By: Jaclyn Collier
How does the Securities and Exchange Commission (“SEC”) go after a hacker for insider trading when the hacker is neither an insider nor a trader? Despite many scholarly articles opining on this very topic, the answer is still somewhat unclear.
In August 2015, the SEC charged 32 individuals and corporate entities in a civil complaint with violating what are often referred to as the insider trading rules. (S.E.C. v. Dubovoy et al). In the complaint, the SEC alleges that the group engaged in a two-step process whereby the hackers would hack into newswire services and acquire material non-public information from press releases and other news announcements that had not yet been released to the public. They did this by using stolen usernames and passwords, concealing the identity of the computers they used to hack into the newswire services, utilizing computer code that covered the hacker’s tracks, and using something the SEC called “back-door access-modules” (which was left undefined).
The complaint further alleges that the hackers sold that information to traders who would use the information to trade in that security or derivatives of that security to make a profit. The complaint states over the span of five years this scheme may have netted the group over $100 million in illicit profits. Section 10(b) and Rule 10(b)-5 of the Securities Exchange Act are key rules that the SEC uses to prosecute insider trading cases. Section 10(b) prohibits, among other things, purchasing a security through the use of a “deceptive device.” For the most part, Section 10(b) has been interpreted as requiring a breach of fiduciary duty. That is, until the Second Circuit’s decision in SEC v. Dorozhko. (S.E.C. v. Dorozhko, 574 F.3d 42, 50 (2d Cir. 2009)). In Dorozhko, the defendant hacked into a newswire service, obtained material non-public information, and then traded on that information for a net profit of over $280,000. (Id. at 44). The court held that corporate outsiders who engaged in hacking could be in violation of Section 10(b) if the hacking included an affirmative misrepresentation (Id. at 50). The court provided some examples of what types of hacking might be considered an affirmative misrepresentation, such as gaining access to information by misrepresenting one’s identity (Id.). However, the court remanded the case for further fact finding (S.E.C. v. Dorozhko, 574 F.3d 42, 50). Interestingly, by the time the case was remanded, the defendant had disappeared, and thus summary judgment was granted to the SEC. This means that the meat of the issue here, namely, what methods of hacking are considered deceptive and therefore an affirmative misrepresentation, was left for another day.
Given the unanswered questions in Dorozhko, the issue in the Dubovoy case is going to be whether the SEC can successfully prove that the hackers engaged in conduct that amounts to an affirmative misrepresentation and a violation of Section 10(b). In my view, the SEC has a couple of significant obstacles in prosecuting this case. First of all, three of the four tactics that the SEC alleges the hackers used in obtaining the unauthorized access to the system were left unaddressed by Dorozhko. Questions like whether it is misleading to exploit a weakness in a firewall or security system, or blocking your IP address will need to be resolved. The SEC will have the burden of proving that these means were deceptive within the ordinary meaning of the word, but this may be to the SEC’s benefit. Most people (including judges), are generally unaware of the intricacies of cybercrimes and hacking. As such, the SEC may be able to use that to its advantage and help shape the law in this area in such a way that it provides the SEC with a broad definition of “deceptive” under Section 10(b) with respect to hacking.
Another potential issue is that the affected newswire services may not want to fully explore how their systems were hacked. It may seem counterintuitive, but in conjunction with the Dorozhko case, the affected newswire service decided not to explore Dorozhko’s hacking technique in order to protect certain trade secrets. If the newswire services involved in the Dubovoy case follow the same path, this could leave the SEC with less than sufficient information for the fact finder to determine whether the hacker’s techniques were deceptive. Last but not least, the fourth tactic, use of stolen usernames and passwords, was described as deceptive by the Second Circuit; however, it remains to be seen whether this device was used in every instance of hacking. If it was not, and the other tactics are determined not to be “deceptive,” then it is possible that the SEC will only be successful in those instances where it can prove the hackers used the stolen usernames. It will be interesting to watch this case unfold and see how the SEC handles these potential pitfalls.
Bio: Jaclyn Collier is a staff member on the Journal of High Technology Law. She is currently a 3L evening student at Suffolk University Law School. Jaclyn is a compliance officer at a financial services firm. She enjoys hiking, reading (thankfully), and volunteering at charity events.