Commercial Litigation and Arbitration

Computer Hacker Who Trades on Illicitly-Obtained Information May Violate § 10(b) Even Though Hacker Breaches No Fiduciary Duty — Circuit Split

The computer hacker in Securities and Exchange Commission v. Dorozhko, 2009 U.S. App. LEXIS 16057 (2d Cir. July 22, 2009), made a $200,000 profit overnight by hacking into a secure server to obtain earnings information hours before it was publicly announced and buying $40,000 worth of put options. The District Court held that this illegal conduct did not render the hacker subject to a civil enforcement action brought by the SEC because the hacker breached no fiduciary duty:

The District Court concluded that in Chiarella, O'Hagan, and Zandford, the Supreme Court developed a requirement that any "deceptive device" requires a breach of a fiduciary duty. In applying that interpretation to the instant case, the District Court ruled that "[a]lthough [defendant] may have broken the law, he is not liable in a civil action under § 10(b) because he owed no fiduciary or similar duty either to the source of his information or to those he transacted with in the market." ...

[Footnote 5] Some commentators grudgingly have acknowledged that the District Court's conclusion would be compelled under a narrow reading of Section 10(b) that covers only the "disclose or abstain" requirement for corporate insiders other than fiduciaries. See, e.g., Robert A. Prentice, The Internet and Its Challenges for the Future of Insider Trading Regulation, 12 Harv. J. L. & Tech. 263, 297-98 (1999) (acknowledging that, "[t]o the extent that misappropriation liability is based solely on a breach of fiduciary duty, thieves unrelated to the source of the information could steal the information without being in violation of existing federal securities laws"); but see id. at 300 (arguing that "to hold that hackers are misappropriators is consistent with the pre-1934 common law upon which Section 10(b) was based [and] is consonant with the underlying policy of Section 10(b) — investor protection" (internal footnote omitted)).

At least one of our sister circuits has made the same observation relying on the same precedent. See Regents of the Univ. of Cal. v. Credit Suisse First Boston (USA), Inc., 482 F.3d 372, 389 (5th Cir. 2007) (discussing Chiarella and O'Hagan, and stating that "the [Supreme] Court . . . has established that a device, such as a scheme, is not 'deceptive' unless it involves breach of some duty of candid disclosure").

In our view, none of the Supreme Court opinions relied upon by the District Court — much less the sum of all three opinions — establishes a fiduciary-duty requirement as an element of every violation of Section 10(b). In Chiarella, O'Hagan, and Zandford, the theory of fraud was silence or nondisclosure, not an affirmative misrepresentation. The Supreme Court held that remaining silent was actionable only where there was a duty to speak, arising from a fiduciary relationship. ***

Chiarella, O'Hagan, and Zandford all stand for the proposition that nondisclosure in breach of a fiduciary duty "satisfies § 10(b)'s requirement . . . [of] a 'deceptive device or contrivance,'" O'Hagan, 521 U.S. at 653. However, what is sufficient is not always what is necessary, and none of the Supreme Court opinions considered by the District Court require a fiduciary relationship as an element of an actionable securities claim under Section 10(b). While Chiarella, O'Hagan, and Zandford all dealt with fraud qua silence, an affirmative misrepresentation is a distinct species of fraud. Even if a person does not have a fiduciary duty to "disclose or abstain from trading," there is nonetheless an affirmative obligation in commercial dealings not to mislead. See, e.g., Basic Inc. v. Levinson, 485 U.S. 224, 240 n.18 (1988) (distinguishing "situations where insiders have traded in abrogation of their duty to disclose or abstain," from "affirmative misrepresentations by those under no duty to disclose (but under the ever-present duty not to mislead)").

In this case, the SEC has not alleged that defendant fraudulently remained silent in the face of a "duty to disclose or abstain" from trading. Rather, the SEC argues that defendant affirmatively misrepresented himself in order to gain access to material, nonpublic information, which he then used to trade. We are aware of no precedent of the Supreme Court or our Court that forecloses or prohibits the SEC's straightforward theory of fraud. Absent a controlling precedent that "deceptive" has a more limited meaning than its ordinary meaning, we see no reason to complicate the enforcement of Section 10(b) by divining new requirements. In reaching this conclusion, we are mindful of the Supreme Court's oft-repeated instruction that Section 10(b) "should be construed not technically and restrictively, but flexibly to effectuate its remedial purposes." Zandford, 535 U.S. at 819 (internal quotation marks omitted). Accordingly, we adopt the SEC's proposed interpretation of Chiarella and its progeny: "misrepresentations are fraudulent, but . . . silence is fraudulent only if there is a duty to disclose." ...

[Footnote 6] The District Court found it "noteworthy" that in the over seventy years since the enactment of the Securities Exchange Act of 1934, "no federal court has ever held that those who steal material nonpublic information and then trade on it violate § 10(b)," even though "traditional theft (e.g. breaking into an investment bank and stealing documents) is hardly a new phenomenon, and involves similar elements for purposes of our analysis here." ... The District Court suggested that "hacking and trading" schemes have been and ought to be prosecuted under "any number of federal and/or state criminal statutes," rather than through civil enforcement actions. .... At the preliminary injunction hearing, the District Court stated that it was "very disturbing" that this case was not a federal prosecution.... We intimate no view on that question. It is enough to say that we deal with the facts presented, which in our view are sufficient to maintain a civil enforcement claim.

[Footnote 7] We are further counseled by the observations of Judge Augustus N. Hand, who reasoned over fifty years ago that had Congress intended to impose a fiduciary-duty requirement on Section 10(b) liability, it would have said so. See Birnbaum v. Newport Steel Corp., 193 F.2d 461, 464 (2d Cir. 1952) (A. Hand,J.) ("When Congress intended to protect the stockholders of a corporation against a breach of fiduciary duty by corporate insiders, it left no doubt as to its meaning. Thus Section 16(b) of the Act of 1934 . . . expressly gave the corporate issuer or its stockholders a right of action against corporate insiders using their position to profit in the sale or exchange of corporate securities. The absence of a similar provision in Section 10(b) strengthens the conclusion that [Section 10(b)] was directed solely at that type of misrepresentation or fraudulent practice usually associated with the sale or purchase of securities rather than at fraudulent mismanagement of corporate affairs, and that Rule [10b-5] extended protection only to the defrauded purchaser or seller." (internal citation omitted)). We recognize that in the instant case, the SEC is neither a purchaser nor a seller, but brings this suit in its regulatory capacity in order to "ensure honest securities markets and . . . promote investor confidence," Zandford, 535 U.S. at 819.

Having denied the SEC's application for a preliminary injunction freezing defendant's trading account on the basis of a perceived fiduciary duty requirement stemming from the Chiarella line of insider trading cases, the District Court did not decide whether the ordinary meaning of "deceptive" covers the computer hacking in this case — or, indeed, whether the computer hacking in this case involved any misrepresentation at all. Defendant invites us to remand both questions so that the District Court may decide in the first instance.

In its ordinary meaning, "deceptive" covers a wide spectrum of conduct involving cheating or trading in falsehoods. See Webster's International Dictionary 679 (2d ed. 1934) (defining "deceptive" as "tending to deceive," and defining "deceive" as "[t]o cause to believe the false, or to disbelieve the true" or "[t]o impose upon; to deal treacherously with; cheat"). Cf. Ernst & Ernst v. Hochfelder, 425 U.S. 185, 199 n.20 (1976) (consulting the 1934 edition of Webster's International Dictionary to define other relevant terms in Section 10(b)); In re Parmalat Sec. Litig., 376 F. Supp. 2d 472, 502 n.152 (S.D.N.Y. 2005) (consulting the 1934 edition of Webster's International Dictionary to define "deceptive"). In light of this ordinary meaning, it is not at all surprising that Rule 10b-5 equates "deceit" with "fraud." See 17 C.F.R. § 240.10b-5 (prohibiting "any untrue statement of a material fact . . . or . . . any act, practice, or course of business which operates or would operate as a fraud or deceit upon any person, in connection with the purchase or sale of any security" (emphases added)). Indeed, we have previously observed that the conduct prohibited by Section 10(b) and Rule 10b-5 "irreducibly entails some act that gives the victim a false impression." United States v. Finnerty, 533 F.3d 143, 148 (2d Cir. 2008).

The District Court — summarizing the SEC's allegations — described the computer hacking in this case as "employ[ing] electronic means to trick, circumvent, or bypass computer security in order to gain unauthorized access to computer systems, networks, and information . . . and to steal such data." ... On appeal, the SEC adds a further gloss, arguing that, in general, "[computer h]ackers either (1) 'engage in false identification and masquerade as another user['] . . . or (2) 'exploit a weakness in [an electronic] code within a program to cause the program to malfunction in a way that grants the user greater privileges.'" Appellant's Br. 22-23 (quoting Orin S. Kerr, Cybercrime Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1645 (2003)). In our view, misrepresenting one's identity in order to gain access to information that is otherwise off limits, and then stealing that information is plainly "deceptive" within the ordinary meaning of the word. It is unclear, however, that exploiting a weakness in an electronic code to gain unauthorized access is "deceptive," rather than being mere theft. Accordingly, depending on how the hacker gained access, it seems to us entirely possible that computer hacking could be, by definition, a "deceptive device or contrivance" that is prohibited by Section 10(b) and Rule 10b-5.

However, we are hesitant to move from this general principle to a particular application without the benefit of the District Court's views as to whether the computer hacking in this case — as opposed to computer hacking in general — was "deceptive."

Share this article:


Recent Posts