Equifax Breach Spurs Increased Scrutiny on Securities-Related Disclosure
October 17, 2017 at 09:38 AM
The original version of this story was published on Law.com
As the aftermath of the Equifax cybersecurity breach unfolds, more companies will face scrutiny of securities-related trading and disclosure issues surrounding cyber incidents. As cloud-based computing, e-commerce, the Internet of Things, and other digital technology expands, hackers will have more and more opportunity to access different networks, so it will become increasingly important to regulators, prosecutors, and courts to learn how insiders behave in the wake of cybersecurity breaches.
Inside Counsel sat down with Joshua M. Robbins, partner at litigation law firm Greenberg Gross LLP and chair of its White Collar Defense and Governmental Investigations Department, to discuss the Equifax investigation. He shared how the courts and government view securities-related disclosure cases, the obligations of companies when a cyber incident arises, and what the U.S. Department of Justice and U.S. Securities and Exchange Commission will be looking for in the Equifax investigation.
First, the DOJ, the SEC, the Federal Trade Commission, Congressional committees, and others are investigating the data breach itself: who did the hacking, how they did it, whether Equifax was negligent in failing to prevent it, and how such breaches can be prevented in the future.
“While the hackers, if found, would face criminal charges under the Computer Fraud and Abuse Act and other laws, Equifax likely would not, because there is no reason to think it intended to be hacked, and negligence is rarely the basis of criminal prosecution,” explained Robbins. “However, Equifax could face civil penalties from the FTC or state regulators.”
Second, the DOJ and SEC are looking into possible insider trading by Equifax executives. In fact, it was reported that executives, including the company's CFO, sold about $1.8 million in Equifax shares several days after the company learned of the breach, but before the breach was publicly disclosed. That allowed the executives to avoid losing money when the company's share price fell after the disclosure. According to Robbins, if the executives knew about the breach at the time they sold, they could be liable. Investigators will be looking into their access to information about the breach, and any other possible explanations for the timing of their sales.
Lastly, the SEC could consider whether Equifax, which is a publicly-traded company, improperly withheld information about the breach from the investing public. “It would be difficult to bring such a case, because the rules on the timing of such disclosure are unclear, and Equifax could claim that the scope of the breach – and how material it would be to investors – was not immediately apparent,” he said.
Today, in the federal securities regulation context, disclosure obligations would be driven by some of the traditional factors, including the materiality of the incident to the company's financial performance. In 2011, the SEC issued non-binding guidance on public companies' obligations to report cybersecurity risks and incidents. It advised that in deciding whether and what to disclose, companies should consider such factors as the impact of the incident on the company's financial condition, whether important intellectual property was stolen, and whether the company's products, services, or customer relationships were affected.
“While the SEC has not yet brought an enforcement action for inadequate disclosure following a cybersecurity incident, its Chair has said that he expects public companies to 'take seriously' their 'clear obligation to disclose material information about cyber risks and cyber events,'” he explained. “And its Director of Enforcement has said that the SEC would absolutely bring an enforcement action against a company that violated its disclosure obligations in this area.”
Currently, the SEC is investigating Yahoo based on the two-year delay between the massive hack of three billion of its email users and its disclosure of that breach; Yahoo's recent disclosure that the hack was much larger than previously stated will only augment calls for punishment. How courts will address private shareholder litigation based on alleged failure to disclose breaches remains to be seen, per Robbins. Since companies suffering major breaches have often not seen a significant impact on their share prices, there have been few large shareholder class actions raising the issue.
“Data security breaches are rampant, and the problem has been getting worse every year,” he explained. “Not only major companies like Equifax, but also government agencies – even the NSA – have been victimized. Because of the complexity of corporate networks, the inevitability of user error by employees, and the sophistication of malicious hackers, it is virtually impossible for any business to prevent all cybersecurity incidents. Things have become even more complicated as companies increasingly use remote third parties.”
Many companies face greater liability – legal, financial, and reputational – from data breaches than in the past because they are increasingly encouraging customers to entrust their private data to the companies to facilitate e-commerce transactions and use or sell the data for marketing purposes. New tech like “smart” houseware devices connected to the IoT make use of this model. When a company is hacked, the victims thus include its customers, who may abandon the company and bring lawsuits while regulators may act as well. Although major breaches have not always resulted in huge drops in share prices, the impact may grow as companies' risk from cyber incidents becomes more predictable.
In these cases, it can be tempting for companies to keep quiet when learning of a potential breach issue, in the hope that the incident is one of the minor or unsuccessful intrusions that larger companies encounter on a regular basis, rather than an Equifax-level debacle. Even when a company's intentions are good, poor communication among IT, legal, and financial departments can delay recognition that a breach has reached a critical level. According to Robbins, this may cause the company to delay disclosure longer than it should, or even to make affirmative misstatements.
He said, “Because of these trends and the importance of data security to share prices, the SEC has been paying increasingly close attention to companies' and executives' handling of breach incidents. As discussed above, it has issued official guidance on disclosures of breaches, and its leadership – including the head of its Enforcement Division – have said that they will not shy from filing an enforcement case in the case of improper disclosures, or the failure thereof.”