
Cady Bar the Door

Insight & Commentary on SEC Enforcement Actions and White Collar Crime

The Insider Trading Cartoon Series, Vol. I — Classical Theory

Posted in Insider Trading

We’re trying something new here at Cady Bar the Door.  Below is the first volume of what I hope will be a long-running animation series on insider trading.  The first episode describes and portrays the classical theory of insider trading, also known as the abstain-or-disclose theory.  We may try series on other topics as well.  Let us know what you think.

SEC Says No More Mr. Nice Guy on Investment Adviser Cybersecurity

Posted in Cybersecurity, Investment Advisers

Over the last couple years, the SEC’s cybersecurity bark has been worse than its bite.  Its Office of Compliance, Inspections, and Examinations issued examination priorities in 2014.  Commissioner Aguilar warned public company boards that they had better get smart about the topic a few months later.  The results of OCIE’s cybersecurity exam sweep were released in March of this year.  And the Investment Management Division said words, not many words, about investment advisers’ responsibilities in this area in July.

Alleged Facts

What it hasn’t done recently is sue somebody for violating Reg. S-P.  But yesterday it did.  According to the SEC’s settled administrative order:

  • St. Louis-based R.T. Jones Capital Equities Management stored sensitive personally identifiable information (PII) of clients and others on its third party-hosted web server from September 2009 to July 2013.
  • Throughout this period, R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.
  • An unknown hacker gained access to the firm’s web server in July 2013, rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones’s clients, vulnerable to theft.

The Safeguards Rule

Whoops.  But while all of that sounds bad, it’s not actually what the firm is being sued over.  At issue is Reg. S-P’s Rule 30(a), the Safeguards Rule, which says, “Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”  And unfortunately, R.T. Jones allegedly failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information.  Put another way, if R.T. Jones did have written policies and procedures designed to avoid the failures bulleted above, the cyber attack might have been avoided and we wouldn’t be here.  It’s paying a $75,000 civil penalty to put this matter behind it.

Fortunately, to date, R.T. Jones has not received any indications of a client suffering financial harm as a result of the attack.  And the firm appears to have acted quickly and responsibly once it did discover the breach.

Three Thoughts

I have three quick thoughts.  First, this is a relatively easy case for the SEC to bring.  R.T. Jones didn’t just have inadequate policies and procedures.  According to the SEC’s order, it didn’t have any written policies and procedures reasonably designed to safeguard its clients’ PII.  Second, over 90% of the individuals whose information was compromised were not even R.T. Jones clients, but participants in an investment plan in which R.T. Jones had joined.  The information appears to have been useful to R.T. Jones in the aggregate, but perhaps not so as to individuals.  If not, the firm might have purged that information from its systems and avoided the liability from losing their data.  Finally, periodic risk assessments, firewalls, encryption, and a cybersecurity response plan seem like good ideas right now.  But you knew that already.

Nothing to See in This Story about the Electronic Communications Privacy Act

Posted in Cybersecurity, Investigations

Check out this story.  In it, we learn this:

Andrew Ceresney, director of the Division of Enforcement at the Securities and Exchange Commission, [told] the Senate’s Committee on the Judiciary at a hearing on Wednesday morning that the pending Electronic Communications Privacy Act Amendments Act would impede the ability of the SEC and other civil law enforcement agencies to investigate and uncover financial fraud and other unlawful conduct. Ceresney testified that the bill, intended to modernize portions of the Electronic Communications Privacy Act which became law in 1986, would frustrate the SEC’s efforts to gather evidence, including communications such as emails, directly from an Internet services provider.

So.  Let’s talk about what’s really at issue here.  We’re not talking about emails collected from companies with their own domain names and servers.  If a company maintains its own emails for its own purposes, the company is not a “provider of electronic communication service” under the ECPA and those emails are subject to SEC subpoenas just like its other documents.

But take, say, Google and Yahoo, among many others.  They are providers of electronic communication services.  Here’s what 18 U.S.C. § 2703(a) says about them:

A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

In plainer English, the SEC may require Google to disclose the contents of its customer’s emails if the emails have been in storage for 181 days.  For newer emails, the government must have a search warrant, which the SEC can’t get as a civil enforcement authority.

For the SEC, the ECPA typically comes up when it is investigating people who are not using corporate email addresses.  For example, Ponzi schemes and prime bank frauds are often going to be run on hotmail.com, not citigroup.com.  The problem for the SEC is, people running Ponzi schemes tend to have few issues with deleting incriminating emails.  And Google isn’t obligated to keep those deleted emails for any particular time period.  So if some guy defrauds a bunch of people and then quickly deletes the emails explaining how the fraud happened, there’s not a lot the SEC can do about it.  So it is very, very rare when the SEC is successful in using the ECPA to get emails from “providers of electronic communication service.”  And so . . . when Andrew Ceresney tells the Senate Judiciary Committee that amendments to the ECPA could impede civil law enforcement’s ability to uncover financial fraud and other unlawful conduct, he’s sort of right.  I might make the same argument if I were in his shoes.  But he’s also saying something that is almost inconsequential.  If the ECPA is not amended, the SEC will have a very hard time getting a hold of useful gmails.  If the ECPA is amended, it will have a very hard time getting a hold of useful gmails.  Just about every other issue in data privacy and securities enforcement is more significant than this one.

Second Circuit Expands Scope of Dodd-Frank Anti-Retaliation Provisions, Sets up Chance for Supreme Court Review

Posted in Whistleblowers

Once upon a time, Daniel Berman was the finance director of Neo@Ogilvy LLC, a subsidiary of the publicly-traded WPP Group USA, Inc.  He did not find a handsome prince or princess there.  According to the allegations of a complaint he later filed, Berman discovered various practices at Neo that amounted to accounting fraud. He also alleged that these practices violated GAAP, Sarbanes-Oxley, and Dodd-Frank, and that he had reported these violations internally.  A senior officer at Neo became angry with Berman, and he was terminated as a result of his “whistleblower” activities in April 2013. In August 2013 he reported his allegations to the WPP Audit Committee.  In October 2013, after the limitations period on one of his Sarbanes-Oxley claims had ended, he provided information to the SEC.  In January 2014, Berman sued Neo and WPP, alleging that he was discharged in violation of the whistleblower protection provisions of section 21F of Dodd-Frank and in breach of his employment contract.

Berman eventually provided his information to the SEC, so under Dodd-Frank Section 21F(b) he is eligible to collect an award from the Commission if that information leads to a successful enforcement action.  But is Berman protected by Dodd-Frank’s anti-retaliation provisions even though he didn’t give his information to the SEC until after he was fired?  Last Thursday, the Second Circuit said yes.

Statutory Provisions

Section 21F(a)(6) defines a “whistleblower” as “any individual who provides . . . information relating to a violation of the securities laws to the Commission . . . .”  Section 21F(h)(1)(A) provides:

(A) In General – No employer may discharge, demote, suspend, threaten, harass, directly or indirectly, or in any other manner discriminate against, a whistleblower in the terms and conditions of employment because of any lawful act done by the whistleblower–

(i) in providing information to the Commission in accordance with this section;

(ii) in initiating, testifying in, or assisting in any investigation or judicial or administrative action of the Commission based upon or related to such information; or

(iii) in making disclosures that are required or protected under the Sarbanes-Oxley Act of 2002 (U.S.C. 7201 et seq.), this chapter [i.e., the Exchange Act], including section 78j-1(m) of this title [i.e., Section 10A(m) of the Exchange Act], section 1513(e) of Title 18, and any other law, rule, or regulation subject to the jurisdiction of the Commission.

Judge Jacobs’s Dissent

It might make sense to look at Judge Jacobs’s dissent first.  For him, the statutory provisions quoted above say what they say, and he doesn’t need much more to complete his analysis.  Which is this: because Berman didn’t report his information to the Commission before his termination in April 2013, he was not a “whistleblower” under Section 21F(a)(6).  And if he’s not a whistleblower, then his employer may, in fact, discharge, demote, suspend, threaten, harass, or in any manner discriminate against him because of his lawful acts in making his internal reports of potential securities law violations.  As unattractive as the result might be, this analysis has a simplicity that’s hard to ignore.

The Majority Opinion

Still, the SEC wants its whistleblower program to be robust.  And it doesn’t want employers to retaliate against employees when they report securities violations internally before reporting them to the SEC, as its rules generally encourage people to do.  Seeking to prevent that from happening, the SEC passed Rule 21F-2(b)(1), which says, among other things, “The anti-retaliation protections apply whether or not you satisfy the requirements, procedures and conditions to qualify for an award.”  And just last month the SEC issued an interpretive release “to clarify that, for purposes of the employment retaliation protections provided by Section 21F . . . , an individual’s status as a whistleblower does not depend on adherence to the reporting procedures specified in Exchange Act Rule 21F-9(a) [specifying procedures to be followed to qualify for a whistleblower award], but is determined solely by the terms of Exchange Act Rule 21F-2(b)(1).”

That is, the SEC doesn’t really care if an employee reports internally only.  The Commission still wants that employee to be protected by the anti-retaliation provision of Section 21F(h)(1)(A).

For the majority opinion, that’s enough to open the door to Chevron deference to the SEC’s interpretation and determine whether the statute contains enough ambiguity to allow it to defer to that interpretation.  Because while 21F(a)(6) defines a “whistleblower” as someone who reports information to the SEC, subsection (iii) of Section 21F(h)(1)(A) protects people whose information is reported internally and not necessarily to the SEC.

The court says:

First, although there may be some potential whistleblowers who will report wrongdoing simultaneously to their employer and the Commission, they are likely to be few in number. Some will surely feel that reporting only to their employer offers the prospect of having the wrongdoing ended, with little chance of retaliation, whereas reporting to a government agency creates a substantial risk of retaliation.

Second, and more significant, there are categories of whistleblowers who cannot report wrongdoing to the Commission until after they have reported the wrongdoing to their employer. Chief among these are auditors and attorneys.

Anyway, Berman’s suit for being retaliated against has been revived, and the Second Circuit is now in conflict with the Fifth Circuit’s decision in Asadi v. G.E. Energy (USA), L.L.C., 720 F.3d 620 (5th Cir. 2013).  Lots of district courts have gone both ways on this issue.  The Supreme Court might be next.

Executive Assistant Embezzles $1 Million from Hewlett Packard; as yet, SEC Doesn’t Care

Posted in Financial Fraud, Investigations, Non-scienter-based Violations

Surely you remember the SEC’s case against Polycom from this spring.  In it, the SEC alleged that Polycom CEO Andrew Miller had “created hundreds of false expense reports with bogus business descriptions for his personal use of company dollars to pay for meals, entertainment, and gifts.”  It’s hard to tell exactly how much is at issue in that case, but the complaint says “Miller obtained . . . at least $190,000 [in perks] that were not disclosed to investors.”  In addition to charging Miller in federal court, the SEC brought an administrative case against Polycom itself, partly for having inadequate internal controls over Miller’s expenses.

I thought about the Polycom matter late last month when I read about Holli Dawn Coulman, an executive assistant from Hewlett Packard, being sentenced to prison for 21 months after embezzling almost $1 million from the company.  Here’s what the Justice Department’s press release says:

The fraud was possible as Coulman was entrusted with a number of American Express corporate credit cards as a result of her position at HP. These credit cards were to be used solely for authorized and approved business expenses. Coulman, however, used the cards to support an extravagant and luxurious lifestyle, including spending: (1) in excess of $100,000 at the La Costa Resort Spa; (2) more than $43,000 at the Lodge at Pebble Beach and Casa Palmero at Pebble Beach; (3) thousands of dollars in airfare for trips to Hawaii and Europe; (4) thousands of dollars purchasing items at the Apple Store; (5) more than $33,000 in BTO Sports motocross gear; and (6) thousands of dollars in charges to Neiman Marcus and Nordstroms. In addition, Coulman admitted using the company credit cards to pay for more than $350,000 in expenses accrued by her brother’s custom painting business in Colorado.

Now, I don’t wish ill upon Hewlett Packard.  And I’m quite sympathetic to the position of a company being defrauded by one of its own employees.  That is, it’s not a lot of fun to be the victim of a crime and then be charged with violations yourself.  And, to be fair to HP, Coulman took some steps to conceal her thefts of all of those spa treatments and motocross gear.

Again to the press release:

Coulman went to great lengths to cover up her theft of company funds. Among other things, she intercepted e-mails sent from HP program administrators that questioned her various personal expenditures. After intercepting the incriminating e-mails, Coulman would often delete them before they could be reviewed by her boss, a senior vice president. Occasionally, Coulman would fabricate responses indicating that the expenses had been authorized by her boss, even going so far as to submit fabricated supporting documentation, receipts, and invoices.

On the other hand, as far as criminal schemes go, we’re not exactly talking Ocean’s Eleven-level planning here.  If the press release is to be believed, HP accounting staff (1) saw $33,000 in charges for BTO Sports motocross gear, (2) thought that was weird, (3) emailed Coulman’s boss about it, knowing Coulman probably had access to those emails, (4) didn’t get a response, and (5) said, “Meh.”  Also: fabricated receipts and invoices?  Even if Coulman produced the most impossibly pristine fake receipts for $100,000 in purchases from the La Costa Resort Spa, how could that be enough?  Some person needed to ask another person – maybe in person, but at least over the phone – what on Earth was going on with these expenses, and what they were for.  Put another way, if your typical procedures aren’t getting sufficient answers, think about what you need to do to get those answers.  It doesn’t look like anybody ever did that at Hewlett Packard.

Which brings me back to Polycom.  Obviously that case was different given that Miller is the company’s CEO and therefore brings a number of questions related to executive compensation.  But as to the company’s internal controls under Section 13(b)(2)(B) of the Exchange Act, it seems like Hewlett Packard has some issues!  Coulman spent almost $1 million of the company’s money on pretty stupid things, and I bet HP’s investors would rather have it.  I can’t tell that the SEC is investigating, but wouldn’t be shocked if another press release from the Commission appeared in the near future.

SEC Comments on Whistleblower Anti-Retaliation Provisions/Internal Reporting

Posted in SEC Litigation, Whistleblowers

In the wake of Dodd-Frank’s passage in July 2010, many companies and corporate organizations lobbied the SEC on its upcoming whistleblower rules.  One of their specific goals was to require whistleblowers, to be eligible for the awards provided in the statute, to report potential securities violations to internal compliance departments before bringing them to the Commission.  Ultimately, the SEC didn’t go along.  In writing the various provisions of Rule 21F, it built in a number of incentives to encourage internal reporting, but didn’t require it.

Years later, there’s something of a disconnect between this push for internal reporting and the whistleblower rule’s anti-retaliation provisions.  In brief, some companies are arguing in litigation that the anti-retaliation provisions don’t apply unless whistleblowers go directly to the SEC with their tips.  Put another way, if the whistleblower makes securities law allegations to an internal corporate compliance department, the company cannot be constrained by the anti-retaliation provisions as it deals with the whistleblower.  This position has prevailed in one federal circuit, Asadi v. G.E. Energy (USA), LLC, 720 F.3d 620 (5th Cir. 2013), and the issue is pending in another, Berman v. Neo@Ogilvy LLC, 14-4626 (2d Cir.).

It’s a little odd in that the position that’s in the best interest of an individual company in specific litigation may not be in the best interest of public companies generally.  That is, an individual company wants to stop a lawsuit against it however it can.  But more broadly, companies still want to encourage their employees to report potential securities violations internally before racing off to the SEC.  And if the Asadi position spreads to other circuits, and internal reporters are deemed not to have the protection of the anti-retaliation provisions, they won’t make internal reports.  They’ll do what’s in their self-interest, and go to the SEC directly.

The SEC’s position is that the anti-retaliation provisions do apply to whistleblowers who make internal reports.  They’ve said as much in amicus briefs, and on August 4th the Commission issued an Interpretation of the SEC’s Whistleblower Rules under Section 21F of the Securities Exchange Act of 1934.   The interpretation reaffirms this position, and is plainly designed to guide courts that consider the issue, including the Second Circuit in the upcoming Berman case.

As the issue unfolds, companies may be pulling for the SEC to prevail in its interpretation, even if they would be fighting tooth and nail against it if they were facing the question in litigation.