Confidentiality at Risk: Accessing Financial Filings on EDGAR

The EDGAR (Electronic Data Gathering, Analysis, and Retrieval) database, which is part of the US Securities and Exchange Commission's (SEC) website, contains the financial filings of firms that access US capital markets (EDGAR is the US equivalent of Canada's SEDAR). However, users' activities on this database are at least partially public information, due to the zealous US freedom-of-information law and culture. Fortunately, one can take steps to preserve anonymity when client confidentiality requires it. Turning the tables also appears to be possible: taxpayers with documents posted on EDGAR may want to do their own tracking of the companies (or even the tax authorities) that have accessed their data.

The academic research publication "IRS Attention" and its online appendix report that as each user accesses EDGAR, a server log file tracks (1) the IP address of the requesting user, (2) the date and time of the request, (3) a code identifying the public company whose forms were requested, and (4) the particular form or filing being accessed. This information is made public on the SEC website and is updated quarterly with a time lag of six months or more. To partially protect the user's privacy, the final eight characters of the user's IP address are replaced with three unique letters (for example, the "abc" in the fictitious IP address 123.456.789.abc). This practice eliminates the possibility of tracking the access request to a particular person, but it appears to allow the tracking of accesses to those firms that use blocks of IP addresses. Specifically, if all of a firm's assigned IP addresses differ only in the final eight characters, the firm can be identified by using public records.

Users who want to protect their privacy can use standard techniques for hiding an IP address, such as first connecting to a privacy-protecting website known as a virtual private network (VPN), and then connecting to EDGAR through that network (assuming, of course, that one can trust the VPN provider). One can also take such steps when accessing other US government websites if there is a fear that web accesses to those websites might also be made public. VPNs are best known in Canada for allowing Canadians to access websites whose content is intended to be restricted to residents of the United States.

The aim of the "IRS Attention" study was to find out which companies' filings were particularly the object of IRS research. It appears that at the time of the study (2004-2014), IRS employees were not using VPNs to obscure their IP addresses. Perhaps the IRS was not aware that the employees' access to EDGAR was observable (or did not care that it was), or perhaps it was just difficult to use a VPN within the IRS computer system.

What are the broader implications of public or semi-public access? In particular, what types of information are tax practitioners potentially disclosing when they access EDGAR? The answer may be as broad as the question posed. In accessing publicly available filings, a buyer may disclose potential interest in a seller, or a regulatory body may disclose scrutiny of an entity. While that party's exact intentions may never be known with certainty, the simple fact of access—especially multiple accesses within a short period—could provide useful insights both to the entity that is being examined and to other market players.

Alex Klyguine and Alexandra McLennan
Osler Hoskin & Harcourt LLP, Toronto
AKlyguine@osler.com
amclennanbrown@osler.com


Canadian Tax Focus
Volume 8, Number 3, August 2018
©2018, Canadian Tax Foundation