Cybersecurity has become an issue of national importance in recent years as people entrust more and more personal information to various companies, and as other companies compile massive amounts of personal information from various sources. Businesses that maintain databases of personal information must take reasonable measures to keep this information secure, and they must also disclose cybersecurity breaches to affected people or the general public. In early September 2017, a major credit reporting agency (CRA) disclosed a hack that potentially compromised millions of people’s personal data several months earlier. The Department of Justice (DOJ) has reportedly opened an investigation into several of the CRA’s executives for alleged actions between the time the company learned of the breach and the time it announced it to the public. The investigation does not concern the breach itself but allegations that the executives sold stock in the company because of the anticipated impact of the announcement on the stock price. This is also known, in both federal and Texas white-collar criminal laws, as insider trading.
Federal securities statutes do not identify “insider trading” as a distinct offense. The Securities Exchange Act of 1934 prohibits the use of “manipulative and deceptive devices” in connection with publicly traded securities, including stocks. 15 U.S.C. § 78j. The Securities and Exchange Commission (SEC) expounds on this provision in its regulations. Rule 10b5-1 states that it is a manipulative and deceptive device to buy or sell a publicly traded security “on the basis of material nonpublic information.” 17 C.F.R. § 240.10b5-1(a). Willful violations of these provisions by an individual can result in a fine of up to $5 million and a prison sentence of up to 20 years, 15 U.S.C. § 78ff(a), but the burden of proof for the state is substantial.
The CRA, Equifax, is one of the main agencies in the U.S. that collect and compile consumer credit information, using this information to generate credit reports and credit scores. The company reportedly experienced a massive cybersecurity attack between May and July 2017. During this time, hackers obtained personal information, including names, addresses, and Social Security numbers, for about 143 million people. (For the sake of scale, this is somewhat less than half the total population of the United States, or about equal to the population of Russia.) The company reportedly learned of the hack in late July but did not announce it to the public until early September.
After the announcement of the hack, Equifax’s share price reportedly dropped by more than a third over several weeks. Federal securities regulators apparently noticed, through regulatory filings, that several executives at the CRA had sold some of their stock in the company before the announcement. Specifically, they are investigating allegations that three executives sold $1.8 million worth of stock outside of any scheduled plans for stock trades.