The SEC Provides 4 Million Reasons to Ensure Required Records Are Maintained

BakerHostetler

Key Takeaways
  • On June 22, 2023, the Securities and Exchange Commission (SEC) published a consent order against J.P. Morgan Securities LLC (JPMorgan) for an alleged failure to retain millions of electronic communications as required by Rule 17a-4 of the Securities Exchange Act of 1934. The alleged failure stemmed from the deletion of approximately 47 million electronic communications in about 8,700 retail banking group electronic mailboxes during a data remediation project.
  • According to the order, JPMorgan believed that those communications would not be permanently deleted because its archiving vendor provided written representations that the emails had been coded for preservation to comply with Rule 17a-4’s 36-month retention requirement, when that coding had in fact not been applied to data in the “Chase” communications domain.
  • Consequently, the SEC imposed a $4 million fine, noting that the deletion impacted at least 12 civil securities-related investigations.

Reconciling Recordkeeping Requirements Against the Prudence of Data Remediation

As we have covered in previous alerts,[1] the SEC and other regulators have intensified their scrutiny of the retention of electronic communications. With respect to the order against JPMorgan, Rule 17a-4[2] requires broker-dealers, among other registered entities, to retain certain broad categories of communications, regardless of medium, for three years, including “[o]riginals of all communications received and copies of all communications sent . . . relating to its business as such.”[3]

Simultaneously, there is a push for companies to maintain more controlled data environments. Whether to mitigate exposure in the event of a cyberattack or improve data privacy posture, companies now increasingly seek to implement disciplined data retention practices to preserve no more than is necessary to operate their businesses – that is, companies are trying to delete no-longer-needed information. But of course, any such efforts must be attuned to existing recordkeeping regulations and be amenable to legal holds in the reasonable anticipation of litigation.[4]

JPMorgan’s Data Remediation Missteps

According to the order, JPMorgan began a data remediation project in 2016 to delete obsolete electronic documents, including materials from the 1970s and 1980s that it no longer needed. Yet it had repeated difficulties permanently deleting certain records from its information systems. In June 2019, JPMorgan attempted to troubleshoot this issue by running deletion tasks over multiple time periods, including the first quarter of 2018, believing that documents within a 36-month window were otherwise protected from permanent deletion by its archiving vendor’s default settings. But because the vendor had apparently failed to apply this setting to JPMorgan’s retail banking domain, all the retail banking emails for that period were permanently deleted if they were not already subject to a legal hold. All told, approximately 47 million emails from about 8,700 inboxes were deleted. JPMorgan discovered this issue in October 2019 and reported its findings to the SEC in January 2020.

Implications for Broker-Dealers and Other Regulated Entities

JPMorgan’s troubleshooting efforts bring into sharp relief the importance of not only memorializing data preservation procedures but also understanding the mechanics underlying such procedures, especially when they are being conducted with an outside vendor. Broker-dealers and all other regulated entities would be well advised to heed the following implications from this consent order.

  • Measure Twice, Cut Once. Any entity with recordkeeping requirements should be circumspect in approaching data deletion. Before any sort of deletion script is run, the data environment should be tested to ensure the proper parameters are in place to prevent irreversible deletion of required records. Whenever dealing with critical data subject to retention obligations or otherwise important to the organization, the mantra should be validate, validate and then validate again.
  • Exercise Vendor Oversight. The duty to retain records is not discharged when part or all of the obligations are outsourced to vendors. Thus, it is imperative to conduct proper due diligence and maintain oversight throughout an engagement.
  • Beware the Adverse Inference. Although the deletion did not impact emails subject to legal holds, it did allegedly result in the loss of data subject to requests and subpoenas in multiple investigations, which leaves open the possibility of other consequences. For example, courts occasionally allow adverse inferences to be drawn against a party for its failure to preserve electronically stored information, but only if the party “acted with the intent to deprive another party of the information’s use in the litigation.”[5] As we have covered in a prior blog post, this issue has recently come up in the context of purportedly premature disposal of ephemeral messages and instant chats. Because courts have increasingly shown a willingness to find a requisite intent to deprive on a record of circumstantial evidence, entities should exercise due care when maintaining required records and performing data remediation projects.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
