Court Declines to Extend Insider Trading Law to Outsider Hacking
The Securities and Exchange Commission's bid to establish a cause of action for "hacking and trading" under Section 10(b) of the Exchange Act suffered a setback earlier this week, when Judge Naomi Reice Buchwald held that there could be no violation of the insider trading statute without proof that the defendant breached a fiduciary or similar duty in obtaining the information he traded on.
The court rejected the SEC's argument that Section 10(b) reached conduct that could be considered deceptive, or manipulative, or otherwise fraudulent.
Oleksandr Dorozhko was alleged to have hacked into a computer network operated by Thomson Financial, a publisher of business information that is also in the business of hosting investor relations Web sites. Sometime between the time that IMS Health Inc. uploaded an unfavorable earnings announcement to Thomson Financial's servers (approx. 2:01 p.m.) and the publicly announced release time (5 p.m.), Dorozhko hacked into the Thomson Financial server, obtained the earnings report, and began to make trades based on the assumption that IMS Health's stock price would plummet in the wake of the public release of the earnings report. Dorozhko was right: The market reacted negatively to the IMS numbers, and Dorozhko made a $286,456.59 profit overnight. His initial investment was roughly $40,000 in put options.
Judge Buchwald remarked that securities markets not only need, but require, informational disparities in order to operate. Moreover, Congress has rejected fairness-based regulation of the securities markets. The task of the judiciary, Judge Buchwald wrote, is to decide how to draw the line separating "proper and improper informational disparities in the securities markets." After a thoughtful and scholarly review of the available court opinions and law review articles that populate this murky area of the law, Judge Buchwald concluded that the existence of a fiduciary duty establishes the line between lawful and unlawful conduct.
"[T]here are policy considerations that weigh ... against discarding the fiduciary requirement and/or extending the SEC's jurisdiction to cover 'hacking and trading.' As discussed above, in regulating insider trading, at the margins it becomes difficult to distinguish information that is properly obtained from that which is improperly obtained. The fiduciary requirement serves as an important delineation, a kind of shorthand that courts, market participants, and regulators may use to make that distinction. The presence of a fiduciary relationship ensures that the traded on information is available only to insiders. Without the fiduciary requirement, the question of when market participants may trade on information disparities becomes much more difficult."
Judge Buchwald stayed the effect of her order until Jan. 14, to allow the SEC time to seek a stay pending appeal from the Second Circuit.
I wonder (at the risk of exposing an unforgivable ignorance of these things) whether or not Thomson Financial or IMS Health have potential liability for negligently safeguarding the IMS Health earnings report in advance of its public release. Does either company owe a duty of care to IMS Health shareholders? Have IMS Health shareholders suffered the kind of loss that would support a negligence claim? Certainly they have suffered more of a loss than the mere-fear-of-identity-theft that courts in prior data breach cases have found insufficient to support a cause of action. The SEC might have regulations that cover information security practices for this situation, but I am not aware of them.
The case is Securities and Exchange Commission v. Dorozhko, No. 07 Civ. 9606 (S.D.N.Y., Jan. 7, 2008)