SEC’s Internet Police Turns 10 Years Old: The Birth and Evolution of the Office of Internet Enforcement

By Bruce Carton

I was a lawyer in the Securities and Exchange Commission’s Division of Enforcement from 1995 to 1997, a time perhaps most notable for being the infancy of the public’s use of the Internet. When I first arrived at the SEC, our online resources consisted of a single station that we called a “Bridge machine” that provided some basic business news and a “Ticker Room” that consisted of a couple of Bloomberg terminals.

Sometime in 1995—just around the time that most of us at the SEC were first starting to hear about the World Wide Web—an Internet terminal appeared in the Ticker Room. I recall taking turns with others clicking on links on Yahoo and trying to figure out what in the world the Web could possibly be used for.

OIE Chief John Reed Stark
OIE Chief John Reed Stark

One of our more tech-savvy colleagues in the Enforcement Division, however—a staff attorney named John Stark—quickly concluded that the Internet had the potential to pose huge new challenges to the enforcement program. Stark and another staff attorney, Dave Gionfriddo, took the bold step of drafting a memo to then-Enforcement Director Bill McLucas identifying the imminent, newfangled threat of online securities fraud.

Their memo suggested that the SEC implement a range of measures to address Internet fraud issues, including establishing an online fraud office. For his initiative, Stark was promptly named “special counsel for Internet projects” to head up the SEC’s fledgling efforts to understand the enforcement-related issues arising from the Internet and to create and train a group of lawyers at the SEC who could begin to bring cases in this area.

Initially, Stark says, he “was just one guy with a computer and a telephone” facing a sea of fraudsters growing exponentially along with the Internet. Over the course of several years, however, Stark was able to create the beginnings of an “office” of people interested in Internet-related investigations and litigation. And in July 1998, the SEC officially created the Office of Internet Enforcement (OIE); Stark became its first chief.

One of the first tools that the SEC employed in its Internet efforts was the Enforcement Complaint Center, essentially an e-mail address at the SEC to which the public could send tips. Back in 1996, Stark received only about 20 such complaints per day; now the number runs as high as 10,000. Between the ECC and the growing number of SEC attorneys surfing the Internet for fraud in the mid-1990s, Stark’s group found that it hardly had to look for fraud.

“It was everywhere and the promoters were brazen,” he now says. Stark recalls that his team could visit any investment-related message board and find dozens of fraudulent come-ons. “The fraudsters seemed more surprised to hear from us than anything else. They didn’t realize we had heard about the Net yet—and then became even more surprised to find that we were one step ahead of them.”

After the Commission formally created the OIE in 1998 and Stark started adding staff, Internet enforcement efforts became more intense. One of the OIE’s first actions was the NEI Webworld case, where it charged three California men with hyping a penny stock through message-board postings they made via a University of California Los Angeles library computer. Stark describes the NEI Webworld case as one that “had a little bit of everything” and which really helped “put OIE on the map.” The OIE cooperated closely with criminal prosecutors as well as the National Association of Securities Dealers on the case.

Another important early case was the “Dr. Noe” case. Stark says that this was the first chance the OIE had to “really come face to face with recidivists, in this case, two septuagenarian brothers running a $1.1 million Ponzi scheme.” Thanks to dogged staff work, he says, both brothers received multi-year prison sentences.

Online Enforcement in the Modern Era

Today the OIE works with every agency and group involved in policing the Internet: the Financial Industry Regulatory Authority (the successor to the NASD); the Justice Department and its various U.S. attorneys around the country; the cyber-crime division of the FBI; the Secret Service, the Postal Inspectors’ Office; and a flock of state regulatory and law enforcement agencies. The OIE has also recently been cultivating a productive relationship with the National Cyber Forensic Training Alliance, a public-private partnership working to couple private sector subject-matter experts with government regulators chasing cyber-crime.

Looking back over the last 10 years, Stark considers recent “intrusion” cases to be among the most challenging his office has handled. Intrusion cases involve fraudsters who hijack the online brokerage accounts of unwitting investors using stolen usernames and passwords, and make trades to manipulate markets for their own benefit in these accounts. Stark says that the SEC’s recent Marimuthu intrusion case involved a fairly sophisticated hack by foreign nationals, a parallel criminal investigation, and extradition issues.

Stark also points to the Boling case (aka the “Vicemail” case) as another particularly interesting OIE matter. Boling involved a scheme to falsely promote five microcap stocks using mass-broadcast voicemail messages, with fake tips about those stocks. The messages were designed to deceive the recipient into believing he or she had inadvertently received a “hot” stock tip meant for a close friend of the caller. The Vicemail case also has the distinction of generating the most complaints to the Enforcement Complaint Center e-mail box ever: approximately 1,500 complaints from people who came home to find the vicemail on their voicemail. Many people even went so far as to send the SEC the actual audio files via e-mail. (And yes, you can listen to one of the infamous “vicemails” at the SEC’s Website.)

As the OIE has grown and evolved since 1998, it has taken on cases outside of pure online enforcement. Stark says these cases run the gamut from conventional manipulation and insider trading to sophisticated account intrusions, hedge fund short sale violations, major offering disclosure violations, and violations of anti-money-laundering rules. At this point, he says, no case is too big or too small for the OIE. He sees future OIE work moving toward technologically sophisticated fraud that crosses international borders. Hacker intrusion cases, which frequently involve defendants in Eastern Europe, are among the most prominent examples of this, and Stark says the OIE benefits greatly in these cases from the expertise of the SEC’s Office of International Affairs.

Stark also says he now sees an almost unprecedented level of interest in cyber-securities fraud among regulators and industry groups. The CyberFraud Symposium hosted by OIE in September (in honor of the OIE’s 10-year anniversary), for instance, was attended by hundreds of representatives from nearly every federal and state law enforcement authority and regulatory agency. Stark expects the cooperative efforts among these entities to continue to grow in the future and believes that it will be critical to leverage the respective expertise of all areas of federal and state government to stay one step ahead of online fraud.

What is on the horizon for the OIE’s next 10 years? Stark says people clearly are doing more and more online every day, and that trend probably won’t ever stop. As a result, he says, more of our data, personal information, and wealth is going to travel online. He believes the tension between privacy and effective regulation will always be a hot frontier and that the law will need to grow and change to accommodate situations that lawmakers have never contemplated.

Originally published in Compliance Week. Reprinted with permission. © 2008 Financial Media Holdings Group, Inc. All Rights Reserved. Compliance Week can be found at http://www.complianceweek.com. Call (888) 519-9200 for more information.