Two corporate executives at Equifax sold over 10,000 of their shares in the corporation just three days after Equifax discovered hackers accessed the names and social security numbers of 143 million Americans. Equifax discovered the data breach on July 29, and the executives sold the stock in the first days of August. However, Equifax did not announce the data breach until September 7. Because the stocks sales preceded the public announcement of the hack by nearly a month, the sales triggered legitimate questions as to both the ethics and the legality of the transactions. While the sales certainly damage Equifax’s public image and the public trust in the company, whether the executives committed a crime under federal securities law is a more complicated question.
Rule 10b-5 prohibits what is commonly known as insider trading - the use of material, nonpublic information in the purchase or sale of a security for personal profit, in breach of a fiduciary duty. Under the traditional theory of insider trading, the fiduciary duty involved is the duty owed by a corporation’s executive to the shareholders of the corporation. Indeed, a fiduciary duty gives rise to a disclosure obligation, and it is fraud where one under such a duty fails to disclose material, nonpublic information prior to the consummation of a transaction. Thus, a corporate executive's fiduciary duty to the company requires the executive to either abstain from trading on the nonpublic information or disclose the information to the shareholders. If the corporate executives at Equifax told the shareholders about the hack, there would be no fraudulent omissions and thus no Rule 10b-5 violation.
Even if the Equifax executives failed to disclose the nonpublic information, the executives would only be criminally liable if the Equifax executives committed the fraudulent nondisclosure willfully - i.e. knowingly and purposefully. As is the case with most white collar criminal offenses the element of willfulness is ultimately determinative of criminal liability. A person acts willfully when their actions are intentional, deliberate, and not due to an innocent mistake or inadvertence. In order to avoid misconceptions, corporate executives often set up stock sales to occur at a future date. Here, we do know from filings that the executives did not pre-arrange these transactions.
Usually, the Department of Justice pursues criminal charges after the SEC brings a civil enforcement action. Until more information is known about whether the shareholders had knowledge of the hack at the time of the executive sales, it is difficult to speculate about the occurrence of a criminal act. The Department of Justice pursues criminal securities fraud charges more often in cases of large and strikingly profitable transactions. The Equifax transactions in question are on the smaller end of this scale, but the public uproar over the sales may place the executives in the DOJ’s crosshairs. Look for the SEC to bring an enforcement action in the coming months as the first step in a potential criminal prosecution. Until an SEC enforcement action, the biggest legal issue at hand is the liability of Equifax for the data breach. For a discussion of data privacy and cybersecurity law in this context, check out prior blog posts by my colleague Zachary Heck.