Securities & Exchange Commission v. Dorozhko

08-0201-cv
SEC v. Dorozhko

UNITED STATES COURT OF APPEALS
FOR THE SECOND CIRCUIT

August Term, 2008

(Argued: April 3, 2009 Decided: July 22, 2009)

Docket No. 08-0201-cv

SECURITIES AND EXCHANGE COMMISSION ,

Plaintiff-Appellant,

v.

OLEKSANDR DOROZHKO ,

Defendant-Appellee.

Before: CABRANES, HALL, Circuit Judges, and SULLIVAN , District Judge.*

Plaintiff appeals an order of the United States District Court for the Southern District of

New York (Naomi Reice Buchwald, Judge) entered January 8, 2008, denying plaintiff’s motion for a

preliminary injunction on the grounds that the conduct alleged in the complaint—essentially,

computer hacking—cannot be “deceptive” under Section 10(b) of the Securities Exchange Act of

1934 as defined by the Supreme Court unless the conduct involved a breach of a fiduciary duty. See

SEC v. Dorozhko, 606 F. Supp. 2d 321 (S.D.N.Y. 2008). We hold that nothing in the Supreme

Court’s jurisprudence or prior decisions of our Court expressly imposes a fiduciary-duty requirement

on the ordinary meaning of “deceptive” where the alleged fraud is an affirmative misrepresentation

rather than a nondisclosure.

*
The Honorable Richard J. Sullivan, of the United States District Court for the Southern
District of New York, sitting by designation.

1
 Vacated and remanded.

MARK PENNINGTON , Assistant General Counsel (Brian G.
Cartwright, General Counsel, Andrew N. Vollmer,
Deputy General Counsel, Jacob H. Stillman, Solicitor,
and David Lisitza, Attorney, on the brief), Washington,
D.C.

CHARLES A. ROSS (Christopher L. Padurano and Stephanie
M. Carvlin, on the brief) Charles A. Ross & Assoc.,
LLC, New York, NY.

JOSÉ A. CABRANES, Circuit Judge:

We are asked to consider whether, in a civil enforcement lawsuit brought by the United

States Securities and Exchange Commission (“SEC”) under Section 10(b) of the Securities

Exchange Act of 1934 (“Section 10(b)”), computer hacking may be “deceptive” where the hacker

did not breach a fiduciary duty in fraudulently obtaining material, nonpublic information used in

connection with the purchase or sale of securities. For the reasons stated herein, we answer the

question in the affirmative.

BACKGROUND

In early October 2007, defendant Oleksandr Dorozhko, a Ukranian national and resident,

opened an online trading account with Interactive Brokers LLC (“Interactive Brokers”) and

deposited $42,500 into that account. At about the same time, IMS Health, Inc. (“IMS”) announced

that it would release its third-quarter earnings during an analyst conference call scheduled for

October 17, 2007 at 5 p.m.—that is, after the close of the securities markets in New York City. IMS

had hired Thomson Financial, Inc. (“Thomson”) to provide investor relations and web-hosting

services, which included managing the online release of IMS’s earnings reports.

Beginning at 8:06 a.m. on October 17, and continuing several times during the morning and

early afternoon, an anonymous computer hacker attempted to gain access to the IMS earnings

2
report by hacking into a secure server at Thomson prior to the report’s official release. At 2:15

p.m.—minutes after Thomson actually received the IMS data—that hacker successfully located and

downloaded the IMS data from Thomson’s secure server.

Beginning at 2:52 p.m., defendant—who had not previously used his Interactive Brokers

account to trade—purchased $41,670.90 worth of IMS “put” options that would expire on October

25 and 30, 2007.1 These purchases represented approximately 90% of all purchases of “put” options

for IMS stock for the six weeks prior to October 17. In purchasing these options, which the SEC

describes as “extremely risky,” defendant was betting that IMS’s stock price would decline

precipitously (within a two-day expiration period) and significantly (by greater than 20%).

Appellant’s Br. 2.

At 4:33 p.m.—slightly ahead of the analyst call—IMS announced that its earnings per share

were 28% below “Street” expectations, i.e., the expectations of many Wall Street analysts. When the

market opened the next morning, October 18, at 9:30 a.m., IMS’s stock price sank approximately

28% almost immediately—from $29.56 to $21.20 per share. Within six minutes of the market

opening, defendant had sold all of his IMS options, realizing a net profit of $286,456.59 overnight.

Interactive Brokers noticed the irregular trading activity and referred the matter to the SEC,

which now alleges that defendant was the hacker. See SEC v. Dorozhko, 606 F. Supp. 2d 321, 323

(S.D.N.Y. 2008) (explaining that the SEC’s theory rests on “two undisputed events: (1) the fact of

the hack, and (2) the proximity to the hack of the trades by [defendant,] who was the only individual

to trade heavily in IMS Health put options subsequent to the hack”). On October 29, 2007, the

SEC sought and received from the United States District Court for the Southern District of New

1
A “put” is “[a]n option that conveys to its holder the right, but not the obligation, to sell a
specific asset at a predetermined price until a certain date. . . . Investors purchase puts in order to
take advantage of a decline in the price of the asset.” David L. Scott, Wall Street Words 295 (2003).
3
York (Naomi Reice Buchwald, Judge) a temporary restraining order freezing the proceeds of the

“put” option transactions in defendant’s brokerage account. The District Court held a preliminary

injunction hearing on the matter on November 28, 2007, at which it heard testimony and considered

various affidavits.

On January 8, 2008, in a thoughtful and careful opinion, the District Court denied the SEC’s

request for a preliminary injunction because the SEC had not shown a likelihood of success.

Specifically, the District Court ruled that computer hacking was not “deceptive” within the meaning

of Section 10(b) as defined by the Supreme Court. According to the District Court, “a breach of a

fiduciary duty of disclosure is a required element of any ‘deceptive’ device under § 10b.” Dorozhko,

606 F. Supp. 2d at 330. The District Court reasoned that since defendant was a corporate outsider

with no special relationship to IMS or Thomson, he owed no fiduciary duty to either. Although

computer hacking might be fraudulent and might violate a number of federal and state criminal

statutes, the District Court concluded that this behavior did not violate Section 10(b) without an

accompanying breach of a fiduciary duty.

This appeal followed. On appeal, the SEC maintains its theory that the fraud in this case

consists of defendant’s alleged computer hacking, which involves various misrepresentations. The

SEC does not argue that defendant breached any fiduciary duties as part of his scheme. In this

critical regard, we recognize that the SEC’s claim against defendant—a corporate outsider who

owed no fiduciary duties to the source of the information—is not based on either of the two

generally accepted theories of insider trading. See United States v. Cusimano, 123 F.3d 83, 87 (2d Cir.

1997) (distinguishing “the traditional theory of insider trading, under which a corporate insider

trades in the securities of his own corporation on the basis of material, non-public information,”

from “the misappropriation theory, [under which] § 10(b) and Rule 10b-5 are violated whenever a

person trades while in knowing possession of material, non-public information that has been gained
4
in violation of a fiduciary duty to its source”). The SEC’s claim is nonetheless based on a claim of

fraud, and we turn our attention to whether this fraud is “deceptive” within the meaning of Section

10(b).

DISCUSSION

Standard of Review

We review the grant or denial of a preliminary injunction for abuse of discretion. E.g.,

Kickham Hanley P.C. v. Kodak Retirement Income Plan, 558 F.3d 204, 209 (2d Cir. 2009) (“[A]buse of

discretion . . . occurs when (1) its decision rests on an error of law or a clearly erroneous factual

finding, or (2) its decision—though not necessarily the product of a legal error or a clearly erroneous

factual finding—cannot be located within the range of permissible decisions.”(internal citations,

parentheticals, and quotation marks omitted)); Davis v. New York, 316 F.3d 93, 102 (2d Cir. 2002).

“Deceptive Device”

“Section 10(b) prohibits the use or employ, in connection with the purchase or sale of any

security . . . , [of] any manipulative or deceptive device or contrivance in contravention of such rules

and regulations as the [SEC] may prescribe.” 15 U.S.C. § 78j(b).2 The instant case requires us to

2
The regulation promulgated by the SEC pertinent to the instant case is Rule 10b-5, which
provides, in relevant part:

It shall be unlawful for any person, directly or indirectly . . .

(a) To employ any device, scheme, or artifice to defraud,

(b) To make any untrue statement of a material fact or to omit to state a material fact
necessary in order to make the statements made, in the light of the circumstances under
which they were made, not misleading, or

(c) To engage in any act, practice, or course of business which operates or would operate as
a fraud or deceit upon any person,

in connection with the purchase or sale of any security.

5
decide whether the “device” in this case—computer hacking—could be “deceptive.”3

In construing the text of any federal statute, we first consider the precedents that bind us as

an intermediate appellate court—namely, the holdings of the Supreme Court and those of prior

panels of this Court, which provide definitive interpretations of otherwise ambiguous language.

Insofar as those precedents fail to resolve an apparent ambiguity, we examine the text of the statute

itself, interpreting provisions in light of their ordinary meaning and their contextual setting. See

United States v. Magassouba, 544 F.3d 387, 404 (2d Cir. 2008) (“In determining whether statutory

language is ambiguous, we ‘reference . . . the language itself, the specific context in which that

language is used, and the broader context of the statute as a whole.’” (quoting Robinson v. Shell Oil

Co., 519 U.S. 337, 341 (1997))). Where the statutory language remains ambiguous, “we resort to

canons of construction and, if the meaning still remains ambiguous, to legislative history.”

Magassouba, 544 F.3d at 404 (internal alterations and quotation marks omitted).

The District Court determined that the Supreme Court has interpreted the “deceptive”

element of Section 10(b) to require a breach of a fiduciary duty. See Dorozhko, 606 F. Supp. 2d at

338 (“[T]he Supreme Court has in a number of opinions carefully established that the essential

17 C.F.R. § 240.10b-5.
3
In the District Court’s view, “the alleged ‘hacking and trading’ was a ‘device or contrivance’
within the meaning of the statute.” Dorozhko, 606 F. Supp. 2d at 328. The District Court further
observed that the scheme was “in connection with” the purchase or sale of securities because the
close temporal proximity of the hacking to the trading (everything occurred in less than twenty-four
hours) and the cohesiveness of the scheme (establishing the trading account, stealing the
confidential information within minutes of its availability, and trading on it within minutes of the
next day’s opening bell) suggest that hacking into the Thomson computers was part of a single
scheme to commit securities fraud. See id. at 328-29; see also SEC v. Zandford, 535 U.S. 813, 822
(2002) (holding that “in connection with” means “to coincide”). The District Court also concluded
that the alleged hacking was not “manipulative” because the Supreme Court has defined that word
to cover exclusively practices “intended to mislead investors by artificially affecting market activity.”
See Dorozhko, 606 F. Supp. 2d at 329 (quoting Santa Fe Indus. v. Green, 430 U.S. 462, 476 (1977)). The
parties do not challenge these conclusions in this appeal.
6
component of a § 10(b) violation is a breach of a fiduciary duty to disclose or abstain that coincides

with a securities transaction.”). The District Court reached this conclusion by relying principally on

three Supreme Court opinions: Chiarella v. United States, 445 U.S. 222 (1980), United States v. O’Hagan,

521 U.S. 642 (1997), and SEC v. Zandford, 535 U.S. 813 (2002). We consider each of these cases in

turn.

In Chiarella, the defendant was employed by a financial printer and used information passing

through his office to trade securities offered by acquiring and target companies. In a criminal

prosecution, the government alleged that the defendant committed fraud by not disclosing to the

market that he was trading on the basis of material, nonpublic information. The Supreme Court

held that defendant’s “silence,” or nondisclosure, was not fraud because he was under no obligation

to disclose his knowledge of inside information. “When an allegation of fraud is based upon

nondisclosure, there can be no fraud absent a duty to speak. We hold that a duty to disclose under

§10(b) does not arise from the mere possession of nonpublic market information.” 445 U.S. at 235;

see also United States v. Chestman, 947 F.2d 551, 575 (2d Cir. 1991) (Winter, J., concurring in part and

dissenting in part) (stating that, after Chiarella, “silence cannot constitute a fraud absent a duty to

speak owed to those who are injured”). Justice Blackmun, joined by Justice Marshall, dissented. In

their view, stealing information from an employer was fraudulent within the meaning of Section

10(b) because the statute was designed as a “catchall” provision to protect investors from unknown

risks. Id. at 246 (Blackmun, J., dissenting). According to Justice Blackmun, the majority had

“confine[d]” the meaning of fraud “by imposition of a requirement of a ‘special relationship’ akin to

fiduciary duty before the statute gives rise to a duty to disclose or to abstain from trading upon

material, nonpublic information.” Id.4

4
Although the District Court construed Justice Blackmun’s dissent to suggest that “no
breach of fiduciary duty should be required to uphold a conviction under § 10(b),” Dorozhko, 606 F.
7
 In O’Hagan, the defendant was an attorney who traded in securities based on material,

nonpublic information regarding his firm’s clients. As in Chiarella, the government alleged that the

defendant had committed fraud through “silence” because the defendant had a duty to disclose to

the source of the information (his client) that he would trade on the information. The Supreme

Court agreed, noting that “[d]eception through nondisclosure is central to the theory of liability for

which the Government seeks recognition.” 521 U.S. at 654. “[I]f the fiduciary discloses to the

source that he plans to trade on the nonpublic information, there is no ‘deceptive device’ and thus

no § 10(b) violation—although the fiduciary-turned-trader may remain liable under state law for

breach of a duty of loyalty.” Id. at 655.

In Zandford, the defendant was a securities broker who traded under a client’s account and

transferred the proceeds to his own account. The Fourth Circuit held that the defendant’s fraud was

not “in connection with” the purchase or sale of a security because it was mere theft that happened

to involve securities, rather than true securities fraud. The Supreme Court reversed in a unanimous

opinion, observing that Section 10(b) “should be construed not technically and restrictively, but

flexibly to effectuate its remedial purposes.” 535 U.S. at 819. Although the Court warned that not

“every common-law fraud that happens to involve securities [is] a violation of § 10(b),” id. at 820,

the defendant’s scheme was a single plan to deceive, rather than a series of independent frauds, and

was therefore “in connection with” the purchase or sale of a security, id. at 825. In a final footnote,

the Court offered the following observation: “[I]f the broker told his client he was stealing the

client’s assets, that breach of fiduciary duty might be in connection with a sale of securities, but it

would not involve a deceptive device or fraud.” 535 U.S. at 825 n.4. In the instant case, the District

Supp. 2d at 333, we read this dissent in light of the circumstances of Chiarella, which only considered
a fraud based on nondisclosure, not an affirmative misrepresentation. See 445 U.S. at 247
(Blackmun, J., dissenting) (“I do not agree that a failure to disclose violates . . . Rule [10b-5] only when
the responsibilities of a [fiduciary] relationship . . . have been breached.” (emphasis added)).
8
Court interpreted the Zandford footnote as an “explicit[ ] acknowledg[ment] that Zandford would

not be liable under § 10(b) if he had disclosed to Wood that he was planning to steal his money.”

Dorozhko, 606 F. Supp. 2d at 338.

The District Court concluded that in Chiarella, O’Hagan, and Zandford, the Supreme Court

developed a requirement that any “deceptive device” requires a breach of a fiduciary duty. In

applying that interpretation to the instant case, the District Court ruled that “[a]lthough [defendant]

may have broken the law, he is not liable in a civil action under § 10(b) because he owed no

fiduciary or similar duty either to the source of his information or to those he transacted with in the

market.” Dorozhko, 606 F. Supp. 2d at 324.5 At least one of our sister circuits has made the same

observation relying on the same precedent. See Regents of the Univ. of Cal. v. Credit Suisse First Boston

(USA), Inc., 482 F.3d 372, 389 (5th Cir. 2007) (discussing Chiarella and O’Hagan, and stating that “the

[Supreme] Court . . . has established that a device, such as a scheme, is not ‘deceptive’ unless it

involves breach of some duty of candid disclosure”).

In our view, none of the Supreme Court opinions relied upon by the District Court—much

less the sum of all three opinions—establishes a fiduciary-duty requirement as an element of every

violation of Section 10(b). In Chiarella, O’Hagan, and Zandford, the theory of fraud was silence or

nondisclosure, not an affirmative misrepresentation. The Supreme Court held that remaining silent

was actionable only where there was a duty to speak, arising from a fiduciary relationship. In

5
Some commentators grudgingly have acknowledged that the District Court’s conclusion
would be compelled under a narrow reading of Section 10(b) that covers only the “disclose or
abstain” requirement for corporate insiders other than fiduciaries. See, e.g., Robert A. Prentice, The
Internet and Its Challenges for the Future of Insider Trading Regulation, 12 Harv. J. L. & Tech. 263, 297-98
(1999) (acknowledging that, “[t]o the extent that misappropriation liability is based solely on a
breach of fiduciary duty, thieves unrelated to the source of the information could steal the
information without being in violation of existing federal securities laws”); but see id. at 300 (arguing
that “to hold that hackers are misappropriators is consistent with the pre-1934 common law upon
which Section 10(b) was based [and] is consonant with the underlying policy of Section
10(b)—investor protection” (internal footnote omitted)).
9
Chiarella, the Supreme Court held that there was no deception in an employee’s silence because he

did not have duty to speak. See 445 U.S. at 226 (“This case concerns the legal effect of the

petitioner’s silence.” (emphasis added)); see also id. at 227-28 (“At common law, misrepresentation

made for the purpose of inducing reliance upon the false statement is fraudulent. But one who fails to

disclose material information prior to the consummation of a transaction commits fraud only when he

is under a duty to do so.” (emphasis added)). In O’Hagan, an attorney who traded on client secrets

had a fiduciary duty to inform his firm that he was trading on the basis of the confidential

information. See 521 U.S. at 653 (noting that a “breach of a duty of trust and confidence . . . to his

law firm” was conduct that “satisfies § 10(b)’s requirement that chargeable conduct involve a

‘deceptive device or contrivance’”); see also id. at 654 (“Deception through nondisclosure is central to

the theory of liability for which the Government seeks recognition.” (emphasis added)). Even in

Zandford, which dealt principally with the statutory requirement that a deceptive device be used “in

connection with” the purchase or sale of a security, the defendant’s fraud consisted of not telling his

brokerage client—to whom he owed a fiduciary duty—that he was stealing assets from the account.

See 535 U.S. at 822 (“[Defendant’s brokerage clients] were injured as investors through [defendant’s]

deceptions, which deprived them of any compensation for the sale of their valuable securities.”); see

also id. at 823 (“[A]ny distinction between omissions and misrepresentations is illusory in the context

of a broker who has a fiduciary duty to her clients.”).

Chiarella, O’Hagan, and Zandford all stand for the proposition that nondisclosure in breach of

a fiduciary duty “satisfies § 10(b)’s requirement . . . [of] a ‘deceptive device or contrivance,’”

O’Hagan, 521 U.S. at 653. However, what is sufficient is not always what is necessary, and none of

the Supreme Court opinions considered by the District Court require a fiduciary relationship as an

element of an actionable securities claim under Section 10(b). While Chiarella, O’Hagan, and Zandford

all dealt with fraud qua silence, an affirmative misrepresentation is a distinct species of fraud. Even
10
if a person does not have a fiduciary duty to “disclose or abstain from trading,” there is nonetheless

an affirmative obligation in commercial dealings not to mislead. See, e.g., Basic Inc. v. Levinson, 485

U.S. 224, 240 n.18 (1988) (distinguishing “situations where insiders have traded in abrogation of

their duty to disclose or abstain,” from “affirmative misrepresentations by those under no duty to

disclose (but under the ever-present duty not to mislead)”).

In this case, the SEC has not alleged that defendant fraudulently remained silent in the face

of a “duty to disclose or abstain” from trading. Rather, the SEC argues that defendant affirmatively

misrepresented himself in order to gain access to material, nonpublic information, which he then

used to trade. We are aware of no precedent of the Supreme Court or our Court that forecloses or

prohibits the SEC’s straightforward theory of fraud.6 Absent a controlling precedent that

“deceptive” has a more limited meaning than its ordinary meaning, we see no reason to complicate

the enforcement of Section 10(b) by divining new requirements. In reaching this conclusion, we are

mindful of the Supreme Court’s oft-repeated instruction that Section 10(b) “should be construed

not technically and restrictively, but flexibly to effectuate its remedial purposes.” Zandford, 535 U.S.

6
The District Court found it “noteworthy” that in the over seventy years since the
enactment of the Securities Exchange Act of 1934, “no federal court has ever held that those who
steal material nonpublic information and then trade on it violate § 10(b),” even though “traditional
theft (e.g. breaking into an investment bank and stealing documents) is hardly a new phenomenon,
and involves similar elements for purposes of our analysis here.” Dorozhko, 606 F. Supp. 2d at 339.
The District Court suggested that “hacking and trading” schemes have been and ought to be
prosecuted under “any number of federal and/or state criminal statutes,” rather than through civil
enforcement actions. Id. at 323; see also id. at 324 (listing applicable federal criminal statutes). At the
preliminary injunction hearing, the District Court stated that it was “very disturbing” that this case
was not a federal prosecution, J.A. 889 Tr. of Preliminary Injunction Hearing at 129:20, SEC v.
Dorozhko, 606 F. Supp.2d. 321 (S.D.N.Y. Nov. 28, 2007) (No. 07 civ 9606). We intimate no view on
that question. It is enough to say that we deal with the facts presented, which in our view are
sufficient to maintain a civil enforcement claim.

11
at 819 (internal quotation marks omitted).7 Accordingly, we adopt the SEC’s proposed

interpretation of Chiarella and its progeny: “misrepresentations are fraudulent, but . . . silence is

fraudulent only if there is a duty to disclose.” Appellant’s Br. 44.

Having denied the SEC’s application for a preliminary injunction freezing defendant’s

trading account on the basis of a perceived fiduciary duty requirement stemming from the Chiarella

line of insider trading cases, the District Court did not decide whether the ordinary meaning of

“deceptive” covers the computer hacking in this case—or, indeed, whether the computer hacking in

this case involved any misrepresentation at all. Defendant invites us to remand both questions so

that the District Court may decide in the first instance.

In its ordinary meaning, “deceptive” covers a wide spectrum of conduct involving cheating

or trading in falsehoods. See Webster’s International Dictionary 679 (2d ed. 1934) (defining

“deceptive” as “tending to deceive,” and defining “deceive” as “[t]o cause to believe the false, or to

disbelieve the true” or “[t]o impose upon; to deal treacherously with; cheat”). Cf. Ernst & Ernst v.

Hochfelder, 425 U.S. 185, 199 n.20 (1976) (consulting the 1934 edition of Webster’s International

Dictionary to define other relevant terms in Section 10(b)); In re Parmalat Sec. Litig., 376 F. Supp. 2d

7
We are further counseled by the observations of Judge Augustus N. Hand, who reasoned
over fifty years ago that had Congress intended to impose a fiduciary-duty requirement on Section
10(b) liability, it would have said so. See Birnbaum v. Newport Steel Corp., 193 F.2d 461, 464 (2d Cir.
1952) (A. Hand, J.) (“When Congress intended to protect the stockholders of a corporation against a
breach of fiduciary duty by corporate insiders, it left no doubt as to its meaning. Thus Section 16(b)
of the Act of 1934 . . . expressly gave the corporate issuer or its stockholders a right of action against
corporate insiders using their position to profit in the sale or exchange of corporate securities. The
absence of a similar provision in Section 10(b) strengthens the conclusion that [Section 10(b)] was
directed solely at that type of misrepresentation or fraudulent practice usually associated with the
sale or purchase of securities rather than at fraudulent mismanagement of corporate affairs, and that
Rule [10b-5] extended protection only to the defrauded purchaser or seller.” (internal citation
omitted)). We recognize that in the instant case, the SEC is neither a purchaser nor a seller, but
brings this suit in its regulatory capacity in order to “ensure honest securities markets and . . .
promote investor confidence,” Zandford, 535 U.S. at 819.

12
472, 502 n.152 (S.D.N.Y. 2005) (consulting the 1934 edition of Webster’s International Dictionary

to define “deceptive”). In light of this ordinary meaning, it is not at all surprising that Rule 10b-5

equates “deceit” with “fraud.” See 17 C.F.R. § 240.10b-5 (prohibiting “any untrue statement of a

material fact . . . or . . . any act, practice, or course of business which operates or would operate as a fraud or

deceit upon any person, in connection with the purchase or sale of any security” (emphases added)).

Indeed, we have previously observed that the conduct prohibited by Section 10(b) and Rule 10b-5

“irreducibly entails some act that gives the victim a false impression.” United States v. Finnerty, 533

F.3d 143, 148 (2d Cir. 2008).

The District Court—summarizing the SEC’s allegations—described the computer hacking in

this case as “employ[ing] electronic means to trick, circumvent, or bypass computer security in order

to gain unauthorized access to computer systems, networks, and information . . . and to steal such

data.” Dorozhko, 606 F. Supp. 2d at 329. On appeal, the SEC adds a further gloss, arguing that, in

general, “[computer h]ackers either (1) ‘engage in false identification and masquerade as another

user[’] . . . or (2) ‘exploit a weakness in [an electronic] code within a program to cause the program

to malfunction in a way that grants the user greater privileges.’” Appellant’s Br. 22-23 (quoting Orin

S. Kerr, Cybercrime Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U.

L. Rev. 1596, 1645 (2003)). In our view, misrepresenting one’s identity in order to gain access to

information that is otherwise off limits, and then stealing that information is plainly “deceptive”

within the ordinary meaning of the word. It is unclear, however, that exploiting a weakness in an

electronic code to gain unauthorized access is “deceptive,” rather than being mere theft.

Accordingly, depending on how the hacker gained access, it seems to us entirely possible that

computer hacking could be, by definition, a “deceptive device or contrivance” that is prohibited by

Section 10(b) and Rule 10b-5.

However, we are hesitant to move from this general principle to a particular application
13
without the benefit of the District Court’s views as to whether the computer hacking in this

case—as opposed to computer hacking in general—was “deceptive.” Our caution is counseled by

the considerable and careful efforts the District Court has already devoted to this case, including

hearing live testimony from witnesses at a preliminary injunction hearing that covered, among other

topics, how Thomson’s secure servers were infiltrated. See, e.g., J.A. 848 Tr. of Preliminary

Injunction Hearing at 40-41, Dorozkho, 606 F. Supp.2d. 321 (No. 07 civ 9606). Having established

that the SEC need not demonstrate a breach of fiduciary duty, we now remand to the District Court

to consider, in the first instance, whether the computer hacking in this case involved a fraudulent

misrepresentation that was “deceptive” within the ordinary meaning of Section 10(b). The District

Court may, in its informed discretion, enter a new order on the basis of the existing record or

reopen the preliminary injunction hearing to consider such additional testimony regarding the nature

of the hacking in this particular case as it deems appropriate in the circumstances.

CONCLUSION

For the foregoing reasons, the District Court’s January 8, 2008 order denying the SEC’s

motion for a preliminary injunction is VACATED. The cause is REMANDED for further

proceedings consistent with this opinion.

14