Advertisement

SKIP ADVERTISEMENT

White Collar Watch

Hacking Case Raises Question on Securities Fraud

Jeh Johnson, the Secretary of Homeland Security, left, and Paul J. Fishman, United States Attorney for the District of New Jersey, center, after a news conference in Newark on Tuesday.Credit...Karsten Moran for The New York Times

The elaborate scheme described by the Justice Department and the Securities and Exchange Commission last week, which involved breaking into computer servers to obtain confidential information about impending corporate announcements, certainly looks like a classic case of insider trading. The defendants are accused of making millions of dollars in profits by using information to trade profitably.

But insider trading law as currently interpreted by the courts would not cover this case because the hackers are accused of being thieves, not insiders who breached a duty owed to the source of the information. Indeed, they are as far from a fiduciary as one could find — an important requirement for an insider trading violation. The question is whether trading on stolen information is also a type of securities fraud.

The Justice Department filed indictments in Brooklyn and in New Jersey charging nine defendants with securities fraud, wire fraud, conspiracy and computer-related violations. Two defendants operating out of Ukraine are accused of breaking into the servers of three companies — Business Wire, PR Newswire and Marketwired — to obtain news releases about publicly traded companies before they were issued. They provided the information to the other defendants who traded on it in exchange for a cut of the trading profits.

Prosecutors can avoid any potential problem about the scope of the securities laws by relying on the federal wire fraud statute, which carries a maximum penalty of 20 years in prison. Wire fraud requires only proof that the defendants obtained valuable property by means of fraud or misrepresentation.

Although the companies and news services did not lose any money from the security breach, prosecutors do not have to show any pecuniary harm to the victims. The Supreme Court found in Carpenter v. United States that “confidential business information has long been recognized as property,” so taking it through a deception can be enough for a wire fraud conviction.

Whether the trading violated the securities laws will be more of a challenge to the S.E.C., which filed parallel civil charges against 32 defendants, including the nine defendants named in the criminal cases and another eight individuals who live in Ukraine and Russia. The agency has the power to pursue only cases that fall under the securities laws and not the broader federal criminal statutes.

Securities fraud in violation of Section 10(b) of the Securities Exchange Act requires proving a “manipulative or deceptive device” was used “in connection with” the purchase or sale of a security. Insider trading fits into that provision because the Supreme Court found in Chiarella v. United States that there is a deception if a defendant breaches a duty of trust and confidence by misusing confidential information to trade or tip others.

The victim in an insider trading case is the source of the information who expected it to be kept confidential. Without a breach of duty, however, there is no violation for trading on information even though the market is unaware of it.

Stealing confidential information to trade on it before publication is nothing new, although the cases now seem rather quaint because they involved getting advanced word before print editions were delivered to subscribers. The Carpenter case involved a Wall Street Journal reporter who traded and tipped others in advance of the publication of his “Heard on the Street” columns. As recently 2006, the S.E.C. brought charges against defendants who got an employee of a printing plant to steal pages from coming issues of Businessweek so they could trade on the companies discussed in it.

The hacking is not all that different from those cases, except that these defendants did not owe a duty of trust and confidence to the news services or companies whose information they stole, unlike the reporter and the printer. So establishing a securities violation means showing their engaged in a deception in connection with securities trading despite not having any duty.

The S.E.C. has accused other hackers of violating the securities laws by trading on stolen information in advance of its release. In 2005, it sued an Estonian financial services firm and two employees for creating an account with Business Wire and then using a computer program to gain access to news releases of more than 200 companies. The defendants settled the case without any determination whether the securities laws applied to their conduct.

In 2007, the S.E.C. sued Oleksandr Dorozhko, a Ukrainian, for hacking into Thomson Financial’s server to obtain a company’s negative earnings announcement before its release and then buying put options to bet against its shares, realizing a profit of more than $280,000. The court initially dismissed the complaint because there was no breach of a duty in breaking into a computer network.

The Federal Appeals Court in Manhattan reversed the dismissal, finding that fraudulent trading is not limited to just cases in which the defendant has a duty of trust and confidence. Instead, the deception used to gain access to the information could be sufficient to show a violation of Section 10(b) once the defendant traded on it. The case was returned to the district court to ascertain whether there was any deceptive conduct, but the defendant failed to appear, so a default judgment was eventually entered.

The appeals court essentially found the following equation sufficient: stealing information + trading = securities fraud. That analysis depends on how a court interprets the requirement that the deception be “in connection with” trading in securities in a case in which the defendants are thieves who do not owe a fiduciary duty to the source.

The Supreme Court has taken a flexible approach to interpreting what is sufficient to show the requisite link between the deception and the trading. In S.E.C. v. Zandford, the justices said that the deception need only “coincide” with the trading, not requiring any closer connection. But that case involved a broker who breached a fiduciary duty to his clients by embezzling from their account. Without the presence of a duty to protect client interests, it is not clear whether any deceptive conduct that results in trading securities would be a violation.

The S.E.C. filed its complaint in the Federal District Court in New Jersey, just across the river from Manhattan. But that means the case is under the jurisdiction of the United States Court of Appeals for the Third Circuit rather than the Federal Appeals Court in Manhattan that decided the Dorozhko case. So that decision does not necessarily control the cases in the Federal District Court in New Jersey, but does govern the indictment in Brooklyn.

The New Jersey defendants are likely to argue that the computer break-in was not “in connection with” the trading, which means a necessary element to prove securities fraud is missing. For prosecutors, even if that argument succeeded, they still have the wire fraud and computer charges to obtain a conviction.

But for the S.E.C., an unfavorable decision would create an odd gap in how it enforces the securities laws. Traders accused of trading on stolen confidential information in the United States Court of Appeals for the Third Circuit, which covers New Jersey, Pennsylvania, and Delaware, might not be subject to its jurisdiction, while data theft in New York would.

No one ever said the law has to be consistent. There is an easy fix if this problem arises: Congress can adopt a statute making trading on any confidential information a violation, which would turn almost everything into insider trading.

Advertisement

SKIP ADVERTISEMENT