Speech by SEC Commissioner:
Remarks Before the CyberSecurities Fraud Forum
Commissioner Troy A. Paredes
U.S. Securities and Exchange Commission
September 23, 2008
Thank you, John [Stark], for the kind introduction. It is a pleasure to be speaking here today at the CyberSecurities Fraud Symposium. Before I begin, I must tell you that the views that I express here today are my own and do not necessarily reflect those of the U.S. Securities and Exchange Commission or of my fellow Commissioners.
It is fitting that I am speaking to an audience including many representatives from the FBI, the Department of Justice, and other law enforcement agencies. On this day, in 1875, one of the most notorious criminals in American history committed his first crime. The criminal? Henry McCarty. Perhaps you have heard of him by one of his aliases: William H. Bonney or Billy the Kid. What was the first crime of the scofflaw who evaded law enforcement for over half a decade? He stole a basket of laundry.1
You may ask, "What do Billy the Kid, a basket of laundry, and cybersecurities fraud all have in common?" In a word, plenty. Like Billy the Kid, those who commit fraud using the internet often start by committing what some may deem to be a lesser crime such as hacking into a friend's email account. Eventually, the modern internet fraudster becomes more brazen and graduates to more serious crimes. Like Billy the Kid, the modern fraudster uses tactics to evade detection and capture in an arena that some have analogized to the Wild West. While Billy the Kid utilized disguises and aliases, the modern fraudster uses technology, such as routing redirects, source routing, blind spoofing, and flooding, to prevent law enforcement from obtaining the correct IP address. Finally, as with Billy the Kid, modern law enforcement eventually catches up to the modern fraudster.
The Securities and Exchange Commission, and, in particular, the Office of Internet Enforcement (OIE), has been at the forefront of the fight against securities fraud on the internet. Established in 1998, the Office of Internet Enforcement recently celebrated its tenth anniversary in July. I commend the dedicated leadership and staff of OIE on their commitment to making cyberspace an arena of fair and efficient commerce by bringing law and order to the internet.
In the context of addressing what is a "security," the U.S. Supreme Court, in the famous Howey case, referenced the "countless and variable schemes devised by those who seek the use of the money of others."2 The SEC needs to be as nimble as the fraudsters who search for new ways to take people's money. Accordingly, the SEC should be commended for establishing OIE. That the SEC even has an Office of Internet Enforcement illustrates how federal securities regulation is able to adapt to new market and technological developments as the SEC endeavors to root out the "countless and variable schemes" of fraudsters.
Forms of Cooperation
Of course, it would be especially challenging for the SEC to make headway stemming the tide of securities fraud without cooperation among civil and criminal authorities both here and abroad. A couple of examples come to mind. The panelists may well talk about them in more depth later, but they bear mentioning here as well.
Let me start with international cooperation.
In the December 2006 civil action, SEC v. Grand Logistic, S.A. — the first international intrusion case brought by the Commission — the SEC was successful in freezing the proceeds of a stock manipulation scheme orchestrated by a Russian citizen.3 The ill-gotten funds were located in a bank in Estonia, so obtaining the freeze required extensive cooperation between the Philadelphia Regional Office of the SEC (Dan Hawke, who is the head of that office, is on a panel later today), the U.S. Department of Justice, and Estonian officials. The Estonian officials provided invaluable assistance not only with service of process, but also with developing the facts necessary to show that the defendant's "business" was nothing more than a mail drop. I commend the entire team on a job well done.
A case from 2007, SEC v. Marimuthu, also illustrates the importance of cooperation among various agencies in achieving positive results.4 That case involved three hackers in India who defrauded investors out of hundreds of thousands of dollars. The civil action, led by the Office of Internet Enforcement here at SEC headquarters, brought with the assistance of the NASD and a half dozen domestic stock exchanges, was filed in conjunction with a parallel criminal probe involving several FBI offices, the U.S. Attorney's Office for the District of Nebraska, and the Justice Department's Computer Crimes Section. One of the defendants received a two-year prison sentence and faces $360,000 in restitution, while another sits in a foreign jail awaiting extradition by authorities in Hong Kong. I am confident that the third defendant will be brought to justice too.
To the extent steps are taken toward mutual recognition with other jurisdictions, cooperation between U.S. and foreign regulators will continue to develop.
Cooperation among and between domestic agencies and organizations and their foreign counterparts is paramount to fighting fraud on the internet. Wherever they are located, fraudsters must understand two things — that we will not stand for their conduct and that there is nowhere for them to hide.
I now want to turn to say a few words about the promise of constructive cooperation between the SEC and criminal authorities.
As the D.C. Circuit acknowledged in the Dresser case, "Effective enforcement of the securities laws requires that the SEC and Justice be able to investigate possible violations simultaneously."5 However, cooperation is subject to the limits of the law and due process. The rights of the accused must be respected.
A recent decision from the United States Court of Appeals for the Ninth Circuit, United States v. Stringer, helps define the framework for the appropriate level of cooperation between criminal authorities and the SEC.6 The Ninth Circuit explained: "There is nothing improper about the government undertaking simultaneous criminal and civil investigations," provided there is no "deceit or affirmative misrepresentation."7 A government official must not "affirmatively mislead" the subject of parallel civil and criminal investigations "into believing that the investigation is exclusively civil in nature and will not lead to criminal charges."8
In Stringer, the SEC had informed the defendants in the Form 1662, a standard form sent to all witnesses subpoenaed to testify before the SEC, that "[t]he Commission often makes its files available to other governmental agencies, particularly the United States Attorneys and state prosecutors. There is a likelihood that information supplied by you will be made available to such agencies where appropriate."9 The Form 1662 further explained that the defendants had a Fifth Amendment right to refuse to answer questions. As a result of these warnings, the court held that there was no deception or affirmative misconduct on the part of the government in the course of the SEC and U.S. Attorney investigations that warranted dismissal of the indictment or suppression of any of the evidence.10
As our respective agencies continue to work together to address securities fraud on the internet, we must be mindful to avoid taking action that runs afoul of due process.
I would be remiss if I did not mention that the SEC has made great strides in recent months to ensure better cooperation with and among the self-regulatory organizations, such as the Financial Industry Regulatory Authority, Inc. (FINRA) and the various stock exchanges. I know there are several members of FINRA attending the symposium today. Last month, the SEC announced a proposed agreement among FINRA and several stock exchanges.11 The agreement is designed to improve the surveillance and detection of insider trading. In particular, for the equities markets, the arrangement is designed to centralize surveillance, investigation, and enforcement under NYSE Regulation, Inc. and FINRA.
This compares to present practice, where each stock exchange bears responsibility for surveillance of its market and for the investigations and enforcement actions involving its own members. An intention of the plan is to focus expertise and to close gaps and avoid duplication in insider trading surveillance. I applaud our staff in coordinating this important arrangement, and I look forward to reading the public comments on the agreement.
The Development of the Case Law
The area of cybersecurities enforcement has posed interesting legal challenges. Often times, cases do not fall neatly within established textbook examples of securities fraud. Take, for instance, the case of SEC v. Van T. Dinh, which was brought by the SEC's Office of Internet Enforcement in 2003.12 Mr. Dinh sent an e-mail inviting users of an online stock discussion forum to test a new stock-charting tool. The purported stock-charting tool was, in fact, a disguised version of a keystroke-logging program that permitted Dinh to monitor remotely the computer activity of users who had downloaded it.
Using the program, Dinh obtained the login and password information of a TD Waterhouse online brokerage account holder. Through his own online brokerage account, Dinh placed orders to sell his option contracts at $5 per contract and, through the victim's account, corresponding buy orders. As a result, Dinh caused the unsuspecting account holder to purchase 7,200 Cisco option contracts, saving Dinh approximately $37,000 in trading losses.13
The SEC filed civil charges against Mr. Dinh, and the U.S. Attorney for the District of Massachusetts filed criminal charges. As a result of the efforts of the SEC and the U.S. Attorney, Mr. Dinh was sentenced to prison.
The Dinh case was the first SEC fraud prosecution to allege both computer hacking and identity theft as components of the fraudulent scheme. Although the case involved unique facts and circumstances, the conduct boiled down to securities fraud under section 17(a) of the Securities Act and section 10(b) of the Exchange Act.
That case illustrates that while new schemes to defraud arise using the internet, our existing body of statutes, rules, and case law may continue to be adequate tools in our arsenal. It is important not to rush to develop new and creative theories of liability, especially when the tried-and-true ones may work just fine.
Finally, let me turn briefly to the serious challenges confronting the U.S. financial system. Although it will not be easy, I am confident that we will overcome the challenges that we face and emerge stronger than ever. One reason I am confident returns us to the core theme of my remarks: cooperation. We have witnessed an historic degree of government cooperation as the Treasury, the Federal Reserve, and the SEC, as well as others, have worked tirelessly to surmount the challenges we face. That cooperation has spanned party lines and regulatory philosophies as we work collectively to address troubles in the market.
I am especially heartened by the incredible dedication, hard work, and professionalism I have witnessed by the SEC staff. As an academic, I studied the federal securities laws and the SEC. Through my work, I developed a great deal of respect for the Commission, which I knew to be comprised of individuals committed to serving the public interest to the best of their ability.
Having now had the privilege to be a part of the Commission and to work with SEC staff during this difficult time, my respect for the agency and the individuals who work here has increased greatly. The dedication and professionalism exhibited by the staff has been inspiring.
So, to the staff members in the audience or reading this speech, I want you to know how much I appreciate all of your outstanding work. Thank you for your service to the Commission and to the country.
Thank you very much for listening. I hope you enjoy the conference today. I appreciate the opportunity to be here, and I am happy to answer a few questions.