/or will continue to be unconstitutionally
`
`seized by Defendants.
`
`3.
`
`Defendant Gary Gensler is the Chairman of the Securities and Exchange
`
`Commission and is sued in his official capacity.
`
`4.
`
`Defendant SEC is an agency of the United States, which has forced the
`
`unreasonable seizure of Plaintiffs’ private financial information.
`
`5.
`
`Defendant Consolidated Audit Trail, LLC (CAT LLC) is Delaware limited liability
`
`corporation formed on August 29, 2019, to administer the CAT on behalf of the SEC. CAT LLC
`
`is sued as a Defendant and in the alternative, if CAT LLC did not engage in state action as an agent
`
`of SEC, as a Relief Defendant.
`
`JURISDICTION AND VENUE
`
`6.
`
`This Court has federal question jurisdiction pursuant to 28 U.S.C. §§ 1331 (federal
`
`question) and 1361 (actions in the nature of mandamus).
`
`7.
`
`This Court has the authority to grant declaratory and injunctive relief in this matter
`
`pursuant to 28 U.S.C. §§ 2201 and 2202.
`
`8.
`
`Venue for this action properly lies in this district pursuant to 28 U.S.C.
`
`§§ 1391(b)(2), (e)(1)(C) because the Individual Plaintiffs reside in this judicial district, a
`
`substantial part of the events or omissions giving rise to the claim occurred in this judicial district,
`
`and because the owners of the property at issue in this action are situated in this judicial district.
`
`
`
`8
`
`

`

`Case 6:24-cv-00197-ADA-DTG Document 1 Filed 04/16/24 Page 9 of 53
`
`
`
`I.
`
`THE CONSOLIDATED AUDIT TRAIL
`
`STATEMENT OF FACTS
`
`A.
`
`9.
`
`SEC’s Limited Statutory & Investigative Authority
`
`In 1934, Congress established SEC to “protect[] investors, maintain[] fair, orderly,
`
`and efficient markets, and [to] facilitate[e] capital formation.”10 Nothing in this organic statute, or
`
`any subsequent enactment of Congress, authorizes the lawless and unconstitutional CAT scheme.
`
`10.
`
`From the day in 1934 when Congress created SEC, the agency’s ability to obtain
`
`private citizens’ confidential information has been carefully constrained—limited by substantive
`
`and procedural requirements. Those requirements also reflect the constitutional imperative that the
`
`only authority SEC possesses is the authority Congress granted it by statute.
`
`11.
`
`True to those limitations, for the past 50 years the primary procedure for SEC to
`
`obtain some information about private citizens’ stock trading has been to make valid “blue sheet
`
`requests” to broker-dealers. See SEC Enforcement Manual § 3.2.2 (Nov. 28, 2017) (“Blue sheets”).
`
`To make a valid blue-sheet request, SEC first must have an articulable basis to investigate possible
`
`violations of the securities laws, id., a basis it can develop from reviewing the extensive daily
`
`market surveillance data that is available to it. The scope of the underlying investigation limits the
`
`scope of the blue-sheet request because each request is limited to the securities and the time frame
`
`on which the investigation focuses. Id. This lawsuit does not challenge SEC’s use of blue sheets.
`
`12.
`
`Historically, SEC also obtained trading information by issuing investigative
`
`subpoenas. By statute, Congress expressly authorized—and limited—this process. See, e.g.,
`
`Securities Act of 1933, Pub. L. No. 73-22, 48 Stat. 74 § 19(c) (2023) (codified at 15 U.S.C.
`
`§ 77s(c)); Exchange Act of 1934, Pub. L. No. 73-291, 48 Stat. 881 § 21(b) (2023) (codified at 15
`
`
`10 SEC Mission Statement, SEC
`https://www.sec.gov/about/mission.
`
`(last visited Mar. 18, 2024), available at
`
`
`
`9
`
`

`

`Case 6:24-cv-00197-ADA-DTG Document 1 Filed 04/16/24 Page 10 of 53
`
`
`
`U.S.C. § 78u(b)). As with the blue sheets, SEC must begin with some facts indicating a possible
`
`violation of the law. See, e.g., Securities Act of 1933, § 19(c), 15 U.S.C. § 77s(c) (referring to
`
`“investigations”); Exchange Act § 21(b), 15 U.S.C. § 78u(b) (same). Under its procedures, SEC
`
`then can issue a “formal order of investigation,” followed by an investigative subpoena. See SEC
`
`Enforcement Manual § 2.3.3. By statute, each subpoena’s scope is limited to “books, papers, or
`
`other documents” that are “material to the inquiry.” See, e.g., Securities Act § 19(c), 15 U.S.C.
`
`§ 77s(c) (referring to “investigations”); Exchange Act § 21(b), 15 U.S.C. § 78u(b) (same). Also,
`
`by statute, to enforce a subpoena, SEC must file a court action and obtain an order from a federal
`
`judge. See Exchange Act § 21(c), 15 U.S.C. § 78u(c). This lawsuit does not challenge SEC’s use
`
`of investigative subpoenas.
`
`B.
`
`13.
`
`Rule 613 and the Flash Crash
`
`In 2010, SEC saw an opportunity to bypass these longstanding safeguards. On May
`
`6 of that year, the securities markets experienced the “Flash Crash,” during which major stock
`
`indices plunged as much as 15% in a few minutes, before rebounding almost as quickly.
`
`14.
`
`In a September 30, 2010, report entitled Findings Regarding the Market Events of
`
`May 6, 2010, SEC attributed the Flash Crash to a mutual fund complex using an algorithm to hedge
`
`existing equity positions.11
`
`15.
`
`Just 20 days after the Flash Crash, and prior to issuing its Report on the Flash Crash,
`
`SEC issued a 203-page release proposing Rule 613 and the creation of the Consolidated Audit
`
`Trail. Exchange Act Release No. 34-62174, File No. S7-11-10 (May 26, 2010). SEC issued the
`
`
`11 Findings Regarding the Market Events of May 6, 2010, Report of the Staffs of the CFTC and
`SEC to the Joint Advisory Committee on Emerging Regulatory Issues at 2-3 (Sept. 30, 2010),
`available at https://perma.cc/FPG7-4LN6.
`
`
`
`10
`
`

`

`Case 6:24-cv-00197-ADA-DTG Document 1 Filed 04/16/24 Page 11 of 53
`
`
`
`final rule two years later. Consolidated Audit Trail, Exchange Act Release No. 34-67457 (July 18,
`
`2012), 77 Fed. Reg. 45722 (Aug. 1, 2022) (codified at 17 C.F.R. § 242.613).
`
`16.
`
`Rule 613 represented a radical break from the historical limitations on SEC’s access
`
`to confidential trading information. The rule mandated the creation of a vast database of an
`
`unprecedented scale. As SEC’s press release explained, the database would track “every order,
`
`cancellation, modification and trade execution for all exchange-listed equities and equity options
`
`across all U.S. markets.”12
`
`17.
`
`Equally groundbreaking, but left unmentioned in SEC’s press release, Rule 613
`
`granted SEC real-time access to this data—without any need to obtain a warrant, issue a subpoena,
`
`or even have cause to suspect an investor of wrongdoing.
`
`18.
`
`In short, the CAT enables SEC “to watch investors’ every move in real time.”
`
`Hester Peirce, Statement in Response to Release No. 34-88890; File No. S7-13-19 at 7 (May 15,
`
`2020).13
`
`19.
`
`This fundamental change in its access to trading information was necessary,
`
`according to SEC, because “the regulatory data infrastructure” was “outdated” and “inadequate to
`
`effectively oversee a complex, dispersed, and highly automated national market system.” 77 Fed.
`
`Reg. at 45723. A key underlying change, according to SEC, was that during the decades since the
`
`formation of the National Market System in 1975, equities trading has fragmented to numerous
`
`exchanges and trading venues. Id. at 45736.
`
`
`12 Press Release, SEC Approves New Rule Requiring Consolidated Audit Trail to Monitor and
`Analyze Trading Activity (July 11, 2012), available at https://perma.cc/R9H3-V5QD.
`13 Available at https://www.sec.gov/news/public-statement/peirce-statement-response-release-34-
`88890-051520
`
`
`
`11
`
`

`

`Case 6:24-cv-00197-ADA-DTG Document 1 Filed 04/16/24 Page 12 of 53
`
`
`
`20.
`
`As SEC Commissioner Peirce has forcefully argued, see supra, n.9, Americans
`
`would not for a moment tolerate government organizations partnered with private firms to collect
`
`complete information on everything they buy, nor a program where the government received a
`
`“direct feed” of movements from their cars’ GPS. Yet CAT proposes to do just that with the far
`
`more valuable, and therefore vulnerable, database of their investments and retirement savings.
`
`21.
`
`Further, Americans’ civil liberty to be free of suspicionless government seizures
`
`has been casually extinguished by an unelected group of bureaucrats, not Congress. Such unlimited
`
`access to data allows the government to create post hoc theories of enforcement that threaten our
`
`civil liberties to be free of government intrusion in the conduct of our lives. Right now, investors’
`
`investment strategies and trading activity are private and proprietary. The CAT would now allow
`
`for the first time ever government (or its employees) to track and replicate successful, proprietary
`
`trading strategies. It could even allow government (or its agents) to actively undermine a particular
`
`target’s trades.
`
`22.
`
`SEC’s justification for the program does not withstand reasoned scrutiny.
`
`Commissioner Peirce notes that SEC’s enforcement division “already has sufficient tools to get
`
`the information it needs to pursue credible leads about market misconduct and to do so quickly.”14
`
`Specifically, the individual exchanges all maintain their own separate audit trails.
`
`23.
`
`SEC was frustrated, though, that, to monitor all U.S. equities markets, it had to
`
`“cobble together” data from multiple information systems. 77 Fed. Reg. at 45723. In SEC’s view,
`
`even when combined, those audit trails did not capture all the market information SEC would like.
`
`See id. at 45723, 45726-33.
`
`14 Peirce, supra n.9.
`
`
`
`
`
`12
`
`

`

`Case 6:24-cv-00197-ADA-DTG Document 1 Filed 04/16/24 Page 13 of 53
`
`
`
`24.
`
`Further, according to the Adopting Release, SEC’s information needs were not met
`
`by the blue-sheet process because that process required SEC to make a specific request to a broker-
`
`dealer “for specific securities during specified timeframes.” Id. at 45727.
`
`25.
`
`In SEC’s words, the blue-sheet process “is generally only used by regulators in
`
`narrowly-focused enforcement investigations that generally involve trading in particular securities
`
`on particular days or with particular broker-dealers.” Id. at 45728. Also, a complete response can
`
`take “days or weeks.” Id.
`
`26. While SEC’s Adopting Release did not expressly highlight the issue, it surely
`
`viewed as a further limitation of the blue-sheet process that, to request a blue sheet, SEC’s
`
`Enforcement Manual required SEC to have an articulable basis to conduct a regulatory
`
`investigation and then the blue-sheet requests were limited to the scope of the investigation. See
`
`SEC Enforcement Manual § 3.2.2.
`
`27. Moreover, even though SEC isolated the cause of the Flash Crash to a mutual fund
`
`complex,15 and even though SEC cited a possible future flash crash to justify Rule 613, 77 Fed.
`
`Reg. at 45733, Rule 613 is not limited to data from mutual fund complexes trading to accumulate
`
`or reduce a net long or short position. Instead, and despite this limited justification for Rule 613,
`
`the regulation requires the collection of data for trades, even by retail investors—and it requires
`
`the collection of privately identifiable information not collected by standard blue-sheet requests.
`
`28.
`
`Furthermore, this amassing of information does nothing to avert a flash crash: In
`
`short, the CAT was conceived on a pretext that is simply erroneous and illegitimate.16
`
`
`15 Findings Regarding the Market Events of May 6, 2010, Report of the Staffs of the CFTC and
`SEC to the Joint Advisory Committee on Emerging Regulatory Issues at 2-3 (Sept. 30, 2010).
`16 Peirce, supra n.9 (“A more limited version of the program that looked only at the trades of large
`institutional investors would be almost as useful for reconstructing market events and would not
`
`
`
`
`13
`
`

`

`Case 6:24-cv-00197-ADA-DTG Document 1 Filed 04/16/24 Page 14 of 53
`
`
`
`29.
`
`Yet under this scheme as it is now being implemented, all information about all
`
`trades by all Americans is transmitted to the SEC within a day without any law or law enforcement
`
`justification.
`
`C.
`
`30.
`
`SEC Co-Opts SROs to Seize Private Information Pursuant to CAT
`
`SEC, through Rule 613, outsourced the collection of this information to SROs—
`
`FINRA and national securities exchanges—which it ordered to propose for SEC a “joint
`
`National Market System Plan” (“CAT NMS Plan”) for “the creation, implementation, and
`
`maintenance of a consolidated audit trail and central repository” of the CAT data. 17 C.F.R.
`
`§ 242.613(a)(1).
`
`31.
`
`Rule 613 provided only a broad framework to guide the SROs in designing,
`
`creating, and implementing the CAT NMS Plan, 17 C.F.R. § 242.613(b), but mandated the SROs
`
`collect and make available to SEC specified categories of information. See Id. at (c)(7).
`
`32.
`
`Among other details, Rule 613 required the SROs to create a unique “Customer-
`
`ID” for every customer, Id. at (j)(5), who trades in securities on a U.S. exchange, and provide
`
`details on every “reportable event,” which is defined as “the original receipt, or origination,
`
`modification, cancellation, routing, and execution,” of an order for a security on a U.S. exchange.
`
`Id. at (j)(9).
`
`33.
`
`For each original receipt or origination of an order, SEC required the collection of
`
`“information of sufficient detail to identify the customer,” the date and times of orders placed, the
`
`material terms of the orders, and details concerning the broker-dealer processing the order. Id. at
`
`(c)(7).
`
`
`violate the privacy interests of specific individuals. The risk that a bus driver placing a trade for
`her daughter’s college fund will cause market turbulence is outweighed by the invasion of privacy
`and the attendant risk that cybercriminals will deplete the college education fund.”).
`14
`
`
`
`

`

`Case 6:24-cv-00197-ADA-DTG Document 1 Filed 04/16/24 Page 15 of 53
`
`
`
`34.
`
` The rule instructed the SROs to expand this list, requiring them to “add[]
`
`granularity and details regarding the scope and nature of Customer-ID[].” Id. at (b)(6)(ii).
`
`35.
`
`SEC explained it intends to use this confidential data for several purposes, but
`
`primarily for surveillance and enforcement—for “investigations of potential securities law
`
`violations.” 77 Fed. Reg. at 45,727. SEC Commissioner Peirce has expressed alarm about the
`
`“emphasis that is being placed on the [CAT] database’s ultimate utility as an enforcement tool.”17
`
`36.
`
`This alarm is well-founded, because the database will hold confidential data from
`
`more than 100 million private citizens. According to knowledgeable commentators, it will be the
`
`largest securities database anywhere,18 and the largest database of any kind outside of the National
`
`Security Agency.19 Some experts believe it will be the largest database of any kind ever built.20
`
`D.
`
`37.
`
`The CAT’s Arrested Development
`
`Following promulgation of Rule 613, the SROs worked on their assignment for
`
`two years, before submitting a proposed plan in 2014. Two years later, in November 2016,
`
`SEC adopted a version of the SROs’ Plan. See Joint Industry Plan; Order Approving the Nat’l
`
`Mkt. Sys. Plan Governing the Consolidated Audit Trail, Exchange Act Release No. 34-79318,
`
`File No. 4-698 (Nov. 15, 2016).
`
`38. Under the CAT NMS Plan adopted by SEC in 2016, each SRO must require its
`
`members to record and report extensive information for every trading order or cancellation.
`
`Complying with Rule 613’s instruction to add details to the requirements to provide customer
`
`
`17 Hester Peirce, Intellectual Siren Song, Remarks at the 7th Annual Conference on Financial
`Market Regulations (May 20, 2020), available at https://perma.cc/WKG6-EVW8.
`18 CAT NMS Provides Progress Update on the Consolidated Audit Trail, Business Wire (Oct. 26,
`2018), available at https://perma.cc/2YPZ-QSX3.
`19 See supra n.3.
`20 Bob Pisani, It’s Google vs. Amazon to Create the Biggest Database in History, CNBC (April
`27, 2016), available at https://perma.cc/2QZ3-VTF2.
`15
`
`
`
`

`

`Case 6:24-cv-00197-ADA-DTG Document 1 Filed 04/16/24 Page 16 of 53
`
`
`
`information, see 17 C.F.R. § 242.613(b)(6)(ii), the Plan required the creation of a unique
`
`“Designated ID” for each customer making an order.
`
`39.
`
`The CAT NMS Plan also required categories of information labeled “Customer
`
`Account Information” and “Customer Identifying Information.” SEC Approved CAT NMS
`
`Plan §6.4(d)(ii) (Nov. 15, 2016).
`
`40.
`
`“Customer Account Information” included data fields such as the unique
`
`customer account number and the date the account was opened. Id. at § 1.1
`
`41.
`
`“Customer Identifying Information” includes several pieces of personal identifying
`
`information or PII:
`
`[I]nformation of sufficient detail to identify a Customer, including, but not limited
`to, (a) with respect to individuals: name, address, date of birth, individual taxpayer
`identification number (“ITIN”)/social security number (“SSN”), [and the]
`individual’s role in the account (e.g., primary holder, joint holder, guardian, trustee,
`person with the power of attorney) … .
`
`Id.
`
`42.
`
`In the years since SEC approved the initial Plan, the CAT has run into one
`
`unanticipated setback after another, slowing the project. Some of the obstacles have been technical
`
`challenges created by the database’s sheer size and complexity. But the main impediment dragging
`
`implementation of the CAT scheme concerned issues related to violations of privacy and the
`
`exposure of investor information to inevitable cybersecurity breaches—and who was on the hook
`
`for such losses—important details that ultimately impact whether SEC’s seizure of information,
`
`even if lawful (which it is not), was reasonably executed.
`
`43. Data breaches will expose investors’ PII to third parties. Breaches also will
`
`expose them to catastrophic financial loss, because hackers or faithless permissive interlopers
`
`could use brokerage information to steal investors’ portfolios.
`
`
`
`16
`
`

`

`Case 6:24-cv-00197-ADA-DTG Document 1