Atlanta: The Equifax Inc data breach that may have compromised sensitive information on almost half of the US population has landed the company’s leadership at the centre of a tempest.
“This is a Category 5 storm for the board,” said Bart Friedman, a senior counsel at Cahill Gordon & Reindel LLP who advises corporate directors on compliance matters. “If they knew about the breach and waited to make it public, they will be criticised for not exercising appropriate oversight. If they did not know about it, they will be criticised for being out of touch and not demanding the reporting expected of public company management — let alone a company with Equifax’s mission.”
The credit bureau said Thursday that hackers had accessed information such as birth dates and Social Security numbers for about 143 million US customers, and that it first detected the attack on July 29. Days later, three senior managers including Chief Financial Officer John Gamble sold stock worth almost $1.8 million.
The six-week span between discovery and disclosure, and the timing of the stock sales, are likely to subject the decisions and oversight of the executive team and board of directors to regulatory scrutiny. Equifax maintains data on more than 820 million customers worldwide and protecting that information is central to its mission.
The three executives “sold a small percentage” of their stock and “had no knowledge that an intrusion had occurred at the time,” Ines Gutzmer, a spokeswoman for Atlanta-based Equifax, said in an emailed statement late Thursday. She didn’t respond to subsequent requests for comment.
The unauthorised access occurred between mid-May and July, but no suspicious activity has been found in the company’s core credit-reporting databases, Chief Executive Officer Richard Smith said in a video on Equifax’s website.
Because July 29 was a Saturday, it’s possible that the three executives didn’t know about the breach or its severity at the time they sold the stock, Jeff Meuler, a Robert W. Baird & Co. analyst, said Friday in an interview on Bloomberg Television.
Gamble sold shares worth $946,374 on Aug. 1 and Joseph Loughran, president of US information solutions, exercised options to dispose of stock worth $584,099, regulatory filings show. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. Equifax, which closed above $146 on both of those days, tumbled 13 per cent to $123.50 at 2:03pm. Friday in New York, the biggest intraday drop in almost two decades.
Gamble sold more than 13 per cent of his stake in Equifax. Loughran sold 9 per cent of his holdings and Ploder disposed of 4 per cent.
To run afoul of laws that prohibit insider trading, a seller has to be aware of nonpublic information, said Stephen Crimmins, a former enforcement lawyer for the Securities and Exchange Commission. The executives probably will avoid punishment because the company quickly put out a statement saying they were unaware of the breach. Still, regulators will want to explore how the company handled the sales, Crimmins said.
Signs of a breach should prompt a company’s general counsel to head off stock trades of any kind until the crisis has been resolved and publicly disclosed, said Peter Metzger, a vice-chairman at executive recruiting firm DHR International Inc, who specialises in cybersecurity searches.
John J. Kelley, Equifax’s chief legal officer, didn’t reply to messages seeking comment. An SEC spokeswoman declined to comment.
Companies struck by big data breaches usually bring in a small army of outside help long before notifying the public, including lawyers, public relations specialists and consultants adept at managing communications with regulators and law enforcement. They also hire digital forensics firms to determine how and when hackers got in and what data were compromised, a timeline that tends to be scrutinised during litigation.
The SEC doesn’t have specific disclosure requirements for cyber attacks and electronic data breaches. Firms must share such information with investors if it’s significant enough to be considered a “material” event, according to a guidance the SEC released in October 2011.
An insufficient response can cost executives their jobs. A 2013 breach that exposed the personal information of tens of millions of Target Corp. shoppers resulted in the resignation of CEO Gregg Steinhafel and Beth Jacob, who was the retailer’s top technology officer. Lawmakers criticised the company for not reacting sooner to warnings from anti-hacking systems.
That might also be the case at Equifax, said DHR’s Metzger.
“This is one of two things — either a lack of proper oversight and leadership or attempted cover-up,” he said. “Based on the facts as we now know them, it’s clear that there’s got to be changes.”