You are on page 1of 1

LOS ANGELES

www.dailyjournal.com

FRIDAY, OCTOBER 2, 2015

PERSPECTIVE

When is computer hacking fraud?


By Mary Ellen Callahan ket where they had access to nonpublic On appeal, the 2nd U.S. Circuit Court
and Michael K. Lowman information. The Cady Roberts rule of Appeals created a new category of PIG Tales

I
n August, the Securities and Ex- was agnostic as to how the nonpub- insider trading. The court reasoned that This regular column is devoted to issues
change Commission brought the lic information found its way into the showing a breach of a duty to the source of critical importance to the Privacy and
largest enforcement action against hands of the person that traded on that of the nonpublic information was not the Information Governance (PIG) communi-
32 defendants alleging they hacked into information. only way to commit fraud under Section ties. Provided by the former Chief Privacy
the networks of at least two newswire Fortunately for the SEC hacking de- 10(b). A defendants use of misstate- Officer of the U.S. Department of Home-
land Security, PIG Tales discusses cutting
services, stealing their crown jewels fendants, Cady Roberts is no longer the ments or misrepresentations to obtain
edge issues while offering valuable
previously undisclosed information law. In 1980, the Supreme Court express- nonpublic information may also violate insight and practical advice to companies
about U.S. public companies and ly rejected the Cady Roberts rule in the Section 10(b) the information through. on how to collect, use, store, protect and
trading on the stolen material nonpub- case of Chiarella v. United States. There, The court then set out to determine if share their sensitive data in an efficient,
lic information before it was commu- the Supreme Court rejected that parity of hacking constitutes fraud or deception. effective, and compliant manner.
nicated to the public. While the stolen information rule and found that Section The 2nd Circuit recognized that there
information did not involve credit card 10(b) liability must sound in fraud. Un- were essentially two flavors of hacking: fraud? The law is clear that that simply
or banking information of U.S. citizens, der Chiarella and later Supreme Court (1) using employee log in credentials so using nonpublic information to trade is
the information was just as valuable, al- precedent, there is no Section 10(b) vi- that the hacker masquerades as a legit- not fraudulent. Also, exploits designed to
lowing the defendants realize over $100 olation unless the nonpublic information imate user or (2) exploiting weaknesses gain access to a network are not fraudu-
million. was obtained in violation of a duty of in program code to cause the program to lent. That leaves the use of stolen cre-
At first blush, this is a feel good story. trust and confidence owed to the source malfunction and allow otherwise unau- dentials. This is akin to a valet stealing a
The good guys swoop in and break up of the nonpublic information and traded thorized access to the network. The 2nd customers keys to later steal the car. The
an ongoing crime. Money was frozen, on in violation of that duty. Simple theft Circuit remanded the case, asking the use of the key is theft, not fraud. Given
and the bad guys were charged with vi- of nonpublic information was not a vio- trial court to decide whether the type of that, is the use of a stolen virtual key any
olating the federal securities laws civilly lation of Section 10(b). hacking used in the case was deceptive. different? Any other result would create a
and criminally. However, there is one While the basic tenets of insider The court did note that in its view, hack- legal fiction that fraud can be perpetuated
major rub: The conduct, as alleged, may trading law sprouted before the cyber ing that misrepresents a persons identity against computers; unless the computer
not have violated the federal securities age, the value of nonpublic information to gain access to a computer network ap- is Scarlett Johansson in Her, the SEC
laws. (To be clear, there is no doubt that makes it a promising target to hackers peared plainly deceptive, while hack- will have a tough time proving fraud
the conduct involved may have violated and the impact on the U.S.s securi- ing that exploited internal code weak- against a computer.
other federal criminal statutes such as the ties markets is unquestioned. Not sur- nesses was more akin to simple theft.
Computer Fraud and Abuse Act, which prisingly, the SEC has in recent years Regrettably, Mr. Dorozhko never Mary Ellen Callahan chairs Jenner &
vest the Department of Justice with sole sought to punish those bent on enriching defended the case on remand. We will Blocks Privacy and Information Gover-
prosecutorial authority, not the SEC). themselves through illegal access to and never know what type of hack he used or nance Practice and provides privacy and
How can that be? For one, no statute use of nonpublic information. whether that hack was fraudulent in na- data security counseling to a broad range
expressly makes insider trading illegal. But does the SEC have the authority ture. Even under the 2nd Circuits view of clients, including some of the most vis-
Instead, the SEC relies on the securi- to pursue such cases? That question turns of the facts, questions remain as to what ited Internet websites. She served as chief
ties laws general antifraud provision, on whether the pre-cyber age tools avail- forms of hacking are fraudulent ver- privacy officer of the U.S. Department of
Section 10(b) of the Securities and Ex- able to the SEC permit the agency to po- sus mere exploits amounting to simple Homeland Security from 2009 until Au-
change Act of 1934 and a web of court- lice hackers actions. Like other areas of theft. The bare use of employee log-in gust 2012 and received the 2013 Privacy
made law to police insider trading. For the law that developed before the advent credentials standing alone does not end Vanguard Award. You can reach her at me-
the most part, this approach has worked. of the era of big data, the answer lies in the query. There is a fundamental differ- callahan@jenner.com.
Todays insider trading law makes it il- what real-world analogies courts adopt in ence between obtaining an employees
legal to pilfer and use nonpublic infor- looking at the problem. Is hacking anal- security credentials by social engineer- Michael K. Lowman is a partner in Jen-
mation where the person obtained the ogous to breaking into someones home ing or tricking an employee to provide ner & Blocks Litigation and Enforcement
information in violation of a duty of or defeating a car lock (which is akin to her credentials, and a brute force attack practice, where he represents public com-
trust or confidence to the source of the theft) or is hacking a form of deceptive that deduces the same information. The panies and their officers and directors in
information. conduct akin to a company misrepre- former approaches are likely deceptive. SEC investigations, securities class ac-
Hacking of a computer network does senting its financial performance so that The later is akin to stealing someone tions, individual suits by securities hold-
not fit the typical model that led to the investors will keep buying its stock? keys to their home and later using that ers and derivative actions. He previously
development of the insider trading laws. Only one federal court of appeals key to steal their belongings. served as an attorney at the SECs Divi-
The judicial extension of Section 10(b) to has weighed in on this issue. In SEC v. So where does that leave the SECs sion of Enforcement. You can reach him at
cover insider trading began in 1961. That Dorozhko, the SEC brought an insider latest insider trading action against the mlowman@jenner.com.
year, the SEC brought the case called In trading case against a hacker for gaining hackers? According to the SEC, the de-
re Cady, Roberts & Co. In Cady Roberts, access to a press release maintained on fendants are liable for insider trading
a director of a publicly traded company the servers of a newswire service pro- because they traded on the information
told his broker that his company would vider. There, the SEC alleged that the in the stolen press releases before the
be cutting its normal dividend payments, act of hacking because it involved information was available to the public.
mistakenly believing that the information an electronic means to trick or bypass The SEC alleged that the defendants
had already been disclosed. The broker computer security was inherently obtained this information by using: (1)
traded on the information and the SEC deceptive and fraudulent misconduct. using stolen login credentials to pose as
sued him for insider trading. The Cady The trial court disagreed finding that the authorized network users; and (2) back-
Roberts decision adopted a parity of in- SEC failed to prove that the hacking at door access modules to gain network
formation rule. Under this rule, it was issue was constituted fraud under Sec- access. A review of these allegations MARY ELLEN CALLAHAN MICHAEL LOWMAN
illegal for a person to trade with the mar- tion 10(b). The SEC appealed. begs the essential question: where is the Jenner & Block Jenner & Block

Reprinted with permission from the Daily Journal. 2015 Daily Journal Corporation. All rights reserved. Reprinted by ReprintPros 949-702-5390

You might also like