Amy Greer is a partner at Reed Smith LLP where she divides her time between the firm’s Philadelphia and New York offices. She is co-leader of the firm’s Securities Litigation and Enforcement practice.
Last week, the Second Circuit decided SEC v. Dorozhko, vacating the decision of the district court and holding that an alleged computer hacker who had traded on information stolen for that purpose, while not liable for insider trading, may still have violated Section 10(b) of the Exchange Act even absent a finding that he had breached a fiduciary duty. The Court of Appeals concluded that where a computer hacker employs a deceptive, fraudulent misrepresentation to steal information, and then uses that information to purchase or sell securities, he may be liable under Section 10(b).
In its Dorozhko opinion, the Court stopped short of analyzing the facts, leaving it to the district court, on remand, to determine whether this hack included a fraudulent misrepresentation. However, this decision vindicates a theory that the SEC has used before, in SEC v. Lohmus Haavel & Viisemann, No. 05-CV-9259 (S.D.N.Y.) (settled); SEC v. Blue Bottle Ltd., No. 07-CV-01380 (S.D.N.Y.) (default); and SEC v. Stummer, No. 08-CV-03671 (S.D.N.Y.) (settled). Given the prevalence of computer hacking, other technology-based frauds, and the SEC’s never-ending challenge to apply decades-old statutes to novel fraudulent schemes, this case represents an important precedent for the agency.
Dorozhko, a Ukrainian national and resident, had opened an on-line brokerage account, deposited about a year’s worth of his income, and on October 17, 2007, bet nearly all of it on risky, out-of-the-money and at-the-money put options on the stock of IMS Health, Inc. See generally Dorozhko Complaint; see also SEC v. Dorozhko, No. 08-0201 (2d Cir. July 22, 2009) (“Opinion”) at pp. 2-4. That day, after trading closed, IMS Health announced it would miss earnings estimates by 28%, and the stock took its steepest tumble ever. Id. The next morning, Dorozhko sold all of the options, realizing profits of over $280,000. Id. According to its investigation, the SEC found that, also on October 17, just prior to Dorozhko’s options purchases, Thomson Financial, which had hosted the IMS Health investor relations website, had been the victim of a computer hacker who covered his identity with a location-hiding technique called “spoofing,” somehow overcame the security barriers at the hacked site to gain unauthorized access to the confidential information on the secure site, and then departed the compromised site, leaving no traces of having been there. See SEC Opening (Appellate) Brief at pp. 4-7, 26-28.
Following a path it had started down in the prior cited cases, when it sued Dorozhko, the SEC did not charge insider trading, instead pleading that he had committed securities fraud, violative of Section 10(b) and Rule 10b-5, based on Dorozhko’s alleged computer hacking, and its attendant deceptive conduct, which was effected in connection with the purchase or sale of securities. This direct application of Section 10(b) fully reclaims the breadth of what the statute’s legislative history describes as the “catchall” provision against all types of securities fraud. Moreover, these cases can now be fully distinguished from the insider trading cases they seem to resemble factually, but from which they importantly differ.
Judge José A. Cabranes, writing for the Second Circuit panel, opined that the conduct alleged in Dorozhko is not insider trading and is distinguishable both from the conduct routinely recited in the standard insider trading canon, where the trader first obtains the material non-public information through neither deception nor misrepresentation, and from the other cited Section 10(b) cases that involved failures to disclose, where the actor committing the fraud does not speak in the face of a duty to reveal his actions. “While Chiarella, O’Hagan, and Zandford all dealt with fraud qua silence, an affirmative misrepresentation is a distinct species of fraud.” Opinion at p. 10. Thus, computer hacking, as affirmative conduct, can be an actionable “deceptive device” under Section 10(b), which requires no breach of a fiduciary or disclosure duty be identified.
“In this case . . . the SEC argues that defendant affirmatively misrepresented himself in order to gain access to material, nonpublic information, which he then used to trade. We are aware of no precedent of the Supreme Court or of our Court that forecloses or prohibits the SEC’s straightforward theory of fraud.” Opinion at p. 11. And this is, of course, as it must be, given the language and the purpose of the statute and the rule. As Justice William O. Douglas noted, writing for a unanimous Supreme Court, “We believe that § 10(b) and Rule 10b-5 prohibit all fraudulent schemes in connection with the purchase or sale of securities, whether the artifices employed involve a garden type variety fraud, or present a novel form of deception. Novel or atypical methods should not provide immunity from the securities laws.” Superintendent of Insurance v. Bankers Life and Casualty Co., 404 U.S. 6, 10 n. 7 (1971).
The Second Circuit has remanded Dorozhko for a determination of whether the conduct was indeed deceptive within the meaning of the statute and rule. “In our view, misrepresenting one’s identity in order to gain access to information that is otherwise off limits, and then stealing that information is plainly ‘deceptive’ within the ordinary meaning of the word. It is unclear, however, that exploiting a weakness in an electronic code to gain unauthorized access is ‘deceptive,’ rather than being mere theft.” Opinion at p. 13.
Whether the district court will find that Dorozhko engaged in the requisite level of deception in connection with his hacking conduct remains unclear. However, one wonders whether the Second Circuit’s opinion hasn’t put too fine a point on the distinction, stepping onto that famous slippery slope. Gaining “unauthorized access,” after all, presupposes some deception or trick resulting in confidential information being provided that should not have been disclosed. When a computer system is hacked – conduct criminalized under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, et seq. – to obtain confidential information, expressly for the purpose of trading on that information, such facts would appear to mandate a conclusion that such a deception violates Section 10(b) and Rule 10b-5, just as the Second Circuit concluded in Dorozhko. But like so much precedent in this area, while it does offer some vindication for the SEC’s position, rather than offering certainty, Dorozhko appears merely to offer structure for the analysis of all the questions still to come.