On March 14, 2018, the Securities and Exchange Commission (SEC) charged a chief information officer (CIO) for a US business division of Equifax with insider trading in advance of Equifax’s September 2017 disclosure of the massive security breach it suffered that exposed personal information of approximately 148 million Equifax customers.
Prosecutors allege that Jun Ying used confidential, non-public information to conclude that Equifax had sustained a data breach. Thereafter, he exercised all of his vested Equifax stock options and sold the shares for proceeds of approximately $950,000. The complaint alleges that “[t]hese securities transactions were made on the basis of material nonpublic information and breached the duty of trust and confidence that Ying owed to Equifax and its shareholders.” In their investigation, SEC investigators discovered that Ying had exchanged several texts and emails indicating Ying’s suspicion that Equifax had sustained a data breach. Additionally, investigators found that on August 28, 2017 – prior to Equifax’s disclosure of its data breach – Ying conducted several searches on the Internet related to the effect Experian’s 2015 data breach had on the company’s stock price.
Equifax announced its data breach after the stock market closed on September 7, 2017. The stock price dropped the next day by nearly 14 percent and the volume of Equifax shares traded increased more than 30-fold as compared to the previous day. SEC investigators estimate that Ying avoided $117,000 in losses that would have resulted from news of the Equifax breach had he not taken any action prior to the public announcement of the breach.
The relief sought by the SEC in its complaint includes an order requiring that Ying disgorge an amount equal to the $117,000 in losses that he avoided plus interest and a civil monetary penalty, as well as a prohibition against Ying serving as an officer or director of any public company.
Before exercising his options and selling the shares, Ying was on track to become Equifax’s next global CIO, and Equifax offered him the job on September 15, 2017, when the previous global CIO resigned. At the time of the offer, Ying did not reveal to the company that he had exercised his options and sold the resulting shares prior to the public announcement of the breach. Upon the completion of an internal Equifax investigation into Ying’s trading, the company moved to terminate Ying’s employment, and Ying agreed to resign.
This case serves as a reminder that when a company sustains a cybersecurity incident, in addition to investigating and responding to the event, it should also (1) ensure that employees are aware of insider trading rules; (2) apply blackout periods (when individuals are not allowed to trade following a breach) to a broader group of employees; and (3) implement a plan to monitor the vesting of stock options and the trading of shares after a breach occurs, but before the breach is made public.