Computer Hacking and Securities Fraud

In a recent paper, I considered the strength of securities fraud charges asserted in several computer hacker cases filed in mid-2015.[1]  Some of the defendants in the cases were the hackers who used computer methods to obtain unauthorized access to corporate press releases before they were released to the public.  Other defendants were the traders who paid for the stolen information and used it to buy and sell securities.  The press cast the scheme as an insider trading ring tied to computer hackers,[2] but the SEC and criminal authorities asserted general securities fraud charges under Rule 10b-5.

On the assumption that the factual allegations in charging documents were true, the defendants engaged in serious misconduct, but did they commit insider trading or securities fraud?  Both claims are flawed and weak.

Insider trading

The Second Circuit decision in SEC v. Dorozhko[3] explained why a computer hacker typically does not commit insider trading (I worked on the arguments submitted to the court when I was at the SEC).  A person engaged in insider trading does not make an affirmative misstatement and therefore is liable under Rule 10b-5 only when he has and breaches a fiduciary duty of trust and confidence to keep information confidential and not trade on the information for personal profit until after the information has been disclosed publicly.  A computer hacker does not commit this violation because he does not have and therefore does not breach such a fiduciary duty to the company, the shareholders, or any other person relevant to the trading.

General securities fraud

The strength of the more general securities fraud charges requires consideration of two elements:  “deception” that occurred “in connection with” a securities transaction.  The hackers and traders need to be examined separately.

The hackers

The first question is whether the hackers engaged in deceit.  In Dorozhko, the SEC argued and the court accepted that computer hacking could involve deceit resembling an affirmative misrepresentation.  The court also observed that hacking does not always involve deceit and could be “mere theft.”

In the current hacking cases, the government allegations were not decisive on the use of deceit.  Some allegations asserted deceit, such as the SEC claim that the “hacker defendants used deceptive means to gain unauthorized access” to the computer systems, “employing stolen username/password information of authorized users to pose as authorized users,”[4] but other allegations referred to computer hacking methods that did not necessarily involve an intrusion by misrepresentation or deceit.  As a result, to satisfy the requirements of Rule 10b-5 as expressed in Dorozhko, the government will need to produce evidence of the deceptive methods of obtaining access.

If the hackers did use deceptive methods to break into computer data, were their actions sufficiently close to a securities trade to be viewed as “securities fraud”?  The deception must have been “in connection with” the purchase or sale of a security.

Over time, the required link between a deceit and a securities transaction has suffered enforcement bloat and grown longer and longer.  “It is enough that the scheme to defraud and the sale of securities coincide.”[5]

Nonetheless, the current cases against the hackers require a construction of this “in connection with” element that goes further than established law.  The hackers misled computer programs, stole confidential but truthful information, and then sold it to others who traded securities.  They did not trade securities.  Their actions were steps away from a deception coinciding with a securities trade.

The traders

The case against the traders is weak for a different reason.  They bought and sold securities, but did they engage in a fraud or deceit in connection with those trades?

The traders engaged in no deceit at all.  They did not make a misstatement to a party to a securities transaction and did not use deceptive means to intrude into computers for the undisclosed press releases.  They remained silent before trading, but they did not have a duty to disclose the information.  If the traders did not commit deception, they do not have primary liability for violating Rule 10b-5.

The traders resembled tippees in an insider trading case, but the concept of tipping has been limited to that kind of case.  In these computer hacking cases, neither the hackers nor the traders had or breached a fiduciary duty of trust and confidence owed to others involved in the trading.  The misconduct was not an insider trading or tipping violation.

The availability of other criminal charges

All this is not to say that the defendants did no wrong.  They engaged in reprehensible conduct if the alleged facts can be proved, and they probably committed a variety of federal and state crimes that more neatly fit the behavior,[6] such as laws against computer intrusions, wire fraud, and aiding and abetting primary offenses.

Lessons for the future

The recent computer hacking cases are important because they create dangers from over-zealous pursuit of securities law violations.  The government had the ability to charge one or more reasonable and appropriate crimes against the hacker and trader defendants but reached out too far to include securities fraud.

Success on the securities fraud claims will require enlarging current law.  When the government uses untested and broadened legal theories in an enforcement case, it disserves the legal system.  It treats the defendants unfairly, expands the law to catch future conduct that might not be blameworthy, and encourages the SEC and criminal prosecutors to threaten arbitrary claims in the future.

The securities laws and the SEC do not police the world.  Some bad acts are not securities fraud.

ENDNOTES

[1]                 The SEC brought a civil enforcement case, and two U.S. Attorneys Offices brought criminal cases.  SEC v. Dubovoy, No. 2:15-cv-06076 (D. N.J. filed August 10, 2015); United States v. Korchevsky, No. 1:15-cr-00381 (E.D.N.Y. indictment unsealed August 11, 2015); United States v. Turchynov, No. 15-CR-390 (D. N.J. indictment unsealed August 11, 2015).

[2]                See, e.g., Keri Geiger, U.S. Identifies Hacker-Linked Insider Trading Ring, Securities Law Daily (Bloomberg BNA) (August 12, 2015); Matthew Goldstein & Alexandra Stevenson, Nine Charged in Insider Trading Case Tied to Hackers, New York Times Dealbook (August 11, 2015), available at http://www.nytimes.com/2015/08/12/business/dealbook/insider-trading-sec-hacking-case.html?_r=0; Noeleen Walder, Jonathan Stempel, & Joseph Ax, Hackers Stole Secrets for Up to $100 Million Insider-Trading Profit:  U.S., Reuters (August 12, 2015), available at http://www.reuters.com/article/2015/08/12/us-cybercybersecurity-hacking-stocks-arr-idUSKCN0QG1EY20150812.

[3]                574 F.3d 42 (2d Cir. 2009).

[4]                Dubovoy 22.

[5]                SEC v. Zandford, 535 U.S. 813, 822 (2002).  See also United States v. O’Hagan, 521 U.S. 642, 655-56 (1997); SEC v. Pirate Investor LLC, 580 F.3d 233 (4th Cir. 2009).

[6]                See Dorozhko, 574 F.3d at 45; SEC v. Dorozhko, 606 F. Supp. 2d 321 (S.D.N.Y. 2008).

The preceding post comes to us from Andrew N. Vollmer, who is Professor of Law, General Faculty, and Director of the John W. Glynn, Jr. Law & Business Program at the University of Virginia School of LawThe paper is available on SSRN and was published at 47 Sec. Reg. & L. Rep. 1985 (October 19, 2015).