Hong Kong Court Rejects Legal and Constitutional Challenges to Securities and Futures Commission Investigative Powers

On February 14, in To Man Choy Jacky v. Securities and Futures Commission, the Hong Kong Court of First Instance (Court) rejected a set of legal and constitutional challenges to the authority of the Hong Kong Securities and Futures Commission (SFC) to obtain and execute search warrants, to seize various digital devices pursuant to those warrants, and to require individuals to provide to the SFC the passwords to their email accounts or digital devices.

This case consolidated five separate applications for judicial review. It stemmed from two ongoing SFC investigations concerning (1) a Hong Kong Exchange-listed company, Aeso Holdings Ltd (“Aeso”), and its 2017 listing and (2) bond placements by two other Hong Kong Exchange-listed companies, Skyfame Realty (Holdings) Ltd (“Skyfame”) and China Agri-Products Exchange Ltd (“China Agri”).

The Court itself deemed the background facts of the investigations to be “of some considerable complexity.”  In brief, the Aeso investigation involved a sustained dispute between two groups of Aeso shareholders and allegations of fraud and market manipulation.  The China Agri investigation stemmed from an SFC inspection of a firm that had placed private bonds for Skyfame, which led to concerns that the placing scheme and the related bond program might constitute securities fraud under the Hong Kong Securities Fraud Ordinance (Ordinance).

Because the Aeso Investigation and the Skyfame/China Agri Investigation involved common parties, the SFC conducted a joint operation based on warrants that magistrates issued in each investigation.   In the course of the joint operation, SFC representatives –

  • Found digital devices (including mobile phones, tablets and/or computers) belonging to applicants in the CFI case (Applicants);
  • Conducted keyword searches to check for relevant materials when no password was required to access certain devices, and when Applicants voluntarily unlocked the digital devices, “looked for relevant materials by using keyword searches or by scrolling through the contents to look for relevant materials”;
  • Based on the above-mentioned searches, were able “to identify materials contained in emails, contact lists and messaging applications that were relevant, or believed to be relevant, to the SFC’s investigations”;
  • Requested the Applicants to provide printouts of the relevant materials or login names/passwords to the email accounts or digital devices to enable the SFC to access the same, but Applicants either declined to do so outright “(in some instances by asserting legal professional privilege), or used various excuses not to provide the same;”
  • In one case in which an Applicant asserted legal professional privilege, “suggested that the relevant emails and attachments thereto could be printed out and kept under seal for the time being pending the resolution of the legal professional privilege claim,” but the Applicant rejected the claim;
  • Decided “to seize various digital devices belonging to the Applicants”; and
  • Issued notices under the Ordinance that required the Applicants “to provide the login names and/or passwords to various email accounts or digital devices.”

In its decision, the Court rejected the Applicants’ arguments that the decisions to seize and retain the Applicants’ digital devices and to issue the notices requiring provision of the login names and/or passwords were ultra vires, unlawful or unconstitutional.  With regard to seizure of such devices, the Court held that the SFC was “clearly and amply empower[ed]” to do so:

In order that the SFC can effectively discharge its investigative functions in relation to dealings or transactions in the securities and futures markets, it is obviously essential that the SFC has the power to seize and retain digital devices containing evidence of, or relating to, the relevant dealings or transactions.

With regard to retention of the devices, the Court held “that there can be no valid complaint about the continued retention of the digital devices if the decisions to seize them were lawful in the first place,” which the Court had previously found to be the case.

With regard to the notices, the Court took note of

the practical reality that information, documents and records are nowadays mostly kept in digital or electronic forms and stored in (inter alia) email accounts and digital devices which (i) would almost inevitably contain large amounts of personal or private, but irrelevant, materials, and (ii) are often also protected by specific login names/IDs and passwords.

It found that the Ordinance empowered the SFC “to require the Applicants to provide means of access to email accounts and digital devices which contain, or are likely to contain, information relevant to its investigations even though the email accounts and digital devices would likely also contain other personal or private materials which are not relevant to the SFC’s investigations.”  It also characterized the safeguards that the SFC offered to protect the Applicants’ privacy as “a practical and reasonable compromise of the conflicting interests of the SFC and the Applicants.”

With regard to the warrants themselves, the Court held that they satisfied the five requirements for such warrants under the Ordinance:

  • “(1) the magistrate’s satisfaction on information laid on oath by an employee of the SFC of the relevant matter was stated”;
  • “(2) the persons authorized to execute the warrant (namely, each and all employees of the SFC, amongst others) were specified”;
  • “(3) the premises authorized to be entered and searched were identified”;
  • “(4) the authorization given to the specified persons to search for, seize and remove any record or document which such persons had reasonable cause to believe might be required to be produced under Part VIII of the [Ordinance] was stated”; and
  • “(5) the validity period of the warrant was given.”

It also found that nothing in section 191(1) of the Ordinance “require[s] a warrant issued under that section to state the relevant offence or misconduct in respect of which the warrant was applied for and granted,” and that even if such a requirement could be found, the warrants in the present case specified the grounds on which records and documents might be required to be produced under the Ordinance.

Note: This decision is a significant victory for the SFC in several respects. The Court not only affirmed the general constitutionality and legality of the SFC’s investigative powers, but also approved the SFC’s broad construction of the Ordinance’s language in the exercise of those powers. In addition, the Court’s endorsement of the SFC’s authority to require provision of login names and passwords will undoubtedly encourage the SFC to do so in other investigations in which digital devices may contain relevant information.

United Kingdom Competition and Markets Authority Imposes £3.4 Million in Fines on Pharma Firms for Anticompetitive Conduct

On March 4, the United Kingdom Competition and Markets Authority (CMA) announced that, after an investigation into the supply of the antidepressant drug nortriptyline, it had imposed fines totaling £3.4 million on four pharmaceutical companies for two violations of United Kingdom competition law.

One of the violations involved market-sharing between King Pharmaceuticals Ltd and Auden Mckenzie (Pharma Division) Ltd.  According to the CMA, those two firms “shared out between them the supply of nortriptyline to a large pharmaceutical wholesaler.”  From September 2014 to May 2015, the two companies agreed that King would supply only 25mg tablets and Auden Mckenzie only 10mg tablets. The two firms also colluded to fix quantities and prices.

The CMA stated that both King and Auden Mckenzie admitted violating the competition law.  It imposed a £1,882,238 fine on Accord-UK Ltd, which has taken control of Auden Mckenzie’s nortriptyline business after the market-sharing ended, and a £75,573 fine on King.  Accord-UK and Auden Mckenzie also agreed to make a £1 million payment to the United Kingdom National Health Service (NHS) in connection with the case — only the second time that the CMA “has secured a payment to the NHS following one of its pharmaceutical investigations.”

The other violation involved King, Lexon (UK) Ltd, and Alissa Healthcare Research Ltd “illegally sharing commercially sensitive information, to try to keep nortriptyline prices up.”  The CMA said that between 2015 and 2017, when the cost of nortriptyline was falling, the three suppliers “exchanged information about prices, the volumes they were supplying, and Alissa’s plans to enter the market.”

The CMA fined Lexon, which did not admit to violating the competition law, a total of £1,220,383.  By contrast, it fined King and Alissa £75,573 and £174,912 respectively, because they both admitted in September 2019 to violating the competition law.

In addition to the corporate fines and payment to the NHS, the CMA “secured the disqualification” of Dr. Philip Hallwood, a director at King and the sole director of consultancy firm Praze. It reported that “Praze conducted King’s corporate and commercial services during the illegal activity and took part in this alongside King.” After both King and Praze admitted to their involvement in the violation, Dr. Hallwood “signed a legally binding undertaking which disqualifies him as director of both companies,” meaning that he cannot be involved in the management of any UK company for seven years. As the CMA explained,

Under the Company Directors Disqualification Act, the CMA has the power to apply to the court to disqualify a director from holding company directorships or performing certain roles in relation to a company for a specified period, if a company which he or she is a director of has breached competition law. The Act also allows the CMA to accept a disqualification undertaking from a director instead of bringing proceedings, which has the same legal effect as a disqualification order.

The CMA pointedly concluded that it “is also considering the possible disqualification of other directors.”

Note: Antitrust and competition compliance officers at United Kingdom companies should inform senior executives of these CMA penalties, to remind them that price-fixing and bid-rigging are not the only types of core anticompetitive conduct that can attract the attention of enforcement authorities.  They should also include these cases in their competition-law training materials.

Dubai Police Make First Arrest in 6,000-Ton Rice Trading Fraud Scheme

In July 2019, Gulf News reported on an apparent multimillion-dollar fraud involving the disappearance of some 6,000 tons of rice that Indian exporters had shipped into Dubai. According to Gulf News, the 6,000 tons of rice disappeared without a trace, as did the company in whose name the rice was ordered and its ostensible representatives, whose checks (at least some of which were postdated) for the rice purchases, for the warehouse from which the rice disappeared, and for airline tickets bounced due to insufficient funds. At that time, the Dubai Public Prosecutor ordered police in the Jebel Ali district of Dubai to investigate possible fraud by six men and two companies, including a Dubai money exchange, in the case.

On March 6, Dubai authorities reportedly made their first arrest in the case.  The individual, a 52-year-old Indian national, was released on bail two days later.  It is not clear whether the conditions of that individual’s bail prohibit him from leaving Dubai while the investigation proceeds.

Note:  This initial report may be heartening to the 20 or more Indian rice exporters who were victimized by the fraud.  It nonetheless underscores the need for exporters in general to pay attention to indicia of trading fraud schemes, which have plagued the United Arab Emirates for some time. As the Indian Consulate in Dubai tweeted after the arrest, “Indian traders especially those in rice should take due precautions specially on terms and mode of payment [Ed. – postdated checks] to avoid such situations.”

Cyber-Attackers Exploiting Coronavirus Fears to Infect Computers

As the coronavirus pandemic intensifies its grip around the world, it may be difficult for people who constantly seek new information about it online to recognize that cyber-attackers have no compunctions about exploiting popular fear and uncertainty for their own benefit.  Two recent reports indicate that malicious actors are actively exploiting people’s concerns about coronavirus to infect computers with malicious code.

On March 5, software firm Check Point reported that since January 2020, there have been more than 4,000 coronavirus-related domains registered globally. For example, according to Check Point data, weekly coronavirus-related domain registrations rose rapidly from approximately 100 as of January 13 to nearly 1,000 as of January 27 and nearly 1,000 as of February 10. Check Point found that of those 4,000 registered domains, 3 percent were malicious and an additional 5 percent are suspicious. Check Point also concluded that coronavirus-related domains are 50 percent more likely to be malicious “than other domains registered at the same period, and also higher than recent seasonal themes such as Valentine’s day.”

In addition, Check Point reported that “a widespread targeted coronavirus themed phishing campaign was recently spotted targeting Italian organizations.” That campaign reached 10 percent of all organizations in Italy “with the aim of exploiting concerns over the growing cluster of infections in the country.”

On March 11, The Next Web reported that a security researcher at Reason Labs found that hackers are exploiting organizations that have created dashboards to track the spread of coronavirus “to inject malware into computers” and steal users’ information, such as user names, passwords, and credit card numbers, that is stored in users’ browsers. The researcher found that hackers are designing websites that “pose as genuine maps for tracking coronavirus, but have a different URL or different details from the original source.”

Note:  As more and more employees are working from home during the pandemic, they are likely to be using their computers for extended periods for both work and personal purposes.  For that reason, information-security officers in all types of organizations should bring these reports to the attention of all corporate employees, and provide the following directions:

  • Do not use your work computers to search for information about coronavirus developments. Even a single point of entry for a cyber-attacker can potentially result in compromise of an entire network.
  • When you use your personal computer to seek out coronavirus information, do not click on every site that purports to offer virus-tracking or -reporting information, as “lookalike” domains are highly likely to be malicious. Instead, use only dashboards that you have verified come from the actual organizations presenting those dashboards.
  • Ignore any websites, emails, posts, or texts that promise information about coronavirus “cures” or vaccines – there are none, according to the Centers for Disease Control and Prevention.
  • If you see purportedly coronavirus-related emails, websites, or domains that appear suspicious, do not click on any of those links, but report them to a designated email address in your organization for reporting spam and fraudulent emails.

Dubai Manager Sentenced to Five Years’ Imprisonment for Taking Bribes

On March 9, according to Gulf News, the Dubai Court of First Instance sentenced a Dubai manager at an unnamed government entity to five years’ imprisonment, a fine of Dh1.85 million (US$503,587), and repayment of that amount “for taking more than Dh1 million [US$272,209] in bribes to facilitate unauthorised payments and procedures.”

The Court of First Instance reportedly stated that the unnamed defendant “sought a Dh1 million bribe from a contracting company in return for facilitating a payment of Dh50 million [US$13.6 million] on a project the company had won with a government entity,” and “accepted Dh856,000 [US$233,000] in bribes from three other companies in return for helping them be listed as service providers with the government entity, between November 9, 2017 and July 5, 2018.”  Records showed that Emirati police received information about the manager’s bribe-taking, and authorities arrested him “after setting a trap for him.”

In addition to the manager, four other unnamed defendants, all Indian nationals, were convicted and sentenced in the case. One of those defendants, who “was convicted of mediating between the Emirati defendant and the bribing companies,” was sentenced to five years’ imprisonment, a Dh100,000 (US$27,220) fine, and deportation. The three other defendants, “who worked at the companies which paid the bribes,” were convicted of offering bribes and were each sentenced to three years’ imprisonment and deportation. In addition, each of those three defendants was fined and ordered to repay the same amount as his respective fine to the government entity: one was fined Dh250,000 (US$68,052), a second Dh100,000 (US$27,220), and the third Dh500,000 (US$136,105).

Note: These prosecutions are the latest in a series of criminal sentences since November 2019 that Dubai courts have imposed on managerial-level staff (both Emirati and foreign nationals) for bribery and other corruption-related conduct.  While reports of aggregate prosecution statistics are always instructive, reports about specific criminal prosecutions, particularly for financial crimes such as bribery and corruption, are even more useful in demonstrating the capacity and willingness of prosecutors to pursue complex criminal cases and of courts to impose appropriate sentences for such cases.