From mid-May 2017 through July 2017 Equifax, one of the nation’s three major credit reporting agencies, allowed the personal and financial records of 145.5 million American consumers to be collected by nefarious criminal actors. On March 8, 2017, reports the New York Post, Equifax had been warned by the Department of Homeland Security about the software flaw that could lead to the breach, but Equifax did not patch the flaw.
Equifax, as reported by the Federal Trade Commission, allowed access to people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. UK and Canada personal information was also hacked.
“Equifax generates substantial income as a gatekeeper and fiduciary of the public’s financial information and credit backgrounds and thus must be held to the highest standard of public trust. Insider trading undermines investor confidence in the fairness and integrity of the securities markets, said Professor William Byrnes of Texas A&M Law School. “Because this insider trading investigation involves Equifax executives, it is imperative that the SEC transparently and fully investigate to determine when each became ‘aware’ of the massive cyber breach. SEC Rule 10b5-1 provides that an insider trades on the basis of material nonpublic information if the insider is ‘aware’ of the material nonpublic information when making the purchase or sale.”
Byrnes continued “It has been reported that the CFO John Gamble sold 13 percent of his Equifax stake and Joseph Loughranth the president of U.S. information solutions sold nine percent two days after Equifax employees discovered the massive data breach of the company, when the share price hovered around $146. On September 7, 2017, the day before news of the extensive data breach was released to the public, Equifax shares still traded around $142, but a day later upon the announcement of the data breach, Equifax shares fell to $123 and today its shares sit around $106. If the SEC discovers through interviews and searching emails and internal memos that Equifax employees informed any of the three executives of the data breach before August 1, 2017, it is probable that the SEC will seek disgorgement of the profits and a civil penalty up to three times the loss avoided by the early sale.
Byrnes cautioned, “But if the evidence is strong of being informed and then instructing a sale, it is possible that the SEC also seeks a criminal indictment which carries a maximum prison sentence of 20 years and fine of $5 million.”
“Moreover, Equifax itself carries risk of corporate civil or criminal indictment from the investigation. If the investigation uncovers insider trading by the executives, then Equifax may be charged either civilly or criminally if a controlling superior of one of the executives knew or recklessly disregarded that an executive was informed of the data breach and was then likely to engage in selling shares before the public announcement. The company would be able to defend itself by showing that it took appropriate steps to prevent the sales. The most likely risk concerns the CFO because of the size of his share sale two days after employees at Equifax discovered the data breach and the CFO is probably a controlling superior of the other two executives. A corporate civil insider trading penalty may be up to a minimum of one million dollars or a maximum of three times the loss avoided,” warned Byrnes.
The Washington Post reported that the share sells were not part of a pre-planned transaction. Bloomberg reported that the DOJ has opened a criminal investigation into several issues resulting from the data breach, including securities laws.
Have a question? Contact William Byrnes
Your comments are welcome!