Federal prosecutors recently brought insider trading charges against numerous attorneys, who were previously employed at various prominent law firms. The indictments in United States v. Nourafchan, No. 1:26-cr-10115 (D. Mass. 2026) and United States v. Fejal, No. 1:26-cr-10133-LTS (D. Mass. Apr. 2026) allege that these attorneys tipped off third parties about confidential M&A deals brought in by their law firms, enabling the third parties to profit from securities trades based on the information.

As discussed in further detail below, these recent insider trading cases (1) may test the boundaries of the First Circuit’s ruling in United States v. Abdelaziz, No. 21-1878 (1st Cir. 2023), which held that disparate defendants unaware of one another cannot be charged in a single conspiracy; and (2) offer important lessons about insider threats, third-party risk management, and the limits of traditional cybersecurity programs in preventing misuse by trusted insiders.

The “Varsity Blues” Conspiracy Defense

The decision in United States v. Abdelaziz is relevant to a potential defense that the defendants and Nourafchan and Fejal could raise in response to the conspiracy allegations. In Abdelaziz, two parents were convicted at trial of conspiracy to commit fraud and bribery, among other claims, as part of the broader “Varsity Blues” prosecutions—a series of federal cases that were brought against parents who allegedly bribed college officials to secure admission for their children. The defendants in Abdelaziz were charged alongside numerous other parents based on allegations that they participated together in a single overarching conspiracy.

The First Circuit vacated the conspiracy convictions finding that the government failed to prove an overarching conspiracy. The First Circuit further held that similar conduct by individual, disparate defendants who were unaware of and indifferent to one another does not establish a single conspiracy, and that joining such defendants in one case created an unacceptable risk that the jury convicted them based on others’ conduct rather than their own.

Given that the cases in Nourafchan and Fejal are both before the same federal district court that administered the underlying trial in Abdelaziz and include conspiracy claims against defendants employed at different firms but who engaged in similar conduct, the defendants may attempt to rely on the First Circuit precedent in Abdelaziz as a defense. 

Insider Threats Are a Data Governance Issue

Regardless of whether a defense based on the First Circuit’s ruling in Abdelaziz is successful, the indictments in Nourafchan and Fejal also serve as an important lesson that unauthorized use of information does not always originate from phishing campaigns, ransomware incidents, or network intrusions by external threat actors.

Unauthorized disclosure by insiders poses many of the same risks as those that result from external compromises. For example, insider misuse can similarly expose key company information such as intellectual property, strategies, active litigation or regulatory investigations, trade secrets, financial information, and other confidential business records that could be used in a manner to harm a company and its reputation. For example, the alleged conduct in Nourafchan and Fejal has the potential harm to both the law firms and their clients—including through reputational damage, litigation exposure, and regulatory scrutiny.

Relatedly, the allegations in these cases are evidence that a law firm’s reputation, size, or brand is not a substitute for implementing third-party risk management controls to protect confidential information once it is shared. Instead of relying on a service provider’s reputation, companies should evaluate the actual access controls, monitoring capabilities, incident response procedures, and insider threat safeguards providers have implemented.

Conclusion

The significance of the insider trading allegations in Nourafchan and Fejal extends well beyond the criminal charges. On the legal front, these cases may test the reach of the First Circuit’s Abdelaziz ruling. On the operational front, the cases illustrate how information security failures can emerge not only from sophisticated external attacks, but also from individuals operating within systems that lack sufficiently granular access controls and monitoring mechanisms.