Summary of the Fraudulent Scheme
6. As set forth below, ADAM ROGAS, the defendant, was a founder and the CEO, CFO, and a member of the Board of Directors of NS8, a cyberfraud prevention company. ROGAS exercised control over the books and records of NS8, and also maintained control over the bank accounts where NS8's revenue was purportedly deposited. From at least in or about 2019 through in or about September 2020, ROGAS operated a fraudulent scheme to deceive NS8's investors by falsely inflating the company's reported revenue and assets by substantial amounts. As part of his fraudulent scheme, ROGAS used falsified bank statements to cause material misrepresentations to be made to investors regarding NS8's assets and revenue, including by showing tens of millions of dollars in assets and revenue that did not exist. Through those material misrepresentations, ROGAS enticed investors to purchase securities in two fundraising rounds which provided NS8 with at least approximately $123 million in funds. ROGAS subsequently tendered NS8 shares he owned and otherwise controlled, obtaining at least approximately $17.5 million as a result.
[I]n the fall of 2019 and the spring of 2020, NS8 engaged in fundraising rounds through which it issued Series A Preferred Shares and obtained approximately $123 million in investor funds. ROGAS used the materially misleading financial statements to raise those funds.
Specifically, ROGAS maintained control over a bank account into which NS8 received revenue from its customers and periodically provided monthly statements from that account to NS8's finance department so that NS8's financial statements could be created. ROGAS also maintained control over spreadsheets that purportedly tracked customer revenue, which were also used to generate NS8's financial statements.
During the fundraising process in the fall of 2019 and spring of 2020, ROGAS altered the bank statements before providing them to NS8's finance department to show tens of millions of dollars in both customer revenue and bank balances that did not exist. In the period from January 2019 through February 2020, between at least approximately 40% and 95% of the purported total assets on NS8's balance sheet were fictitious. In that same period, the bank statements that ROGAS altered reflected over $40 million in fictitious revenue. ROGAS also falsified nearly all of NS8's purported customers on internal tracking spreadsheets.
Additionally, ROGAS provided the falsified bank records he had created to auditors who were conducting due diligence on behalf of potential investors. After these fundraising rounds concluded, NS8 conducted a tender offer with the funds raised from investors, and ROGAS received $17.5 million in proceeds from that tender offer, personally and through a company he controlled. After ROGAS's fraud was uncovered, NS8 ultimately entered bankruptcy proceedings. ROGAS used his fraudulent proceeds to purchase, among other things, luxury goods and a residence in the Dominican Republic.
B. Hansen's Actions to Impede
5. In 2018 and 2019, an NS8 employee (the "NS8 Employee") raised concerns internally that NS8 was overstating its number of paying customers, including that the customer data (including purported customer numbers and monthly revenue) used to formulate external communications-including to potential and existing investors-was false. During this period, the NS8 Employee also raised his concerns about NS8's customer numbers directly to Respondent- although the NS8 Employee never directly or indirectly reported to Respondent.
6. In July 2019, through counsel, the NS8 Employee submitted a tip to the SEC.
7. In August 2019, the NS8 Employee raised his concerns directly to Respondent that NS8 may have falsely inflated customer counts. During the course of the conversation, the NS8 Employee told Respondent that unless NS8 addressed this inflated customer data, he would reveal his allegations to NS8's customers, investors, and any other interested parties. Respondent suggested that the NS8 employee raise his concerns directly to his supervisor or the CEO.
8. Later that day, in a phone call with his supervisor, the NS8 Employee reiterated his concerns that NS8 may be falsely inflating customer counts. In that conversation, the NS8 Employee again stated that he could reveal his allegations to NS8's customers, investors, and any other interested parties. The supervisor then called Respondent and indicated that he had a conversation with the NS8 Employee about the allegations.
9. Shortly after, Respondent messaged the CEO, "[P]lease call me ASAP. This is EXTREMELY URGENT." Respondent and the CEO then spoke. Respondent understood that the NS8 Employee's concerns involved a possible securities law violation, including potential fraud against NS8's investors.
10. After Respondent spoke to the CEO, both took steps to remove the NS8 Employee's access to NS8's IT systems. At one point, the CEO told Respondent that he removed NS8 Employee's administrator privileges to one system but kept read-only access "so it looks like an error."
11. The CEO also asked if Respondent had "agent on [the NS8 Employee's company] laptop." "Agent" referred to a tool that permitted NS8 IT, including Respondent, to remotely access NS8-issued laptops and provide IT support-including viewing what was happening on a laptop screen in real time. Respondent replied, "I can watch what he is doing if we care."
12. Respondent messaged the CEO: "I want to give you a password to login his laptop. . . [f]rom there, I'm hoping he is dumb enough to have his Keeper password memorized and see what's in there." "Keeper" referred to a password management system that NS8 employees used to save passwords to various NS8-related applications. The NS8 Employee also chose to save passwords for his personal email and other applications in his Keeper.
13. The next day, Respondent met the CEO at NS8's office. Respondent used NS8's administrative account to access the NS8 Employee's company computer. Respondent then left the NS8 Employee's computer and password in the CEO's office.
14. That same day, the NS8 Employee's saved "Keeper" personal passwords were used to access his Hotmail, Dropbox, Facebook, Glassdoor, and Google accounts on his NS8-issued laptop.
15. Later that week, the CEO fired the NS8 Employee.
(a) No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.
Exchange Act Rule 21F-17(a), adopted in 2011 as part of the whistleblower program mandated by the Dodd-Frank Act, prohibits taking "any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications." The Commission's Order concludes that David Hansen, a co-founder of NS8, Inc. who held various positions in the company, including Chief Information Officer, violated Rule 21F-17(a). The alleged violation related to Mr. Hansen's response to concerns raised with him by an NS8 Employee that the company was overstating the number of paying customers. The Order does not explain what, precisely, Mr. Hansen did to hinder or obstruct[1] direct communication between the NS8 Employee and the Commission. Accordingly, I dissent from instituting the action and accepting the settlement.
The Order states that the NS8 Employee was concerned that "NS8 was overstating its number of paying customers, including that the customer data . . . used to formulate external communications-including to potential and existing investors-was false." After submitting a tip to the Commission, the NS8 Employee raised these concerns with Mr. Hansen and told Mr. Hansen "that unless NS8 addressed this inflated customer data, he would reveal his allegations to NS8's customers, investors, and any other interested parties." Mr. Hansen, who "understood that the . . . concerns involved a possible securities law violation," suggested to the NS8 employee that he raise his concerns to his supervisor or to NS8's CEO, and the employee conveyed his concerns to his supervisor later that same day. The supervisor then called Mr. Hansen, who then called NS8's CEO.
The Order has several sentences describing interactions between Mr. Hansen and the CEO and their subsequent actions, but the salient facts, as I see them,[2] are:
- The "CEO told Respondent that he [the CEO] removed NS8 Employee's administrator privileges to one system but kept read-only access 'so it looks like an error.'"
- Mr. Hansen told the CEO that the NS8 Employee's company-issued computer had a tool that permitted remote access, and that Mr. Hansen could " 'watch what [the NS8 Employee] is doing [on his company-issued computer] if we care.' "[3]
- Mr. Hansen "used NS8's administrative account to access the NS8 Employee's company computer" and "then left the NS8 Employee's computer and password in the CEO's office."
- The CEO fired the NS8 Employee later in the week.
Although the Order states that "both took steps to remove the NS8 Employee's access to NS8's IT systems," the above list includes only two concrete actions by Mr. Hansen: (1) accessing the NS8 Employee's computer and (2) leaving the computer and password in the CEO's office. How did Hansen's actions as set forth in the Order remove the NS8 Employee's access to the IT systems, let alone stand in the way of the NS8 Employee's direct communication with the Commission? In my view, they quite plainly did not.
At most, these actions affected the content of what the NS8 Employee could communicate, not whether he could communicate. Rule 21F-17(a) ensures the whistleblower's entitlement to speak directly to the Commission, and NS8 did not prevent the NS8 Employee from doing so. Actions that limit access to company data do not necessarily limit access to the Commission. Mr. Hansen's actions, as reported in the Order, did not hinder the NS8 Employee's communications with the Commission regarding his already-submitted tip.[4] Furthermore, the Order does not state that Mr. Hansen knew about the tip. If there were evidence that he knew of the tip, then his actions may have implicated Rule 21F-17(a) or the anti-retaliation rules.
A broad interpretation of Rule 21F-17(a) could prohibit companies from limiting employees' access to data. Limiting access to sensitive data is a common element in cybersecurity programs.[5] A plausible inference, based on the facts recited in the Order, is that Mr. Hansen was concerned about the NS8 Employee's threat to disclose confidential company data "to NS8's customers, investors, and any other interested parties." Rule 21F-17(a) by its plain terms applies only to communications with the Commission. We should not read it in a manner that complicates a company's ability to act to protect its data in the face of sweeping disclosure threats, even well-intentioned ones by concerned employees. Companies hold troves of data about their customers, assets, and business practices. They and their customers have a keen interest in protecting those data. We should not engage in an undisciplined interpretation and application of Rule 21F-17(a) that adds unnecessary legal risk to that burden.
I respectfully dissent.
= = = = =
[1] Impede means "to retard in progress or action by putting obstacles in the way; to obstruct; to hinder; to stand in the way of." Oxford English Dictionary (1971).
[2] The Order also states that the NS8 Employee used a password management system installed on his NS8-issued computer to save passwords both "to various NS8-related applications" and to "his personal email and other applications." Additionally, the Order states that the saved passwords were used to access his personal accounts "on his NS8-issued laptop" the same day Mr. Hansen left the computer in the CEO's office. Because the Order does not identify who accessed what personal accounts, the relevance of these facts is not clear.
[3] The Order does not state that Mr. Hansen (or anyone else) in fact watched.
[4] The Order states that it was the CEO who limited the NS8 Employee's "privileges to one system" to "read-only access" and later fired the NS8 Employee, and does not state that Mr. Hansen had any role in either action.
[5] See, e.g., Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Rel. No. 34-94197, https://www.sec.gov/rules/proposed/2022/33-11028.pdf (proposing rule § 275.206(4)-9(a)(2)(4) to require as "an element of an adviser's or fund's reasonably designed policies and procedures . . . [r]estricting access to specific adviser or fund information systems or components thereof and adviser or fund information residing therein solely to individuals requiring access to such systems and information as is necessary for them to perform their responsibilities and functions on behalf of the adviser or fund").