Bloomberg legal reporter Ava Benny-Morrison, discusses the first person charged in the FTX collapse to avoid prison time. Securities law expert James Park, a professor at UCLA Law School, discusses the crypto industry using a Texas legal strategy to attack the SEC. Cybersecurity expert Dr. Ilia Kolochenko, partner and cybersecurity practice leader at Platt Law, discusses Delta Airlines suing CrowdStrike. June Grasso hosts.
This is Bloomberg Law with June Brusso from Bloomberg Radio.
He's the first person charged in the FTX collapse to avoid prison. Former FTX chief engineer Nishad Singh was one of three top executives who turned on Sam Bankman Freed and testified against him after his once thriving crypto empire imploded in twenty twenty two. Bankman Freed is serving a twenty five year prison sentence after a jury found him guilty of fraud last year. Alameda Research chief executive officer Caroline Ellison, the star witness against Bankman Freed, is reporting to prison in September to serve a two year sentence. Ryan Salome, one of Bankman Freed's top lieutenants at FTX who did not testify against him, is serving a seven and a half year sentence. But Singh walked out of the courtroom yesterday. A free man joining me is Bloomberg Legal reporter Ava Benny Morrison, who covered the trial and was at the sentencing, tell us a little about Singh.
Mshad sing was one of three top executives at FTX who turned on Sam Banks and Freed and signed up his corporating witnesses to the government. They all testified at stmin Fred's broad trial and eventually helped land his conviction to statement. Freed's currently serving twenty five years in jail, and after his sentence, it was time for the corporators to face their own punishment for their role in the collapse and the years long thought at FTX. Now Mishad Singh turned up in court yesterday and we heard some pretty compelling arguments from his attorney about why he should avoid spending a day in prison. Only a couple of months ago, Caroline Elison, the former CEO of Alimenta Research, was sentenced to.
Two years in jail.
This is unusual most corporators end up avoiding any jail time whatsoever, but fortunately for Nishad scene that was what happened. Judge Lewis Caplan found that he deserved more cooperation credit than Caroline Ellison, and he was essentially less culpable than the florid at FTX than Allison was.
It also that he was involved in the fraud for a shorter period of time.
Judge Kaplan certainly seemed to focus on the amount of time Mishading knew about the fraud, so Nishad who was the chief engineer at FTX, only found out in September of twenty twenty two that FTX had been sending customer funds billions at dollars worth of customer fund to alimated research. In contrast, Caroline Ellison knew about this for years and was an accomplice to Sam Bankman. Fridge and Caplan found that this certainly helped Mishad Thing's case, the fact that he only knew about it for a couple of months before STX collapsed. You know, both the prosecution and the defense did admit even when Nishad Thing found out about this, max is broad and that STX couldn't afford to cover the whole customer deposits. He continued to allow campaign donations to be made in his name and forged ahead with a purchase of a beautiful house in Washington State, something that his lawyer said he will forever be ashamed of.
Three point seven million dollar house.
Yes, that's right, it was worth three point seven million dollars and he bought it with his friends with a place to go and when he could relax and go on holidays. This was kind of the only luxury. Maybe indulging purchase that Mishad seen had May when he was STX. His lawyers, you know, really stressed that he was a true believer in effect of altruism, his philosophy that drew a lot of the STX and LM research folks together, this idea that you could earn a lot of money and give most of your way to make the world better place. Mishad was very interested in charity. You know, he's been involved in given away a lot of concernings since he was in college. And his lawyers really tried to push that point that this was, you know, yeah, a big purchase, but it didn't look like he's and he's.
Been working all this time, unlike Caroline Ellison.
In Caroline Ellison's case, her lawyers have said that she was really struggling to find an employment after the SPX collapse, mainly because of the reputational damage that came is being associated with STX and Elemental Research. She had been working on writing a non fiction book and a math book that Mischadsen had been lucky enough to find a job. He's been working as a software engineer for a firm in California since FTX collapsed, and he's also been volunteering at a homeless shelter up from his house in the Bay Area, and at night he's working on code for a affordable housing project. So this certainly went towards his argument for someone that is trying to build his life back up again, and you know, he's certainly just any interest in getting involved in a multi billion dollar thought again.
When he spoke to the judge, how did it come across.
Something that struck me about Mishad in court yesterday was that he remained very calm and very composed the entire time. When he got up to speak to Judge Caplan, he approached the lectern with a piece of paper with his written words on it in his hand and said that how remorseful he was and how gutted he was about the harm that he caused to so many innocent people. He spoke about, you know, wanting to prove to not only the judge but others that he was on the past to redemption and he wanted to do good and be a force for good in the world since being part of the calamity at SS And what.
Was the reaction when he learned that he wasn't going to have to go to prison.
I think that the big question mark was whether Judge Caplan was going to send Mishad's prison or save him from that, especially after the two years Tent said he had the Caroline Elephent. So when he got to the pointy end of delivering his judgment, Mi Shad was standing between his two lawyers, and Judge Kaplin said I order you to report to the Attorney General of the United States the time served. And at that point Shad sing barely reacted. There was a very saint smile that came across his face. While his family, of which there were many, seated in the public gallery behind him, Augar his Beyonce Claire put her hand over her mouth. His mother kissed his Beyonce on the cheek, and they held hands and you could see that how emotional that they were. They were crying, but you could just sense the kind of utter relief that was put across the court room.
What seemed a little unusual is that the judge addressed Thing's parents and said, I don't see anything you did wrong. Tell us what led to that.
That's right part of things. Sentencing his parents along with his brother and other friends and former colleagues that FTX permitted letters in support of him, and his parents' letters were pretty heartbreaking. They spoke about raising their son as best as they could, spoke about how intelligent and talented he was, and then discovering that he had been caught up and export at FTX, And there were some pretty harrowing parts in there about the impact that the FTX collapse had had on the Shad and how he had contemplated suicide in the weeks and months after FTX. His parents spoke about the impact on his mental health, and the Shad lawyer actually made a point of saying, you know, every time Shad flew over from California to New York to meet with us at our offices, his father was there in the conference room sitting across from him, or his younger brother was there. So he had the unwavering support of his family. And that was very clear from the amount of people that turned up in the court yesterday. And the judge addressed that at the end of his sentence, after he told the Shad that he wouldn't have to serve danja Ol, and he said, you know, I'd like to just address this Thing's parents on a personal note, and he said, there is nothing I can see that you did wrong, and then he walked out of the courtroom. And I think it was quite an emotional moment in the courtroom, especially if Mishad's parents to see that. They were I think quite receptive to what he said and almost grateful because you can imagine the impact he's had on his family.
So this case is over. What's the next sentencing?
Is that this final sentencing in this case.
Yes, we've got one final sentencing hearing left in this FTX saga, and that is of Gary Wong. Gary Wong was the co founder at STX. He helped build the exchange with Sam Bank mcfreed. He became the chief technology officer, and he was also a corporating witness and gay testimony at Sam's trial. He's due to be sentenced at the end of November, so it'll be interesting to see where Judge Kaplan puts him on the culpability scale because he knew about the afforded STX and animator research a little bit earlier than Michez Thing did. Thought from the evidence that we heard it call, he wasn't as safely involved as Camlin.
Elision was and of course we should mention that Sam Bankman freed is appealing his conviction. Thanks so much, Ava. That's Bloomberg Legal reporter Ava. Benny Morrison coming up next on the Bloomberg Law Show. The crypto industry is using a Texas legal strategy to dial up its attacks on the SEC. A leading crypto trading platform is trying a preemptive strike against the SEC. Crypto dot Com is suing the SEC before the agency has a chance to bring an enforcement action against it. And it's suing in the strategic venue of Texas, home of the Fifth Circuit, the most conservative appellate court in the country, which has restricted agency powers, including in the Jocracy case which led to a Supreme Court decision last year limiting the SEC's use of in house judges. Joining me is securities law expert James Park, a professor at UCL Law School. Crypto dot Com got a Wells Notice indicating the SEC was going to bring an enforcement action, and instead of waiting, it beat the SEC to the pun so to speak.
It did and that's unusual. You know. Wells notice is an indication by the SEC that it's panning to bring a case, and the purpose of the Wells notice, which has been around since the nineteen seventies, is to give the potential defendant a chance to provide evidence or arguments to the SDC persuading it not to bring a case. And so this is unusual in that a typical response to a Wells Notice would be to make a final attempt to persuade the SEC not to bring a case, and instead Crypto has preemptively sued the SDC in the Eastern District of Texas and basically argue that it is overreaching its jurisdiction even though the SEC is not actually voted to bring the case.
So is the case ripe then for decision if they don't know exactly what the SEC would be doing.
That's the argument I think the SEC is going to make. They will argue that we have not decided to sue you at this particular point in time, and so there's not a ripe dispute that can really be adjudicated in this case. I think Crypto dot Com will argue though, that well, you know, we know you're going to bring enforcement against us. We know the theory because it's been asserted against other crypto exchanges. And therefore we should be permitted to challenge your policy, your administrative actions, and we might have standing because we could be injured or affected by that particular decision. But I think that'll be a critical issue for the district court to consider whether this is indeed a right dispute.
Crypto dot Com, which is based in Singapore, last year moved at US headquarters from Miami to Tyler, Texas. Does it seem like that's a move to a friendlier jurisdiction.
It could be for a variety of reasons, not necessarily related to this lawsuit, but simply the lack of a state income tax generally a business friendly climate. I would be surprised sort of the ability to file in a particular jurisdiction is what may have motivated Crypto dot com. And you know, I think there are a lot of considerations that go into play when you are moving your headquarters from one place to another, But certainly the fact that it is in Texas now it's more of a natural place for the like this to be filed as opposed if they were in Miami and filing in Texas, it'd be more of an attenuated link between Crypto dot Com and Texas if its headquarters was not located. Now, certainly they have customers in Texas, they do business in Texas, and so they could argue they should still be able to see in Texas. But the fact that they are headquarters there may make the arguments that the case should be in Texas a little bit stronger.
Any case in Texas that's appealed would be appealed to the Fifth Circuit, which is notoriously conservative and has struck down a slough of Biden regulations.
It hasn't particularly with respect to SEC regulations. They are struck down very extensive, ambitious regulations of hedge funds private funds that would have required disclosure relating to fees, and they have struck down disclosure rules were leading to stock repurchases by companies. They basically said, the SEC arbitrarily changed its position on a proxy advisory firms and the advice they give with respect to voting. One exception, though, with respect to the Fifth Circuit, is that initially they upheld various rules relating to diversity and diversity disclosure passed by the Nasdaq, which is a regulated exchange that is regulated by the SEC, and past various rules saying that if you don't have a certain diversity on your board, you have to issue disclosure a panel that this circuit initially upheld that decision, but the entire Fifth Circuit unboked. The entire court decided to review that decision, and reports of the argument indicate that they may strike down that rule as well. So the answer is yes, so that the Fifth Circuit generally has not been a favorable court for the SEC.
If the SEC brings in action, would it be brought in the second Circuit?
It depends. I think it depends on the circumstances. And they have sort of a wide amount of discretion. Is where they can file a suit. And you know, wherever there are investors who have been harmed by a particular practice and so forth, that they might choose to sue in that venue. But you know, they could have chosen Texas. You know, the SEC might have simply said, your headquarters in Texas will sue you in Texas. They might have suit in Washington, DC. That's another place where they can bring suit, and they often bring suit in the Southern District of New York. There's a common venues and there's a lot that goes into I think choosing a venue there's no real science to it, And I think they actually still could sue Crypto dot Com in another jurisdiction, in another venue if they chose to bring a case against Crypto. I don't think there's anything about this particular case that precludes them from suing Crypto independently in the enforcement action that they might have been planning to bring. And then you could have concurrent lawsuits where you could have this proceeding in Texas at the same time as a SEC enforcement case against Crypto and Washington DC, and that poses a certain complication, which might be you know, an argument for dismissing one of the cases on ripe this grounds is that it may not be a good thing to have two concurrent lawsuits against the same defendants that are basically deciding the same issue.
So is Crypto dot COM's lawsuit about the SEC's power about agency power?
That's certainly part of it. It is a broader question, and they're they're interrelating, right, it's sort of you know, I'm questioning your agency power, your jurisdiction that could be asserted against US. And if the SEC brought a case against Crypto, the assumption is that the SEC has jurisdiction and power, it would be just more of a background issue. Both cases, I think would raise the same basic issue, but you know, the one in Texas, I think is much more hypothetical and it's much more of a hypothetical injury to Crypto dot Com. Whereas if the SEC sues Crypto dot Com, then Crypto has a very clear basis for saying that we have been injured by the SEC's action and the SEC does not have authority, and so there's an argument that it might be better to decide that issue in that concrete setting where the SEC has asserted it's jurisdiction under Crypto, rather than hypothetically wondering whether the SEC does have jurisdiction over Crypto.
We've talked before about how Crypto has been fighting the SEC in different ways. Is this affirmative litigation part of a broader strategy.
It's a good question as to whether there's any coordination. No, is there a crypto industry that is essentially strategize That's something I just don't know, but you know, certainly these arguments are out there, and they've been developed in earlier cases by by Ripple by binance by coinbase, and I think crypto dot Com and its attorneys and I've learned from those arguments, and I think that they are trying to open up another front in the battle. And perhaps their belief is that, you know, if you can get a favorable decision from a Texas court, a fifth Circuit court, that that might help our cause in some way with other appellate judges or the US Supreme Court. And so I think that you know, even if there is not coordination among various members of the industry, there is just a concerted industry argument that is being asserted in different venues and in jurisdiction that you know, may ultimately be decided by the US Supreme Court. And having a variety of judges weigh in could be helpful to the crypto industry if you're getting more favorable ruling that are skeptical of the SEC's jurisdiction of a crypto asset. Now, there's also a risk though to a strategy where you're bringing multiple cases, is that some of those cases may go against you and so forth. You know, I also think there's a pr aspect to this as well, where you know, we're filing a high profile action against the SEC. Let's create this narrative that you know, the SEC is abusing its authority and that a lot of folks are angry about them. Are you know? Basically it's coming up again and again, right, I think you know that coinbase and binance cases are not really in the news as much. So hey, let's let's bring this preemptive action and keep this in the public discourse to put pressure on the SEC. So to keep the issue alive as we lobby for more favorable regulation.
We're certainly paying attention to it. So in September, a judge in Texas dismissed a case brought by a crypto company, and he found that wells notice and subsequent suit from the SEC weren't final actions and that the case was therefore premature. But this is being a sign to Judge Jeremy Kernadel, who ruled in July to freeze rulemaking by the Labor Department. I mean he wouldn't have to follow the other judge's determination.
Right, That's true. It's not binding. It's a district court decision, so it's not binding on another district court. The reason could be influential though, and it's certainly something I'm sure that the judge will look at very closely. You know, there may be some differences between Crypto dot COM's case and the prior case, and you know, I read something very quickly about that prior case by I can consent, and I think in that case it was very clear at some point that the SEC would not bring an action, and so maybe that's the way you would distinguish the Crypto dot Com case in that I'm fairly certain that the SEC will bring an action against Crypto dot Com. It's a very similar fact pattern as Binance and coinbase, and so Crypto dot Com will say, sure, they haven't decided to bring a suit against that, but given our knowledge of their past enforcement activity, it's very unlikely that they will not. I think that's the argument Crypto dot Com might try to make.
What do you think of Crypto dot COM's tactic in general?
You know, it's a very interesting move to preemptively sue before the SEC can bring an action. I think that is extremely interesting, and it's aggressive. It is certainly aggressive, and I think they are certainly trying to take advantage of a favorable venue. They may believe the SEC would never decide to file in Texas given its past experience with the Fifth Circuit, and that may very well proved to be true, but it's also unclear. The decision has not been made, and I think this is an interesting choice of litigation strategy and we'll see how it turned out.
Thanks so much, Jim. That's Professor James Park of UCLA Law School. Coming up next. Delta sues CrowdStrike. This is Bloomberg. Delta Airlines is suing cybersecurity firm CrowdStrike over the chaos caused this summer by a software update that disabled millions of computers worldwide and grounded much of the airline's passenger fleet. Delta is accusing the cybersecurity firm of gross negligence that costs the airline five hundred million dollars. CrowdStrike apologized publicly after the July nineteenth glitch that shut down computers running the Microsoft Windows operating system, paralyzing airports, banks, stock exchanges businesses around the world, But CrowdStrike says Delta is giving misinformation, doesn't understand cybersecurity, and is trying to shift the blame for its slow recovery from the outage, joining me is an expert in cybersecurity, doctor Ilia Koloshchenko. He's a partner in cybersecurity practice, lead at PLAT Law and CEO of Immune Web. This was a global technology outage, so isn't it obvious that CrowdStrike bears the blame.
I don't think it would be fair to say that it is crowdstrikes fault before we get all the texts. Of course, I'm not saying that CrowdStrike is completely blame last, but I'm unconvened that we have solid matters to claim financial damages, and I believe that we need to investigate these cases a little bit more because, based on crowd strike public announcement and the details that they disclosed about the incident, such kind of incidents may happen virtually everywhere, so it was not like a negligence that can we can Reprimand I think, what do.
We know so far about what caused this?
So to the depth of my knowledge, it was a faulty update that was not tested as sophisticatedly as it could see, and as a result, we have the many machines that were using CrowdStrike software that became unusable, inoperable for several hours at least, and actually this caused a lot of inconvenience around the globe.
Delta claims the incident could have been prevented by testing the software update on just one computer. Does that pointed negligence?
This will probably be the very cracks of the lawsuits if we have a lossit not for a virtual contract boss In towards, I think that it will be difficult to prove that crowd strike was negligent unless we get some addition materials during the discovery phase or we have any expert witnesses who will be able to testify that crowd strikes software testing and deployment process was below the industry acceptable standards. But I think it will be a challenge and probably we will end up with many different experts saying, you know, contradicting things. And at the end of the day, I think it's fair to accept that new software is perfect and we have a new regular bug fixes and updates. I'm not talking about security patches, okay, but I'm talking about you know, errors and buck success in Microsoft software, in Apple software. So this is like, you know, commonly acceptable reality that no software is immune from small bags and issues. So I think crowd Strike will insie that it has been duly following all applicable processes and procedures to ensure the best reasonable quality of its software and of its coptic Delta.
Is accusing CrowdStrike of gross negligence? What would it take to prove that?
So? I think they have. Gross negligence is a very high standard of proof in civil litigation, and I don't think that they will manage to prevail on this claim unless we don't know some facts that are probably known to the plainting. Okay, negligence is possible, Okay, but gross negligence I don't think it will be the case. And I'm especially you know, capt icilled out unity damages because the alleged misconduct of CrowdStrike has to be so eregious that it would deserve in its punishment. So I honestly don't think that gross negligence and unity damages will prevail.
Delta attributes the scope of the adage on crowdstrikes efforts to alter other operating systems through uncertified and untested shortcuts that damage and impaired its client systems and businesses. Is that difficult to prove?
I don't think it will be difficult to prove when I think it's give an attack that was admitted by CrowdStrike. But the reality is that many security products do very similar things because they need to have full control of your machine, of your device in order to protect it completely. There are alternative ways to do the same thing, Bob. It's like you know, arguing, whether you know Android software that is an open source sulftware is better than IOP software that is for pree three closed first sulfware, Whether it's better to have Linux versus Microsoft. So it's an open question, and I don't think that justin based on these facts, they will be able to prove even negligent laft, a little gross.
Negligence, a crowd Strike spokesperson said, speaking of finger pointing. Delta's claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure. What do you think of that respons.
Well, I think this is like a response that I would expect. However, you know, probably the one thing that deserves your attention. Is that actually when we talk about negligence or even if they see you for breach of contracts, I would probably say that crowd Strike will also argue saying, listen, you've been using our software for a long period of time. You had all the documentations, your IT people, your cybersecurity people will fully aware of how it works, of what exactly we do, how it operates you or web through all our terms of services, framework agreements, whatever they may have in place. So now you know, telling us that you are kind of you know, flob a gaset, you know, ambushed by these very facts you know how our software works, doesn't sound credible because you've been aware of these facts since the very beginning, or you should have been aware of it. So now saying that it's a big surprise and you have shocked doesn't sound They're like a credible claim, And here I think they will get some attention from the jury.
What about a breach of contract claim.
Well, that's a very interesting question because if they have a contract, it really depends on the contract. And I think, you know, unless crowd strike made some important concessions and agreed to remove some of the clauses that expressly limit, reduce, exclude, or cap their liability for certain incidents. I think Delta chances to succeed fairly modest usually all cyber secure against it. Under they have variance lawyers who know how to write in a good tech contracts excluding or limiting their liability to the full extent permitted by laws. So under the contract, I'm not sure they will have much success. Maybe they will get some nominal damages, but in this case it will be a questionable victory in court because they'll probably spend more money in their legal costs than they will eventually stain at the end, and if they do so, I think if this ends up in court, I'm confident will have an appeal. So I don't think understand that a litigation here is the best way to resolve this regrettable incidents. I would rather settlement that would be mutually there for Delta and for Crowdstright, because the breach of contracts for me sounds we claim unless Delta managed to change in new default contractual and saying that Crowdstrights will be liable to the fullest extent for all directs indirect damagers. In this case, it can be very problematic for crowds work, right, But I don't think it's the case.
Are there consequences for other companies from this lawsuit?
I think that this case may open a fron door box, because if it ends up in court, then probably all cybersecurity and tax vendors will start urgently modifying their contract in terms of services as the lays. Of course, it will be in a very fact specific and it will depend on the decision of the court. If the parties don't settle and do this in a discrete, calm and considential matter to everyone's satisfaction, I think it will create a dangerous precedence first and second will probably see a lot of the lawsuits not only against crowd Strike up Basic, but also all other companies are saying, oh listen, I had a problem with my iPhone. You know, I'm sewing Apple. So it can cause you the kind of avalanche of lawsuits. So I really hope that the parties will find an amicable resolution of this regrettable incident.
Thanks for being on the show. That's cybersecurity expert doctor Ilia Koloshenko, and that's it for this edition of the Bloomberg Law Podcast. Remember you can always get the latest legal news by subscribing and listening to the show on Apple Podcasts, Spotify, and at bloomberg dot com, slash podcast, slash Law. I'm June Grosso and this is Bloomberg