Last week, the SEC and DOJ filed civil and criminal insider trading charges against a former Equifax executive for selling shares of Equifax stock prior to public disclosure of the company’s massive data breach.[1] The case demonstrates an increased emphasis by the SEC on cybersecurity-related disclosures and follows closely on the heels of updated SEC guidance that admonishes public companies to disclose material cyber risks and incidents and to adopt policies and procedures to prevent insider trading on undisclosed data breaches.[2]
The Equifax Data Breach
In early September 2017, Equifax, one of the nation’s three major credit reporting agencies, disclosed that an unknown attacker had stolen personally identifiable information for approximately 145.5 million consumers, making it one of the largest and most potentially consequential data breaches in recent history. An internal probe at Equifax revealed that hackers first infiltrated Equifax’s network in May 2017 and that the intrusion went undetected until late July 2017, when suspicious network traffic was first identified by Equifax employees. Equifax’s response to the breach and the timing and contents of its disclosure, as well as its overall efforts to protect consumer data, were heavily criticized and are now the subject of a host of regulatory investigations and private lawsuits. The criticism led to the resignation of several Equifax executives, including the CEO.
The Alleged Insider Trading
As alleged in the SEC’s and DOJ’s cases, Jun Ying was the Chief Information Officer (CIO) for a business unit within Equifax and a leading candidate to succeed the then-global CIO of the company. According to the SEC’s complaint, starting in late August 2017, Ying was called upon to provide technical support in assisting with Equifax’s data breach remediation and customer notification efforts. Equifax, however, neither told Ying that it was the victim of a data breach nor expressly imposed a blackout period on sales of Equifax shares by Ying, as it had with employees who were directly told about the breach. Instead, Equifax told Ying that his assistance was urgently needed to help one of Equifax’s customers respond to a substantial data breach. Nevertheless, within a few hours of being asked for help, Ying allegedly concluded that Equifax was the victim of the data breach.
Three days later, Ying allegedly executed several internet searches for information regarding a 2015 data breach of Experian, another credit reporting agency, and the effect of the breach on Experian’s stock price, which, according to the SEC, declined four percent after its data breach disclosure. After running these internet searches, Ying allegedly sold his Equifax shares, realizing gross proceeds of more than $950,000 and thereby avoiding more than $117,000 in losses that he would have incurred had he sold his shares on the first trading day after Equifax disclosed the breach to the public.
Two days after Ying sold his shares, Equifax officially told him that it was the victim of the breach and directed him not to sell any shares. Upon receiving these instructions, Ying did not inform Equifax that he had already sold his shares.
Ying’s trades were allegedly discovered by an internal investigation at Equifax, and his employment was terminated in October 2017.
Interestingly, Ying was not one of the four Equifax executives who had initially been identified as having sold shares of Equifax stock prior to disclosure of the breach. Those executives, who included Equifax’s CFO, were cleared of any wrongdoing by an internal probe conducted by a special committee of Equifax’s board, which found that the executives did not know of the breach at the time they sold their shares.
Although Equifax told some employees involved in its remediation efforts about the breach, it did not tell other employees, like Ying, who were also not expressly instructed regarding the blackout on Equifax share sales. Equifax apparently failed to anticipate that those employees might conclude that the breach was Equifax’s and might engage in securities transactions before being instructed that a blackout restriction under the company’s insider trading policy applied. Accordingly, this case illustrates the difficulties public companies face in mobilizing the appropriate employees to respond effectively to a data breach or other potential material event while also timely implementing restrictions on trading by those employees. Public companies would do well to take a close look at both their incident response plans and insider trading policies and seek the advice of counsel in navigating these complex issues.
[1] The cases are SEC v. Ying, No. 1:18-cv-1069 (N.D. Ga. filed March 14, 2018) and United States v. Ying, No. 1:18-cr-74 (N.D. Ga. filed March 14, 2018).
[2] Murphy & McGonigle has previously published an analysis of the SEC’s guidance, available here.