I'm reminded of when baseball was pulled in front of Congress and players were questioned about steroid use.
There was one player Sammy Sosa who had for years conducted interviews in English who suddenly could not speak English when questioned by congress.
This seems to mirror what's going on at Equifax now. The executives' only way of staying out of jail is to claim that they suddenly have no idea what's going on not only in their company but, in the case of the IT people, also in the very division they are supposed to be running...
Hmmm
Time for Matt Levine to update his rules of insider trading to add rule 11: if caught insider trading after a security breach, don't try and claim that you as a C-level executive don't know what's going on in your own company.
I have wondered if the SEC could finesse this by saying "Ok, you can stick with your 'I didn't know' defense and we'll drop the insider trading case but we'll require that the company separate you for cause and invalidate all post separation agreements." (aka the golden parachutes).
Since the benefits of such contracts often dwarf the value they receive from trading, it should help 'remind' them of what they did and didn't know. But they should not be allowed to have it both ways.
Never going to happen. Corporate boards are all stacked with C-level execs of other companies. These people went to the same business schools, socialize together, serve on boards together.
It's a small world where everyone knows one another and I rub your back so you rub mine.
If you testify to the SEC that you didn't manage your division well enough to even know that basic security was being handled appropriately, as a shareholder, can I sue you for negligence?
Cause it sounds like you're testifying that you're just not doing your job in any meaningful capacity, and I should be able to include that as a fact in a civil suit, since you swore in public record that it was the truth.
Forcing them to testify that they didn't fulfill their duties to the shareholders in order to not be responsible personally for the breaches may introduce enough liability all on its own.
It's probably far easier to organize with your other shareholders to get that person fired. Suing is an option but you should probably try what I suggested in the meantime.
Not exactly sure what you're driving at. If there's enough evidence that these guys knew despite their protestations to the contrary, it doesn't matter what they say. It's not like they need to confess to get convicted. And if there's not enough evidence, the SEC can't make companies fire their executives or revoke golden parachutes.
The point is that if they claim that they didn't know better, and that is to be taken at face value, then they're plainly not competent to hold their jobs.
So, if they testify that they knew - they're liable.
If they testify that they didn't know, and SEC can prove otherwise - same as above + perjury.
If they testify that they didn't know, and SEC cannot prove otherwise, then at least it is treated as them confirming their incompetence. So if they get, say, a bonus later, or a "golden parachute" for outstanding service on retirement, that is treated as evidence contradicting their claims.
When did the government get the authority to tell a company who they can hire and under what conditions?
Either there's enough evidence to convict those execs of crimes, or there isn't. If there's not sufficient evidence for that, then how can you suggest that the government should still have the authority to have them punished?
The US Government has always had that authority: the Government insists you only hire people who are allowed to work (by their rules) in the US, the Government insists you hire people without discrimination (regardless of how much you might want to), and the Government insists that when you hire someone you will not exploit them in any number of ways. Further, the Government has given itself the authority to forfeit civil assets, whether or not they get a criminal conviction.
Clearly it doesn't apply to non US governments but the government of the United States has all of the tools already at their disposal to unilaterally implement just this sort of policy.
The policy question is a bit deeper than that, governing is ideally equal parts carrot and stick, and when there is clear evidence of a harm (and there is in this case) where it is impractical for the citizen to prosecute their own defense (could be debated either way) then the last line of defense for the citizen is the enforcement by their collectively empowered authority. That is perhaps the fundamental source of authority for any government.
You're saying that like all companies are just widget manufacturers and who cares whether they succeed or fail? But some companies make their money based on a public trust and if you turn out to be abusing that, the government should come down on you with the full weight and measure of their power. We've spent so long in the middle and upper classes of the First World kneeling at the altar of Shareholder Value that we don't see any difference between Someguy's Ditch Digging Service and Arsenic Baby Vitamins, Inc.
> "Ok, you can stick with your 'I didn't know' defense and we'll drop the insider trading case but we'll require that the company separate you for cause and invalidate all post separation agreements."
And a fine/penalty for not doing their job and putting so many lives at stake. They should literally be driven down to middle class mediocrity for their negligence.
There has to be some example set for future transgressions.
I resonate with the sentiment but I expect taking away the golden parachutes of affected C level execs will go further to improving accountability than any amount of prison time will.
But who would ever take a C-level position then? Since they're the face of the company, they're fired ceremoniously as a PR move whenever something bad happens.
In my experience a lot of people would take the job believing that they wouldn't allow something like that to happen on their watch. That said, you do have a point about the added pressure. Much like the '3 strikes' rule in California, the unintended consequence might be even more egregious and illegal behavior in order to avoid losing their contractual exit commitments.
Or maybe they'll report in a more timely manner. They knew for the entire month of August a breach had occurred and they didn't report it.
It shouldn't take more than a couple days. That's enough time to verify you had a problem and get a good picture of the extent. You might not have all the details nailed down, but you put out the information you know and say "We'll provide more details as they become available."
It seems unlikely that anyone would've cared. The big problem is that they lost everyone's SSNs. The timing around the reporting isn't really why their company is under the guillotine.
Whoever dismantles their company could try to frame it that way, but the rest of the industry will see through that. It won't be a good situation for us to be in.
I wish more folks would use this as an example for why it might be time for us as a society to move on from having identity security hinge on a 9-digit number and a few other pieces of "flimsy" information.
They can advise all they like. When a law gets passed that says private companies cannot refuse or degrade service to any consumer that refuses to disclose certain categories of information that are not directly relevant to the operation of the business with respect to that specific consumer, then I will believe that the government is serious about this.
Right now, a baker can refuse to sell you a cupcake if you won't tell them your SSN. Your electric company can refuse to sell you power if you don't tell them your SSN. The phone company can refuse to give you dial tone. They can even refuse to serve you if your SSN has too many fives in it, or not enough. The character of the SSN currently assigned to you is simply not a protected class for anti-discrimination purposes, even though the difficulty in changing it is somewhere between one's race and one's religion.
So if I as a business wanted to discriminate against a protected class, I could ask for the person’s SSN and refuse service when they don’t provide it?
I agree, though it's not clear to me what we should use for identity security. Any piece of information related to a person is going to get out eventually.
If they had a requirement to report each breach promptly, we'd have known far sooner there was a problem there, and the pressure to improve security would have been higher. They have been leaking for years.
I'd argue factors that push such details out would overrule that worry. When there are three companies with the sort of power that credit ratings hold over people society is already suffering.
The people need to rein in the corporate interests of the world. Companies are already larger and more powerful than governments. People should be freaking out. This event just underscores that need.
Individuals will always utilize the power granted to them in whatever way is most convenient to them.
This is why it's important we not allow laws to be passed with the assumption that overly broad permission grants are OK, because they'll only be used 'correctly'.
White collar crime is difficult to prosecute. If you give people the choice between the certainty of losing millions of dollars and the somewhat remote possibility of prison, they may not make the right choice.
> There was one player Sammy Sosa who had for years conducted interviews in English who suddenly could not speak English when questioned by congress.
Do you know how stressful it is being questioned? I was waiting to pick someone up from a train station in Spain when security approached to tell me the station had closed, and why was I still there. All the Spanish went out my head. I imagine being questioned by congressional investigators is probably even more stressful.
Sometimes people's lawyers will also advise them not to accept being questioned in a foreign language even if they're relatively fluent because small language nuances may make a big difference in legal proceedings. I've given lectures and press interviews in Portuguese before, but if I were giving an oral deposition in a Brazilian court case or being questioned by police, I would ask for an interpreter.
I was once on a jury in California in a case where several witnesses gave testimony through a Spanish interpreter. It seemed clear that some of the witnesses who testified through the interpreter were fluent in English, and so it seemed a little gratuitous to me at the time. Later on I understood that it made sense both for reducing the stress in the situation and for avoiding any minor linguistic misunderstandings in cross-examination that a lawyer might try to make a big deal out of. It's quite possible that the lawyers encouraged their witnesses to use the interpreter.
I am fluent in English. I have been for many years. But until a couple months ago, I thought "throw" in "throwing a game" was similar to "throwing a party". One is a fun activity, the other could be a criminal offence. If I were being questioned in a court, I would definitely request an interpreter. I wouldn't want to inadvertently confess to a crime I didn't commit because I didn't quite understand the linguistic nuances of the question.
Well, being fluent/conversational means you can still hear what words the translator chooses, and can verify it means what you meant. It's just that their word choice would be more precise.
I wouldn't pretend I don't speak the language. I would simply request to have an interpreter present similar to how I would request a lawyer. I would check with my lawyer to see if I have the right to an interpreter. If I do, I would absolutely use it.
I'm more concerned that the prosecution, understanding how stressful the situation is for me and how, not being a native speaker, I wouldn't necessarily be familiar with legalese or a very formal lexicon, uses it against me to extract a confession due to my confusion, than I am that the nuances would be lost through an interpreter.
The problem is I don't know what I don't know, and I wouldn't want to risk finding it out in a court. I would never take that chance with my freedom. It's one of those cases where what is the worst thing that could happen can be quite bad.
I'm an American in Germany, and I speak German with the immigration office (want them to see how hard I'm trying).
I speak English with the police, even for trivial things where I'm the one requesting service, like when I lost my wallet. That is not a context where I want to get anything wrong, and where there is absolutely nothing to be gained from showing off what I learned in language class.
Good point. Fortunately he had the foresight to bring an attorney along to testify on his behalf. And an artfully worded statement that avoided a perjury charge, as he did not 'inject' anything -- the trainer's drug of choice was available as a tablet after all.
Matt Levine has already stated that this won't result in a new rule; that there is nothing new here and everything falls under rule #1: "don't insider trade".
He also said this (which, scanning through this thread, appears to be a rare voice of reason):
> Also, though, I found it hard to imagine that those Equifax executives were consciously insider trading. It would just be too dumb. Equifax's press release reporting the breach says that it "discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion," though it didn't announce it until yesterday because it was still investigating. The three executives filed Form 4s reporting sales on Aug. 1 and 2, days after the discovery. You could just about imagine them learning of the security breach, panicking, and selling everything -- except that they didn't sell everything. One sold about 4 percent of his stock holdings, another about 9 percent, another about 13 percent. Why do such comically obvious insider trading if you're only selling a small percentage of your stock? And indeed the company explained that these executives "had no knowledge that an intrusion had occurred at the time." I guess the time between "tech person discovers a security breach" and "top executives discover it's a huge embarrassing crisis" is more than a couple of days.
> I guess the time between "tech person discovers a security breach" and "top executives discover it's a huge embarrassing crisis" is more than a couple of days.
That's exactly right. I can imagine the gradual motion up the chain of command, with the progress actually slowing down as the size of the breach and potential exposure becomes more and more apparent, and each level trying to minimize the damage. I'd have hated to be the guy that had to tell the CEO...
C-levels aren't notified of anything until there are concrete details to share. They don't want to be notified of every port scan or bruteforce attempt, nor do they want to deal with the scope of a confirmed breach changing on a daily basis ("yesterday you told me only N consumers were compromised, now you're telling me it's worse?!")-- a bad situation that gets reported as worse and worse every day is great for Fox News, but bad for shareholder confidence.
It's better for them that they don't know anything until they know everything.
"The guy that had to tell the CEO" (actually woman) was one of the two parties who resigned the other day.
Depends on the industry. Companies in certain highly-regulated industries are required to escalate even a minor breach of security ("We think something could possibly have happened, but there's no evidence anything did.") to C-level ASAP. One place I worked, if a breach was discovered by a janitor, it should make it to the C's within 24 hours or everyone in between would be reprimanded, if not sacked.
But that was a very specific (and again, regulated) industry.
When did the company learn of this incident?
"We learned of the incident on July 29, 2017, and acted immediately to stop the intrusion and conduct a forensic review."
The trades in question took place between three and four days later. During this time, Equifax would have us believe, these three senior managers were kept in the dark about the fact that hackers had undertaken what may be the largest-ever private security breach right under their noses. Moreover, we’re to understand that even the chief financial officer remained unaware as the company “acted immediately” to right the ship.
> Why do such comically obvious insider trading if you're only selling a small percentage of your stock?
Because then it makes it look innocuous and fools those who would scrutinize the behavior, like it may have for anyone expressing the above opinion. It would be so blindingly damning to sell off all of one's holdings, but selling off a small portion could allow for partial benefit of your asset at peak value before it declines.
If it were me, I'd do it exactly this way. I'd be trying to find the perfect intersection of mitigating the upcoming asset value decline and maximizing perceived innocuousness. Selling everything? That'd be a sucker's move.
The point is you're still going to be investigated, and it's not going to be fun, and probably not going to be worth the relative small gain you'll make even on the off chance you manage to get away with it. [That said, if it's me, I'm making a point of disclosing all future stock sales well in advance just to make sure this kind of thing can't come back to bite me.]
But they've spent their careers building up layers of untouchable-itis, and assuming since nothing's bitten them before, they can do what they want... what's a minor investigation when you can grab a few mil? And get the probes quashed by just mentioning in a closed hearing how many SEC officials and congresspeople were involved in the breach, or maybe they weren't? Hard to figure out when I'm spending so much time in these hearings...
(I hate myself for having written that, but ugh. Too damn much tit-for-tat.)
> I think we are up to the Seventh Law of Insider Trading. The first six are: (1) don't do it, (2) don't do it by buying short-dated out-of-the-money call options on undisclosed merger targets, (3) don't text or email about it, (4) don't do it in your mother's account, (5) don't do it by planting bombs at a company and shorting its stock, and (6) don't do it while employed at the Securities and Exchange Commission. I hereby declare the Seventh Law: (7) If you are going to insider trade, don't Google "how to insider trade without getting caught" before or after you trade.
In any company of significant size, there is an approval process for trading in one's own company's stock precisely to capture this scenario, where an employee may not be aware of a price-moving event. I am not suggesting that they knew or didn't when they traded. Just that if they didn't, it's a pretty massive failure in their procedure that would need an investigation on its own.
Samsung's heir and acting chairman, Lee Jae-yong, attempted the same approach in the S. Korea bribery scandal. Pleading ignorance didn't work out so well for him. I foresee the same here. You cannot be at that level within a corporation and dismiss all accountability.
Matt Levine already opined on this case, and his take was that nobody would be stupid enough to commit such an obvious crime for the rather low monetary advantage they got from selling a minor fraction of their shares (I believe it was around 4% of their respective stocks in Equifax).
Matt Levine actually wrote about this already and suggested that it's not likely to be insider trading. Buried in the details (according to him) is that these guys moved like <5% of their stock.
Perhaps, but their defense isn't what will be investigated. First they will collect and sift through all the evidence before even asking why they might have sold the stock at that point in time.
> The executives only way of staying out of jail is to claim that they suddenly have no idea what's going on
Hire a lawyer, no interviews with the FBI, but "me know nothing" might be a problem if they got memos on the breach, attended meetings, drew up plans on dealing with the fallout etc. It's hard to keep such a secret, especially from the top level execs.
FYI the "President of US Information Solutions" at Equifax is a role that has nothing to do with their IT/security department. It's not the same thing as the CIO or head of IT, which many people are confusing him with. He's the head of a product line which is called "information solutions". The head of IT/CIO is a completely different person (who has since been fired/resigned).
This is a good clarification, but the guy shouldn't be absolved in either case. Here's the description of his duties from their website:
> Trey Loughran leads the company’s United States Information Solutions (USIS) business, which includes U.S.-based services that provide businesses with consumer and commercial information and insights related to areas of risk management, identity and fraud, marketing and other industry-specific solutions.
He would definitely be in the loop regarding a breach of this nature.
I don't necessarily think so. Just because he manages the risk management offering which is sold to other companies doesn't mean he would be aware of or involved in day-to-day risk management at his own company.
At my consulting firm, the execs in charge of our cybersecurity consulting practice are absolutely not involved in any internal cybersec investigations that happen to our own firm. In fact, we have specific procedures which say that our cybersecurity consultants cannot be involved with internal incidents. All internal investigations have to be done by outside, impartial firms.
I'm not interested in giving the benefit of the doubt to a C-suite executive who cashes out about a week after the company suffers one of the most newsworthy data breaches in recent history. To my mind, they are in exactly the right position to know about this sort of thing.
For sure, an investigation will be forthcoming and, in this country, one is innocent until proven guilty. But it seems, in my opinion, exceedingly likely that we'll find an email or text or some bit of ephemera notifying these people of the breach.
Have you worked at a BigCo or know what it's like to be in senior leadership? I would not be surprised in the least if this guy had no clue about the hack. These organizations are huge. People are actually very tight lipped when these things happen. You are/should be told not to speak about it even with your peers.
I also wouldn't be surprised if he did know, but just wanted to emphasize these BigCo org charts tend to be insanely big and complicated. At the senior levels you may not talk to or see your boss for weeks; especially when some big shit like this is being uncovered. So totally possible he knew nothing.
Due process is for punishment applied by public gov't bodies. However, people can and will reach conclusions based on the evidence laid before them to make their judgements on whether to be Equifax customers or not.
I realize this may seem like mob-mentality or mob-rule but there's some nuance here. When you see such gross negligence do you wait until hearings and court judgements which can easily take years before voting with your wallet?
Individual consumers did not choose to be Equifax customers, and as far as I know there is no way for me to "opt out" and effectively have all of my data removed from Equifax (including all future data).
The terms and conditions of any loan, credit card, or other credit account include a release or disclosure that covers reporting the account and payment history to credit reporting agencies. So technically, we did "opt-in" when we accepted credit.
That's not really fair though, as credit is only one facet of the data they collect on you.
In most of the US it's against code to live in an apartment without electricity. In order to get electricity, you have to open an account with a utility, who opts-in to submit all your data to Equifax.
Their Workforce Solutions division does the same thing with employment data-- so simply by applying for a job from a participating employer, you're consenting to ultimately let the employer report that you work for them, what your current salary is, your SSN and all the rest of the juicy PII.
Fall on hard times? Need some government assistance? Applying for food stamps will also result in your state agency making an inquiry with Equifax to confirm your location of residence and last reported income. If you didn't have a profile before, you do now.
There is no way to opt out unless you work for yourself, live in a home you paid cash for, generate your own power/gas, and never use credit. So basically Unabomber life.
Well I didn't say it was fair or even reasonable. Just what is. There are stories of people who have trouble getting credit or renting an apartment, etc. because they have never had credit before and therefore have no credit report. So it seems that the reporting agencies don't know about people who don't use credit or any other services that report.
This kind of contractual oligopoly should be explicitly disallowed. It's exactly the kind of place regulation should step in, much like it has with anti-competitive non-competes, forced-arbitration clauses, and IP-creator protections in some states.
Asking for a loan or credit is the quickest route into these credit rating agencies' databases. But their goal is to catalog and rate everyone, so you eventually get in there whether you ask for money or not.
Nope, I don't wait for courts when I think I have enough info to form my own opinion. I'm just as outraged about the Equifax breach as anyone else, and would never do business with them in any way. The key is, there's more evidence every day of negligence: the obvious authentication issues on their site, the "SSN API", the 4+ months that they didn't install the Apache security update, etc.
For me personally, the trading issue is a related but separate incident; one hasn't crossed the same threshold of clear evidence.
No. There's no question that the breach happened; Equifax disclosed it. Who knew what, and when, and whether any stock sales were illegal, are matters for due process. Outrage over the breach itself and the clear negligence that caused it is a separate issue.
Due process is important but there's a norm of competency for executives at a publicly traded company and there's a legal theory called "constructive knowledge" that asserts managers at a company are presumed to know what their underlings know. Together, these are very damning for the executives who traded after the security breach.
Prejudging their guilt isn't favorable and we should avoid doing it as a commitment to our legal system but people would have to ignore their eyes to come to the conclusion that this isn't what it looks like.
I'll probably be sorry for this, but... why doesn't this same standard apply in the political sphere?
A few years back, it seemed that a huge number of people were willing to give President Obama, and even Lois Lerner, a pass on illegal actions of the IRS based on exactly this theory: it's the responsibility of the manager to know what their underlings are doing.
And I don't mean to pick on just Obama. Ronald Reagan, patron saint of the GOP, skated on just such a thing with Iran-Contra. They got Oliver North to be a scapegoat and insulate Reagan and Bush.
So if you're wanting blood from the Equifax execs, think about who you've given a free pass to before.
Shockingly, the people who write the rules didn't really write them for easy application to the political class.
Constructive knowledge really only holds in corporations (and I'm not an attorney but I think it holds in organized crime organizations as well). And it was enhanced with Sarbanes-Oxley, which was passed in the early 2000s.
Also, I'm under the impression that federal prosecutors appear very reluctant to actually use it in court and where they do use it, they usually have more direct evidence of wrongdoing. However, I get the sense that prosecutors know it exists and the Justice Department under Obama did use it to extract those massive fines from banks (albeit with no admission of wrongdoing, a get-out-of-jail-free card for the criminals in the firm, and the firms that retained Eric Holder's law firm seemed to get more favorable settlements).
I'd argue that the size of Equifax and its impact on everyone's lives pushes the matter beyond simple constructs of the legal system. I don't have an option to not do business with them, so they shouldn't have any excuses.
Due process is a legal concept, and fundamentally, a restriction on the state (for very good reasons). I think it's fine for commenters on an internet board to use P(crime was committed|shady trading patterns) > 0.5.
There's a pretty big difference between "a full investigation is warranted" (what you said - totally accurate) and "they should go to JAIL!!1" (much of this thread).
Zero facts? The fact is that 3 people sold between the company finding out and the public finding out. In fact, there is only one fact missing which is evidence that they knew of the breach.
Wouldn't it be more accurate to say that we have n-1 facts? (or n-3, one for each person)
Wouldn't it be a better crime (more profit, easier to get away with) to use the hack to manipulate a company's stock than to try to sell all the personal data for pennies per GB?
with an investor conference call on the morning of Thursday, July 27.
Any public company I've worked at has had a trading window that opened a day or two after an earnings report came out, with most people who want to trade trading early in that window. Admittedly I've never been an executive and I don't know how the rules differ for execs, but the dates when these trades took place are when I would expect Equifax employees to execute options and sell stock.
It also strikes me as possible that information about a security breach discovered on the weekend might not make its way up the company hierarchy for a few days, and that execs might not have been aware of it when they traded.
I do think this should be investigated by the SEC, but I'm a little disappointed at the rush-to-judgement in this thread.
Right. I also seem to recall the internet hive mind researching this when the story broke, and those same executives had been selling for months on a particular schedule and these trades were right in line with that schedule, and they still held significant stock in the company. Can't seem to find ATM though...
In many companies, if they don't have a CTO, the IT division reports to the CFO. Is that the case here? If so, hard to believe he didn't know about the breach very soon after discovery.
I mean, on one hand, I wouldn't want this to go unnoticed and unpunished, but on the other, I'd rather that the feds be more focused on the actual breach part of things.
Then again, was any part of the breach actually criminally negligent? Maybe this is the only real way that the DoJ even can go after Equifax...
Most security standards are voluntary right? Based more on market pressure than regulation. It looks like the Fed is considering a set of regulations for large banking entities, which I assume Equifax would be a part of, but AFAIK the existing regulations aren't very robust and haven't been updated in recent years.
Is there anything the government has in regards to the storage of SSN? It could be regarded that the SSN is property of the Federal Government, i.e. the SSN Administration. Is there anything where they may have breached federal standards for storing federally owned data?
Edit: for example, there is the FedRAMP set of compliance rules.
Being surprised or upset that there are "illegal numbers" is like being upset that there are illegal configurations of matter and energy. "It's not murder, it's just a configuration of atoms!" doesn't fly.
Someone in Equifax was made aware of the breach on July 29, 2017. It defies common sense that the chief officers of the company did not learn of it until the same time as the general public, over a month later.
I don't believe there's any claim that they didn't learn of it until the public announcement, only that they didn't know of it at the time of the stock sale which was on Aug 1st, only a few days after the breach was "discovered".
Now, based on my experience, it's entirely possible that the July 29th "discovery" date only refers to the date on which some security analyst noticed abnormal behavior. That, combined with the possibility that Equifax doesn't have good security communication practices in place, means it easily could have been a few days (or even weeks) before the security team looked into it enough to know the size of the breach and escalated it up to the C-suite.
In the United States, insider trading is not a crime of a specific statute. Instead, it's charged as a breach of fiduciary obligation [1].
Whether the executives in question knew of the breach at the time they sold is irrelevant to whether the company, in allowing this sale to occur, misled the investors who bought those shares since the company, at the time of the sale, had awareness of the breach.
What’s even more disgusting is that behind the public’s back all of these guys brag about this sort of behavior.
I was reading a book published in 2008 called “Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity”.
The main bad guy lobbyist of that book, Eric Ellman, who is now the head of the credit reporting lobbyist group (http://www.cdiaonline.org), PROUDLY DISPLAYS his portrayal in that book on his LinkedIn.
In the timeline of events that Equifax released [1] it says that they took the web app down on July 30 and contacted an external cybersecurity firm on August 2nd. The managers unloaded their stock from 7/31 to 8/2.
It doesn't sound believable to me that the managers could be unaware of the hiring of an external security firm, or that the company had shut down one of their major web applications.
None of the managers had anything to do with or were in the chain of command of the security team, so it's entirely possible they had absolutely no idea about the breach until long after 8/2.
The CFO is the one that is a little iffy, because the CFO might be involved in the hiring of the external firm. However, having worked for security consulting firms, it's also entirely possible that the CISO is given a blank check for this type of stuff without having to get CFO approval. I've worked in plenty of organizations doing cybersecurity work where the C-suite (including CIO, CFO, etc) was completely unaware we are there because they don't have to rubber stamp every single transaction.
It's also a possibility that the 8/2 date on which they "contacted" the firm was just when discussions started between the two parties, and it might have been a few days before a contract was ironed out enough to involve the CFO or anyone else.
There's a bunch of other possibilities/scenarios in which I think it's entirely believable that they didn't know. It's shady and worthy of investigation, yes, but I'm not willing to convict them just yet.
Perhaps if these guys get nailed then companies will start to see the value of disclosing security breaches in a timely manner instead of sitting on them for months while they spin up the PR machine.
Having worked on the incident response teams for these types of breaches, the "PR machine" is only part of the reason why companies "sit" on the info. It also takes a long time to do investigations on the breach to know what was stolen, how much was stolen, and how to mitigate it. The FBI also gets involved in breaches like this, and sometimes they'll ask to put off announcing the breach while they do their investigation of it as well.
It doesn't do anyone any good if you release a statement as soon as you notice abnormal behavior that just says "we might have been breached and our customers may be affected, but we don't know who is affected and we don't know how it affects them yet".
They will scrape through all their texts, emails, call logs. Someone will screw up somewhere. If they are dumb enough to provide an "SSN API" - I am sure their texts are a hilarious treasure trove. An easy slam dunk case.
- "Prices are going up so seemed right to jump in"
The question is whether they can reasonably refute that they didn't hear anything about the breach. If it has to be proven beyond reasonable doubt, the lawyers might think they can convince a jury. They could say they were on vacation maybe and didn't receive any communication about it. It is just that their cousin happens to be the college buddy of another exec, but that might be tricky to prove.
They're very much more likely to face consequences from the stock sales than they are to face any sort of 'negligence' charges due to their security practices, sadly. If Toyota got acquitted in their 'unintended acceleration' criminal negligence case, no one can ever be penalized for it. Toyota was exceptionally egregious in their negligence, even worse than most companies are as part of their daily practices. Their developers didn't even have access to a bug tracker. So whatever Equifax was doing, the courts will just look at it and do what they always do, say 'huh... computers, huh? NOBODY knows how they work. Acquitted!'
Maybe because I don't work at a "pure" tech company, but a few coworkers have commented that they had to sign up for credit protection with sort of a shrug attitude. They don't realize how negligent Equifax was here or what the impact is going to be for the rest of their lives.
Congress and the various regulatory bodies will take their pound of flesh. The CEO/Chairman will keep his job. Maybe MAYBE the President of USIS and/or the CFO go to jail for insider trading.
On the surface the security folks don't have great credentials...I kind of wonder if the CEO chose his subordinates specifically to take the hit in a data breach situation like this.
> I kind of wonder if the CEO chose his subordinates specifically to take the hit in a data breach situation like this.
^ This! They sure have shuffled the CIO and CISO out of the conversation quickly.
I'm sure you can be a perfectly competent CISO with two degrees in music composition and ten years experience, but they sure don't want us to hear about it if we haven't already.
I've been through an acquisition before and promoted and put into the position of "potential fall guy" where my name went on official documents, and there wasn't a budget for more people or things we needed. If we lost medical records to hackers, I'd expect to answer some uncomfortable questions!
But they are actively erasing information about these people from the internet, when lots of us want to have a closer look.
What happened to failure as a learning experience? Retired effective immediately? Come on, those two people will never make that same mistake again!
As with any insider trading case, they just need to prove access to the information. So either a witness needs to come forward and say "I told X to Y executive" or they need email/phone records which prove that such information was shared with these individuals.
Unlike crimes like murder, insider trading is not predicated on intent, so proving intent is unnecessary.
Interesting. In that case, isn't all trading, given you work for an employer, "insider trading." If you see a bug opened on your company's GitHub and think it's crucial and sell all of your stock that's insider trading right?
IANAL but I believe the spirit of the law is that insider trading is when you use confidential/privileged information to decide your trades. In this case IF they knew about the breach and made trades before a public announcement then that is insider trading. As for the GitHub bug report, that seems like a legal gray area.
Did you choose GitHub because (most) repositories there are public? If that's the question, I'm pretty sure it wouldn't be insider trading, because by definition it wasn't inside knowledge.
(Unless it required other, non-public data to know that the bug was important)
Not addressed in the article: whether the SEC thinks the suspicious trading in Equifax options[1] is at all related to this investigation. People say "well, $1.8M isn't that much given how much stock they hold"; yes, but, if they were trading options as well then it becomes serious money: the profit on the suspicious options trade was $4.2M.
I'm always perplexed by people's motivations for advancing that argument. The notion that the criminality of your actions depends on whether or not you're already wealthy (other facts not being in dispute) seems like the essence of corruption.
Not a popular opinion, but should insider trading be legal?
It seems to create a false sense of security, that people inside the company aren't going to do bad things. Many people have made their fortunes on some degree of insider trading that they wouldn't have made otherwise.
Wouldn't the markets be more efficient without this mirage?
No–legalising insider trading would destroy the market, because anybody not in a position to have insider knowledge would be at a severe disadvantage so as to make the expected return of investing negative.
An analogy: It'd be like playing online chess for money, without any way to stop your opponent from using a computer to make their moves. Or like the Olympics where some people are allowed to use performance enhancing drugs.
After a very short time, most everyone will have left the market.
There's also no more reason to legalise insider trading than murder or burglary. The prevalence is very likely to be at an all-time low currently, because the statistical methods used to spot insider trading in market data have improved dramatically. Some quant funds also flag suspicious trades as a sort of by-product of their work and share that data with the authorities.
> Not a popular opinion, but should insider trading be legal?
Isn't this legal for members of the United States Congress? I can't recall the specifics, but seem to remember some special exemption for them from insider trading rules.
Yes, members of Congress are not prohibited from making stock trades based on information they learn in their role as a Congressional rep. This includes not just routine and public hearings, but also closed and secret/classified hearings.
I don't know nearly as much about stock as most people on this site, so bear with me because I have a potentially dumb question.
I agree that the timing of these sales looks really bad. However, I've heard that these guys are executives with an enormous amount of stock and the sales were for a small percentage of their overall stake. If they were intentionally breaking the law to avoid losses, wouldn't they sell all or most if it? Was most of their stock not vested and they just dumped what already vested? Or is the claim that it was a small percentage of their stock not true?
It's not as if there's an amount X you can sell less of where it's totally fine, but if you go over, you're in trouble. Nobody would be dumb enough to sell their entire position, but at the same time, if you did have insider knowledge, you wouldn't want to have all your position tank. So what do you do? You could go a little bit in the middle and claim ignorance. Trading based off of insider knowledge is illegal regardless of the amount of trades, but in practice obviously the government only chases after egregious cases.
I think the idea of the question is, if you're talking about the difference between losing 50% of your value (doing nothing), and losing 49% of your value (making a small illegal trade), would it make sense to expose yourself to criminal liability for that 1%, even if that 1% represents a lot of money in absolute terms?
Since it is a criminal probe the prosecutor would have to prove beyond reasonable doubt they knew? It would seem the executives who believed they could officially refute seeing the information would have done this. Some might have contacted their lawyer maybe and asked "ok so I overheard it in the hallway as I was leaving on vacation, didn't open my email or get any calls about it, what do you think, could I slide by and sell".
In general what is the conviction rate for insider trading. It seems in general a hard thing to prove.
Note that, as others have said, these executives only sold 4% and 17% of their holdings, respectively. It seems rather unlikely that they would risk so much for a rather negligible profit.
Regarding your question: insider trading is pretty well-policed. Conviction rate isn't really meaningful (but I'd estimate it's well above 3/4). What would be interesting is the rate of discovery, which is unfortunately impossible to know, because it's a "victimless" crime: nobody knows they've been harmed, and therefore it's impossible to find instances of insider trading without (usually) also finding the culprits.
But it's a pretty good guess that prosecution of insider trading is better today than it has ever been. Because all data is now available in digital form and can be sifted through with all sorts of advanced statistics/machine learning/etc. There's really no escape from this dragnet, because there's no way to trade without those trades showing up in the data. It's only after suspicious trades are discovered that they start following the money.
It's easy for the Fed to subpoena all emails, communications, and meetings of these people. It'll be easy to show the breach notice email sent to them, their replies, meeting agenda/attendees, and conference calls with their numbers.
In these days of electronic work environments, there are so many digital footprints one leaves in the trail.
I assume these are the sneaky execs who can officially claim they haven't opened that email. Individually each one thinks they probably have a chance of fooling the jury. I wonder how admissible the evidence is that all 4 of them sold in the same time frame. Because individually (imagine there was only one executive) each could argue that their case is just a random coincidence.
That leads into willful blindness territory, where unreasonable ignorance equates to knowledge: if there's no way you couldn't have known something without contriving a way not to know it, then you knew, in broad strokes at least, what you were trying not to know. That's how the law sees it.
Right. Sadly I think they are very likely going to get away with it.
They are almost certainly the kind of folks who planned this out and if there isn't any proof of knowledge, then there just isn't any. But it does seem inconceivable that they would have no knowledge of the event.
Maybe it's already been noted here, but I'm wondering about stock purchases. For instance, with the advanced knowledge in hand, did anyone with that information purchase a large amount of shares in, say, LifeLock or another such company?
As obvious as these sales look like insider trading, I wonder if the execs are that ignorant and or greedy, or if this is truly a case of bad timing of large sales...
I wonder if, in an ironic twist, they try to play the ignorance card and use the breach itself as proof.
"Of course we were ignorant of the breach, we're really just not on top of things, I mean, look at how we got into this situation, and how we handled it! Does that sound like competence to you? Of course not!"
That would be a risky defense because while they may get off on the insider trading charge, they would open themselves up to a huge shareholder lawsuit.
I can believe they kept this pretty quiet inside the company while they figured it out... but I have a really hard time believing the CFO was out of the loop.
Here's a link to the video interview from CISO Susan Mauldin in 2016 that was erased from YouTube a few days ago, on September 10 after it was first reported:
I'm reposting this information, there's nothing earth shattering for me in the interview but I smell a coverup (I hope it doesn't sound controversial when I say this, it appears to be that material information has been wiped off the public record during an investigation, and that's a coverup! Not mincing words.) This has hardly been covered at all, so I'm going to mention it again. I figure the story probably isn't going away anytime soon.
I think it's criminal (possibly quite literally) that this information is being suppressed by whoever has taken the original interviews down. It should be a case study, we should all watch it. I want to hear more from Susan Mauldin, but the appearance is they want her to disappear.
I am interested in the stock sales too, but I would like it to be a thing, where we all can learn from what has happened and fix our issues to be better at this kind of thing. There are obviously technical and greedological issues that own some blame, but let's not be hasty and sweep the cultural issues under the rug. (There was a second interview from that day, which to my knowledge has not been recovered yet.)
I'd like to be charitable and say that CISO Susan Mauldin did nothing wrong, but it's hard for me to make that argument seriously without more data and I don't hear anyone calling for her to testify in front of Congress yet. Maybe they'd like us to forget she was ever involved in the company, that just makes me want to know more and it should you too, if you've been following the story (but who could blame you for not knowing, just look what they're doing!)
Not to be pessimistic, but I'm surprised that anyone is even being considered for insider trading; it's legal for Congress to do it, why shouldn't rich people be able to do it? It will probably end up the same way as the credit default swaps, rich people trying to flip houses, banks selling shady packages to the middle class, and the US taxpayer providing a bailout and poor people getting the blame. The idea of justice or consumer protection in the US is a joke.
Oh, yeah that's the real crime. Give them 6 months in jail.
(USA can chew gum and walk at the same time, but where is the probe for the breach...? 143 million people terrorized and most likely thousands will have their life turned upside down because of it.)