Consider this scenario: A Microsoft employee sneaks into Microsoft’s CFO’s office, reads secret files about an upcoming positive earnings announcement and then buys Microsoft stock before that announcement. Is the Microsoft employee guilty of unlawful insider trading? Of course.
But suppose instead, a thief, who does not work at Microsoft, breaks into Microsoft headquarters via a basement window at midnight, reads Microsoft’s CFO’s papers about an upcoming positive earnings announcement and then buys Microsoft stock before that announcement. Is the thief guilty of insider trading? Historically, the SEC did not charge the thief with insider trading because a thief is just that, a thief, and not an insider or securities swindler.
Today, however, the SEC staff is dramatically changing course. The SEC has now begun targeting the thief, because the break-in is no longer through a basement window; instead, it is through a virtual window, in cyberspace.
Early in 2015, the SEC began issuing new and novel requests and subpoenas to public companies about any and all data breaches (or attempted breaches) they have experienced. The SEC apparently selected the public companies that, according to cybersecurity firm FireEye, had experienced recent data breaches targeting inside information. FireEye had previously released a December 1, 2014 report about a group of hackers called “FIN4.” The report said that FIN4 was targeting the email accounts of top executives, lawyers and others in an effort to obtain non-public information about merger and acquisition deals and major market-moving announcements.
Welcome to the latest SEC dragnet, a dragnet targeting an emerging and dangerous threat to securities markets – unlawful outsider trading.
The SEC and Insider Trading: A Jumbled Judicial Concoction
Understanding the newfangled (and innovative) SEC jurisprudence of outsider trading begins with a quick review of traditional notions of insider trading.
For starters, most insider trading is perfectly legal, such as when corporate executives buy stock in their own companies as an investment. Unlawful insider trading occurs when, for instance, executives buy stock in their own company based on material, nonpublic information learned at the office.
The rationale for policing unlawful insider trading is that for the markets to work efficiently and fairly, everyone needs to be working with the same basic information, or at least that someone with access to nonpublic information should be prevented from taking advantage of it before other investors. The prohibition on unlawful insider trading levels the playing field and protects the integrity of financial markets.
Some insider trading cases are straightforward, such as when a corporate executive trades stock in his or her company before the company’s earnings announcement. The executive has a duty to not trade on corporate information, described in the law as a “fiduciary duty or other duty of trust and confidence.”
But the outer edges of insider trading law are murky at best, especially when it is not clear whether a fiduciary duty attaches to a given person, such as when “mere thieves” or strangers learn and trade upon confidential financial information gained through a cyber attack.
The reason for the vagaries is that the SEC’s statutes, rules and regulations make no explicit mention of unlawful insider trading; the prohibition is purely a judicial concoction, advancing over time. Judges derive insider trading violations from Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5 promulgated thereunder (together, the “SEC’s antifraud provisions”), which are a “catchall” aimed at fraud, requiring some sort of “device, scheme or artifice to defraud” or some action which would otherwise “operate as a fraud or deceit upon a person.”
The SEC’s antifraud provisions are not intended as a specification of particular acts or practices that constitute fraud, but rather are designed to tackle the infinite variety of devices by which undue advantage may be taken of investors and others. Indeed, the Supreme Court has held that the SEC’s antifraud provisions prohibit all fraudulent schemes in connection with the purchase or sale of securities, whether the artifices employed involve a garden type variety of fraud, or present a unique form of deception.
The “Classical” and “Misappropriation” Theories of Insider Trading
Courts have created two general theories to guide the application of their judicially designed insider trading doctrine.
Under the first, the classical theory, insider trading occurs when a corporate insider trades in the securities of his or her corporation on the basis of material, non-public information. A corporate insider is entrusted with confidential information by virtue of his or her position, and in return owes fiduciary duties to the shareholders not to use that information for personal gain.
Under the second and more recently decreed “misappropriation theory,” courts extended liability for securities violations beyond classical insiders to those who misappropriate material, nonpublic information for use in a securities transaction in violation of some fiduciary or fiduciary-like duty that they owe to a party.
The SEC and Outsider Trading: The New Paradigm
Outsider trading differs from both classical theory and the misappropriation theory. It differs from classical insider trading in that there is no pre-existing relationship of trust and confidence between the source of the information and the hacker who does the trading. It differs from misappropriation theory in that the “deception” usually relates directly to the hacking or unauthorized computer access and is a bit more attenuated from the securities transaction.
In other words, with cyber thieves who trade on information stolen during a data breach, the SEC is extending unlawful insider trading to a third and new category of securities miscreant — “outsiders” — who do not work for (or with) the company, and who do not owe a duty to anyone.
The SEC staff’s legal argument for charging unlawful outsider trading is that cyber thieves are masquerading as company insiders and are therefore committing securities fraud. Though a bit of a leap, there are actually a few SEC enforcement actions that have already evidenced (though not truly tested) the SEC’s adoption of its new outsider trading canon.
SEC v. Lohmus, Havel & Viisemann
The first outsider trading SEC enforcement action was SEC v. Lohmus, Havel & Viisemann, et al. in 2005. The SEC charged that Lohmus, an Estonian investment bank, and two of its employees obtained more than 360 confidential, soon-to-be-released press releases of U.S. publicly traded companies by stealthily “spidering” the BusinessWire website for material, non-public information. BusinessWire at the time was a leading commercial disseminator of news releases and regulatory filings.
A “spider” is a program that visits websites and reads their pages and other information in order to create entries for a search engine index. The major Internet search engines all employ spider programs, which are also known as “crawlers” or “bots.”
The SEC claimed that Lohmus became a client of BusinessWire for the sole purpose of gaining access to BusinessWire’s secure client website. The SEC alleged that once Lohmus had access, Lohmus surreptitiously utilized a more sophisticated and clandestine spider program, which provided unauthorized access to confidential information contained in impending nonpublic press releases of other BusinessWire clients, including their expected time of issuance.
The SEC further alleged that the information stolen by Lohmus allowed them to strategically time their trades around the public release of news involving, among other things, mergers, earnings and regulatory actions. The SEC charged that, using several U.S. brokerage accounts, Lohmus traded the stocks of the companies whose confidential press release information they had stolen, and purchased options to increase their profits.
The SEC’s outsider trading legal theory in Lohmus was never tested in court, because eventually Lohmus and the two charged Lohmus employees settled with the SEC, without admitting or denying wrongdoing. Among other relief, the final judgments ordered one of the employees to pay over $14 million and another to pay over $650,000 in disgorgement and penalties, while Lohmus was ordered to pay a penalty of $650,000.
SEC v. Blue Bottle
The next outsider trading SEC enforcement action was in early 2007 in SEC v. Blue Bottle et al. Blue Bottle was a Hong Kong accounting firm that the SEC charged engaged in a fraud very similar to Lohmus’s scheme. Specifically, the SEC alleged that Blue Bottle hacked into computers of a newswire service to view press releases before they were published and then repeatedly executed transactions in the securities of 12 public companies just prior to press releases by those companies, netting $2.7 million in trading profits.
The SEC never specified the name of the news service breached by Blue Bottle, stating only that Blue Bottle made its profits by hacking into computer networks or otherwise improperly obtaining electronic access to systems that contain information about imminent news releases. Instead, the SEC merely alleged that based on “the disparate companies” in which Blue Bottle traded, the timing of the trades and the profit they generated, the firm had tapped into a third party computer system to learn nonpublic data.
Blue Bottle’s scheme included “put” and “call” options trading, a more sophisticated trading technique. A call option is basically a contract that gives the buyer the right, but not the obligation, to buy an agreed-upon amount of stock by an agreed-upon date for a specific price. With call options, the buyer is betting the stock price will go up. A put option, on the other hand, is a high-stakes bet that the company’s stock will drop quickly. With puts, the investor only gets a payout if the stock goes down.
In one set of trades, Blue Bottle bought 10,500 put contracts on Symantec. Blue Bottle was betting that Symantec’s stock price would drop by Jan. 20. On Jan. 16, which was the next trading day after Blue Bottle bought the puts, Symantec issued a downward revision of its third-quarter 2007 earnings and revenue forecast. Symantec also announced more “conservative guidance” for the rest of the fiscal year. Symantec’s news came out at 7:48 that morning, and Blue Bottle began selling its puts at 9:30 am, generating profits of over $1 million.
Despite Blue Bottle’s large profits, the SEC’s foray into outsider trading attracted very little attention; perhaps because, just like in the Lohmus SEC enforcement action, the Blue Bottle matter was never contested. Before any judge could opine on the SEC’s outsider trading theory, Blue Bottle defaulted and a final judgment was ordered, which included, among other relief, an almost $11 million penalty and disgorgement order.
SEC v. Dorozhko
An opportunity for a judicial test of the SEC’s outsider trading theory arose once again in late 2007 in SEC v. Oleksandr Dorozhko, an SEC outsider trading action that was initially dismissed, then reinstated after an SEC appeal.
The Dorozhko matter involved an Eastern European who bet nearly a year’s worth of his income that a stock price would drop in two days, realizing profits of $280,000 (more than 5 times his yearly income). The SEC alleged that Dorozhko gained access to material non-public information from a data breach into a third party information dissemination computer network and made his trades based on that stolen information.
Specifically, Dorozhko opened an online trading account in which he deposited $42,500 in October 2007. Shortly thereafter, a hacker gained access to earnings data for IMS Health, Inc. via the servers of Thomson Financial, Inc., the company providing investor relations and web-hosting services to IMS. According to the SEC, the hacker cloaked his identity and hid his tracks, but managed to overcome the security barriers at the site and gain unauthorized access to confidential information on the secure site.
Within an hour of the hacker’s obtaining this information, Dorozhko used his online trading account for the first time, purchasing almost $42,000 of IMS put options, essentially betting that IMS stock would decline significantly in the near future. Later the same day, IMS announced that its earnings were 28% below analysts’ expectations. When the market opened the next morning, the price of IMS stock dropped by about a third and Dorozhko sold his put options, realizing a profit of approximately $286,000. The SEC alleged that the hacker was Dorozhko, and charged him with outsider trading.
The District Court in the Dorozhko matter then dismissed the SEC action, holding that absent a fiduciary duty, Dorozhko’s conduct did not amount to any kind of securities fraud. The Court noted that Dorozhko’s trading was not “deceptive” and that Dorozhko was not an officer, director, representative or agent of IMS Health, Thomson Financial, or any other relevant party, so Dorozhko owed no fiduciary duty to anyone. The district court found that Dorozhko was merely a hacker, an outsider with no relationship to IMS or Thomson, and he could not be liable for unlawful insider trading.
The district court rejected the SEC’s outsider trading theory and held that computer hackers who steal and use information may be criminally liable for theft and computer crime, but it was too much of a stretch to charge them with any kind of securities fraud.
The SEC appealed the Dorozhko district court decision and the United States Court of Appeals for the Second Circuit overturned the District Court’s Dorozhko decision. The Second Circuit noted that the SEC did not need to prove the existence of a fiduciary duty because Dorozhko affirmatively misrepresented himself in obtaining the confidential information. The Second Circuit recognized that when a cyber attacker trades on stolen, exfiltrated confidential information, the SEC could charge the cyber attacker with outsider trading.
Some might argue that Dorozhko was the first formal judicial recognition of outsider trading, but there was a slight snag to the Second Circuit’s reversal. The Second Circuit remanded the case to the district court for further proceedings as to the nature of Dorozhko’s hacking process — noting that hacking might not be a securities fraud if, for instance, it was based on discovering weaknesses in software rather than on a deception, such as a hacker using hijacked employee credentials.
The new Dorozhko trial result could have perhaps hardened outsider trading theory but, alas, after Dorozhko’s attorney confirmed he was unable to get in touch with Dorozhko, the District Court granted summary judgment to the SEC and, among other relief, ordered Dorozhko to pay a civil penalty of approximately $286,000, Dorozhko’s net profit from trading the IMS put options.
Thus, the theory of outsider trading, while partially vetted by the Second Circuit, still remains arguably untested; i.e., the question remains whether exploiting a weakness in software is a mere theft or is instead a deception and therefore unlawful outsider trading.
SEC v. M.A.S.
The last outsider trading SEC matter was filed in 2008 and involved a rather primitive version of hacking and computer intrusion. The matter, SEC v. M.A.S., also dubbed by the media as the “Brother-in-law from Hell: Wall Street Edition,” involved a day trader who: 1) snuck into his brother-in-law’s bedroom during a family get-together; 2) stole his brother-in-law’s computer password; 3) logged on to his brother-in-law’s computer; 4) reviewed, on the computer, material nonpublic information about a possible tender offer by the brother-in-law’s private equity firm (CI Capital Partners) for a public company (Ryan’s Restaurant Group); and 5) made profitable trades based on that information.
Like the other outsider trading matters before it, the matter was also never contested. The defendant settled with the SEC without admitting or denying wrongdoing, and paid a penalty of about $46,000 and about $46,000 in disgorgement of his ill-gotten trading gains.
Securities markets face a dynamic and challenging threat in the cyber thief. No longer are social security numbers, credit card information and the like the primary focus of hackers. Information is the target – and public companies (and their vendors) have a lot of it. For the first time in history, thieves from anywhere on the planet can use their cyber-wares to orchestrate corporate espionage and remotely trade stock based on stolen secrets.
As the Internet became a critical part of public company operations, the SEC suddenly faced a dilemma: how to stop cyber thieves who were not insiders yet were accessing, and trading upon, nonpublic information obtained through a data breach.
Thus began the SEC’s slow and quiet move to confront outsider trading with the Lohmus Havel, Blue Bottle, Dorozhko and even M.A.S. enforcement actions. But now the gloves are clearly off. Given the recent round of SEC requests to public companies, the SEC enforcement staff are moving forward full-throttle to combat unlawful outsider trading by cyber thieves.
The enforcement staff are probably inspired by the 40-year-old seminal Supreme Court decision written by Supreme Court Justice (and former SEC Chairman) William O. Douglas and captioned Superintendent of Insurance v. Bankers Life and Casualty Co. In that decision, Justice Douglas opined,
We believe that section 10(b) and Rule 10b-5 prohibit all fraudulent schemes in connection with the purchase or sale of securities, whether the artifices employed involve a garden type variety fraud, or present a unique form of deception. Novel or atypical methods should not provide immunity from the securities laws.
Perhaps congratulations go to the SEC for stepping up to protect the integrity of the global financial marketplace from outsider trading, a hi-tech category of wrongdoing that the SEC staff is best suited to scrutinize, appreciate, understand and bring to justice. Or perhaps not.
Unfortunately, there is also significant fallout from the SEC’s newly minted outsider trading initiative; it exacts a double whammy for public companies caught up in its dragnet. Not only must the public company respond to the SEC request, but the company must also independently investigate, report, contain and remediate any data breach the SEC identifies.
Moreover, receipt of an SEC “data breach” subpoena will undoubtedly come as a shock to a public company and be far more costly than responding to more typical SEC requests. The typical SEC insider trading subpoena pertains to an event a company already has knowledge of (such as a merger, an earnings announcement, a takeover, etc.), but these new SEC “data breach” subpoenas pertain to a data breach that may be previously unknown to a public company.
In the end, the SEC’s dragnet targeting outsider trading, under any theory (even a far-fetched one), may indeed be good for investors and healthy for capital markets. However, the new SEC data breach subpoenas and requests are also yet another unwelcome and unanticipated expense for public companies, many of which may also be skeptical of the SEC’s jurisdictional expansion and ambitious cybersecurity swagger.