Data breaches are increasingly common in our world. While computers and the Internet have created new opportunities to collect, store, and transmit information, they have also created new vulnerabilities. Data breaches occur regularly, and that is unlikely to stop anytime soon. Even the government has been susceptible to these types of cyberattacks. For instance, in May 2016, hackers exploited a weakness in the software employed by the United States Securities and Exchange Commission (‘SEC’) to maintain its Electronic Data Gathering, Analysis, and Retrieval (‘EDGAR’) system and gained access to non-public information contained within it. Because data breaches involve wrongfully obtaining information, such behaviour creates concerns about insider trading. Unfortunately, insider trading regulation in the United States is ill-equipped to address these concerns.
In my new article, ‘Schrödinger’s Hacker: Insider Trading and Data Breaches’, I explore the application of section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5, the primary provisions governing insider trading under United States securities law, to data breaches. In cases governed by the Cady Roberts rule, which applies to a failure to disclose material non-public information prior to trading, a breach of fiduciary duty to the source of the information is required, and a hacker in most situations will not owe such a duty. If the hacker uses deception to gain access to the information, however, the individual has still violated section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5, assuming the other elements have been met, because fraud has still occurred: a material misrepresentation has been used for financial gain. Nevertheless, if a hacker merely exploits a weakness in software to obtain material non-public information, it is uncertain under the law whether this is a violation of section 10(b) and Rule 10b-5.
The leading case on this topic is SEC v Dorozhko. In that case, Oleksandr Dorozhko, a Ukrainian hacker, was held liable for violating section 10(b) and Rule 10b-5. Dorozhko exercised his Fifth Amendment right against self-incrimination, and the District Court ultimately granted the SEC’s unopposed motion for summary judgment, which leaves doubt as to how he gained access to the information involved. As a consequence, depending on whether he used a misrepresentation to obtain the information, he may or may not have actually violated section 10(b) and Rule 10b-5. How a hacker obtains material non-public information seems as though it ought to be a trivial matter in regard to lawfulness under the federal securities laws, because in all instances the hacker is stealing information and poses a danger to the capital markets in the United States. Similar to the Schrödinger’s cat thought experiment, however, the relatively trivial issue of how the hacker obtains the information creates unacceptable large-scale uncertainty as to whether such behaviour is punishable.
As a consequence, I propose that the SEC should promulgate a rule interpreting the language of section 10(b) and Rule 10b-5 to include all hacking as ‘deceptive acts or contrivances’. The proposed rule should be modelled upon 18 U.S.C. § 1030, which is commonly known as the Computer Fraud and Abuse Act. Such a rule would clarify the coverage of section 10(b) and Rule 10b-5 and would help to promote market confidence and stability by addressing the evils of hacking. Promulgating such a rule is within the scope of the SEC’s authority under the United States federal securities laws, and it deserves to be included within them to help encourage investor confidence and market stability.
Eric C. Chaffee is a Distinguished University Professor at the University of Toledo College of Law.