The Social Network Unhinged

The Social Network Unhinged: #TopSocialMediaEnforcementIssuesintheSecuritiesIndustry
By Brian L. Rubin and Caroline A. Crenshaw
SEAN PARKER: We lived on farms and then we
lived in cities and now we’re gonna live on the Internet.1
The movie The Social Network introduced the
world to Mark Zuckerberg and the cast of characters who created, developed, and fought over the
social media sensation, Facebook. In the movie, Sean
Parker, an investor and early executive of Facebook,
predicted that Facebook would change the way we
live our lives. Regardless of whether he proves to be
correct about Facebook, it appears that now we are
living on the Internet, which presents regulators and
financial service firms with new opportunities and
new challenges.
For example, broker-dealers (BDs), investment advisers (IAs), and their representatives have access to clients
through new forums that provide unprecedented marketing opportunities; clients have virtually unlimited
access to their accounts and information about securities products and services; and regulators can review
data not previously accessible. On the other hand, new
forums for communications, such as Tumblr, Facebook,
Instagram, blogs, LinkedIn, and Twitter, may cause representatives to be less careful in their word choice and
more susceptible to misinterpretation, or lead them
to think their statements will fly under the radar of
their firms or the regulators. BDs and IAs may find
it harder to supervise, review, maintain, and protect
information disseminated over so many channels and
stored on so-called clouds. Finally, regulators such as
the Securities and Exchange Commission (SEC) and
FINRA are grappling with drafting and enforcing
regulatory requirements in an environment mutating
as rapidly as mobile phones, tablets, and Facebook’s
privacy settings.
Brian L. Rubin is a partner in the Washington, DC office of
Sutherland Asbill and Brennan, LLP, and is head of Sutherland’s
Securities Enforcement and Litigation Practice Team. He was
formerly Deputy Chief Counsel of Enforcement with NASD and
was Senior Counsel with the SEC’s Division of Enforcement.
Caroline A. Crenshaw is a member of Sutherland’s Litigation
Practice Group, where she focuses on securities enforcement
and litigation. She is based in Washington, DC.
Volume 32 • Number 6 • June 2013
In light of these challenges, this article reviews recent
social media enforcement actions brought by the SEC
and FINRA and discusses challenges facing the securities industry as it lives and expands on the Internet.
SEC and FINRA Enforcement Actions Involving Social Media
ERICA [Mark’s girlfriend] to MARK
ZUCKERBERG: The Internet’s not written in pencil, Mark, it’s written in ink.2
Although Internet content does not disappear (too
easily), when it does, it can have far-reaching and long-lasting effects on firms and representatives who use it.
Accordingly, without established procedures to maintain, review, and supervise communications transmitted via email, instant messages, blogs, posts, and other
forums that may yet be invented, companies and individuals can be at risk of violating regulatory obligations.
Pursuant to Rule 17a-4(b) of the Securities
Exchange Act of 1934 (Exchange Act), BDs must preserve business-related records, including social media
communications, for not less than three years, the first
two of which must be in an easily accessible place.3 In
addition, NASD Rule 3010 mandates that BDs establish and maintain a system to supervise the activities of
associated persons, and that such a system be reasonably
designed to achieve compliance with applicable federal
securities laws and FINRA rules.4 FINRA and NASD
Rules also govern supervision requirements for communications with the public.5 Pursuant to Rules 204-2
and 206(4)-7 of the Investment Advisers Act of 1940,
IAs must also maintain electronic records related to
their investment advisory businesses including, but not
limited to, communications regarding recommendations, disclosure documents, and advertising.6 The IA
must keep these records in its principal office for at least
two years and then move them to a readily accessible
place for at least another three years.7
Banking & Financial Services Policy Report • 1
Reprinted with permission
The First Social Media Cases: Email Retention
Prior to the proliferation of social media, when Mark
Zuckerberg was still an unknown teenager, regulators
made clear that BDs and IAs should retain emails. For
example, in December 2002, the SEC, NASD (now
FINRA), and the New York Stock Exchange brought
email enforcement actions against five BDs for failing
to preserve emails and for failing to establish, maintain,
and enforce supervisory systems reasonably designed
to ensure compliance with the rules and laws relating
to the retention of electronic documents.8 During the
next few years, it became clear that BDs and IAs need
to retain and review emails. In August 2007, for example,
FINRA fined a firm in a settled action for failing
to preserve, review, or retain emails sent via external
accounts.9
Advanced Social Media Cases: Personal Accounts, Maintenance, and Access
As the Internet and technology evolved and grew,
and as regulators, particularly FINRA, brought additional email enforcement actions, a more robust
picture of the specific review and retention requirements developed. In addition to the mere retention
and review of emails, enforcement actions dealt with
firms that allegedly failed to have adequate policies and
procedures to ensure that (1) unmonitored personal
accounts were not being used for business-related
communication, (2) firms maintained their electronic
systems properly, and (3) emails were readily accessible.
For example:
• In August 2007, FINRA fined a BD in a settled
action because the firm, inter alia, failed to ensure that
all representatives used the firm’s electronic server for
business-related emails.10
• In October 2007, FINRA fined a BD in a settled
action for failing to configure its email system
properly after an upgrade, thereby failing to retain
business-related emails.11
• In November 2007, FINRA expelled a BD for failing to have any written supervisory procedures or
policies relating to email retention and allowing
representatives to use personal email accounts, among
other violations.12
• In January 2010, FINRA fined a BD in a settled
action because, among other things, it failed to keep
all business-related emails in an easily accessible place
and instead allowed its investment adviser clients to
keep their own emails.13
• In November 2012, FINRA fined a BD for, among
other violations, failing to review an external email
account, despite written supervisory procedures
requiring the branch auditors to do so. Had the firm
reviewed the external email, it may have detected
and prevented a representative’s fraudulent solicitation and sale of investments.14
• In January 2013, FINRA fined five affiliated BDs
in a settled action for failing to: “journal,” or copy,
emails from the exchange server to an email archive;
“configure secondary email addresses” so that they
could journal emails; journal blind carbon copies
of certain emails and emails that were encrypted;
and journal emails sent from the software provider’s
“cloud” application. Additionally, the BDs “failed to
review millions of emails that had been retained and
flagged for supervisory review.”15
Living on the Internet: Instant Messaging and Social Media
Enforcement actions have also focused on whether
firms’ policies and procedures are reasonably designed
to ensure compliance with electronic communication
requirements, even as methods of communication have
moved from basic email to communications that “live”
on the Internet, such as instant messages and communications via social networking sites. Specifically, regulators’ concerns include the ability of firms to preserve
business-related communications sent via instant message and social media sites.
• Instant Messaging (IM)
As early as 2007, regulators began focusing on instant
message exchanges. FINRA was the first regulator to
show interest in this issue. In February 2007, for example, FINRA fined four affiliated firms in a settled action
for, among other violations, failing to preserve communications sent via instant message and Bloomberg.16 In
April 2012, FINRA fined a representative in a settled
action for, among other violations, “fail[ing] to establish, maintain and enforce a supervisory system and
written procedures for [the firm] that were reasonably
designed to ensure that all electronic securities-related
business communications including … instant messaging by [the firm] representatives were reviewed and
maintained … .”17
More recently, the SEC has focused on this issue. In
July 2010, the SEC fined a BD and its chief compliance
officer (CCO) in a litigated action for, among other
violations, allowing a representative to store instant
messages on his computer, despite contrary firm guidance that required instant message programs be disabled
or kept in hard copy. The firm and CCO additionally
failed to discipline the representative for using external
instant messages, even though the representative had
signed the branch office manager questionnaire representing that he used only the firm’s email for public
communications.18 Additionally, in December 2012, the
SEC fined a BD in a settled action for a variety of regulatory violations, including failing to configure its instant
messaging system to preserve instant messages that were
business-related and used for simultaneous communication between the head office and the trading floors. The
firm had been unable to produce the vast majority of
its instant messages to the SEC staff when requested.19
• Social Media Accounts
In addition to emails and instant messaging, regulators
are bringing actions against firms and individuals who
fail to adequately supervise or preserve business-related
social media communications. For example, in April
2012, FINRA fined representatives of a firm for failing
to have procedures to ensure representatives’ compliance
with electronic communication policies. FINRA found
that representatives had used outside electronic addresses
and Twitter, among other channels, for securities-related
business and failed to provide copies to the firm.20
Even though the Internet may be “written in ink,”
the regulatory actions demonstrate that certain communications may be written in “erasable” ink. As such,
the regulatory guidance indicates that firms should
preserve all business-related communications, including
not just emails but also text messages and social media
(as well as whatever channel or forum of communication is developed by the next generation of dropouts
from Harvard College21 or Reed College22). Even if
firms have policies and procedures in place, they may
want to confirm that they have easy access to these
communications and could readily produce them
if necessary. Firms may want to review policies and
procedures to make sure that overlapping procedures
that apply to advertisements, client communications,
or electronic communications in general, also include
social media use.23 Finally, firms and their representatives may want to observe children’s electronic gadgets
and teenagers’ communication habits vigilantly because
financial advisers are likely to follow the communication habits of the younger generations.
Current Social Media Considerations
Disclosures
EDUARDO [Mark’s friend and original founding
member of Facebook]: Who are you gonna send it to?
MARK: Just a couple of people. The question is, who
are they gonna send it to?24
With Internet and computer technology, spreading
information (intentionally or unintentionally) can be
accomplished more rapidly than ever before. Often it
is impossible to know who will ultimately be on the
receiving end of an email or a post, or how widely the
information will spread. This type of concern prompted
the SEC to act in August 2000. At that time, due to
concerns that select investors or securities analysts were
receiving important disclosures before, and to the detriment of, the public, the SEC adopted Regulation Fair
Disclosure (Regulation FD) prohibiting issuers (which
would include certain BDs and IAs) from disclosing
material, non-public information to certain groups,
either intentionally or unintentionally, without disclosing the same information to the entire marketplace.25
Acceptable disclosures can be made through specific
filings or notices, such as a Form 8-K, that effect “broad,
non-exclusionary distribution of the information to
the public.”26 For some time it was unclear whether
companies could comply with Regulation FD’s public
disclosure mandate via social media, although the SEC
had commented that “for some companies in certain
circumstances, posting of the information on a company’s website, in and of itself, may be a sufficient method
of public disclosure” for Regulation FD purposes.27
Meanwhile, companies and executives have been
relying more and more on electronic communication
to update friends, investors, and the marketplace.
For example, in March 2012, the CEO of a clothing
retailer tweeted from his private account “Board meeting. Good numbers = Happy Board.” Unfortunately
for the CEO, official earnings had not yet been
released. As a result, the CEO was fired for “improperly communicating company information through
social media.”28
In December 2012, the SEC’s Division of Enforcement issued a Wells Notice to Netflix and its CEO,
informing them that the staff intended to recommend
enforcement action based on Netflix’s social media
disclosures.29 This was the first indication of an SEC
position on whether social media announcements are
considered public disclosures. The CEO of Netflix had
written on Facebook in June 2012 that for the first time
Netflix’s monthly viewing exceeded 1 billion hours.30
Objecting to the Wells Notice, Stanford Law School
Professor and former SEC Commissioner Joseph
Grundfest wrote an article in the form of an amicus
Wells Submission, arguing that because of the post’s
“spread through social media,” it constituted a “broad
non-exclusionary distribution.”31 In other words, since
the social media post had reached a significant enough
marketplace, it was an acceptable Regulation FD disclosure. Moreover, according to Professor Grundfest,
“prosecution would also diverge dramatically from all
prior Regulation FD enforcement proceedings, and
would violate the Commission’s prior representations
not to ‘second guess’ good faith efforts to comply with
Regulation FD.”32
The SEC did not end up initiating an enforcement
action against the CEO or Netflix. Instead, on April 2,
2013, recognizing that there has been market uncertainty about the application of Regulation FD to social
media, it issued a Report of Investigation pursuant to
Section 21(a) of the Exchange Act (21(a) Report).33
The 21(a) Report confirmed that companies may use
social media, including Twitter and Facebook, to disseminate key information to investors as long as they
have been informed about which sites will be used.34
The report cautioned, however, that “disclosure of
material, nonpublic information on the personal social
media site of an individual corporate officer, without
advance notice to investors that the site may be used
for this purpose, is unlikely to qualify” as an acceptable
method of disclosure for Regulation FD purposes.35
With the now ubiquitous use of social media, the
21(a) Report is noteworthy for the impact it could have
on the ways in which social media can be utilized by
issuers to disseminate information, and how investors
may one day obtain most of their information. Although
the SEC stated that it “encourage[s] companies to seek
out new forms of communication to better connect
with shareholders[,]” it also emphasized that “disclosures
to persons enumerated in Regulation FD, even if made
through evolving social media channels, must still be
analyzed for compliance with Regulation FD.”36
Cyber Security
ADMINISTRATOR: Mr. Zuckerberg, this is an
Administrative Board hearing. You’re being accused of
intentionally breaching security, violating copyrights,
violating individual privacy by creating the website,
WWW.FACEMASH.COM.… Before we begin with
our questioning you’re allowed to make a statement.
Would you like to do so?
MARK: Uh…I’ve, you know
(Mark stands to address the Board)
MARK (cont’d): I’ve already apologized to … any
women at Harvard who might have been insulted as I
take it that they were. As for any charges stemming from
the breach of security, I believe I deserve some recognition
from this Board.
(Mark takes his seat)
ADMINISTRATOR: (pause) I’m sorry?
MARK: Yes.
ADMINISTRATOR: I don’t understand.
MARK: Which part?
ADMINISTRATOR: You deserve recognition?
MARK: I believe I pointed out some pretty gaping
holes in your system.37
As Mark Zuckerberg arrogantly observes, the importance of sound Internet security should not be underestimated; based on a review of enforcement actions, it
appears that Harvard’s network is not the only one to
have had “gaping” holes. BDs, IAs, and public companies
also have had security breaches. As discussed below, BDs
and IAs have been sanctioned for violations of Rule
30 of Regulation S-P, which requires them to have
written policies and procedures reasonably designed to
protect security and confidentiality of customer records
and information and protect against anticipated threats
to security. Specifically, regulators have fined firms for
weak passwords or encryptions, insufficient training,
and failure to install security software.
• Passwords and Encryptions
Many individuals find passwords to be an annoyance, particularly when they have to be changed every
month, and especially when so many different passwords
are being used that it becomes difficult to remember
them. Still, passwords are often critical to help protect
personal, business, and other private information. The
failure to protect such information has led to disciplinary
actions against firms and representatives. In September
2008, the SEC fined a dually registered firm in a settled
action for failing to implement adequate controls to
protect and safeguard customer records and information,
despite being on notice that, among other problems, its
password complexity and session inactivity parameters
were deficient. Its system was hacked, and the unauthorized hacker attempted to trade, or did trade, in several
customer accounts.38 Additionally, in April 2011, the
SEC fined the CCO of a BD after three laptops and a
registered representative’s computer password credentials
were stolen. The SEC found that the firm had inadequate
procedures in place to protect customer information.39
Violations of Regulation S-P for failure to encrypt
networks are also being pursued. For example, in April
2010, FINRA found that a BD violated Rule 30 after a
hacker downloaded confidential customer information
for almost 200,000 customers. The BD’s database had
not been encrypted, and the firm had never activated
a password.40
• Insufficient Training
Not only should firms have appropriately complex
passwords and encrypted databases, but they also should
train certain employees regarding customer breaches.
For example, in April 2012, FINRA fined a BD in
a settled action because, among other problems, the
“firm failed to provide adequate training to certain
of its employees regarding customer breaches” and,
accordingly, certain signs of unauthorized use went
unnoticed.41
• Security Software Installation
Computer software is arguably akin to a computer
system’s brain, its nervous system, and its soul (and with
Apple’s Siri, it can become a personal companion).
Firms have been sanctioned for failing to adequately
address issues related to software (although, as far as
we know, Siri has so far been insulated from action by
the securities regulators). In September 2009, the SEC
fined a dually registered firm in a settled action for
recommending, but not requiring, that the firm’s registered representatives install antivirus software on their
computers used to access the firm’s intranet. Moreover,
the firm did not have procedures in place to adequately
review its registered representatives’ computer security
measures, nor were these computers audited. A hacker
accessed the intranet and a list of 368 customer
accounts. Through several accounts, the hacker placed
unauthorized purchase orders.42
In February 2011, FINRA sanctioned another BD
for failing to “audit the representative-owned computers to confirm the installation of security software or
to monitor for potential or actual breaches” and found
that the firm’s customer information was vulnerable to
security breaches “as a result of the uncontrolled access
to and distribution of the common user names and
passwords.”43 While no breach was detected in this case,
FINRA still found that non-public information was
not adequately safeguarded.
• SEC Guidance on Cyber Attacks
Cyber attacks have become more prevalent and
dangerous, increasing the likelihood of enforcement
actions. These issues were highlighted by the SEC in
October 2011, when it issued guidance encouraging corporations to disclose potential risks of cybersecurity attacks, as well as actual attacks. The SEC had
“observed an increased level of attention focused on
cyber attacks” that included “gaining unauthorized
access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or
causing operational disruption.”44 The SEC’s guidance
is more pertinent than ever. On February 18, 2013,
the New York Times reported that a Chinese military
unit had hacked more than 140 U.S. corporations in
the past few years, stealing a wide range of intellectual
property.45 In light of the October 2011 SEC guidance
and increasing media attention, these breaches could
lead to increased regulatory scrutiny of cyber-security
controls and disclosure practices, as well as possible
enforcement actions. To help address these issues, firms
may want to consider monitoring their systems more
vigilantly, reviewing their current security procedures,
and implementing additional training.
Conclusion
SEAN PARKER: The next transformative development? … [T]he true digitalization of real life.46
In the Social Network, Sean Parker prophesied that
Facebook would transform our lives. Time will tell
whether he proves to be correct. (Well, maybe not
Time magazine, but more likely some Internet publication.) As account information, relationships, education,
intellectual property creations, and corporate records,
to name a few, move online, it seems as though real
life is, in fact, digitalized. Or, at the very least, the
paper world is diminishing rapidly. In the face of this
ubiquitous digitalization, BDs and IAs also are moving
online to communicate more effectively and rapidly
with clients and investors. According to the SEC, as
IAs move online, they need to “comply with various
provisions of the federal securities laws, including, but
not limited to, the antifraud provisions, compliance
provisions, and recordkeeping provisions.”47 Although
the SEC guidance was written for IAs, BDs may want
to review its guidance as well. The regulatory guidance
and enforcement actions demonstrate that executives
and the legal and compliance staff of BDs and IAs may
want to keep up to date on rule changes and regulatory
pronouncements, review their policies and procedures,
provide training to representatives, monitor changing
technologies and changing uses of older technology,
and, on occasion, catch a good flick to see how social
media is evolving and changing our lives.
Notes
1. Sorkin, A., The Social Network Screenplay, at 155 (2010) available at http://flash.sonypictures.com/video/movies/thesocialnetwork/
awards/thesocialnetwork_screenplay.pdf.
2. Sorkin, A., The Social Network Screenplay, at 78 (2010) available at http://flash.sonypictures.com/video/movies/thesocialnetwork/
awards/thesocialnetwork_screenplay.pdf.
3. 17 CFR § 240.17a-4(b); see also FINRA Notice 11-39 (Aug.
18, 2011), available at http://www.finra.org/web/groups/industry/
@ip/@reg/@notice/documents/notices/p124186.pdf.
4. FINRA Notice 11-39, at 2 (Aug. 18, 2011), available at http://
www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/
notices/p124186.pdf (“As part of this responsibility, a registered
principal must review prior to use any social media site that an
associated person intends to employ for a business purpose.”).
5. See NASD Rule 3010 (governing supervision); FINRA Rule
2210 (governing communications with the public). See also
FINRA Notice 11-39, at 2 (Aug. 18, 2011) (“The procedures a
firm adopts must be reasonably designed to ensure that interactive electronic communications do not violate FINRA or SEC
rules, including the content requirements of NASD Rule 2210,
such as the prohibition on misleading statements or claims and
the requirement that communications be fair and balanced.”).
6. 17 CFR § 275.204-2; 17 CFR § 275.206(4)-7.
7. 17 CFR § 275.204-2.
8. FINRA News Rel., SEC, NYSE, NASD Fine Five Firms Total
of $8.25 Million for Failure to Preserve Emails Communications
(Dec. 3, 2002), available at http://www.finra.org/Newsroom/
NewsReleases/2002/P002873.
9. See FINRA AWC No. 2006003768501 (Aug. 6, 2007), available at
http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=12509.
10. See FINRA AWC No. 2006003901001 (Aug. 15, 2007), available at
http://disciplinaryactions.finra.org/viewDocument.aspx?DocNb=12357.
11. See FINRA AWC No. 2005002133004 (Oct. 15, 2007),
available at http://disciplinaryactions.finra.org/viewdocument.
aspx?DocNB=12570.
12. See FINRA AWC No. 2006004614201 (Nov. 9, 2007), available at
http://disciplinaryactions.finra.org/viewDocument.aspx?DocNb=11633.
13. See FINRA AWC No. 2008011737901 (Jan. 20, 2010) available at
http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=16592.
14. See FINRA AWC No. 2010025074101 (Nov. 20, 2012), available at
http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=32656.
15. See FINRA AWC No. 2012031270301 (Feb. 15, 2013), available at
http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=33091.
16. See NASD AWC No. 2005000627701 (Feb. 5, 2007), available at
http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=12163.
17. See FINRA Order Accepting Offer of Settlement No.
2008011650601 (Feb. 8, 2012), available at http://disciplinaryactions.
finra.org/viewDocument.aspx?DocNb=29728.
18. In re vFinance Investments, Inc. & Richard Campanella, Admin. Proc.
File No. 3-12918 (July 2, 2010), available at http://www.sec.gov/
litigation/opinions/2010/34-62448.pdf.
19. In re Biremis Corp, et al., Admin. Proc. File No. 3-15136, at ¶¶
73-77 (Dec. 18, 2012), available at http://www.sec.gov/litigation/
admin/2012/34-68456.pdf.
20. See FINRA Order Accepting Offer of Settlement No.
2008011650601 (Feb. 8, 2012) (finding such acts violated
NASD Conduct Rules 3010(a), 3010(b), 3110, and 2110 and
FINRA Rule 2010 as well as Rule 17a-4(b)(4) of the Exchange
Act), available at http://disciplinaryactions.finra.org/viewDocument.
aspx?DocNb=29728.
21. See Mark Zuckerberg Wikipedia page, http://en.wikipedia.
org/wiki/Mark_Zuckerberg (dropped out of Harvard in 2004)
(last visited Mar. 29, 2013); Bill Gates Wikipedia page, http://
en.wikipedia.org/wiki/Bill_Gates (dropped out of Harvard in
1975) (last visited Mar. 29, 2013).
22. See Steve Jobs Wikipedia page, http://en.wikipedia.org/wiki/
Steve_Jobs (dropped out of Reed College after six months) (last
visited Mar. 29, 2013).
23. See Office of Compliance Inspections and Examinations,
National Examination Risk Alert: Investment Adviser Use of
Social Media, at 2 ( Jan. 4, 2012), available at http://www.sec.gov/
about/offices/ocie/riskalert-socialmedia.pdf.
24. Sorkin, A., The Social Network Screenplay, at 17 (2010) available at http://flash.sonypictures.com/video/movies/thesocialnetwork/
awards/thesocialnetwork_screenplay.pdf.
25. 17 CFR § 243.100.
26. 17 CFR § 243.101(e).
27. Commission Guidance on the Use of Company Web Sites,
Release No. 34-58288, at 25 (Aug. 7, 2008), available at http://
www.sec.gov/rules/interp/2008/34-58288.pdf.
28. Posting by Ryan Holmes to Harvard Business Review Blog
Network, http://blogs.hbr.org/cs/2012/08/social_media_compliance_
isnt.html (Aug. 23, 2012).
29. Davidoff, S., “In Netflix Case, A Chance to Re-Examine Old
Rules,” NY Times, Dec. 11, 2012, available at http://dealbook.
nytimes.com/2012/12/11/in-netflix-case-a-chance-for-the-s-e-c-tore-examine-old-regulation/.
30. Davidoff, S., “In Netflix Case, A Chance to Re-Examine Old
Rules,” NY Times, Dec. 11, 2012, available at http://dealbook.
nytimes.com/2012/12/11/in-netflix-case-a-chance-for-the-s-e-c-tore-examine-old-regulation/.
31. Grundfest, J. A., Regulation FD in the Age of Facebook and Twitter:
Should the SEC Sue Netflix?, at 1 (Stanford Law School and
The Rock Center for Corporate Governance, Working Paper
Series No. 131, Jan. 30, 2013), available at http://www.niri.org/
Other-Content/sampledocs/Joseph-Grundfest-Regulation-FD-in-theAge-of-Facebook-and-Twitter-Jan-2013.aspx.
32. Grundfest, J. A., Regulation FD in the Age of Facebook and Twitter:
Should the SEC Sue Netflix?, at 1 (Stanford Law School and
The Rock Center for Corporate Governance, Working Paper
Series No. 131, Jan. 30, 2013), available at http://www.niri.org/
Other-Content/sampledocs/Joseph-Grundfest-Regulation-FD-in-theAge-of-Facebook-and-Twitter-Jan-2013.aspx.
33. See Report of Investigation Pursuant to Section 21(a) of
the Exchange Act: Netflix, Inc., and Reed Hastings, Release
No. 69279 (Apr. 2, 2013), available at http://www.sec.gov/
litigation/investreport/34-69279.pdf.
34. See Report of Investigation Pursuant to Section 21(a) of the
Exchange Act: Netflix, Inc., and Reed Hastings, Release No.
69279 (Apr. 2, 2013), available at http://www.sec.gov/litigation/
investreport/34-69279.pdf.
35. Report of Investigation Pursuant to Section 21(a) of the
Exchange Act: Netflix, Inc., and Reed Hastings, Release No.
69279, at 7 (Apr. 2, 2013), available at http://www.sec.gov/
litigation/investreport/34-69279.pdf.
36. Report of Investigation Pursuant to Section 21(a) of the
Exchange Act: Netflix, Inc., and Reed Hastings, Release No.
69279, at 5, 8 (Apr. 2, 2013), available at http://www.sec.gov/
litigation/investreport/34-69279.pdf.
37. Sorkin, A., The Social Network Screenplay, at 27 (2010) available at http://flash.sonypictures.com/video/movies/thesocialnetwork/
awards/thesocialnetwork_screenplay.pdf.
38. In re LPL Financial Corp., Admin. Proc. No. File No. 3-13181
(Sept. 11, 2008), available at http://www.sec.gov/litigation/
admin/2008/34-58515.pdf.
39. In the Matter of Marc A. Ellis, Admin. Proc. File No. 3-14328
(Apr. 7, 2011), available at http://www.sec.gov/litigation/
admin/2011/34-64220.pdf.
40. See FINRA AWC No. 20080152998 (Apr. 9, 2010), available at http://www.finra.org/web/groups/industry/@ip/@enf/@ad/
documents/industry/p121260.pdf.
41. FINRA AWC No. 2010022554701, at 5 (Apr. 9, 2012), available at
http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=31594.
42. In re Commonwealth Equity Services LLP, Admin. Proc. File
No. 3-13631 (Sept. 29, 2009), available at http://www.sec.gov/
litigation/admin/2009/34-60733.pdf.
43. FINRA AWC No. 2009018720501, at 2,4 (Feb. 16, 2011),
available at http://disciplinaryactions.finra.org/viewdocument.
aspx?DocNB=12844.
44. Division of Corporation Finance, Securities and Exchange
Commission, CF Disclosure Guidance: Topic No. 2 Cybersecurity
(Oct. 13, 2001), available at http://www.sec.gov/divisions/corpfin/
guidance/cfguidance-topic2.htm.
45. Sanger, D. E., D. Barboza, N. Perlroth, “Chinese Army Unit Is Seen
as Tied to Hacking Against U.S.,” NY Times, Feb. 18, 2013, available
at http://www.nytimes.com/2013/02/19/technology/chinas-army-isseen-as-tied-to-hacking-against-us.html?pagewanted=all&_r=0.
46. Sorkin, A., The Social Network Screenplay, at 155 (2010) available
at http://flash.sonypictures.com/video/movies/thesocialnetwork/
awards/thesocialnetwork_screenplay.pdf.
47. Office of Compliance Inspections and Examinations, National
Examination Risk Alert: Investment Adviser Use of Social
Media, at 2 ( Jan. 4, 2012) (footnotes omitted), available at
http://www.sec.gov/about/offices/ocie/riskalert-socialmedia.pdf.