Securities Regulation
advertisement
Securities Regulation & Law Report™ Reproduced with permission from Securities Regulation & Law Report, 47 SRLR 1985, 10/19/15. Copyright 姝 2015 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com ENFORCEMENT Computer Hacking and Securities Fraud BY ANDREW N. VOLLMER ith much fanfare, the Securities and Exchange Commission and federal prosecutors announced securities fraud charges in a computer hacking case. The defendants are computer hackers, mainly from the Ukraine, who used technical methods to obtain unauthorized access to corporate press releases before they were released to the public, and traders, who paid for the stolen information and used it to buy and sell securities.1 The scheme was immediately cast as an W 1 The SEC brought a civil enforcement case, and two U.S. Attorneys Offices brought criminal cases. SEC v. Dubovoy, No. 2:15-cv-06076 (D. N.J. filed August 10, 2015); United States v. Korchevsky, No. 1:15-cr-00381 (E.D.N.Y. indictment unsealed Andrew N. Vollmer is Professor of Law, General Faculty, and Director of the John W. Glynn, Jr. Law & Business Program, University of Virginia School of Law; former Deputy General Counsel of the Securities and Exchange Commission; and former partner in the securities enforcement practice of Wilmer Cutler Pickering Hale and Dorr LLP. The statements in the article are solely my own and do not necessarily reflect the views of any other person. COPYRIGHT 姝 2015 BY THE BUREAU OF NATIONAL AFFAIRS, INC. insider trading ring tied to computer hackers,2 probably because the government charging documents often referred to the use of ‘‘material nonpublic information’’ to trade ahead or exploit an unfair trading advantage.3 The purpose of this paper is to consider the strength of an insider trading claim and the more general securities fraud charge on the assumption that the factual allegations are true. No doubt the defendants engaged in serious misconduct, but did they commit insider trading or securities fraud? A leading authority from the Second Circuit shows that an insider trading theory would nearly certainly fail. Prospects for the general securities fraud charges against the hackers and traders are better but only slightly. Considerable doubt hangs over the fraud claims. August 11, 2015); United States v. Turchynov, No. 15-CR-390 (D. N.J. indictment unsealed August 11, 2015). 2 See, e.g., Keri Geiger, U.S. Identifies Hacker-Linked Insider Trading Ring, Securities Law Daily (Bloomberg BNA) (August 12, 2015); Matthew Goldstein & Alexandra Stevenson, Nine Charged in Insider Trading Case Tied to Hackers, New York Times Dealbook (August 11, 2015), available at http:// www.nytimes.com/2015/08/12/business/dealbook/insidertrading-sec-hacking-case.html?_r=0; Noeleen Walder, Jonathan Stempel, & Joseph Ax, Hackers Stole Secrets for Up to $100 Million Insider-Trading Profit: U.S., Reuters (August 12, 2015), available at http://www.reuters.com/article/2015/08/12/ us-cybercybersecurity-hacking-stocks-arridUSKCN0QG1EY20150812. 3 Dubovoy 5, 6; Turchynov 1, 2, 22, 23. ISSN 0037-0665 2 The cases tell us that the SEC and federal prosecutors continue to press outward on the bounds of established securities fraud law and do so for no good law enforcement reason. U.S. authorities had a variety of more appropriate crimes they could have charged — indeed, some of them were charged. This pressure to expand the existing securities laws to capture new conduct presents dangers to defendants, future market participants, and the legal system as a whole. The courts must be steadfast in demanding that government claims stay within established legal limits. Insider Trading The Second Circuit decision in SEC v. Dorozhko4 explained why a computer hacker typically does not commit insider trading. The SEC brought a securities fraud case under Rule 10b-5 against a different Ukrainian computer hacker for conduct similar to the current cases. Dorozhko gained improper access to a secure computer server at Thomson Financial, which managed the release of earnings reports for various companies, found a still confidential negative earnings release of a health company, bought put options on the company’s stock, and then cashed out after the negative earnings report became public and the stock price declined. The district court ruled against the SEC, but the court’s analysis went astray when it concluded that every violation of Rule 10b-5 needed to involve the breach of a fiduciary duty of trust and confidence to keep information confidential or to disclose it before trading securities. The hacker did not have and therefore did not breach any such duty. He had no relationship with Thomson Financial, the health company, or market participants. For that reason, the SEC’s claim failed.5 On appeal, the SEC argued that the defendant engaged in conventional securities fraud but did not claim that the violation was insider trading (I worked on the arguments submitted to the court when I was at the SEC). The difference turned on whether the defendant made an affirmative misstatement or remained silent but had a fiduciary duty to disclose. The court of appeals agreed with the district court that the main element of a violation of Rule 10b-5 is deception but recognized that deception can occur from an affirmative misrepresentation or, in certain circumstances, silence or a failure to make a statement. Silence or the omission of a material disclosure creates securities fraud liability only when the defendant has a duty to disclose. A person engaged in insider trading does not make a statement and therefore is liable under Rule 10b-5 when he has a fiduciary duty of trust and confidence to keep information confidential and not trade on the information for personal profit. The information must be disclosed publicly before an insider with such a duty may trade. In its insider trading decisions, the Supreme Court identified the core of a case as use of information in violation of a relationship of trust and confidence.6 In Dorozhko, the court of appeals did not disagree with the district court’s conclusion that the defendant did not have a fiduciary duty to disclose or abstain from trading but, as we will discuss, left open the possibility that he committed an affirmative deception. For these same reasons, an insider trading charge against the hacker defendants in the current cases would not be successful. The heart of an insider trading case—breach of the defendant’s fiduciary duty of trust and confidence to disclose information or not trade—is missing. Securities Fraud The government also faces obstacles in proving a standard securities fraud against the hackers and the traders. For our purposes, the government must prove two principal elements: ‘‘deception’’ that occurred ‘‘in connection with’’ a securities transaction. The Hackers In Dorozhko, the SEC argued and the court accepted that computer hacking could involve deceit resembling an affirmative misrepresentation. The court also observed that hacking does not always involve deceit: In our view, misrepresenting one’s identity in order to gain access to information that is otherwise off limits, and then stealing that information is plainly ‘‘deceptive’’ within the ordinary meaning of the word. It is unclear, however, that exploiting a weakness in an electronic code to gain unauthorized access is ‘‘deceptive,’’ rather than being mere theft. Accordingly, depending on how the hacker gained access, it seems to us entirely possible that computer hacking could be, by definition, a ‘‘deceptive device or contrivance’’ that is prohibited by Section 10(b) and Rule 10b-5.7 The method a hacker used to obtain confidential information stored in another person’s computer server is therefore key. In the current cases, the government learned the lesson of Dorozhko. For example, the SEC alleged that the ‘‘hacker defendants used deceptive means to gain unauthorized access’’ to the computer systems, ‘‘employing stolen username/password information of authorized users to pose as authorized users.’’8 The Turchynov indictment alleged that hacker defendants obtained login credentials of employees of the news services and ‘‘then misrepresented their identities by using these login credentials to gain access to confidential information, including press releases.’’9 The problem is that the government allegations also refer to computer hacking methods that do not necessarily involve an intrusion by misrepresentation or deceit. The SEC complaint cited use of back-door accessmodules and, in an unfortunate slip, at one point referred to the ‘‘hacker defendants’ theft of un-published press releases.’’10 One of the criminal cases alleged that hackers used ‘‘surreptitious infiltration,’’11 which could have involved something other than the use of deceit. As a result, to satisfy the requirements of Rule 10b-5 as expressed in Dorozhko, the government will need to 7 Dorozhko, 574 F.3d at 51. Dubovoy 22. 9 Turchynov 11. 10 Dubovoy 22. 11 Korchevsky 8. 8 4 574 F.3d 42 (2d Cir. 2009). Id. at 45. 6 United States v. O’Hagan, 521 U.S. 642, 652-53 (1997). 5 10-19-15 COPYRIGHT 姝 2015 BY THE BUREAU OF NATIONAL AFFAIRS, INC. SRLR ISSN 0037-0665 3 produce evidence of the deceptive methods of obtaining access. If the hackers did use deceptive methods to break into computer data, were their actions sufficiently close to a securities trade to be viewed as ‘‘securities fraud’’? The deception must have been ‘‘in connection with’’ the purchase or sale of a security. Over time, the required link between a deceit and a securities transaction has suffered enforcement bloat and grown longer and longer. The paradigm of a deceit in connection with a securities trade is when a seller of stock lies to the buyer or has a duty of disclosure and stays silent, but Supreme Court precedent enlarged the concept. ‘‘It is enough that the scheme to defraud and the sale of securities coincide.’’12 A broker who sold a customer’s security and then took the proceeds for his own personal use did not engage in just theft; he violated Rule 10b-5 because the sale of securities coincided with the failure of the broker to tell the customer of the plan to misappropriate the proceeds.13 A lawyer who secretly converted client information to his own personal use violated Rule 10b-5 when he used the information to buy securities at the same time he deceived the source of the information.14 The claim against Dorozhko, the earlier hacking case, was a stretch on this ‘‘in connection with’’ element because his trades occurred after any deceptive entry into the Thomson Financial computers. The current cases against the hackers require a construction of that element that goes even further and therefore is not covered by established law. The hackers did not mislead an innocent buyer or seller of securities and, unlike Dorozhko, did not even trade securities. They misled computer programs, stole confidential but truthful information, and then sold it to others who traded securities. Their actions were steps away from a deception coinciding with a securities trade and further from the traditional model of securities fraud. A person using affirmative deception to take advantage of confidential information must trade a security to violate Rule 10b-5 and not just put the information to another profitable use. The Rule ‘‘does not catch all conceivable forms of fraud involving confidential information; rather, it catches fraudulent means of capitalizing on such information through securities transactions.’’15 The Traders The case against the traders is weaker still. They bought and sold securities, but did they engage in a fraud or deceit in connection with those trades? The traders engaged in no deceit at all. They did not make a misstatement to a party to a securities transaction and did not use deceptive means to intrude into the computers of the news services that had the undisclosed press releases. They remained silent, but they did not have a duty to disclose the information. The traders had no relationship with the counterparties to their trades, the news services, or the companies whose confidential press releases were stolen. They therefore did not breach a duty of trust and confidence or a duty 12 SEC v. Zandford, 535 U.S. 813, 822 (2002). Id. at 820-25. O’Hagan, 521 U.S. at 655-56. Another expansive application of the ‘‘in connection with’’ requirement was in SEC v. Pirate Investor LLC, 580 F.3d 233 (4th Cir. 2009). 15 O’Hagan, 521 U.S. at 656. 13 14 SECURITIES REGULATION & LAW REPORT ISSN 0037-0665 to disclose the press release information to the market. If the traders did not commit deception, they do not have primary liability for violating Rule 10b-5. If the allegations are correct, the traders bought information they knew was stolen and used the information to make a profit. In this way, the traders look to some extent like tippees in an insider trading case, but the theory of tipping liability has not been applied outside insider trading cases. The Supreme Court created tipping liability specifically for insider trading cases: ‘‘Not only are insiders forbidden by their fiduciary relationship from personally using undisclosed corporate information to their advantage, but they also may not give such information to an outsider for the same improper purpose of exploiting the information for their personal gain.’’16 Tipping liability therefore is closely connected to insider trading. The ‘‘tippee’s duty to disclose or abstain is derivative from that of the insider’s duty.’’17 A tippee is not liable unless the tipper committed an insider trading violation by breaching a fiduciary duty of trust and confidence for a personal benefit. As already discussed, the hackers in the current cases did not breach a fiduciary duty. That means the traders are not liable on a tipping theory. The Availability of Other Criminal Charges All this is not to say that the defendants did no wrong. They engaged in reprehensible conduct if the alleged facts can be proved, and they probably committed a variety of federal and state crimes that more neatly fit the behavior.18 The hackers broke laws against computer intrusions and wire fraud (which are charges included in the Turchynov indictment) and stole financial trade secrets.19 The traders aided and induced the violations by the hackers and knowingly received stolen property.20 Lessons for the Future What is the importance of this analysis, and what does it signify for future securities law enforcement? The importance of the cases is to raise, once again, the dangers of over-zealous pursuit of securities law violations. The government had the ability to charge one or more reasonable and appropriate crimes against the hacker and trader defendants but reached out too far to include securities fraud. Success on the securities fraud claims will require enlarging current law. The securities laws should not be engorged with novel constructions21 especially when suspected misconduct falls squarely within other prohibitions. Using 16 Dirks v. SEC, 463 U.S. 646, 659 (1983). Id. 18 See Dorozhko, 574 F.3d at 45; SEC v. Dorozhko, 606 F. Supp. 2d 321 (S.D.N.Y. 2008). 19 18 U.S.C. § § 1030(a)(2) (unauthorized access to information in a computer), 1343 (wire fraud), 1832 (theft of confidential financial information), 2314 (transmission of stolen property). 20 See 18 U.S.C. § § 2 (aiding, abetting, or inducing a federal crime), 2315 (receiving stolen property). 21 See Andrew N. Vollmer, Four Ways To Improve SEC Enforcement 7-8, available at http://ssrn.com/abstract=2637913. 17 BNA 10-19-15 4 untested and broadened legal theories creates uncertainty and unpredictability about the scope of securities fraud, which can deter beneficial conduct in the markets. It treats the defendants unfairly because they do not have sufficient notice of the way the securities laws would be interpreted and applied to them. We might not have much sympathy for these particular defendants and therefore might be more accepting of new legal interpretations that reach them, but, if the government establishes liability on the securities fraud theories, these cases will create precedents that extend the reach of the securities fraud laws. In the future, the precedents could be used to trip up less culpable market participants. One person’s questionable access to information combined in some way with a distant securities transaction by another person would be enough for criminal and civil liability for both. Furthermore, siding with the SEC and criminal prosecutors in these cases encourages them to disregard the limits of settled law and threaten arbitrary claims in the future.22All of those are corrosive consequences that are entirely avoidable given the availability of more suitable criminal charges. 22 In O’Hagan, Justice Thomas expressed a series of concerns with a similar expansion of the ‘‘in connection with’’ element and the discretion it conferred on government enforcement of Rule 10b-5. O’Hagan, 521 U.S. at 680-92 (Thomas, J., concurring in the judgment in part and dissenting in part). 10-19-15 The computer hacking cases also illustrate the government’s persistent quest to use the securities antifraud provisions to outlaw informational differences in securities trades. The history of government enforcement in the insider trading area shows a drive to create rules of law mandating information symmetry in the securities markets. The Second Circuit traced part of this history in Newman and observed: ‘‘Although the Government might like the law to be different, nothing in the law requires a symmetry of information in the nation’s securities markets.’’ 23 The Supreme Court explicitly repudiated that position and stressed that ‘‘that insider trading liability is based on breaches of fiduciary duty, not on informational asymmetries.’’24 The computer hacking cases are evidence that the government has not changed course. The emphasis in the SEC complaint is on the defendants’ trading advantage from access to material, non-public information. Because of this pressure from government enforcement to treat informational differences in securities markets as illegal, the courts must remain resolute in requiring proper proof of a deception in connection with a securities trade. The securities laws and the SEC do not police the world. Some bad acts are not securities fraud. 23 United States v. Newman, 773 F.3d 438, 448-49 (2d Cir. 2014). 24 Id. COPYRIGHT 姝 2015 BY THE BUREAU OF NATIONAL AFFAIRS, INC. SRLR ISSN 0037-0665
