Equifax’s massive data breach of sensitive information of 143 million Americans has done more than anger the public and tarnish its image. It may have violated securities law.
That’s because companies have a duty to quickly report any information about their operations that significantly changes their financial outlook. And the fact that Equifax discovered the breach on July 29 but did not disclose the problem until Sept. 7 raises questions about whether it followed those laws and regulations.
“It’s pretty remarkable here how long Equifax has been aware of the problem and did not disclose it,” said Eric Chaffee, a law professor at the University of Toledo and editor of the Securities Law Blog. “The main problem here is the failure to disclose a catastrophic cyberattack that compromised the information that is at the heart of Equifax’s business model. This created a duty to disclose this attack in a timely fashion to investors, potential investors, and those whose data was compromised.”
Chaffee said there is nothing explicit in the law setting a limit for how many days a company can wait to disclose material information. But companies open themselves up to investigations by various authorities if they are found to have waited too long to make disclosures.
In October 2011, the SEC issued guidelines to companies for when they would have to disclose a breach. After its own massive data breach was disclosed last year, Yahoo disclosed in a filing that its handling of the hack was the subject of investigations by, among others, the SEC, the U.S. Federal Trade Commission, a number of state attorneys general, and the U.S. Attorney’s office for the Southern District of New York.
The SEC would not comment Friday on whether it was looking at Equifax’s disclosures in this case, and Equifax did not respond to requests for comment on why it took so long to make a disclosure.
Beyond the lawsuits filed on behalf of consumers whose names, addresses, Social Security numbers and other vital private financial records were stolen, it is certain that the company will face investor suits due to its delayed disclosure, according to Chaffee.
“The stock price for the last five weeks did not accurately reflect the facts that we now know. That’s a problem,” said Chaffee.
The company has disclosed that three top executives sold large blocks of stock within days of when the breach was discovered. Equifax Chief Financial Officer John Gamble sold shares of the company’s stock worth nearly $950,000 on August 1. Joseph Loughran, Equifax’s president for U.S. information solutions, sold shares worth about $685,000 on August 1 as well. And Rodolfo Ploder, president of workforce solutions, sold stock for just more than $250,000 on August 2. Equifax told CNNMoney that the sales were just a “small percentage” of what these executives own and that they all “had no knowledge that an intrusion had occurred” when they made the sales.
But the plunge in the value of the stock in Friday trading – Equifax shares were down 13% in afternoon trading – shows that those executives benefited from the fact that the information had not been made public at the time of their trades.
“The fact that it had a data breach of this magnitude is really quite significant and a great concern for the future of the business,” said Chaffee.
— CNNMoney’s Paul La Monica contributed to this report