Published By Janet Gershen-Siegel at March 16, 2018
As we predicted back in October, insider trading charges are now a part of the untangling of the web surrounding the 2017 Equifax data breach. The Equifax data breach check, now, includes a look at court dockets.
According to the Boston Globe (and several other sources), former senior executive Jun Ying is facing both civil and criminal charges from the Securities and Exchange Commission and the United States Attorney’s Office for the Northern District of Georgia.
Note: the insider trading case, while it is venued in Georgia, is a separate matter from O’Dell Properties, LLC, O’Dell & O’Neal, P.C., Jellie Donuts, LLC, et. al. v. Equifax, Inc. (see: http://www.smallbusinessequifaxclass.com/) The O’Dell Properties matter is a class action alleging damages to several businesses due to last year’s data breach.
As readers might recall, on September 7, 2017, the Associated Press reported the Equifax breach, which involved some 143 million Americans’ personal data, including Social Security numbers (that figure is now up to 148 million). A troubling detail was that hackers had access to files between the middle of May and July of 2017. Apparently Equifax caught the breach on July the 29th but the company waited until September 7 to publicly announce it. After the announcement of the data breach, Equifax’s stock dropped 13%, to $124.10 in extensive trading.
What is perhaps even more interesting is that Ying, who had been the troubled credit reporting agency’s chief information officer for a United States division (Mr. Ying was under consideration for the CIO role when the company’s CIO resigned; an offer was rescinded once the company learned of the trades), was not the only executive dumping stock.
Three other Equifax executives seem to have protected themselves by selling shares with a combined value of $1.8 million on August 1 and 2, a mere few days after the July 29 discovery of the breach, per documents that were filed with securities regulators. However, the company claimed the executives did not know about the breach when they made their trades. These executives are the Chief Financial Officer John Gamble; and Joseph Loughran, Equifax’s president of United States information solutions; plus Rodolfo Ploder, who is Equifax’s president of workforce solutions.
As for Mr. Ying, according to the SEC complaint, before the breach was made public, he exercised all of his Equifax stock options, thereby realizing a profit of nearly $1 million and avoiding what would have been over $117,000 in losses. Most telling were internet searches he performed before trading. Per Ars Technica, Mr. Ying was searching for information on Experian’s stock prices after their own 2015 breach.
Equifax’s shakeup also included the retirement of two of its executives. They were the company’s Chief Security Officer, Susan Mauldin, and its Chief Information Officer, David Webb.
On October 4, 2017, Equifax’s former CEO, Richard Smith (his retirement was reported by the New York Times on September 26, 2017) testified in front of the Senate Banking Committee for about three hours. Questioning including whether the company had notified consumers of the breach so they could take proactive steps to prevent consumer credit damage, and how the credit bureau could (and should) have acted to prevent such a breach in the first place.
Note that the Board of Directors took the rare step of indicating that they could retroactively reclassify Smith as having been fired for cause. Currently, Smith would receive over $18 million in pension benefits and he holds $20.8 million in stock awards, plus $23.6 million in Equifax stock. A firing for cause would likely mean he would be forced to repay or forego some of that compensation.
If Smith is on the receiving end of a lawsuit and loses, then the Board may very well vote to change its records and say they fired him for cause.
As we also reported back in October, the company’s efforts at addressing the problem with online solutions were far from adequate. In addition to the credit reporting agency’s own issues with redirects and unclear instructions (and downright incorrect data), consumers were understandably cautious about entrusting their personal information to a company that had just experienced a theft of that same information, all in exchange for knowing for sure if their own information had been compromised. As for how the Equifax data breach happened, Ars Technica reports it was a two-month old security patch which was not installed. This patch was intended to fix a critical web application bug. Why was Equifax hacked? It was to get at their valuable private data on hundreds of millions of people, of course. And failing to install a patch was how the hackers were able to do just that.
Will there be more indictments? Or will Mr. Ying be the only one? Will Mr. Smith or any other Equifax executives, both past and present, appear in front of the Senate or the House of Representatives? And after all of this, can Equifax be trusted? Will Equifax survive?
Be sure to get a copy of your Equifax credit report, both for consumer and business credit, and check it over carefully. Dispute Equifax credit report errors that you find, with copies of your receipts and as clear a letter as possible outlining the issues. And as always, protect your personal information as well as you can.
We will be watching this one closely, so be sure to stay tuned.