Someone in Equifax was made aware of the breach on July 29, 2017. It defies common sense that the chief officers of the company did not learn of it until the same time as the general public, over a month later.
I don't believe there's any claim that they didn't learn of it until the public announcement, only that they didn't know of it at the time of the stock sale which was on Aug 1st, only a few days after the breach was "discovered".
Now, based on my experience, it's entirely possible that the July 29th "discovery" date only refers to the date on which some security analyst noticed abnormal behavior. That, combined with the possibility that Equifax doesn't have good security communication practices in place, it easily could have been a few days (or even weeks) before the security team looked into it enough to know the size of the breach and escalated it up to the C-suite.
I mean, on one hand, I wouldn't want this to go unnoticed and unpunished, but on the other, I'd rather that the feds be more focused on the actual breach part of things.
Then again, was any part of the breach actually criminally negligent? Maybe this is the only real way that the DoJ even can go after Equifax...
Most security standards are voluntary right? Based more on market pressure than regulation. It looks like the Fed is considering a set of regulations for large banking entities, which I assume Equifax would be a part of, but AFAIK the existing regulations aren't very robust and haven't been updated in recent years.
Is there anything the government has in regards to the storage of SSN? It could be regarded that the SSN is property of the Federal Government, i.e. the SSN Administration. Is there anything where they may have breached federal standards for storing federally owned data?
Edit: for example, there is the fedramp set of compliance rules.
Being surprised or upset that there are "illegal numbers" is like being upset that there are illegal configurations of matter and energy. "It's not murder, it's just a configuration of atoms!" doesn't fly.
As with any insider trading case, they just need to prove access to the information. So either a witness needs to come forward and say "I told X to Y executive" or they need email/phone records which prove that such information was shared with these individuals.
Unlike crimes like murder, insider trading is not predicated on intent, so proving intent is unnecessary.
Interesting. In that case, isn't all trading, given you work for an employer, "insider trading." If you see a bug opened on your company's GitHub and think it's crucial and sell all of your stock that's insider trading right?
IANAL but I believe that the spirit of the law being that insider trading is when you use confidential/privileged information to decide your trades. In this case IF they knew about the breach and made trades before a public announcement then that is insider trading. As for github bug report, that seems like a legal gray area.
Did you choose GitHub because (most) repositories there are public? If that's the question, I'm pretty sure it wouldn't be insider trading, because by definition it wasn't inside knowledge.
(Unless it required other, non-public data to know that the bug was important)
I'm re minded of when baseball was pulled infront of congress and players were questioned about steroid use.
There was one player Sammy Sosa who had for years conducted interviews in English who suddenly could not speak English when questioned by congress.
This seems to mirror whats going on at Equifax now. The executives only way of staying out of jail is to claim that they suddenly have no idea what's going on not only in their company but in the case of the IT people, also in the very division they are supposed to be running.....
Hmmm
Time for Matt Levine to update his rules of insider trading to add rule 11, if caught insider trading after a a security breach don't try and claim that you as a C Level executive don't know whats going on in your own company.
I have wondered if the SEC could finesse this by saying "Ok, you can stick with your 'I didn't know' defense and we'll drop the insider trading case but we'll require that the company separate you for cause and invalidate all post separation agreements." (aka the golden parachutes).
Since the benefits of such contracts often dwarfs the value they receive from trading it should help 'remind' them of what they did and didn't know. But they should not be allowed to have it both ways.
Never going to happen. Corporate boards are all stacked with C-level execs of other companies. These people went to the same business schools, socialize together, serve on boards together.
It's a small world where everyone knows one another and I rub your back so you rub mine.
If you testify to the SEC that you didn't manage you division well enough to even know that basic security was being handled appropriately, as a shareholder, can I sue you for negligence?
Cause it sounds like you're testifying that you're just not doing your job in any meaningful capacity, and I should be able to include that as a fact in a civil suit, since you swore in public record that it was the truth.
Forcing them to testify that they didn't fulfill their duties to the shareholders in order to not be responsible personally for the breaches may introduce enough liability all on its own.
Its probably far easier to organize with your other shareholders to get that person fired. Suing is an option but you should probably try what I suggested in the mean time.
I resonate with the sentiment but I expect taking away the golden parachutes of affected C level execs will go further to improving accountability than any amount of prison time will.
But who would ever take a C-level position then? Since they're the face of the company they're fired ceremoniously as a PR move whenever the something bad happens.
In my experience a lot of people would take the job believing that they wouldn't allow something like that to happen on their watch. That said, you do have a point about the added pressure. Much like the '3 strikes' rule in California, the unintended consequence might be even more egregious and illegal behavior in order to avoid losing their contractual exit commitments.
Or maybe they'll report in a more timely manner. They knew for the entire month of August a breach had occurred and they didn't report it.
It shouldn't take more than a couple days. That's enough time to verify you had a problem and get a good picture of the extent. You might not have all the details nailed down, but you put out the information you know and say "We'll provide more details as they become available."
It seems unlikely that anyone would've cared. The big problem is that they lost everyone's SSNs. The timing around the reporting isn't really why their company is under the guillotine.
Whoever dismantles their company could try to frame it that way, but the rest of the industry will see through that. It won't be a good situation for us to be in.
I wish more folks would use this as an example for why it might be time for us as a society to move on from having identity security hinge on a 9-digit number and a few other pieces of "flimsy" information.
They can advise all they like. When a law gets passed that says private companies cannot refuse or degrade service to any consumer that refuses to disclose certain categories of information that are not directly relevant to the operation of the business with respect to that specific consumer, then I will believe that the government is serious about this.
Right now, a baker can refuse to sell you a cupcake if you won't tell them your SSN. Your electric company can refuse to sell you power if you don't tell them your SSN. The phone company can refuse to give you dial tone. They can even refuse to serve you if your SSN has too many fives in it, or not enough. The character of the SSN currently assigned to you is simply not a protected class for anti-discrimination purposes, even though the difficulty in changing it is somewhere between one's race and one's religion.
So if I as a business wanted to discriminate against a protected class, I could ask for the person’s SSN and refuse service when they don’t provide it?
I agree, though it's not clear to me what we should use for identity security. Any piece of information related to a person is going to get out eventually.
If they had a requirement to report each breach promptly, we'd have known far sooner there was a problem there, and the pressure to improve security would have been higher. They have been leaking for years.
White collar crime is difficult to prosecute. If you give people the choice between the certainty of losing millions of dollars and the somewhat remote possibility of prison, they may not make the right choice.
I'd argue factors that push such details out would overrule that worry. When there are three companies with the sort of power that credit ratings hold over people society is already suffering.
The people need to reign in the corporate interests of the world. Companies are already larger and more powerful than governments. People should be freaking out. This event just underscores that need.
Individuals will always utilize the power granted to them in whatever way is most convenient to them.
This is why it's important we not allow laws to be passed with the assumption that overly broad permission grants are OK, because they'll only be used 'correctly'.
Not exactly sure what you're driving at. If there's enough evidence that these guys knew despite their protestations to the contrary, it doesn't matter what they say. It's not like they need to confess to get convicted. And if there's not enough evidence, the SEC can't make companies fire its executives or revoke golden parachutes.
The point is that if they claim that they didn't know better, and that is to be taken at face value, then they're plainly not competent to hold their jobs.
So, if they testify that they knew - they're liable.
If they testify that they didn't know, and SEC can prove otherwise - same as above + perjury.
If they testify that they didn't know, and SEC cannot prove otherwise, then at least it is treated as them confirming their incompetence. So if they get, say, a bonus later, or a "golden parachute" for outstanding service on retirement, that is treated as evidence contradicting their claims.
"Ok, you can stick with your 'I didn't know' defense and we'll drop the insider trading case but we'll require that the company separate you for cause and invalidate all post separation agreements."
And a fine/penalty for not doing their job and putting so many lives at stake. They should literally be driven down to middle class mediocrity for their negligence.
There has to be some example set for future transgressions.
When did the government get the authority to tell a company who they can hire and under what conditions?
Either there's enough evidence to convict those execs of crimes, or there isn't. If there's not sufficient evidence for that, then how can you suggest that the government should still have the authority to have them punished?
The US Government has always had that authority, the Government insists you only hire people who are allowed to work (by their rules) in the US, the Government insists you hire people without discrimination (regardless of how much you might want to), and the Government insists that when you hire someone you will will not exploit them in any number of ways. Further, the Government has given itself the authority to forfeit civil assets, whether or not they get a criminal conviction.
Clearly it doesn't apply to non US governments but the government of the United States has all of the tools already at their disposal to unilaterally implement just this sort of policy.
The policy question is a bit deeper than that, governing is ideally equal parts carrot and stick, and when there is clear evidence of a harm (and there is in this case) where it is impractical for the citizen to prosecute their own defense (could be debated either way) then the last line of defense for the citizen is the enforcement by their collectively empowered authority. That is perhaps the fundamental source of authority for any government.
You're saying that like all companies are just widget manufacturers and who cares whether they succeed or fail? But some companies make their money based on a public trust and if you turn out to be abusing that, the government should come down on you with the full weight and measure of their power. We've spent so long in the middle and upper-classes of the First World kneeling at the altar of Shareholder Value we don't see any difference between Someguy's Ditch Digging Service and Arsenic Baby Votamins, Inc.
Perhaps, but their defense isn't what will be investigated. First they will collect and sift through all the evidence before even asking why they might have sold the stock at that point in time.
Matt Levine has already stated that this won't result in a new rule; that there is nothing new here and everything falls under rule #1: "don't insider trade"
He also said this (which, scanning through this thread, appears to be a rare voice of reason):
> Also, though, I found it hard to imagine that those Equifax executives were consciously insider trading. It would just be too dumb. Equifax's press release reporting the breach says that it "discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion," though it didn't announce it until yesterday because it was still investigating. The three executives filed Form 4s reporting sales on Aug. 1 and 2, days after the discovery. You could just about imagine them learning of the security breach, panicking, and selling everything -- except that they didn't sell everything. One sold about 4 percent of his stock holdings, another about 9 percent, another about 13 percent. Why do such comically obvious insider trading if you're only selling a small percentage of your stock? And indeed the company explained that these executives "had no knowledge that an intrusion had occurred at the time." I guess the time between "tech person discovers a security breach" and "top executives discover it's a huge embarrassing crisis" is more than a couple of days.
> I guess the time between "tech person discovers a security breach" and "top executives discover it's a huge embarrassing crisis" is more than a couple of days.
That's exactly right. I can imagine the gradual motion up the chain of command, with the progress actually slowing down as the size of the breach and potential exposure becomes more and more apparent, and each level trying to minimize the damage. I'd have hated to be the guy that had to tell the CEO...
C-levels aren't notified of anything until there are concrete details to share. They don't want to be notified of every port scan or bruteforce attempt, nor do they want to deal with the scope of a confirmed breach changing on a daily basis ("yesterday you told me only N consumers were compromised, now you're telling me it's worse?!")-- a bad situation that gets reported as worse and worse every day is great for Fox News, but bad for shareholder confidence.
It's better for them that they don't know anything until they know everything.
"The guy that had to tell the CEO" (actually woman) was one of the two parties who resigned the other day.
Depends on the industry. Companies in certain highly-regulated industries are required to escalate even a minor breach of security ("We think something could possibly have happened, but there' no evidence anything did.") to C-level ASAP. One place I worked, if a breach was discovered by a janitor should make it to the C's within 24 hours or everyone in-between would be reprimanded, if not sacked.
But that was a very specific (and again, regulated) industry.
When did the company learn of this incident?
"We learned of the incident on July 29, 2017, and acted immediately to stop the intrusion and conduct a forensic review."
The trades in question took place between three and four days later. During this time, Equifax would have us believe, these three senior managers were kept in the dark about the fact that hackers had undertaken what may be the largest-ever private security breach right under their noses. Moreover, we’re to understand that even the chief financial officer remained unaware as the company “acted immediately” to right the ship.
> Why do such comically obvious insider trading if you're only selling a small percentage of your stock?
Because then it makes it look innocuous and fools those who would scrutinize the behavior, like it did may have for anyone expressing the above opinion. It would be so blindingly damning to sell-off all of one's holdings, but selling off a small portion could allow for partial benefit of your asset at peak value before it declines.
If it were me, I'd do it exactly this way. I'd be trying to find the perfect intersection of mitigating the upcoming asset value decline and maximizing perceived innocuousness. Selling everything? That'd be a sucker's move.
The point is you're still going to be investigated, and it's not going to be fun, and probably not going to be worth the relative small gain you'll make even on the off chance you manage to get away with it. [That said, if it's me, I'm making a point of disclosing all future stock sales well in advance just to make sure this kind of thing can't come back to bite me.]
But they've spent their careers building up layers of untouchable-it is, and assuming since nothings bitten them before, they can do what they want... what's a minor investigation when you can grab a few mil? And get the probes quashed by just mentioning in a closed hearing how many SEC officials and congresspeople were involved in the breach, or maybe they weren't? Hard to figure out when I'm spending so much time in these hearings...
(I hate myself for having written that but ugh Too damn much tit-for-tat.)
> I think we are up to the Seventh Law of Insider Trading. The first six are: (1) don't do it, (2) don't do it by buying short-dated out-of-the-money call options on undisclosed merger targets, (3) don't text or email about it, (4) don't do it in your mother's account, (5) don't do it by planting bombs at a company and shorting its stock, and (6) don't do it while employed at the Securities and Exchange Commission. I hereby declare the Seventh Law: (7) If you are going to insider trade, don't Google "how to insider trade without getting caught" before or after you trade.
> There was one player Sammy Sosa who had for years conducted interviews in English who suddenly could not speak English when questioned by congress.
Do you know how stressful it is being questioned? I was waiting to pick someone up from a train station in Spain when security approached to tell me the station had closed, and why was I still there. All the Spanish went out my head. I imagine being questioned by congressional investigators is probably even more stressful.
Good point. Fortunately he had the foresight to bring an attorney along to testify on his behalf. And an artfully worded statement that avoided a perjury charge, as he did not 'inject' anything -- the trainer's drug of choice was available as a tablet after all.
Sometimes people's lawyers will also advise them not to accept being questioned in a foreign language even if they're relatively fluent because small language nuances may make a big difference in legal proceedings. I've given lectures and press interviews in Portuguese before, but if I were giving an oral deposition in a Brazilian court case or being questioned by police, I would ask for an interpreter.
I was once on a jury in California in a case where several witnesses gave testimony through a Spanish interpreter. It seemed clear that some of the witnesses who testified through the interpreter were fluent in English, and so it seemed a little gratuitous to me at the time. Later on I understood that it made sense both for reducing the stress in the situation and for avoiding any minor linguistic misunderstandings in cross-examination that a lawyer might try to make a big deal out of. It's quite possible that the lawyers encouraged their witnesses to use the interpreter.
I am fluent in English. I have been for many years. But until a couple months ago, I thought throw in throwing a game was similar to throwing a party. One is a fun activity, the other could be a criminal offence. If I were being questioned in a court, I would definitely request an interpreter. I wouldn't want to inadvertently confess to a crime I didn't commit because I didn't quite understand the linguistic nuances of the question.
The problem is I don't know what I don't know, and I wouldn't want to risk finding it out in a court. I would never take that chance with my freedom. It's one of those cases where what is the worst thing that could happen can be quite bad.
Well, being fluent/conversational means you can still hear what words the translator chooses, and can verify it means what you meant. It's just that their word choice would be more precise.
I wouldn't pretend I don't speak the language. I would simply request to have an interpreter present similar to how I would request a lawyer. I would check with my lawyer to see if I have the right to an interpreter. If I do, I would absolutely use it.
I'm more concerned that the persecution, understanding how stressful the situation is for me and how not being a native speaker I wouldn't necessarily be familiar with legalese or very formal lexicon, uses it against me to extract a confession due to my confusion, than I am that the nuances would be lost through an interpreter.
I'm an American in Germany, and I speak German with the immigration office (want them to see how hard I'm trying).
I speak English with the police, even for trivial things where I'm the one requesting service, like when I lost my wallet. That is not a context where I want to get anything wrong, and where there is absolutely nothing to be gained from showing off what I learned in language class.
The executives only way of staying out of jail is to claim that they suddenly have no idea what's going on
Hire a lawyer, no interviews with the FBI, but "me know nothing" might be a problem if they got memos on the breach, attended meetings, drew up plans on dealing with the fallout etc. It's hard to keep such a secret, especially from the top level execs.
In any company of significant size, there is an approval process for trading in own company stock precisely to capture this scenario, where an employee may not be aware of a price moving event. I am not suggesting that they knew or didn't when they traded. Just that if they didn't it's a pretty massive failure in their procedure that would need an investigation on its own.
Samsung's heir and acting chairman, Lee Jae-yong, attempt the same approach in the S. Korea bribery scandal. Pleading ignorance didn't work out so well for him. I foresee the same here. You cannot be at that level within a corporation and dismiss all accountability.
Matt Levine already opined on this case, and his take was that nobody would be stupid enough to commit such an obvious crime for the rather low monetary advantage they got from selling a minor fraction of their shares (I believe it was around 4% of their respective stocks in Equifax).
Matt Levine actually wrote about this already and suggested that it's not likely to be insider trading. Buried in the details (according to him) is that these guys moved like <5% of their stock.
As obvious as these sales look like insider trading, I wonder if the execs are that ignorant and or greedy, or if this is truly a case of bad timing of large sales...
I wonder if, in an ironic twist, they try to play the ignorance card and use the breach itself as proof.
"Of course we were ignorant of the breach, we're really just not on top of things, I mean, look at how we got into this situation, and how we handled it! Does that sound like competence to you? Of course not!"
That would be a risky defense because while they may get off on the insider trading charge, they would open themselves up to a huge shareholder lawsuit.
They will scrape through all their texts, emails, call logs. Someone will screw up somewhere. If they are dumb enough to provide a "SSN API" - I am sure their texts are a hilarious treasure trove. An easy slam dunk case.
- "Prices are going up so seemed right to jump in"
The question can they reasonably refute that they didn't hear anything about the breach. If it has to be proven beyond reasonable doubt the lawyers might think they can convince a jury. They could say they were on vacation maybe and didn't receive any communication about. It is just that their cousin happens to be the college buddy of another exec but that might be tricky to prove.
Since it is a criminal probe the prosecutor would have to prove beyond reasonable doubt they knew? It would seem the executives who believed they could officially refute seeing the information would have done this. Some might have contacted their lawyer maybe and asked "ok so I overheard it in the hallway as I was leaving on vacation, didn't open my email or get any calls about it, what do you think, could I slide by and sell".
In general what is the conviction rate for insider trading. It seems in general a hard thing to prove.
Right. Sadly I think they are very likely going to get away with it.
They are almost certainly the kind of folks who planned this out and if there isn't any proof of knowledge, then there just isn't any. But it does seem inconceivable that they would have no knowledge of the event.
It's easy for the Fed to subpoena all emails, communications, and meetings of these people. It'll be easy to show the breach notice email sent to them, their replies, meeting agenda/attendees, and conference calls with their numbers.
In these days of electronic work environment, there are so many digital footprint one left in the trail.
I assume these are the sneaky execs who can officially claim they haven't opened that email. Individually each one thinks they probably have a chance o fooling the jury. I wonder how admissible the evidence that all 4 of them sold in the same time frame. Because individually (imagine there was only executive) each could argue that their case is just a random coincidence.
That leads into willful blindness territory, where unreasonable ignorance equates to knowledge: if there's no way you couldn't have known something without contriving a way not to know it, then you knew, in broad strokes at least, what you were trying not to know. That's how the law sees it.
Note that, as others have said, these executive only sold 4% and 17% of their holdings, respectively. It seems rather unlikely that they would risk so much for a rather negligible profit.
Regarding your question: insider trading is pretty well-policed. Conviction rate isn't really meaningful (but I'd estimate it's well above 3/4). What would be interesting is the rate of discovery, which is unfortunately impossible to know, because it's a "victimless" crime: nobody knows they've been harmed, and therefore it's impossible to find instances of insider trading without (usually) also finding the culprits.
But it's a pretty good guess that prosecution of insider trading is better today than it has ever been. Because all data is now available in digital form and can be sifted through with all sorts of advanced statistics/machine learning/etc. There's really no escape from this dragnet, because there's no way to trade without those trades showing up in the data. It's only after suspicious trades are discovered that they start following the money.
Not addressed in the article: whether the SEC thinks the suspicious trading in Equifax options[1] is at all related to this investigation. People say "well, $1.8M isn't that much given how much stock they hold"; yes, but, if they were trading options as well then it becomes serious money: the profit on the suspicious options trade was $4.2M.
I'm always perplexed by people's motivations for advancing that argument. The notion that the criminality of your actions depends on whether or not you're already wealthy (other facts not being in dispute) seems like the essence of corruption.
There's a pretty big difference between "a full investigation is warranted" (what you said - totally accurate) and "they should go to JAIL!!1" (much of this thread).
Due process is a legal concept, and fundamentally, a restriction on the state (for very good reasons). I think it's fine for commenters on an internet board to use P(crime was committed|shady trading patterns) > 0.5.
Due process for punishment applied from public gov't bodies. However, people can and will reach conclusions based on the evidence laid before to make their judgements to whether be Equifax customers or not.
I realize this may seem like mob-mentality or mob-rule but there's some nuance here. When you see such gross negligence do you wait until hearings and court judgements which can easily take years before voting with your wallet?
Individual consumers did not choose to be Equifax customers, and as far as I know there is no way for me to "opt out" and effectively have all of my data removed from Equifax (including all future data).
The terms and conditions of any loan, credit card, or other credit account include a release or disclosure that covers reporting the account and payment history to credit reporting agencies. So technically, we did "opt-in" when we accepted credit.
This kind of contractual oligopoly should be explicitly disallowed. It's exactly the kind of place regulation should step in, much like it has with anti-competitive non-competes, forced-arbitration clauses, and IP-creator protections in some states.
That's not really fair though, as credit is only one facet of the data they collect on you.
In most of the US it's against code to live in an apartment without electricity. In order to get electricity, you have to open an account with a utility, who opts-in to submit all your data to Equifax.
Their Workforce Solutions division does the same thing with employment data-- so simply by applying for a job from a participating employer, you're consenting to ultimately let the employer report that you work for them, what your current salary is, your SSN and all the rest of the juicy PII.
Fall on hard times? Need some government assistance? Applying for food stamps will also result in your state agency making an inquiry with Equifax to confirm your location of residence and last reported income. If you didn't have a profile before, you do now.
There is no way to opt out unless you work for yourself, live in a home you paid cash for, generate your own power/gas, and never use credit. So basically Unabomber life.
Well I didn't say it was fair or even reasonable. Just what is. There are stories of people who have trouble getting credit or renting an apartment, etc. because they have never had credit before and therefore have no credit report. So it seems that the reporting agencies don't know about people who don't use credit or any other services that report.
Asking for a loan or credit is the quickest route into these credit rating agency's databases. But their goal is to catalog and rate everyone, so you eventually get in there whether you ask for money or not.
Nope, I don't wait for courts when I think I have enough info to form my own opinion. I'm just as outraged about the Equifax breach as anyone else, and would never do business with them in any way. The key is, there's more evidence every day of negligence: the obvious authentication issues on their site, the "SSN API", the 4+ months that they didn't install the Apache security update, etc.
For me personally, the trading issue is a related but separate incident; one hasn't crossed the same threshold of clear evidence.
No. There's no question that the breach happened; Equifax disclosed it. Who knew what, and when, and whether any stock sales were illegal, are matters for due process. Outrage over the breach itself and the clear negligence that caused it is a separate issue.
Due process is important but there's a norm of competency for executives at a publicly traded company and there's a legal theory called "constructive knowledge" that asserts managers at a company are presumed to know what their underlings know. Together, these are very damning for the executives who traded after the security breach.
Prejudging their guilt isn't favorable and we should avoid doing it as a commitment to our legal system but people would have to ignore their eyes to come to the conclusion that this isn't what it looks like.
I'd argue that the size of equifax and its impact on everyone's lives pushes the matter beyond simple constructs of the legal system. I don't have an option to not do business with them so they shouldn't have any excuses.
I'll probably be sorry for this, but... why doesn't this same standard apply in the political sphere?
A few years back, it seemed that a huge number of people were willing to give President Obama, and even Lois Lerner, a pass on illegal actions of the IRS based on exactly this theory: it's the responsibility of the manager to know what their underlings are doing.
And I don't mean to pick on just Obama. Ronald Reagan, patron saint of the GOP, skated on just such a thing with Iran-Contra. They got Oliver North to be a scapegoat and insulate Reagan and Bush.
So if you're wanting blood from the Equifax execs, think about who you've given a free pass to before.
shockingly, the people who write the rules didn't really write them for easy application to the political class.
Constructive knowledge really only holds in corporations (and I'm not an attorney but I think it holds in organized crime organizations as well). And it was enhanced with Sarbanes Oxley which was passed in the early-2000s.
Also, I'm under the impression that federal prosecutors appear very reluctant to actually use it in court and where they do use it, they usually have more direct evidence of wrong doing. However, I get the sense that prosecutors know it exists and the Justice Department under Obama did use it to extract those massive fines from banks (albeit with no admission of wrong doing, a get out of jail free card for the criminals in the firm, and the firms that retained Eric Holder's law firm seemed to get more favorable settlements).
Zero facts? The fact is that 3 people sold between the company finding out and the public finding out. In fact, there is only one fact missing which is evidence that they knew of the breach.
Wouldn't it be more accurate to say that we have n-1 facts? (or n-3, one for each person)
FYI the "President of US Information Solutions" at Equifax is a role that has nothing to do with their IT/security department. It's not the same thing as the CIO or head of IT, as many people are confusing him for. He's the head of a product line which is called "information solutions". The head of IT/CIO is a completely different person (who has since been fired/resigned).
I'm not interested in giving the benefit of the doubt to a C-suite executive who cashes out about a week after the company suffers one of the most newsworthy data breaches in recent history. To my mind, they are in exactly the right position to know about this sort of thing.
For sure, an investigation will be forthcoming and, in this country, one is innocent until proven guilty. But it seems, in my opinion, exceedingly likely that we'll find an email or text or some bit of ephemera notifying these people of the breach.
Have you worked at a BigCo or know what it's like to be in senior leadership? I would not be surprised in the least if this guy had no clue about the hack. These organizations are huge. People are actually very tight lipped when these things happen. You are/should be told not to speak about it even with your peers.
I also wouldn't be surprised if he did know, but just wanted to emphasize these BigCo org charts tend to be insanely big and complicated. At the senior levels you may not talk to or see your boss for weeks; especially when some big shit like this is being uncovered. So totally possible he knew nothing.
This is a good clarification, but the guy shoudn't be absolved in either case. Here's the description of his duties from their website:
> Trey Loughran leads the company’s United States Information Solutions (USIS) business, which includes U.S.-based services that provide businesses with consumer and commercial information and insights related to areas of risk management, identity and fraud, marketing and other industry-specific solutions.
He would definitely be in the loop regarding a breach of this nature.
I don't necessarily think so. Just because he manages the risk management offering which is sold to other companies doesn't mean he would be aware of or involved in day-to-day risk management at his own company.
At my consulting firm, the execs in charge of our cybersecurity consulting practice are absolutely not involved in any internal cybersec investigations that happen to our own firm. In fact, we have specific procedures which say that our cybersecurity consultants cannot be involved with internal incidents. All internal investigations have to be done by outside, impartial firms.
What’s even more disgusting is that behind the public’s back all of these guys brag about this sort of behavior.
I was reading a book published in 2008 called “Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity”.
The main bad guy lobbyist of that book, Eric Ellman, who is now the head of the credit reporting lobbyist group (http://www.cdiaonline.org), PROUDLY DISPLAYS his portrayal in that book on his LinkedIn.
In the timeline of events that Equifax released [1] it says that they took the web app down on July 30 and contacted an external cybersecurity firm on August 2nd. The managers unloaded their stock from 7/31 to 8/2.
It doesn't sound believable to me that the managers could be unaware of the hiring of an external security firm, or that the company had shut down one of their major web applications.
None of the managers had anything to do with or were in the chain of command of the security team, so it's entirely possible they had absolutely no idea about the breach until long after 8/2.
The CFO is the one that is a little iffy, because the CFO might be involved in the hiring of the external firm. However, having worked for security consulting firms, it's also entirely possible that the CISO is given a blank check for this type of stuff without having to get CFO approval. I've worked in plenty of organizations doing cybersecurity work where the C-suite (including CIO, CFO, etc) was completely unaware we are there because they don't have to rubber stamp every single transaction.
It's also a possibility that the 8/2 date on which they "contacted" the firm was just when discussions started between the two parties, and it might have been a few days before a contract was ironed out enough to involve the CFO or anyone else.
There's a bunch of other possibilities/scenarios in which I think it's entirely believable that they didn't know. It's shady and worthy of investigation, yes, but I'm not willing to convict them just yet.
Oh, yeah that's the real crime. Give them 6 months in jail.
(USA can chew gum and walk at the same time, but where is the probe for the breach...? 143 million people terrorized and most likely thousands will have their life turned upside down because of it.)
Perhaps if these guys get nailed then companies will start to see the value of disclosing security breaches in a timely manner instead of sitting on them for months while they spin up the PR machine.
Having worked on the incident response teams for these types of breaches, the "PR machine" is only part of the reason why companies "sit" on the info. It also takes a long time to do investigations on the breach to know what was stolen, how much was stolen, and how to mitigate it. The FBI also gets involved in breaches like this, and sometimes they'll ask to put off announcing the breach while they do their investigation of it as well.
It doesn't do anyone any good if you release a statement as soon as you notice abnormal behavior that just says "we might have been breached and our customers may be affected, but we don't know who is affected and we don't know how it affects them yet".
Not to be pessimistic, but I'm surprised that anyone even being considered for insider trading, it's legal for Congress to do it, why shouldn't rich people be able to do it? It will probably end up the same way as the credit default swaps, rich people trying to flip houses, banks selling shady packages to the middle class, and the US taxpayer providing a bailout and poor people getting the blame. The idea of justice or consumer protection in the US is a joke.
In the United States, insider trading is not a crime of a specific statute. Instead, it's charged as a breach of fiduciary obligation [1].
Whether the executives in question knew of the breach at the time they sold is irrelevant to whether the company, in allowing this sale to occur, misled the investors who bought those shares since the company, at the time of the sale, had awareness of the breach.
with an investor conference call on the morning of Thursday, July 27.
Any public company I've worked at has had a trading window that opened a day or two after an earnings report came out, with most people who want to trade trading early in that window. Admittedly I've never been an executive and I don't know how the rules differ for execs, but the dates when these trades took place are when I would expect Equifax employees to execute options and sell stock.
It also strikes me as possible that information about a security breach discovered on the weekend might not make its way up the company hierarchy for a few days, and that execs might not have been aware of it when they traded.
I do think this should be investigated by the SEC, but I'm a little disappointed at the rush-to-judgement in this thread.
In many companies, if they don't have a CTO, the IT division reports to the CFO. Is that the case here? If so, hard to believe he didn't know about the breach very soon after discovery.
Right. I also seem to recall the internet hive mind researching this when the story broke, and those same executives had been selling for months on a particular schedule and these trades were right in line with that schedule, and they still held significant stock in the company. Can't seem to find ATM though...
I can believe they kept this pretty quiet inside the company while they figured it out... but I have a really hard time believing the CFO was out of the loop.
Wouldn't it be a better crime (more profit, easier to get away with) to use the hack to manipulate a company's stock then try to sell all the person data for pennies per GB?
200 comments
[ 6.5 ms ] story [ 282 ms ] threadNow, based on my experience, it's entirely possible that the July 29th "discovery" date only refers to the date on which some security analyst noticed abnormal behavior. That, combined with the possibility that Equifax doesn't have good security communication practices in place, it easily could have been a few days (or even weeks) before the security team looked into it enough to know the size of the breach and escalated it up to the C-suite.
Then again, was any part of the breach actually criminally negligent? Maybe this is the only real way that the DoJ even can go after Equifax...
Edit: for example, there is the fedramp set of compliance rules.
http://www.gregthatcher.com/Financial/LawyerProblems.aspx
We've got the FBI and other law enforcement agencies for that aspect, not that I'm optimistic that anyone will really be held accountable.
From the limited descriptions I've read of the architecture of the Equifax system, someone needs to go to prison.
Also, if there was a "bad vibe" at the company, but they didn't specifically know about the breach, would that be insider trading?
Unlike crimes like murder, insider trading is not predicated on intent, so proving intent is unnecessary.
(Unless it required other, non-public data to know that the bug was important)
There was one player Sammy Sosa who had for years conducted interviews in English who suddenly could not speak English when questioned by congress.
This seems to mirror whats going on at Equifax now. The executives only way of staying out of jail is to claim that they suddenly have no idea what's going on not only in their company but in the case of the IT people, also in the very division they are supposed to be running.....
Hmmm
Time for Matt Levine to update his rules of insider trading to add rule 11, if caught insider trading after a a security breach don't try and claim that you as a C Level executive don't know whats going on in your own company.
Since the benefits of such contracts often dwarfs the value they receive from trading it should help 'remind' them of what they did and didn't know. But they should not be allowed to have it both ways.
Though, I don't know if it's even gonna be an option on the table.
It's a small world where everyone knows one another and I rub your back so you rub mine.
Cause it sounds like you're testifying that you're just not doing your job in any meaningful capacity, and I should be able to include that as a fact in a civil suit, since you swore in public record that it was the truth.
Forcing them to testify that they didn't fulfill their duties to the shareholders in order to not be responsible personally for the breaches may introduce enough liability all on its own.
They ask if an opened suit can possibly succeed. That is what "can I sue" means colloquially, one hundred percent of the time.
https://www.usatoday.com/story/money/2017/09/11/equifax-hit-...
It shouldn't take more than a couple days. That's enough time to verify you had a problem and get a good picture of the extent. You might not have all the details nailed down, but you put out the information you know and say "We'll provide more details as they become available."
Whoever dismantles their company could try to frame it that way, but the rest of the industry will see through that. It won't be a good situation for us to be in.
Right now, a baker can refuse to sell you a cupcake if you won't tell them your SSN. Your electric company can refuse to sell you power if you don't tell them your SSN. The phone company can refuse to give you dial tone. They can even refuse to serve you if your SSN has too many fives in it, or not enough. The character of the SSN currently assigned to you is simply not a protected class for anti-discrimination purposes, even though the difficulty in changing it is somewhere between one's race and one's religion.
The people need to reign in the corporate interests of the world. Companies are already larger and more powerful than governments. People should be freaking out. This event just underscores that need.
That seems like a dangerous, slippery road with a lot of unintended side effects.
This is why it's important we not allow laws to be passed with the assumption that overly broad permission grants are OK, because they'll only be used 'correctly'.
So, if they testify that they knew - they're liable.
If they testify that they didn't know, and SEC can prove otherwise - same as above + perjury.
If they testify that they didn't know, and SEC cannot prove otherwise, then at least it is treated as them confirming their incompetence. So if they get, say, a bonus later, or a "golden parachute" for outstanding service on retirement, that is treated as evidence contradicting their claims.
And a fine/penalty for not doing their job and putting so many lives at stake. They should literally be driven down to middle class mediocrity for their negligence.
There has to be some example set for future transgressions.
Either there's enough evidence to convict those execs of crimes, or there isn't. If there's not sufficient evidence for that, then how can you suggest that the government should still have the authority to have them punished?
Clearly it doesn't apply to non US governments but the government of the United States has all of the tools already at their disposal to unilaterally implement just this sort of policy.
The policy question is a bit deeper than that, governing is ideally equal parts carrot and stick, and when there is clear evidence of a harm (and there is in this case) where it is impractical for the citizen to prosecute their own defense (could be debated either way) then the last line of defense for the citizen is the enforcement by their collectively empowered authority. That is perhaps the fundamental source of authority for any government.
I think in this case the execs are going down. I will be shocked if we don't see some jail time after this is all done.
> Also, though, I found it hard to imagine that those Equifax executives were consciously insider trading. It would just be too dumb. Equifax's press release reporting the breach says that it "discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion," though it didn't announce it until yesterday because it was still investigating. The three executives filed Form 4s reporting sales on Aug. 1 and 2, days after the discovery. You could just about imagine them learning of the security breach, panicking, and selling everything -- except that they didn't sell everything. One sold about 4 percent of his stock holdings, another about 9 percent, another about 13 percent. Why do such comically obvious insider trading if you're only selling a small percentage of your stock? And indeed the company explained that these executives "had no knowledge that an intrusion had occurred at the time." I guess the time between "tech person discovers a security breach" and "top executives discover it's a huge embarrassing crisis" is more than a couple of days.
That's exactly right. I can imagine the gradual motion up the chain of command, with the progress actually slowing down as the size of the breach and potential exposure becomes more and more apparent, and each level trying to minimize the damage. I'd have hated to be the guy that had to tell the CEO...
It's better for them that they don't know anything until they know everything.
"The guy that had to tell the CEO" (actually woman) was one of the two parties who resigned the other day.
But that was a very specific (and again, regulated) industry.
When did the company learn of this incident? "We learned of the incident on July 29, 2017, and acted immediately to stop the intrusion and conduct a forensic review."
The trades in question took place between three and four days later. During this time, Equifax would have us believe, these three senior managers were kept in the dark about the fact that hackers had undertaken what may be the largest-ever private security breach right under their noses. Moreover, we’re to understand that even the chief financial officer remained unaware as the company “acted immediately” to right the ship.
http://dealbreaker.com/2017/09/equifaxs-execs-explaining-to-...
Because then it makes it look innocuous and fools those who would scrutinize the behavior, like it did may have for anyone expressing the above opinion. It would be so blindingly damning to sell-off all of one's holdings, but selling off a small portion could allow for partial benefit of your asset at peak value before it declines.
If it were me, I'd do it exactly this way. I'd be trying to find the perfect intersection of mitigating the upcoming asset value decline and maximizing perceived innocuousness. Selling everything? That'd be a sucker's move.
(I hate myself for having written that but ugh Too damn much tit-for-tat.)
https://www.bloomberg.com/view/articles/2017-07-13/main-stre...
Do you know how stressful it is being questioned? I was waiting to pick someone up from a train station in Spain when security approached to tell me the station had closed, and why was I still there. All the Spanish went out my head. I imagine being questioned by congressional investigators is probably even more stressful.
I was once on a jury in California in a case where several witnesses gave testimony through a Spanish interpreter. It seemed clear that some of the witnesses who testified through the interpreter were fluent in English, and so it seemed a little gratuitous to me at the time. Later on I understood that it made sense both for reducing the stress in the situation and for avoiding any minor linguistic misunderstandings in cross-examination that a lawyer might try to make a big deal out of. It's quite possible that the lawyers encouraged their witnesses to use the interpreter.
It sounds like a bad idea all around.
I'm more concerned that the persecution, understanding how stressful the situation is for me and how not being a native speaker I wouldn't necessarily be familiar with legalese or very formal lexicon, uses it against me to extract a confession due to my confusion, than I am that the nuances would be lost through an interpreter.
I speak English with the police, even for trivial things where I'm the one requesting service, like when I lost my wallet. That is not a context where I want to get anything wrong, and where there is absolutely nothing to be gained from showing off what I learned in language class.
Though to be fair, the Sammy Sosa anecdote was more for humor than anything else. Oddly it turned into a comment that got 50 upvotes.
I appreciate the response, I think you've flipped my thinking on this:)
Hire a lawyer, no interviews with the FBI, but "me know nothing" might be a problem if they got memos on the breach, attended meetings, drew up plans on dealing with the fallout etc. It's hard to keep such a secret, especially from the top level execs.
"Of course we were ignorant of the breach, we're really just not on top of things, I mean, look at how we got into this situation, and how we handled it! Does that sound like competence to you? Of course not!"
Equifax officer: "uh.."
They will scrape through all their texts, emails, call logs. Someone will screw up somewhere. If they are dumb enough to provide a "SSN API" - I am sure their texts are a hilarious treasure trove. An easy slam dunk case.
Maybe not too believable but to suggest they would have no answer at all is a bit naive.
> Equifax officer: "uh.."
- "To buy a vacation home...".
- "But why now?"
- "Prices are going up so seemed right to jump in"
The question can they reasonably refute that they didn't hear anything about the breach. If it has to be proven beyond reasonable doubt the lawyers might think they can convince a jury. They could say they were on vacation maybe and didn't receive any communication about. It is just that their cousin happens to be the college buddy of another exec but that might be tricky to prove.
I realize they're examples, but if there really is a high index of suspicion...
"So which realtor have you been working with? Presumably your browser history will show hits to real estate sites, too..."
"Vacation? Very nice. I'm sure you have boarding passes or credit card receipts from hotels..."
Since it is a criminal probe the prosecutor would have to prove beyond reasonable doubt they knew? It would seem the executives who believed they could officially refute seeing the information would have done this. Some might have contacted their lawyer maybe and asked "ok so I overheard it in the hallway as I was leaving on vacation, didn't open my email or get any calls about it, what do you think, could I slide by and sell".
In general what is the conviction rate for insider trading. It seems in general a hard thing to prove.
They are almost certainly the kind of folks who planned this out and if there isn't any proof of knowledge, then there just isn't any. But it does seem inconceivable that they would have no knowledge of the event.
In these days of electronic work environment, there are so many digital footprint one left in the trail.
Regarding your question: insider trading is pretty well-policed. Conviction rate isn't really meaningful (but I'd estimate it's well above 3/4). What would be interesting is the rate of discovery, which is unfortunately impossible to know, because it's a "victimless" crime: nobody knows they've been harmed, and therefore it's impossible to find instances of insider trading without (usually) also finding the culprits.
But it's a pretty good guess that prosecution of insider trading is better today than it has ever been. Because all data is now available in digital form and can be sifted through with all sorts of advanced statistics/machine learning/etc. There's really no escape from this dragnet, because there's no way to trade without those trades showing up in the data. It's only after suspicious trades are discovered that they start following the money.
[1]: https://www.cnbc.com/2017/09/08/suspect-trading-in-equifax-o...
The excess capital, if the stock has not recovered, should be given to non profit charities that support victims of identity fraud.
Which may get them off the insider trading charge, but opens them up to one hell of a shareholder lawsuit.
Everyone seems to have reached conclusions about this on very suspicious circumstances, but almost zero facts.
I realize this may seem like mob-mentality or mob-rule but there's some nuance here. When you see such gross negligence do you wait until hearings and court judgements which can easily take years before voting with your wallet?
I'm already trying to figure out how to push locally for dropping SSNs from processes, no matter how Sisyphean it feels.
The way to "opt-out" is to never use credit.
In most of the US it's against code to live in an apartment without electricity. In order to get electricity, you have to open an account with a utility, who opts-in to submit all your data to Equifax.
Their Workforce Solutions division does the same thing with employment data-- so simply by applying for a job from a participating employer, you're consenting to ultimately let the employer report that you work for them, what your current salary is, your SSN and all the rest of the juicy PII.
Fall on hard times? Need some government assistance? Applying for food stamps will also result in your state agency making an inquiry with Equifax to confirm your location of residence and last reported income. If you didn't have a profile before, you do now.
There is no way to opt out unless you work for yourself, live in a home you paid cash for, generate your own power/gas, and never use credit. So basically Unabomber life.
For me personally, the trading issue is a related but separate incident; one hasn't crossed the same threshold of clear evidence.
Prejudging their guilt isn't favorable and we should avoid doing it as a commitment to our legal system but people would have to ignore their eyes to come to the conclusion that this isn't what it looks like.
A few years back, it seemed that a huge number of people were willing to give President Obama, and even Lois Lerner, a pass on illegal actions of the IRS based on exactly this theory: it's the responsibility of the manager to know what their underlings are doing.
And I don't mean to pick on just Obama. Ronald Reagan, patron saint of the GOP, skated on just such a thing with Iran-Contra. They got Oliver North to be a scapegoat and insulate Reagan and Bush.
So if you're wanting blood from the Equifax execs, think about who you've given a free pass to before.
Constructive knowledge really only holds in corporations (and I'm not an attorney but I think it holds in organized crime organizations as well). And it was enhanced with Sarbanes Oxley which was passed in the early-2000s.
Also, I'm under the impression that federal prosecutors appear very reluctant to actually use it in court and where they do use it, they usually have more direct evidence of wrong doing. However, I get the sense that prosecutors know it exists and the Justice Department under Obama did use it to extract those massive fines from banks (albeit with no admission of wrong doing, a get out of jail free card for the criminals in the firm, and the firms that retained Eric Holder's law firm seemed to get more favorable settlements).
Wouldn't it be more accurate to say that we have n-1 facts? (or n-3, one for each person)
> ... discovered a security breach on July 29...
> ... sold shares worth almost $1.8 million in early August...
> ... didn’t know of the breach at the time
You're the president of U.S. information solutions and you didn't know about the largest information breach in your company's history a week later?
If that's true, that speaks more to the problems in this company than the actual breach itself.
For sure, an investigation will be forthcoming and, in this country, one is innocent until proven guilty. But it seems, in my opinion, exceedingly likely that we'll find an email or text or some bit of ephemera notifying these people of the breach.
If not, well, I will eat my hat.
I also wouldn't be surprised if he did know, but just wanted to emphasize these BigCo org charts tend to be insanely big and complicated. At the senior levels you may not talk to or see your boss for weeks; especially when some big shit like this is being uncovered. So totally possible he knew nothing.
> Trey Loughran leads the company’s United States Information Solutions (USIS) business, which includes U.S.-based services that provide businesses with consumer and commercial information and insights related to areas of risk management, identity and fraud, marketing and other industry-specific solutions.
He would definitely be in the loop regarding a breach of this nature.
At my consulting firm, the execs in charge of our cybersecurity consulting practice are absolutely not involved in any internal cybersec investigations that happen to our own firm. In fact, we have specific procedures which say that our cybersecurity consultants cannot be involved with internal incidents. All internal investigations have to be done by outside, impartial firms.
I was reading a book published in 2008 called “Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity”.
The main bad guy lobbyist of that book, Eric Ellman, who is now the head of the credit reporting lobbyist group (http://www.cdiaonline.org), PROUDLY DISPLAYS his portrayal in that book on his LinkedIn.
http://linkedin.com/in/eric-j-ellman-0a33857
He basically doxxed himself.
How can anyone believe this bullshit anymore. That website was out of date by 1996. It looks so bad. They don’t care at all.
It doesn't sound believable to me that the managers could be unaware of the hiring of an external security firm, or that the company had shut down one of their major web applications.
[1] https://investor.equifax.com/news-and-events/news/2017/09-15...
The CFO is the one that is a little iffy, because the CFO might be involved in the hiring of the external firm. However, having worked for security consulting firms, it's also entirely possible that the CISO is given a blank check for this type of stuff without having to get CFO approval. I've worked in plenty of organizations doing cybersecurity work where the C-suite (including CIO, CFO, etc) was completely unaware we are there because they don't have to rubber stamp every single transaction.
It's also a possibility that the 8/2 date on which they "contacted" the firm was just when discussions started between the two parties, and it might have been a few days before a contract was ironed out enough to involve the CFO or anyone else.
There's a bunch of other possibilities/scenarios in which I think it's entirely believable that they didn't know. It's shady and worthy of investigation, yes, but I'm not willing to convict them just yet.
(USA can chew gum and walk at the same time, but where is the probe for the breach...? 143 million people terrorized and most likely thousands will have their life turned upside down because of it.)
It doesn't do anyone any good if you release a statement as soon as you notice abnormal behavior that just says "we might have been breached and our customers may be affected, but we don't know who is affected and we don't know how it affects them yet".
The US needs a DPA, or at least its residents do. The government couldn't care less.
Whether the executives in question knew of the breach at the time they sold is irrelevant to whether the company, in allowing this sale to occur, misled the investors who bought those shares since the company, at the time of the sale, had awareness of the breach.
[1] https://www.sec.gov/fast-answers/answersinsiderhtm.html
Disclaimer: I am not a lawyer. This is not legal advice. Do not ever insider trade.
https://www.techdirt.com/articles/20130416/08344222725/congr...
https://investor.equifax.com/news-and-events/news/2017/06-28...
with an investor conference call on the morning of Thursday, July 27.
Any public company I've worked at has had a trading window that opened a day or two after an earnings report came out, with most people who want to trade trading early in that window. Admittedly I've never been an executive and I don't know how the rules differ for execs, but the dates when these trades took place are when I would expect Equifax employees to execute options and sell stock.
It also strikes me as possible that information about a security breach discovered on the weekend might not make its way up the company hierarchy for a few days, and that execs might not have been aware of it when they traded.
I do think this should be investigated by the SEC, but I'm a little disappointed at the rush-to-judgement in this thread.
https://www.cnbc.com/2017/09/08/suspect-trading-in-equifax-o...
I wonder if the 2600 number is significant or just a coincidence.
http://www.investopedia.com/terms/r/rule-10b5-1.asp