Equifax Breach Spurs Increased Scrutiny on Securities-Related Disclosure
October 17, 2017 at 09:38 AM
The original version of this story was published on Law.com
As the aftermath of the Equifax cybersecurity breach unfolds, more companies will face scrutiny of securities-related trading and disclosure issues surrounding cyber incidents. As cloud-based computing, e-commerce, the Internet of Things, and other digital technology expands, hackers will have more and more opportunity to access different networks, so it will become increasingly important to regulators, prosecutors, and courts to learn how insiders behave in the wake of cybersecurity breaches.
Inside Counsel sat down with Joshua M. Robbins, partner at litigation law firm Greenberg Gross LLP and chair of its White Collar Defense and Governmental Investigations Department, to discuss the Equifax investigation. He shared how the courts and government view securities-related disclosure cases, the obligations of companies when a cyber incident arises, and what the U.S. Department of Justice and U.S. Securities and Exchange Commission will be looking for in the Equifax investigation.
First, the DOJ, the SEC, the Federal Trade Commission, Congressional committees, and others are investigating the data breach itself: who did the hacking, how they did it, whether Equifax was negligent in failing to prevent it, and how such breaches can be prevented in the future.
“While the hackers, if found, would face criminal charges under the Computer Fraud and Abuse Act and other laws, Equifax likely would not, because there is no reason to think it intended to be hacked, and negligence is rarely the basis of criminal prosecution,” explained Robbins. “However, Equifax could face civil penalties from the FTC or state regulators.”
Second, the DOJ and SEC are looking into possible insider trading by Equifax executives. In fact, it was reported that executives, including the company's CFO, sold about $1.8 million in Equifax shares several days after the company learned of the breach, but before the breach was publicly disclosed. That allowed the executives to avoid losing money when the company's share price fell after the disclosure. According to Robbins, if the executives knew about the breach at the time they sold, they could be liable. Investigators will be looking into their access to information about the breach, and any other possible explanations for the timing of their sales.
Lastly, the SEC could consider whether Equifax, which is a publicly-traded company, improperly withheld information about the breach from the investing public. “It would be difficult to bring such a case, because the rules on the timing of such disclosure are unclear, and Equifax could claim that the scope of the breach – and how material it would be to investors – was not immediately apparent,” he said.
Today, in the federal securities regulation context, disclosure obligations would be driven by some of the traditional factors, including the materiality of the incident to the company's financial performance. In 2011, the SEC issued non-binding guidance on public companies' obligations to report cybersecurity risks and incidents. It advised that in deciding whether and what to disclose, companies should consider such factors as the impact of the incident on the company's financial condition, whether important intellectual property was stolen, and whether the company's products, services, or customer relationships were affected.
“While the SEC has not yet brought an enforcement action for inadequate disclosure following a cybersecurity incident, its Chair has said that he expects public companies to 'take seriously' their 'clear obligation to disclose material information about cyber risks and cyber events,'” he explained. “And its Director of Enforcement has said that the SEC would absolutely bring an enforcement action against a company that violated its disclosure obligations in this area.”
Currently, the SEC is investigating Yahoo based on the two-year delay between the massive hack of three billion of its email users and its disclosure of that breach; Yahoo's recent disclosure that the hack was much larger than previously stated will only augment calls for punishment. How courts will address private shareholder litigation based on alleged failure to disclose breaches remains to be seen, per Robbins. Since companies suffering major breaches have often not seen a significant impact on their share prices, there have been few large shareholder class actions raising the issue.
“Data security breaches are rampant, and the problem has been getting worse every year,” he explained. “Not only major companies like Equifax, but also government agencies – even the NSA – have been victimized. Because of the complexity of corporate networks, the inevitability of user error by employees, and the sophistication of malicious hackers, it is virtually impossible for any business to prevent all cybersecurity incidents. Things have become even more complicated as companies increasingly use remote third parties.”
Many companies face greater liability – legal, financial, and reputational – from data breaches than in the past because they are increasingly encouraging customers to entrust their private data to the companies to facilitate e-commerce transactions and use or sell the data for marketing purposes. New technology, such as “smart” houseware devices connected to the IoT, makes use of this model. When a company is hacked, the victims thus include its customers, who may abandon the company and bring lawsuits, while regulators may act as well. Although major breaches have not always resulted in huge drops in share prices, the impact may grow as companies' risk from cyber incidents becomes more predictable.
In these cases, it can be tempting for companies to keep quiet when learning of a potential breach issue, in the hope that the incident is one of the minor or unsuccessful intrusions that larger companies encounter on a regular basis, rather than an Equifax-level debacle. Even when a company's intentions are good, poor communication among IT, legal, and financial departments can delay recognition that a breach has reached a critical level. According to Robbins, this may cause the company to delay disclosure longer than it should, or even to make affirmative misstatements.
He said, “Because of these trends and the importance of data security to share prices, the SEC has been paying increasingly close attention to companies' and executives' handling of breach incidents. As discussed above, it has issued official guidance on disclosures of breaches, and its leadership – including the head of its Enforcement Division – have said that they will not shy from filing an enforcement case in the case of improper disclosures, or the failure thereof.”