In October 2007, Oleksandr Dorozhko, a Ukrainian national operating from Ukraine, “hacked into the computer network of Thomson Financial” and “gained access to IMS Health’s soon-to-be-released negative earnings announcement.” Securities and Exchange Commission v. Dorozhko, No. 07 Civ. 9606, 2008 WL 126612, at *1 (S.D.N.Y. Jan. 8, 2008). Armed with this nonpublic knowledge of the negative earnings announcement, Dorozhko used his newly opened Internet trading account at Interactive Brokers in Greenwich, Conn., to purchase put options in IMS Health stock prior to the release of the negative earnings announcement.
Dorozhko sold the options the next day after the negative earnings were announced “for $328,571.00, a return overnight of 697 percent.” Id. On Oct. 29, U.S. District Judge Naomi Reice Buchwald of the Southern District of New York granted a U.S. Securities and Exchange Commission (SEC) motion for a temporary restraining order (TRO) “freezing the proceeds of Dorozhko’s trades.” Id.
However, on Jan. 7, Buchwald denied the SEC’s motion for a preliminary injunction, finding that the SEC could not show a likelihood of success on the merits of its assertion of a violation of § 10(b) of the Securities Exchange Act of 1934. Based on well-established U.S. Supreme Court precedent, Buchwald held that Dorozhko’s “ ‘hacking and trading’ … does not amount to a violation of § 10(b) of the Exchange Act” because it was impossible for the SEC to prove an essential element of the statute: that Dorozhko, as a corporate outsider, breached a fiduciary duty or similar duty of candid disclosure. Id.
Dorozhko, an outsider to both IMS Health and Thomson Financial, did not owe either company a duty of disclosure. As the court correctly observed, “in the 74 years since Congress passed the Exchange Act, no federal court has ever held that the theft of material non-public information by a corporate outsider and subsequent trading on that information violates § 10(b).” Id. Recognizing that the lifting of the TRO could “result in the release of the restrained trading proceeds,” the court reiterated its suggestion to the SEC from the preliminary injunction hearing that the matter be referred to “the United States Attorney’s Office for criminal investigation.” Id. at *2.
Corporate victims could pursue CFAA civil options
From the evidence presented at the preliminary injunction hearing, Buchwald opined that the hacking and trading appeared to violate several federal criminal statutes, including § 1030(a)(4) of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030 et seq., and that the U.S. attorney’s office could seek “to seize Dorozhko’s trading proceeds under 18 U.S.C. § 981(b).” Id. The court, however, did not address the civil options for self-help under the CFAA available to the corporate victims of Dorozhko’s scheme. Indeed, that might be the most viable option here if the U.S. attorney’s office views a case against a Ukrainian national as a waste of resources where it is difficult, if not impossible, to extradite the defendant to the United States.
While the CFAA is primarily a criminal statute, it also provides that “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” 18 U.S.C. 1030(g). From a civil perspective, there are two questions not addressed in Buchwald’s decision. First, were CFAA civil remedies available to IMS Health, whose data were stolen, and Thomson Financial, whose Web site was hacked? Second, can the CFAA be used against a corporate insider (as opposed to an outside hacker) who steals company information that is used to trade in the company’s stock? The answer to both of these questions is yes.
Section 1030(a)(4) is one of seven sections of the CFAA that can form the basis for a civil action. To succeed on a civil claim pursuant to it, a plaintiff must prove the jurisdictional prerequisite that it suffered $5,000 in “loss” within a one-year period, and that the defendant, knowingly and with intent to defraud, accessed a protected computer; the defendant did so either without authorization or by exceeding authorized access; and by means of such conduct the defendant furthered the intended fraud and obtained anything of value. 18 U.S.C. 1030(a)(5)(B)(i), (g); Physicians Interactive v. Lathian Systems Inc., No. CA 03-1193-A, 2003 WL 23018270, at *6 (E.D. Va. Dec. 5, 2003).
The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its [prior condition], and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. 1030(e)(11). While none of the entities in question experienced an interruption in service, “federal courts have sustained actions based on allegations of costs to investigate and take remedial steps in response to a defendant’s misappropriation of data.” Modis Inc. v. Bardelli, No. 3:07cv1638, 2008 WL 191204, at *4 (D. Conn. Jan. 22, 2008). To the extent either Thomson Financial or IMS Health incurred at least $5,000 to investigate the hacking and secure its network, each is entitled to file a CFAA civil action. Interactive Brokers, which had no ownership interest in the Thomson Financial Web site or the data contained on it, could not have conducted such an investigation or have taken remedial steps. Thus, Interactive Brokers likely could not meet the jurisdictional loss prerequisite and is not entitled to sue Dorozhko for CFAA violations.
That IMS Health did not own the computer network that was the object of the hacking would not preclude it from filing a CFAA claim against Dorozhko. The 9th U.S. Circuit Court of Appeals held that there is “[n]othing in the provision’s language” to support an “ownership or control requirement.” Theofel v. Farey-Jones, 359 F.3d 1066, 1078 (9th Cir. 2004). Theofel explained that the CFAA’s civil remedy “extends to ‘[a]ny person who suffers damage or loss by reason of a violation of this section’ ” and that the “word ‘any’ has an expansive meaning.” Id. As to the elements necessary to prove a violation of § 1030(a)(4), the Thomson Financial computer network is indisputably a “protected computer” within the meaning of the CFAA. A “protected computer” is defined in § 1030(e)(2)(B) as one “which is used in interstate or foreign commerce or communication,” and includes “a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.” There can be little doubt that this computer network conducts business and communicates with its offices and customers in interstate and foreign commerce. Also, if the computer had been located in Ukraine, it would still be a “protected computer” since it would still affect interstate and foreign commerce and communicate with the United States.
There is also no question that Dorozhko acted with intent to defraud. The proof of fraud required by the CFAA simply requires proof of wrongdoing and not proof of the common law elements of fraud. Thomson Financial and IMS Health would need only prove that the “defendant participated in dishonest methods to obtain” the data from the computer. Shurgard Storage Ctrs. v. Safeguard Self Storage Inc., 119 F. Supp. 2d 1121, 1125-26 (W.D. Wash. 2000).
On the element of unauthorized access, all federal courts that have ever considered this issue agree that hacking into a computer by a corporate outsider constitutes unauthorized access. By definition “hacking” is done “to gain unauthorized access.” Physicians Interactive, 2003 WL 23018270, at *1. Finally, Dorozhko unquestionably obtained something of value in furtherance of the fraud: the information that permitted him to obtain the hugely inflated proceeds from the sale of the IMS Health options.
A preliminary injunction is also possible under CFAA
Physicians Interactive, cited by Judge Buchwald, illustrates the type of injunctive relief a civil litigant can obtain on facts similar to Dorozhko. In that case, the district court upheld a preliminary injunction based, in part, on violations of the CFAA when a competitor “secretly hacked Physicians Interactive’s website and stole their confidential customer lists and computer software code.” Id. at *1. The defendant was enjoined from, among other things, “engaging in any activity beyond the scope of normal user or guest to Plaintiff’s website” and not “using or disclosing any information” obtained through the hacking of the Web site. Id. at *11. Similarly, there is no reason why a court could not have enjoined Dorozhko in a civil CFAA action from continuing to enter Thomson Financial’s computer network and directed a freeze of his ill-gotten gains from the sale of the IMS Health options, pending the resolution of the lawsuit.
Finally, with the exception of a few federal district court judges who are hostile to applying the statute against company insiders, the CFAA can be used against employees who access sensitive nonpublic information from a company’s computers for the purpose of trading in its stock. Unauthorized access by insiders can be established when the insider employee exceeds “expected norms of intended use” for the computer; terminates his agency relationship with his employer by entering its computer for a purpose adverse to his employer; violates company rules and policies on computer use; or violates a contractual duty such as a confidentiality agreement to access the company computer. U.S. v. Phillips, 477 F.3d 215 (5th Cir. 2007); Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); Doe v. Dartmouth-Hitchcock Medical Center, No. CIV. 00-100-M, 2001 WL 873063 (D.N.H. July 19, 2001); EF Cultural Travel B.V. v. Explorica, 274 F.3d 577 (1st Cir. 2001).
The lesson here is simple: Any company that finds itself victimized by insider trading as a result of information obtained from its computers should consider the option of self-help by pursuing a civil action under the CFAA.