The Social Network Unhinged: #TopSocialMediaEnforcementIssuesintheSecuritiesIndustry

By Brian L. Rubin and Caroline A. Crenshaw

Banking & Financial Services Policy Report • Volume 32 • Number 6 • June 2013 • Reprinted with permission

Brian L. Rubin is a partner in the Washington, DC office of Sutherland Asbill and Brennan, LLP, and is head of Sutherland’s Securities Enforcement and Litigation Practice Team. He was formerly Deputy Chief Counsel of Enforcement with NASD and was Senior Counsel with the SEC’s Division of Enforcement. Caroline A. Crenshaw is a member of Sutherland’s Litigation Practice Group, where she focuses on securities enforcement and litigation. She is based in Washington, DC.

SEAN PARKER: We lived on farms and then we lived in cities and now we’re gonna live on the Internet.1

The movie The Social Network introduced the world to Mark Zuckerberg and the cast of characters who created, developed, and fought over the social media sensation, Facebook. In the movie, Sean Parker, an investor and early executive of Facebook, predicted that Facebook would change the way we live our lives. Regardless of whether he proves to be correct about Facebook, it appears that now we are living on the Internet, which presents regulators and financial service firms with new opportunities and new challenges.

For example, broker-dealers (BDs), investment advisers (IAs), and their representatives have access to clients through new forums that provide unprecedented marketing opportunities; clients have virtually unlimited access to their accounts and information about securities products and services; and regulators can review data not previously accessible. On the other hand, new forums for communications, such as Tumblr, Facebook, Instagram, blogs, LinkedIn, and Twitter, may cause representatives to be less careful in their word choice and more susceptible to misinterpretation, or lead them to think their statements will fly under the radar of their firms or the regulators. BDs and IAs may find it harder to supervise, review, maintain, and protect information disseminated over so many channels and stored on so-called clouds. Finally, regulators such as the Securities and Exchange Commission (SEC) and FINRA are grappling with drafting and enforcing regulatory requirements in an environment mutating as rapidly as mobile phones, tablets, and Facebook’s privacy settings.

In light of these challenges, this article reviews recent social media enforcement actions brought by the SEC and FINRA and discusses challenges facing the securities industry as it lives and expands on the Internet.

SEC and FINRA Enforcement Actions Involving Social Media

ERICA [Mark’s girlfriend] to MARK ZUCKERBERG: The Internet’s not written in pencil, Mark, it’s written in ink.2

Although Internet content does not disappear (too easily), when it does, it can have far-reaching and long-lasting effects on firms and representatives who use it. Accordingly, without established procedures to maintain, review, and supervise communications transmitted via email, instant messages, blogs, posts, and other forums that may yet be invented, companies and individuals can be at risk of violating regulatory obligations.

Pursuant to Rule 17a-4(b) of the Securities Exchange Act of 1934 (Exchange Act), BDs must preserve business-related records, including social media communications, for not less than three years, the first two of which must be in an easily accessible place.3 In addition, NASD Rule 3010 mandates that BDs establish and maintain a system to supervise the activities of associated persons, and that such a system be reasonably designed to achieve compliance with applicable federal securities laws and FINRA rules.4 FINRA and NASD Rules also govern supervision requirements for communications with the public.5

Pursuant to Rules 204-2 and 206(4)-7 of the Investment Advisers Act of 1940, IAs must also maintain electronic records related to their investment advisory businesses including, but not limited to, communications regarding recommendations, disclosure documents, and advertising.6 The IA must keep these records in its principal office for at least two years and then move them to a readily accessible place for at least another three years.7

The First Social Media Cases: Email Retention

Prior to the proliferation of social media, when Mark Zuckerberg was still an unknown teenager, regulators made clear that BDs and IAs should retain emails. For example, in December 2002, the SEC, NASD (now FINRA), and the New York Stock Exchange brought email enforcement actions against five BDs for failing to preserve emails and for failing to establish, maintain, and enforce supervisory systems reasonably designed to ensure compliance with the rules and laws relating to the retention of electronic documents.8 During the next few years, it became clear that BDs and IAs need to retain and review emails.
In August 2007, for example, FINRA fined a firm in a settled action for failing to preserve, review, or retain emails sent via external accounts.9

Advanced Social Media Cases: Personal Accounts, Maintenance, and Access

As the Internet and technology evolved and grew, and as regulators, particularly FINRA, brought additional email enforcement actions, a more robust picture of the specific review and retention requirements developed. In addition to the mere retention and review of emails, enforcement actions dealt with firms that allegedly failed to have adequate policies and procedures to ensure that (1) unmonitored personal accounts were not being used for business-related communication, (2) firms maintained their electronic systems properly, and (3) emails were readily accessible. For example:

• In August 2007, FINRA fined a BD in a settled action because the firm, inter alia, failed to ensure that all representatives used the firm’s electronic server for business-related emails.10
• In October 2007, FINRA fined a BD in a settled action for failing to configure its email system properly after an upgrade, thereby failing to retain business-related emails.11
• In November 2007, FINRA expelled a BD for failing to have any written supervisory procedures or policies relating to email retention and allowing representatives to use personal email accounts, among other violations.12
• In January 2010, FINRA fined a BD in a settled action because, among other things, it failed to keep all business-related emails in an easily accessible place and instead allowed its investment adviser clients to keep their own emails.13
• In November 2012, FINRA fined a BD for, among other violations, failing to review an external email account, despite written supervisory procedures requiring the branch auditors to do so.
Had the firm reviewed the external email, it may have detected and prevented a representative’s fraudulent solicitation and sale of investments.14
• In January 2013, FINRA fined five affiliated BDs in a settled action for failing to: “journal,” or copy, emails from the exchange server to an email archive; “configure secondary email addresses” so that they could journal emails; journal blind carbon copies of certain emails and emails that were encrypted; and journal emails sent from the software provider’s “cloud” application. Additionally, the BDs “failed to review millions of emails that had been retained and flagged for supervisory review.”15

Living on the Internet: Instant Messaging and Social Media

Enforcement actions have also focused on whether firms’ policies and procedures are reasonably designed to ensure compliance with electronic communication requirements, even as methods of communication have moved from basic email to communications that “live” on the Internet, such as instant messages and communications via social networking sites. Specifically, regulators’ concerns include the ability of firms to preserve business-related communications sent via instant message and social media sites.

• Instant Messaging (IM)

As early as 2007, regulators began focusing on instant message exchanges. FINRA was the first regulator to show interest in this issue.
In February 2007, for example, FINRA fined four affiliated firms in a settled action for, among other violations, failing to preserve communications sent via instant message and Bloomberg.16 In April 2012, FINRA fined a representative in a settled action for, among other violations, “fail[ing] to establish, maintain and enforce a supervisory system and written procedures for [the firm] that were reasonably designed to ensure that all electronic securities-related business communications including … instant messaging by [the firm] representatives were reviewed and maintained … .”17

More recently, the SEC has focused on this issue. In July 2010, the SEC fined a BD and its chief compliance officer (CCO) in a litigated action for, among other violations, allowing a representative to store instant messages on his computer, despite contrary firm guidance that required instant message programs be disabled or kept in hard copy. The firm and CCO additionally failed to discipline the representative for using external instant messages, even though the representative had signed the branch office manager questionnaire representing that he used only the firm’s email for public communications.18 Additionally, in December 2012, the SEC fined a BD in a settled action for a variety of regulatory violations, including failing to configure its instant messaging system to preserve instant messages that were business-related and used for simultaneous communication between the head office and the trading floors. The firm had been unable to produce the vast majority of its instant messages to the SEC staff when requested.19

• Social Media Accounts

In addition to emails and instant messaging, regulators are bringing actions against firms and individuals who fail to adequately supervise or preserve business-related social media communications.
For example, in April 2012, FINRA fined representatives of a firm for failing to have procedures to ensure representatives’ compliance with electronic communication policies. FINRA found that representatives had used outside electronic addresses and Twitter, among other channels, for securities-related business and failed to provide copies to the firm.20

Even though the Internet may be “written in ink,” the regulatory actions demonstrate that certain communications may be written in “erasable” ink. As such, the regulatory guidance indicates that firms should preserve all business-related communications, including not just emails but also text messages and social media (as well as whatever channel or forum of communication is developed by the next generation of dropouts from Harvard College21 or Reed College22). Even if firms have policies and procedures in place, they may want to confirm that they have easy access to these communications and could readily produce them if necessary. Firms may want to review policies and procedures to make sure that overlapping procedures that apply to advertisements, client communications, or electronic communications in general, also include social media use.23 Finally, firms and their representatives may want to observe children’s electronic gadgets and teenagers’ communication habits vigilantly because financial advisers are likely to follow the communication habits of the younger generations.

Current Social Media Considerations

Disclosures

EDUARDO [Mark’s friend and original founding member of Facebook]: Who are you gonna send it to?
MARK: Just a couple of people. The question is, who are they gonna send it to?24

With Internet and computer technology, spreading information (intentionally or unintentionally) can be accomplished more rapidly than ever before.
Often it is impossible to know who will ultimately be on the receiving end of an email or a post, or how widely the information will spread. This type of concern prompted the SEC to act in August 2000. At that time, due to concerns that select investors or securities analysts were receiving important disclosures before, and to the detriment of, the public, the SEC adopted Regulation Fair Disclosure (Regulation FD) prohibiting issuers (which would include certain BDs and IAs) from disclosing material, non-public information to certain groups, either intentionally or unintentionally, without disclosing the same information to the entire marketplace.25 Acceptable disclosures can be made through specific filings or notices, such as a Form 8-K, that effect “broad, non-exclusionary distribution of the information to the public.”26

For some time it was unclear whether companies could comply with Regulation FD’s public disclosure mandate via social media, although the SEC had commented that “for some companies in certain circumstances, posting of the information on a company’s website, in and of itself, may be a sufficient method of public disclosure” for Regulation FD purposes.27

Meanwhile, companies and executives have been relying more and more on electronic communication to update friends, investors, and the marketplace. For example, in March 2012, the CEO of a clothing retailer tweeted from his private account “Board meeting. Good numbers = Happy Board.” Unfortunately for the CEO, official earnings had not yet been released.
As a result, the CEO was fired for “improperly communicating company information through social media.”28

In December 2012, the SEC’s Division of Enforcement issued a Wells Notice to Netflix and its CEO, informing them that the staff intended to recommend enforcement action based on Netflix’s social media disclosures.29 This was the first indication of an SEC position on whether social media announcements are considered public disclosures. The CEO of Netflix had written on Facebook in June 2012 that for the first time Netflix’s monthly viewing exceeded 1 billion hours.30 Objecting to the Wells Notice, Stanford Law School Professor and former SEC Commissioner Joseph Grundfest wrote an article in the form of an amicus Wells Submission, arguing that because of the post’s “spread through social media,” it constituted a “broad non-exclusionary distribution.”31 In other words, since the social media post had reached a significant enough marketplace, it was an acceptable Regulation FD disclosure. Moreover, according to Professor Grundfest, “prosecution would also diverge dramatically from all prior Regulation FD enforcement proceedings, and would violate the Commission’s prior representations not to ‘second guess’ good faith efforts to comply with Regulation FD.”32

The SEC did not end up initiating an enforcement action against the CEO or Netflix. Instead, on April 2, 2013, recognizing that there has been market uncertainty about the application of Regulation FD to social media, it issued a Report of Investigation pursuant to Section 21(a) of the Exchange Act (21(a) Report).33 The 21(a) Report confirmed that companies may use social media, including Twitter and Facebook, to disseminate key information to investors as long as they have been informed about which sites will be used.34 The report cautioned, however, that “disclosure of material, nonpublic information on the personal social media site of an individual corporate officer, without advance notice to investors that the site may be used for this purpose, is unlikely to qualify” as an acceptable method of disclosure for Regulation FD purposes.35

With the now ubiquitous use of social media, the 21(a) Report is noteworthy for the impact it could have on the ways in which social media can be utilized by issuers to disseminate information, and how investors may one day obtain most of their information. Although the SEC stated that it “encourage[s] companies to seek out new forms of communication to better connect with shareholders[,]” it also emphasized that “disclosures to persons enumerated in Regulation FD, even if made through evolving social media channels, must still be analyzed for compliance with Regulation FD.”36

Cyber Security

ADMINISTRATOR: Mr. Zuckerberg, this is an Administrative Board hearing. You’re being accused of intentionally breaching security, violating copyrights, violating individual privacy by creating the website, WWW.FACEMASH.COM.… Before we begin with our questioning you’re allowed to make a statement. Would you like to do so?
MARK: Uh…I’ve, you know (Mark stands to address the Board)
MARK (cont’d): I’ve already apologized to … any women at Harvard who might have been insulted as I take it that they were. As for any charges stemming from the breach of security, I believe I deserve some recognition from this Board. (Mark takes his seat)
ADMINISTRATOR (pause): I’m sorry?
MARK: Yes.
ADMINISTRATOR: I don’t understand.
MARK: Which part?
ADMINISTRATOR: You deserve recognition?
MARK: I believe I pointed out some pretty gaping holes in your system.37

As Mark Zuckerberg arrogantly observes, the importance of sound Internet security should not be underestimated; based on a review of enforcement actions, it appears that Harvard’s network is not the only one to have had “gaping” holes.
BDs, IAs, and public companies also have had security breaches. As discussed below, BDs and IAs have been sanctioned for violations of Rule 30 of Regulation S-P, which requires them to have written policies and procedures reasonably designed to protect security and confidentiality of customer records and information and protect against anticipated threats to security. Specifically, regulators have fined firms for weak passwords or encryptions, insufficient training, and failure to install security software.

• Passwords and Encryptions

Many individuals find passwords to be an annoyance, particularly when they have to be changed every month, and especially when so many different passwords are being used that it becomes difficult to remember them. Still, passwords are often critical to help protect personal, business, and other private information. The failure to protect such information has led to disciplinary actions against firms and representatives.

In September 2008, the SEC fined a dually registered firm in a settled action for failing to implement adequate controls to protect and safeguard customer records and information, despite being on notice that, among other problems, its password complexity and session inactivity parameters were deficient. Its system was hacked, and the unauthorized hacker attempted to trade, or did trade, in several customer accounts.38 Additionally, in April 2011, the SEC fined the CCO of a BD after three laptops and a registered representative’s computer password credentials were stolen. The SEC found that the firm had inadequate procedures in place to protect customer information.39

Violations of Regulation S-P for failure to encrypt networks are also being pursued. For example, in April 2010, FINRA found that a BD violated Rule 30 after a hacker downloaded confidential customer information for almost 200,000 customers.
The BD’s database had not been encrypted, and the firm had never activated a password.40

• Insufficient Training

Not only should firms have appropriately complex passwords and encrypted databases, but they also should train certain employees regarding customer breaches. For example, in April 2012, FINRA fined a BD in a settled action because, among other problems, the “firm failed to provide adequate training to certain of its employees regarding customer breaches” and, accordingly, certain signs of unauthorized use went unnoticed.41

• Security Software Installation

Computer software is arguably akin to a computer system’s brain, its nervous system, and its soul (and with Apple’s Siri, it can become a personal companion). Firms have been sanctioned for failing to adequately address issues related to software (although, as far as we know, Siri has so far been insulated from action by the securities regulators).

In September 2009, the SEC fined a dually registered firm in a settled action for recommending, but not requiring, that the firm’s registered representatives install antivirus software on their computers used to access the firm’s intranet. Moreover, the firm did not have procedures in place to adequately review its registered representatives’ computer security measures, nor were these computers audited. A hacker accessed the intranet and a list of 368 customer accounts.
Through several accounts, the hacker placed unauthorized purchase orders.42 In February 2011, FINRA sanctioned another BD for failing to “audit the representative-owned computers to confirm the installation of security software or to monitor for potential or actual breaches” and found that the firm’s customer information was vulnerable to security breaches “as a result of the uncontrolled access to and distribution of the common user names and passwords.”43 While no breach was detected in this case, FINRA still found that non-public information was not adequately safeguarded.

• SEC Guidance on Cyber Attacks

Cyber attacks have become more prevalent and dangerous, increasing the likelihood of enforcement actions. These issues were highlighted by the SEC in October 2011, when it issued guidance encouraging corporations to disclose potential risks of cybersecurity attacks, as well as actual attacks. The SEC had “observed an increased level of attention focused on cyber attacks” that included “gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption.”44 The SEC’s guidance is more pertinent than ever. On February 18, 2013, the New York Times reported that a Chinese military unit had hacked more than 140 U.S. corporations in the past few years, stealing a wide range of intellectual property.45 In light of the October 2011 SEC guidance and increasing media attention, these breaches could lead to increased regulatory scrutiny of cyber-security controls and disclosure practices, as well as possible enforcement actions. To help address these issues, firms may want to consider monitoring their systems more vigilantly, reviewing their current security procedures, and implementing additional training.

Conclusion

SEAN PARKER: The next transformative development?
… [T]he true digitalization of real life.46

In The Social Network, Sean Parker prophesied that Facebook would transform our lives. Time will tell whether he proves to be correct. (Well, maybe not Time magazine, but more likely some Internet publication.) As account information, relationships, education, intellectual property creations, and corporate records, to name a few, move online, it seems as though real life is, in fact, digitalized. Or, at the very least, the paper world is diminishing rapidly.

In the face of this ubiquitous digitalization, BDs and IAs also are moving online to communicate more effectively and rapidly with clients and investors. According to the SEC, as IAs move online, they need to “comply with various provisions of the federal securities laws, including, but not limited to, the antifraud provisions, compliance provisions, and recordkeeping provisions.”47 Although the SEC guidance was written for IAs, BDs may want to review its guidance as well.

The regulatory guidance and enforcement actions demonstrate that executives and the legal and compliance staff of BDs and IAs may want to keep up to date on rule changes and regulatory pronouncements, review their policies and procedures, provide training to representatives, monitor changing technologies and changing uses of older technology, and, on occasion, catch a good flick to see how social media is evolving and changing our lives.

Notes

1. Sorkin, A., The Social Network Screenplay, at 155 (2010) available at http://flash.sonypictures.com/video/movies/thesocialnetwork/awards/thesocialnetwork_screenplay.pdf.
2. Sorkin, A., The Social Network Screenplay, at 78 (2010) available at http://flash.sonypictures.com/video/movies/thesocialnetwork/awards/thesocialnetwork_screenplay.pdf.
3. 17 CFR § 240.17a-4(b); see also FINRA Notice 11-39 (Aug. 18, 2011), available at http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p124186.pdf.
4. FINRA Notice 11-39, at 2 (Aug. 18, 2011), available at http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p124186.pdf (“As part of this responsibility, a registered principal must review prior to use any social media site that an associated person intends to employ for a business purpose.”).
5. See NASD Rule 3010 (governing supervision); FINRA Rule 2210 (governing communications with the public). See also FINRA Notice 11-39, at 2 (Aug. 18, 2011) (“The procedures a firm adopts must be reasonably designed to ensure that interactive electronic communications do not violate FINRA or SEC rules, including the content requirements of NASD Rule 2210, such as the prohibition on misleading statements or claims and the requirement that communications be fair and balanced.”).
6. 17 CFR § 275.204-2; 17 CFR § 275.206(4)-7.
7. 17 CFR § 275.204-2.
8. FINRA News Rel., SEC, NYSE, NASD Fine Five Firms Total of $8.25 Million for Failure to Preserve Emails Communications (Dec. 3, 2002), available at http://www.finra.org/Newsroom/NewsReleases/2002/P002873.
9. See FINRA AWC No. 2006003768501 (Aug. 6, 2007), available at http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=12509.
10. See FINRA AWC No. 2006003901001 (Aug. 15, 2007), available at http://disciplinaryactions.finra.org/viewDocument.aspx?DocNb=12357.
11. See FINRA AWC No. 2005002133004 (Oct. 15, 2007), available at http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=12570.
12. See FINRA AWC No. 2006004614201 (Nov. 9, 2007), available at http://disciplinaryactions.finra.org/viewDocument.aspx?DocNb=11633.
13. See FINRA AWC No. 2008011737901 (Jan. 20, 2010) available at http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=16592.
14. See FINRA AWC No. 2010025074101 (Nov. 20, 2012), available at http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=32656.
15. See FINRA AWC No. 2012031270301 (Feb. 15, 2013), available at http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=33091.
16. See NASD AWC No. 2005000627701 (Feb. 5, 2007), available at http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=12163.
17. See FINRA Order Accepting Offer of Settlement No. 2008011650601 (Feb. 8, 2012), available at http://disciplinaryactions.finra.org/viewDocument.aspx?DocNb=29728.
18. In re vFinance Investments, Inc. & Richard Campanella, Admin. Proc. File No. 3-12918 (July 2, 2010), available at http://www.sec.gov/litigation/opinions/2010/34-62448.pdf.
19. In re Biremis Corp, et al., Admin. Proc. File No. 3-15136, at ¶¶ 73-77 (Dec. 18, 2012), available at http://www.sec.gov/litigation/admin/2012/34-68456.pdf.
20. See FINRA Order Accepting Offer of Settlement No. 2008011650601 (Feb. 8, 2012) (finding such acts violated NASD Conduct Rules 3010(a), 3010(b), 3110, and 2110 and FINRA Rule 2010 as well as Rule 17a-4(b)(4) of the Exchange Act), available at http://disciplinaryactions.finra.org/viewDocument.aspx?DocNb=29728.
21. See Mark Zuckerberg Wikipedia page, http://en.wikipedia.org/wiki/Mark_Zuckerberg (dropped out of Harvard in 2004) (last visited Mar. 29, 2013); Bill Gates Wikipedia page, http://en.wikipedia.org/wiki/Bill_Gates (dropped out of Harvard in 1975) (last visited Mar. 29, 2013).
22. See Steve Jobs Wikipedia page, http://en.wikipedia.org/wiki/Steve_Jobs (dropped out of Reed College after six months) (last visited Mar. 29, 2013).
23. See Office of Compliance Inspections and Examinations, National Examination Risk Alert: Investment Adviser Use of Social Media, at 2 (Jan. 4, 2012), available at http://www.sec.gov/about/offices/ocie/riskalert-socialmedia.pdf.
24. Sorkin, A., The Social Network Screenplay, at 17 (2010) available at http://flash.sonypictures.com/video/movies/thesocialnetwork/awards/thesocialnetwork_screenplay.pdf.
25. 17 CFR § 243.100.
26. 17 CFR § 243.101(e).
27. Commission Guidance on the Use of Company Web Sites, Release No. 34-58288, at 25 (Aug. 7, 2008), available at http://www.sec.gov/rules/interp/2008/34-58288.pdf.
28. Posting by Ryan Holmes to Harvard Business Review Blog Network, http://blogs.hbr.org/cs/2012/08/social_media_compliance_isnt.html (Aug. 23, 2012).
29. Davidoff, S., “In Netflix Case, A Chance to Re-Examine Old Rules,” NY Times, Dec. 11, 2012, available at http://dealbook.nytimes.com/2012/12/11/in-netflix-case-a-chance-for-the-s-e-c-to-re-examine-old-regulation/.
30. Davidoff, S., “In Netflix Case, A Chance to Re-Examine Old Rules,” NY Times, Dec. 11, 2012, available at http://dealbook.nytimes.com/2012/12/11/in-netflix-case-a-chance-for-the-s-e-c-to-re-examine-old-regulation/.
31. Grundfest, J. A., Regulation FD in the Age of Facebook and Twitter: Should the SEC Sue Netflix?, at 1 (Stanford Law School and The Rock Center for Corporate Governance, Working Paper Series No. 131, Jan. 30, 2013), available at http://www.niri.org/Other-Content/sampledocs/Joseph-Grundfest-Regulation-FD-in-the-Age-of-Facebook-and-Twitter-Jan-2013.aspx.
32. Grundfest, J. A., Regulation FD in the Age of Facebook and Twitter: Should the SEC Sue Netflix?, at 1 (Stanford Law School and The Rock Center for Corporate Governance, Working Paper Series No. 131, Jan. 30, 2013), available at http://www.niri.org/Other-Content/sampledocs/Joseph-Grundfest-Regulation-FD-in-the-Age-of-Facebook-and-Twitter-Jan-2013.aspx.
33. See Report of Investigation Pursuant to Section 21(a) of the Exchange Act: Netflix, Inc., and Reed Hastings, Release No. 69279 (Apr. 2, 2013), available at http://www.sec.gov/litigation/investreport/34-69279.pdf.
34. See Report of Investigation Pursuant to Section 21(a) of the Exchange Act: Netflix, Inc., and Reed Hastings, Release No. 69279 (Apr. 2, 2013), available at http://www.sec.gov/litigation/investreport/34-69279.pdf.
35. Report of Investigation Pursuant to Section 21(a) of the Exchange Act: Netflix, Inc., and Reed Hastings, Release No. 69279, at 7 (Apr. 2, 2013), available at http://www.sec.gov/litigation/investreport/34-69279.pdf.
36. Report of Investigation Pursuant to Section 21(a) of the Exchange Act: Netflix, Inc., and Reed Hastings, Release No. 69279, at 5, 8 (Apr. 2, 2013), available at http://www.sec.gov/litigation/investreport/34-69279.pdf.
37. Sorkin, A., The Social Network Screenplay, at 27 (2010) available at http://flash.sonypictures.com/video/movies/thesocialnetwork/awards/thesocialnetwork_screenplay.pdf.
38. In re LPL Financial Corp., Admin. Proc. File No. 3-13181 (Sept. 11, 2008), available at http://www.sec.gov/litigation/admin/2008/34-58515.pdf.
39. In the Matter of Marc A. Ellis, Admin. Proc. File No. 3-14328 (Apr. 7, 2011), available at http://www.sec.gov/litigation/admin/2011/34-64220.pdf.
40. See FINRA AWC No. 20080152998 (Apr. 9, 2010), available at http://www.finra.org/web/groups/industry/@ip/@enf/@ad/documents/industry/p121260.pdf.
41. FINRA AWC No. 2010022554701, at 5 (Apr. 9, 2012), available at http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=31594.
42. In re Commonwealth Equity Services LLP, Admin. Proc. File No. 3-13631 (Sept. 29, 2009), available at http://www.sec.gov/litigation/admin/2009/34-60733.pdf.
43. FINRA AWC No. 2009018720501, at 2,4 (Feb. 16, 2011), available at http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=12844.
44. Division of Corporation Finance, Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2 Cybersecurity (Oct. 13, 2001), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
45. Sanger, D. E., D. Barboza, N. Perlroth, “Chinese Army Unit Is Seen as Tied to Hacking Against U.S.,” NY Times, Feb. 18, 2013, available at http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all&_r=0.
46. Sorkin, A., The Social Network Screenplay, at 155 (2010) available at http://flash.sonypictures.com/video/movies/thesocialnetwork/awards/thesocialnetwork_screenplay.pdf.
47. Office of Compliance Inspections and Examinations, National Examination Risk Alert: Investment Adviser Use of Social Media, at 2 (Jan. 4, 2012) (footnotes omitted), available at http://www.sec.gov/about/offices/ocie/riskalert-socialmedia.pdf.