Did Equifax Executives Violate Insider Trading Laws?Print Article
- Posted on: Oct 2 2017
In the wake of the hack of personal consumer information from Equifax Inc.’s computers, congressional lawmakers have asked the Securities and Exchange Commission (“SEC”) to investigate whether company executives violated insider trading laws.
The cyber breach involved the theft of 143 million Americans’ personal data –including Social Security numbers, driver’s license records and birth dates. Equifax is one of the main credit bureaus that compiles data to form credit histories that banks rely on to issue loans.
It has been reported that three executives of the company sold shares in an aggregate amount of $1.8 million days after the security breach was discovered on July 29. Equifax did not publicly disclose the hack until 6 weeks later, however. The company has “apologized” for the security breach, but has repeatedly claimed the executives were unaware of the breach at the time they sold their shares.
Equifax has offered consumers the option of “locking” their credit information for free and to sign up for a credit monitoring service. In order to do so, consumers were required to waive their right to join a class action lawsuit that was filed in connection with the hack. However, Equifax has since said that it is no longer enforcing the waiver, stating that it has updated its policy to provide that: “enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action.”
Class Action Lawsuits
Consumer Class Actions
On September 11, 2017, USA Today reported that more than 20 consumer class actions had been filed against Equifax, adding that “additional cases are likely to come.” Among other things, the actions allege that Equifax negligently failed to protect customer information and willfully and/or negligently delayed notifying the public of the breach. The lawsuits also refer to earlier, smaller data breaches the company sustained in 2013, 2016, and earlier this year. According to one of the lawsuits, Equifax “knew and should have known of the inadequacy of its own data security.”
Securities Class Actions
Along with the consumer class actions, investors have filed securities class actions against Equifax and certain for its officers — namely, the company’s Chairman and CEO, Richard F. Smith (“Smith”), and its CFO, John W. Gamble, Jr. (“Gamble”). According to a press release issued on September 11 by the plaintiff’s attorneys, the defendants issued materially false or misleading statements or failed to disclose that “(1) the Company failed to maintain adequate measures to protect its data system; (2) the Company failed to maintain adequate monitoring systems to detect security breaches; (3) the Company failed to maintain proper security systems, controls and monitoring systems in place; and (4) as a result of the foregoing the Company’s financial statements were materially false and misleading at all relevant times.”
The complaint (here) was filed in the United States District Court for the Northern District of Georgia on behalf of all persons who purchased Equifax shares between February 25, 2016 and September 7, 2017 (the “Class Period”). The plaintiff specifically references the insider trading by Gamble and other company executives. The complaint also references a variety of alleged statements by the company during the Class Period relating to the quality of its data protection and security measures. As a result of the disclosure of the data breach, the complaint alleges that the company’s shares fell nearly 17%.
On September 12, letters signed by thirty-six U.S. Senators were sent to the SEC and the Federal Trade Commission seeking a probe of the stock sales by Equifax insiders — namely, Gamble; the President of U.S. Information Solutions Joseph Loughran; and the President of Workforce Solutions Rodolfo Ploder. The bipartisan request highlights the degree of public outrage over the company’s handling of the cyber breach and the subsequent insider sales.
“We request that you conduct a thorough examination of any unusual trading, including any atypical options trading, for violations of insider trading law … and that you spare no effort in your investigations,” the senators wrote in the letter.
The insider trading allegations make the securities class action lawsuit more problematic for the defendants. Although Equifax has maintained that the selling executives were not aware of the breach when they traded and the sales themselves were relatively small, representing only a small portion of the sellers’ holdings, the timing of the sales is suspicious. As noted, the trading took place after the breach had been discovered but before the breach was publicly disclosed. Courts look at the timing of the sales, in addition to the amount of the sales versus the insider’s total holdings, to determine if the sales are unusual or suspicious. None of the sales were made pursuant to scheduled 10b5-1 trading plans.
Complicating the issue for the insiders are recent reports that Equifax was the victim of a separate security breach in March of this year. Equifax has not publicly disclosed the March breach.
According to Bloomberg, in early March, “Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate.” According to the article, “the hackers entered the company’s computer banks the second time through a flaw in the company’s web software that was known in March but not patched until the later activity was detected in July.” Gamble sold 14,000 shares on May 23, for proceeds of $1.91 million, more than twice the size of his Aug. 1 sale of 6,500 shares for $946,374. The securities class action plaintiffs and regulators will no doubt find this transaction and its timing worth investigating.
The securities class action will be interesting to follow, in addition to the various regulatory and congressional investigations. In the past, securities class action and shareholder derivative plaintiffs have not fared well after bringing actions following the disclosure of data breaches. Time will tell what happens in this case. But, given the regulatory and congressional scrutiny of the breach and the insider trading, the outcome of this securities class action may be different than the previous data breach class actions involving other companies. Stay tuned.