On Tuesday, a day early, the Fed released the minutes of its March Open Market Committee meeting to recipients on the Hill and at financial institutions and trade associations. The Fed explained that the early release was accidental and released the minutes to everybody else on Wednesday morning, earlier than it otherwise would have. There is no reason to conclude that the Tuesday release was anything other than an innocent mistake. This incident nevertheless serves as a good reminder of the dangers of assuming that sensitive nonpublic information is safe in government hands.
Another reminder came last month, when the Securities and Exchange Commission's inspector general released a report about the SEC's information controls. The report found, among other things, that there is nothing preventing SEC employees, contractors, and interns "from saving and uploading sensitive or nonpublic information on non-SEC computers." The inspector general also found that the SEC did not have proper protocols for tracking information exchanged with the Financial Stability Oversight Council, the Office of Financial Research, and other agencies. When the SEC adopted Form PF (which the SEC uses to collect data for the FSOC) in 2011, it said that "our staff is working to design controls and systems for the use and handling of Form PF data in a manner that reflects the sensitivity of this data and is consistent with the confidentiality protections established in the Dodd-Frank Act." The inspector general's report suggests that there is still work to be done.
In addition to taking tougher measures to protect nonpublic, sensitive data, regulators should think carefully about how much information they need. When they decide to collect information, they should take into account the possibility of unintentional or intentional data leaks and the potential consequences of such leaks. Sometimes, the government's need for the information will be outweighed by the harm that would occur if the information were improperly disclosed. Regulators should not simply assume that mistakes will never happen.