Cady Bar the Door

Insight & Commentary on SEC Enforcement Actions and White Collar Crime

Martin Shkreli, Criminal Forfeiture, and the Wu-Tang Clan

Posted in Asset Forfeiture

The S&P Schadenfreude Index hit an all-time high yesterday when Martin Shkreli was arrested and indicted for securities fraud related to a hedge fund he used to run.  The SEC sued him, too.  Here’s how the Justice Department describes part of his alleged scheme:

Between September 2009 and January 2011, Shkreli and his co-conspirators falsely represented to potential investors, among other things, that: (i) MSMB Capital was a transparent investment vehicle for sophisticated investors with monthly liquidity; (ii) Shkreli would only receive a one percent management fee per year based on net assets of the partnership; (iii) Shkreli was entitled to receive twenty percent of the limited partners’ net profits for the year; and (iv) MSMB Capital had retained independent certified public accountants as auditors who would issue an audit report on the annual financial statements. Shkreli also failed to disclose to investors that he had lost all the money he managed in Elea Capital, his prior hedge fund, and that Lehman Brothers had a $2.3 million default judgment against him. Finally, Shkreli lied to his biggest investor telling him that MSMB Capital had $35 million in assets under management, when in fact MSMB Capital had less than $700 in its bank and brokerage accounts. Based on these and other false representations, Shkreli and his co-conspirators induced approximately $3 million in investments from eight investors.

Daraprim Price-Spike

You’ll remember, of course, that Shkreli is the enterprising child who entered public consciousness in September after executing a splendiferous price-raising plan with an immune system drug known as Daraprim.  As Bloomberg says, Shkreli’s company, Turing Pharmaceuticals AG, bought the drug, moved it to a closed distribution system, and instantly raised the price over 5,000%.  Shkreli’s plan united Hillary Clinton, Donald Trump, and Bernie Sanders in their condemnation.

Once upon a Time in Shaolin

Meanwhile, earlier this year the Wu-Tang Clan published its seventh album, Once upon a Time in Shaolin.  I didn’t say “released” because they really didn’t release it.  They created a single copy, not to be further exploited commercially for 88 years, and auctioned it for what turned out to be $2 million.  The high bidder gloriously turned out to be Martin Shkreli.  Wu-Tang leader RZA was sad about that, saying, “The sale of Once Upon a Time in Shaolin was agreed upon in May, well before Martin Shkreli’s business practices came to light. We decided to give a significant portion of the proceeds to charity.”  That, in turn, saddened Shkreli, who said, among other things, “If I hand you $2 million, f***ing show me some respect. At least have the decency to say nothing or ‘no comment.’ ”

Will the album be forfeited?

So what happens to the album now?  Lots of other people wondered the same thing yesterday.  Did FBI agents seize it in their arrest of Shkreli on Thursday morning?  The FBI apparently heard enough of these questions that it felt compelled to release this tweet on Thursday afternoon:

So the question is answered for now.  But Shkreli’s indictment does include a criminal forfeiture allegation.  Under 18 U.S.C. § 981, the government is seeking forfeiture of any property derived from proceeds traceable to Shkreli’s alleged offenses.  Now, many of the allegations relate to years-old conduct.  Maybe the proceeds of this conduct have been sent overseas, or have diminished in value, or commingled with other property such that the proceeds can’t be separated again.  In that case, the government can seek “substitute property” under 21 U.S.C. § 853(p).  All of which is to say: the album is in play!  If Shkreli is convicted, Once upon a Time in Shaolin might be subject to a criminal forfeiture order and handed over to the government.  And what then?  Will the contractual constraints that applied to Shkreli run to the government?  Will President Obama get to keep it in the White House?  Will the Attorney General get a turn with it?  We live in a glorious age.  Shimmy shimmy yah.

The Insider Trading Cartoon Series, Vol. I — Classical Theory

Posted in Insider Trading

We’re trying something new here at Cady Bar the Door.  Below is the first volume of what I hope will be a long-running animation series on insider trading.  The first episode describes and portrays the classical theory of insider trading, also known as the abstain-or-disclose theory.  We may try series on other topics as well.  Let us know what you think.

SEC Says No More Mr. Nice Guy on Investment Adviser Cybersecurity

Posted in Cybersecurity, Investment Advisers

Over the last couple years, the SEC’s cybersecurity bark has been worse than its bite.  Its Office of Compliance, Inspections, and Examinations issued examination priorities in 2014.  Commissioner Aguilar warned public company boards that they had better get smart about the topic a few months later.  The results of OCIE’s cybersecurity exam sweep were released in March of this year.  And the Investment Management Division said words, not many words, about investment advisers’ responsibilities in this area in July.

Alleged Facts

What it hasn’t done recently is sue somebody for violating Reg. S-P.  But yesterday it did.  According to the SEC’s settled administrative order:

  • St. Louis-based R.T. Jones Capital Equities Management stored sensitive personally identifiable information (PII) of clients and others on its third party-hosted web server from September 2009 to July 2013.
  • Throughout this period, R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.
  • An unknown hacker gained access to the firm’s web server in July 2013, rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones’s clients, vulnerable to theft.

The Safeguards Rule

Whoops.  But while all of that sounds bad, it’s not actually what the firm is being sued over.  At issue is Reg. S-P’s Rule 30(a), the Safeguards Rule, which says, “Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”  And unfortunately, R.T. Jones allegedly failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information.  Put another way, if R.T. Jones did have written policies and procedures designed to avoid the failures bulleted above, the cyber attack might have been avoided and we wouldn’t be here.  It’s paying a $75,000 civil penalty to put this matter behind it.

Fortunately, to date, R.T. Jones has not received any indications of a client suffering financial harm as a result of the attack.  And the firm appears to have acted quickly and responsibly once it did discover the breach.

Three Thoughts

I have three quick thoughts.  First, this is a relatively easy case for the SEC to bring.  R.T. Jones didn’t just have inadequate policies and procedures.  According to the SEC’s order, it didn’t have any written policies and procedures reasonably designed to safeguard its clients’ PII.  Second, over 90% of the individuals whose information was compromised were not even R.T. Jones clients, but participants in an investment plan that R.T. Jones had joined.  The information appears to have been useful to R.T. Jones in the aggregate, but perhaps not so as to individuals.  If not, the firm might have purged that information from its systems and avoided the liability from losing their data.  Finally, periodic risk assessments, firewalls, encryption, and a cybersecurity response plan seem like good ideas right now.  But you knew that already.

Nothing to See in This Story about the Electronic Communications Privacy Act

Posted in Cybersecurity, Investigations

Check out this story.  In it, we learn this:

Andrew Ceresney, director of the Division of Enforcement at the Securities and Exchange Commission, [told] the Senate’s Committee on the Judiciary at a hearing on Wednesday morning that the pending Electronic Communications Privacy Act Amendments Act would impede the ability of the SEC and other civil law enforcement agencies to investigate and uncover financial fraud and other unlawful conduct. Ceresney testified that the bill, intended to modernize portions of the Electronic Communications Privacy Act which became law in 1986, would frustrate the SEC’s efforts to gather evidence, including communications such as emails, directly from an Internet services provider.

So.  Let’s talk about what’s really at issue here.  We’re not talking about emails collected from companies with their own domain names and servers.  If a company maintains its own emails for its own purposes, the company is not a “provider of electronic communication service” under the ECPA and those emails are subject to SEC subpoenas just like its other documents.

But take, say, Google and Yahoo, among many others.  They are providers of electronic communication services.  Here’s what 18 U.S.C. § 2703(a) says about them:

A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

In plainer English, the SEC may require Google to disclose the contents of its customer’s emails if the emails have been in storage for 181 days.  For newer emails, the government must have a search warrant, which the SEC can’t get as a civil enforcement authority.

For the SEC, the ECPA typically comes up when it is investigating people who are not using corporate email addresses.  For example, Ponzi schemes and prime bank frauds are often going to be run on hotmail.com, not citigroup.com.  The problem for the SEC is, people running Ponzi schemes tend to have few issues with deleting incriminating emails.  And Google isn’t obligated to keep those deleted emails for any particular time period.  So if some guy defrauds a bunch of people and then quickly deletes the emails explaining how the fraud happened, there’s not a lot the SEC can do about it.  So it is very, very rare when the SEC is successful in using the ECPA to get emails from “providers of electronic communication service.”  And so . . . when Andrew Ceresney tells the Senate Judiciary Committee that amendments to the ECPA could impede civil law enforcement’s ability to uncover financial fraud and other unlawful conduct, he’s sort of right.  I might make the same argument if I were in his shoes.  But he’s also saying something that is almost inconsequential.  If the ECPA is not amended, the SEC will have a very hard time getting a hold of useful gmails.  If the ECPA is amended, it will have a very hard time getting a hold of useful gmails.  Just about every other issue in data privacy and securities enforcement is more significant than this one.