Nondisclosure in breach of a fiduciary duty satisfies § 10(b) of the Securities Exchange Act of 1934's, 15 U.S.C.S. § 78j(b), requirement of a deceptive device or contrivance. However, an affirmative misrepresentation is a distinct species of fraud. Even if a person does not have a fiduciary duty to disclose or abstain from trading, there is nonetheless an affirmative obligation in commercial dealings not to mislead.
On October 17, an anonymous computer hacker attempted to gain access to the IMS earnings report by hacking into a secure server at Thomson prior to the report's official release. On the same day, Thomson received the IMS data--that hacker successfully located and downloaded the IMS data from Thomson's secure server. Defendant--who had not previously used his Interactive Brokers account to trade--purchased $ 41,670.90 worth of IMS "put" options that would expire on October 25 and 30, 2007. These purchases represented approximately 90% of all purchases of "put" options for IMS stock for the six weeks prior to October 17. October 18, at 9:30 a.m., IMS's stock price sank approximately 28% almost immediately--from $ 29.56 to $ 21.20 per share. Within six minutes of the market opening, defendant had sold all of his IMS options, realizing a net profit of $ 286,456.59 overnight. Interactive Brokers noticed the irregular trading activity and referred the matter to the SEC, which now alleges that defendant was the hacker.
The District Court denied the SEC's request for a preliminary injunction because the SEC had not shown a likelihood of success. The District Court reasoned that since defendant was a corporate outsider with no special relationship to IMS or Thomson, he owed no fiduciary duty to either. Although computer hacking might be fraudulent and might violate a number of federal and state criminal statutes, the District Court concluded that this behavior did not violate Section 10(b) without an accompanying breach of a fiduciary duty.
This appeal followed. The SEC's claim is nonetheless based on a claim of fraud, and we turn our attention to whether this fraud is "deceptive" within the meaning of Section 10(b).
In a civil enforcement lawsuit brought by the United States Securities and Exchange Commission ("SEC") under Section 10(b) of the Securities Exchange Act of 1934 ("Section 10(b)"), May computer hacking be "deceptive" where the hacker did not breach a fiduciary duty in fraudulently obtaining material, nonpublic information used in connection with the purchase or sale of securities
None of the Supreme Court opinions relied upon by the District Court--much less the sum of all three opinions--establishes a fiduciary-duty requirement as an element of every violation of Section 10(b). In Chiarella, O'Hagan, and Zandford, the theory of fraud was silence or nondisclosure, not an affirmative misrepresentation. The Supreme Court held that remaining silent was actionable only where there was a duty to speak, arising from a fiduciary relationship. In Chiarella, the Supreme Court held that there was no deception in an employee's silence because he did not have duty to speak. In O'Hagan, an attorney who traded on client secrets had a fiduciary duty to inform his firm that he was trading on the basis of the confidential information. Even in Zandford, which dealt principally with the statutory requirement that a deceptive device be used "in connection with" the purchase or sale of a security, the defendant's fraud consisted of not telling his brokerage client--to whom he owed a fiduciary duty--that he was stealing assets from the account.
In the view of this Court, misrepresenting one's identity in order to gain access to information that is otherwise off limits, and then stealing that information is plainly "deceptive" within the ordinary meaning of the word. It is unclear, however, that exploiting a weakness in an electronic code to gain unauthorized access is "deceptive," rather than being mere theft. Accordingly, depending on how the hacker gained access, it seems to us entirely possible that computer hacking could be, by definition, a "deceptive device or contrivance" that is prohibited by Section 10(b) and Rule 10b-5.
Thus, having established that the SEC need not demonstrate a breach of fiduciary duty, the Court now remand to the District Court to consider, in the first instance, whether the computer hacking in this case involved a fraudulent misrepresentation that was "deceptive" within the ordinary meaning of Section 10(b).