A former Equifax CIO has been indicted on charges of insider trading, raising questions about the level of legal liability enterprises face when they fail to protect consumer data.
By some counts, the July 2017 Equifax hack was the third-largest data breach of the 21st century. When the consumer credit reporting giant revealed the breach on September 7, 2017, it reported that 143 million records — including consumers’ names, social security numbers, dates of birth, and addresses — had been compromised. Just a month later, they added another 2.5 million to their estimate. By early March, Equifax had increased the figure once again, admitting that more than 148 million consumer records may have been compromised in the attack.
Several Equifax executives — including CEO Richard Smith, CIO Susan Mauldin, and CSO David Webb — have been compelled to step down in the wake of the breach. What’s more, according to the company’s 2017 Q4 earnings report, the financial damages caused by the breach topped $114 million, even after cyber-insurance payouts.
That said, many observers are concerned that Equifax has yet to be held fully accountable for its egregious mishandling of the breach. For instance, four of the company’s top executives collectively netted $2 million in profits by selling shares of Equifax stock between July and September, yet all of them were cleared of any wrongdoing by an internal investigatory board. Other C-level staffers at the company, however, have not been so lucky.
The Legal Fallout of the Breach
On March 13, 2018, former Equifax USIS CIO Jun Ying was indicted by a federal grand jury in the Northern District of Georgia on charges of insider trading. As a press release issued by the US Attorney’s Office explains, “[Ying] took advantage of his position...and allegedly sold over $950,000 worth of stock to profit before the company announced [the] data breach.”
According to the indictment, Ying texted a coworker on Friday, August 25, sharing, “[It] sounds bad. We may be the one breached.” Ying’s browser history shows that he subsequently researched how Experian’s 2015 breach affected the company’s stock prices, and the ensuing Monday, he sold all 6,815 shares of his Equifax stock, realizing a net gain of more than $480,000. As expected, the public announcement of the Equifax breach just ten days later caused the company’s stock prices to plummet.
Ying isn’t the only party wrapped up in litigation as a result of the breach, however. Last November, plaintiffs from all 50 states and the District of Columbia filed a class-action complaint against Equifax as a corporate entity, alleging both that the company’s negligence was a proximate cause of the breach and that the company’s inadequate response to the breach caused additional (and preventable) harm. This complaint came on the heels of more than 240 other class-action lawsuits, a formal FTC investigation, and investigations by a slew of state attorneys general, as well as by the federal governments of the UK and Canada.
A Developing Set of Standards
The 50-state class-action — Allen et al. v. Equifax, Inc. — raises a number of legal questions whose answers will bear heavily upon the future of enterprise data responsibility — most notably the issue of standing.
Case law related to Article III of the Constitution has firmly established that a plaintiff can only bring a complaint to court if they suffered harm from the alleged illegal act. In short, if one is not a victim of an illegal act, they do not have adequate standing to demand the prosecution of the act. For instance, in May 2016, the U.S. Supreme Court vacated and remanded the Court of Appeals for the Ninth Circuit’s ruling in Spokeo, Inc. v. Robins because the plaintiff had failed to establish “injury-in-fact.” Various Circuits since then have split on whether “potential future harm” is enough to establish standing.
In the context of an incident like the Equifax breach, the question is whether any random member of the group of consumers whose data was compromised has standing to bring a lawsuit. Some of the plaintiffs in Allen very clearly suffered an injury-in-fact as a result of the breach — fraudulent credit card charges, unauthorized mortgages taken out in their name, etc. — but others are only able to allege that the breach raises the threat of future harm.
If Allen ends up going the plaintiffs’ way, it will set a legal precedent that every American enterprise must note: if your digital systems are breached, you may very well be held liable for even the mere possibility of damage.
Limiting Legal Liability
Of course, the best way for an enterprise to avoid being held liable for a data breach isn’t to hire a good lawyer, but to partner with a cybersecurity expert to prevent a breach from occurring in the first place.
At Turn-key Technologies, we have over two decades of experience helping companies of every size and configuration design, deploy, and manage blazing-fast networks with industry-leading security features. We recognize that in today’s day and age, a company’s digital assets are at once extremely valuable and extremely vulnerable, and we have the know-how necessary to ensure that they remain secure in the face of today’s advancing cyberthreats.