On June 28, 2018 the Department of Justice (“DOJ”) and the Securities and Exchange Commission (“SEC”) announced parallel criminal and civil charges against Sudhakar Reddy Bonthu, a former software development manager, for selling his shares of Equifax stock before Equifax publicly announced that it had suffered an immense data breach.
This follows similar charges against Jun Ying, the former Chief Information Officer of Equifax’s United States Information Systems, as well as recent SEC guidance on ensuring corporate insiders do not trade in securities while in possession of material nonpublic information about cybersecurity incidents.
In late July 2017, Equifax learned of cyber-intrusions that resulted in a critical data breach of its information technology systems, compromising the personal information of over 145 million consumers. In response, Equifax created two action teams to investigate and respond to the breach. One team had direct knowledge that Equifax was the victim of a large data breach, while the other was told that a client had been the victim of a large data breach. Equifax instituted a trading blackout period, which barred trading in Equifax shares, only for employees on the action team that knew Equifax was the victim of a breach.
The DOJ and SEC complaints alleged that Bonthu learned of the breach on Friday, August 25, 2017, when he was asked to assist with ongoing breach remediation efforts. He was not told that Equifax itself was the victim of the data breach. The next week Bonthu, still working under the impression that Equifax was not the victim of the breach, received an email with an attachment named “EFXDatabreach.postman_collection” (“EFX” is the stock ticker symbol for Equifax).
On September 1, 2017, two days after receiving the attachment, Bonthu purchased put options in Equifax stock, which would result in a profit if the value of Equifax dropped during the next two weeks. Equifax publicly announced the data breach on September 7, 2017 and Bonthu exercised his put options the next day, earning more than $75,000.
Key to the charges against both Bonthu and Ying was their knowledge, or likely knowledge, of the material nonpublic information that Equifax was the victim of the data breach. Four other top Equifax executives, including the Chief Financial Officer, sold nearly $2 million in stock during the same time period when the breach was known internally but not yet publicly disclosed. None of these four individuals were charged by the DOJ or the SEC, and an investigation authorized by a special committee of the Equifax board determined they did not know about the breach when they sold their stock.
These new charges only underscore the critical need for publicly traded companies to properly refine their insider trading policies to address potential data breaches, even when certain employees may be initially screened from information concerning the breach. When those screens drop or fail, insider trading concerns can arise, leading to regulatory scrutiny and possible criminal action.