We are discussing the law of insider trading and the hash made of it by the Supreme Court's decisions in Chiarella and Dirks, cases that limited insider trading to cases involving a fiduciary duty.  Some of the holes in the reasoning have been filled through the development of the misappropriation theory, something approved by the Supreme Court in O'Hagan.  Both sets of cases, however, left another gap in the law, the application of Section 10(b) liability to those who trade on stolen information.  Ironically, it is an area that may have been clarified by Stoneridge.

The latest hole created by the Supreme Court has surfaced in SEC v. Dorozhko, 2008 U.S. Dist. LEXIS 1730 (SD NY Jan. 8, 2008).  In that case, Dorozhko, a self-employed Ukranian national residing in Uzhgorod, Ukraine, allegedly hacked into a web site and stole information that was then used in purchasing put options.  In a single day, he realized proceeds of $328,000.00, or a net profit of $286,456.59.  The court agreed that the theft of the information was a "device or contrivance" and in connection with the purchase or sale of a security.  The issue turned on whether the theft could be considered "deceptive" under Rule 10b-5. The court, however, concluded that deception required "a breach of a fiduciary or similar duty of disclosure."   As the court noted:

• Even by itself, this lack of any case law supporting the SEC position is noteworthy. The Exchange Act was enacted over seventy-four years ago, and parallel situations have no doubt arisen in that time span. While the SEC attempts to paint hacking as a new challenge for the securities laws, traditional theft (e.g. breaking into an investment bank and stealing documents) is hardly a new phenomenon, and involves similar elements for purposes of our analysis here. Both hacking and traditional theft may involve "deception" in the common law sense of unauthorized access, whether by using fake ID cards or spoofed internet protocols, but typically do not involve deception in the sense of breaching a duty of disclosure.

The case is on appeal.  In the meantime, the Commission brought and settled a case with similar facts.  In SEC v. Stummer, Litigation Release No. 20529 (SD NY April 17, 2008), the same district court that decided Dorozhko, the defendant "snuck into his brother-in-law's bedroom office computer."  He guessed the password and accessed work accounts, learning about an impending takeover.   As the complaint alleged:

• Stummer engaged in fraudulent, deceptive or manipulative acts or practices in connection with the purchase and sale of RYAN's securities by (i) deceptively logging on to the brother-in-law's computer, (ii) accessing, without authorization, the Caxton server as if he were his brother-in-law, (iii) improperly accessing his brother-in-laws's work emails pertaining to the impending acquisiton of RYAN which were stored on the Caxton server, and (iv) using the material, nonpublic information he learned from those emails to purchase RYAN securities.

Stoneridge, of course, held that liability under Rule 10b-5 could be based upon behavior rather than disclosure.  128 S. Ct. at 769 ("Conduct itself can be deceptive, as respondents concede. In this case, moreover, respondents' course of conduct included both oral and written statements, such as the backdated contracts agreed to by Charter and respondents.").  In other words, the analysis in Dorozhko that required a disclosure violation and precluded conduct as a deceptive act is now superseded. 

While the insider trading cases required the existence of a duty (in order to have a duty to disclose), the cases did not involve improperly obtained information.  Secrist in Dirks received the relevant information by virtue of his status as an officer in Equity Funding.  O'Hagan obtained the relevant information by virtue of his status as a partner in the law firm.  A violation of Section 10(b) came when they allegedly made improper use of the information, O'Hagan by trading, Secrist by giving it to someone who traded on it.  See O'Hagan, 521 US at 652 (misappropriation involved "self-serving use of a principal's information to purchase or sell securities").  Thus, the deceptive act occurred at the time of the trade (or possibly at the time it was tipped to someone who was expected to trade).

In Dorozhko and Stummer, the deceptive act occurs at the time the material nonpublic information is stolen.  This does not mean that all thefts of information constitute securities fraud.  For one thing, the theft must be of material non-public information.  Moreover, it must be in connection with the purchase or sale of stock.  This occurs where theft and trading "coincide." see Zandford, 535 US at 822  ("It is enough that the scheme to defraud and the sale of securities coincide.").  "Coincide" may also cover circumstances where the thief intends to trade or tips the information to someone who will trade. 

In a statutory scheme designed to protect the integrity of the markets, it seems obvious that stealing material non-public information for use in securities activities, particularly information that has little value other than in securities activities, would qualify as deceptive behavior in connection with the purchase or sale of a security.  

Pleadings filed in SEC v. Dorozhko, 2008 U.S. Dist. LEXIS 1730 (SD NY Jan. 8, 2008) can be found at the DU Corporate Governance web site.