On March 14, 2018, the Department of Justice (“DOJ”) and Securities and Exchange Commission (“SEC”) announced parallel criminal and civil charges against Jun Ying, the former Chief Information Officer of Equifax’s United States Information Systems, for selling his shares of Equifax stock before Equifax publicly announced that it had suffered an immense data breach.  These charges come in the wake of recent SEC guidance on ensuring corporate insiders do not trade in securities while in possession of material nonpublic information about cybersecurity incidents.

Equifax learned in late July 2017 that it had been subject to cyber-intrusions that resulted in a critical data breach of its information technology systems.  In response, Equifax created two action teams to investigate and respond to the breach.  One team had direct knowledge that Equifax was the victim of a large data breach, while the other was told that a client had been the victim of a large data breach.  Equifax instituted a trading blackout period to prevent employees from trading shares of Equifax only for employees on the action team that knew Equifax was the victim of a breach. 

The DOJ and SEC complaints alleged that Mr. Ying learned of the breach on Friday, August 25, 2017, when he received an email requesting assistance with ongoing breach remediation efforts.  This communication did not specify that Equifax itself was the victim of the data breach.  Later that evening, as he learned more details, Mr. Ying deduced that Equifax was likely the victim of the data breach. 

On Monday morning, August 28, Mr. Ying researched the impact that a 2015 data breach had on stock prices of Experian, another credit bureau.  Searches revealed that Experian’s stock price dropped 4% following the public announcement of the 2015 data breach.  Within an hour of these searches, Mr. Ying accessed his stock plan, exercised all of his vested options, and sold all of his shares of Equifax for over $950,000.  Mr. Ying would have lost over $117,000 had he waited to sell his shares until after the public announcement of the breach on September 7, 2017.

These charges illustrate the importance of companies adopting and enforcing robust and comprehensive policies and procedures to prevent corporate insiders from trading securities based on material nonpublic information.  Companies that have experienced a data breach should take measures to ensure that corporate insiders who know, or are likely to know, of a breach, cannot trade on such information.

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2018 Harter Secrest & Emery LLP


This website presents only general information not intended as legal advice. Although we encourage calls, letters and emails from prospective clients, please keep in mind that merely contacting Harter Secrest & Emery LLP (HSE) does not establish an attorney-client relationship between us. Confidential information should not be sent to HSE until you have been notified in writing by HSE that a formal attorney-client relationship has been established. Information sent to us before then may not be treated as confidential by HSE or the court.

I have read this and agree     Cancel

Our website uses cookies. By continuing to use our site, you agree to our use of cookies in accordance with our Privacy Policy.