21 Aug 2019

The recent conviction of a second Equifax executive (Jun Ying) for insider trading after the Equifax data breach in 2017 highlights concerns about the possible interplay between data breaches and insider trading. In the period from detection of a data breach to its public disclosure, insiders might try to use non-public information in securities trading, cashing in on the prediction that the disclosure of a data breach will cause the stock price to fall.

Here, we look beyond the Equifax cases brought by the U.S. Securities and Exchange Commission ('SEC'), and focus on the risks of insider trading related to a personal data breach, in the context of the General Data Protection Regulation ('GDPR') and the market abuse regime in the UK.

Background: insider trading in the Equifax case

Jun Ying, who was to become Equifax's next CIO (the offer was rescinded after his trading activity came to light), has recently been found guilty of selling Equifax's shares back in March 2017, shortly after learning that Equifax had sustained a data breach but before it was announced to the public. Having learnt about the breach through internal communications (before he was formally advised not to trade company stock), he exercised his options and then sold $950,000 worth of Equifax shares, within an hour of researching a competitor's stock move after their 2015 data breach. As a result of his trading, Ying avoided a loss of about $117,000 and gained over $480,000. Ying pleaded guilty to insider trading and was sentenced to four months in prison, fined $55,000 and ordered to pay $117,117 in restitution.

In an earlier case, the SEC charged a former Equifax software engineer with buying put options (a bet that the stock price would go down) after learning of a data breach before it was publicly disclosed, and exercising these options when Equifax's stock dropped following the data breach announcement. Following the detection of the breach, Sudhakar Reddy Bonthu worked on a breach notification website and, despite being told that it was a project for an 'unidentified client', he concluded from the information entrusted to him that it was in fact Equifax that had suffered the breach. His insider trading made him a profit of more than $75,000. He was sentenced to eight months of home confinement, fined $50,000 and ordered to forfeit $75,979.

The impact of data breach notification laws

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The GDPR imposes short data breach notification deadlines. It requires all controllers to notify (1) the ICO of a personal data breach likely to result in a risk to the rights and freedoms of individuals without undue delay and, where feasible, no later than 72 hours after discovering the breach; and (2) data subjects without undue delay, if a data breach is likely to result in a high risk to their rights and freedoms. Processors who become aware of a data breach must notify the controller without undue delay. For comparison, U.S. state data breach notification laws vary in their specific provisions on the timing of breach notification: they either require breach notification as soon as possible (e.g. District of Columbia) or specify deadlines (which can be as long as 45 days in Ohio).

Mandatory data breach notifications reveal to the market a negative event that might not have otherwise become public. Any impending notification of a personal data breach could, to insiders, create an expectation of a drop in the affected company's stock price. It could tempt insiders to sell their shares ahead of a breach notification. From that perspective, data breach notification obligations create a setting that may trigger opportunistic insider trading. Short breach notification deadlines, like those under the GDPR, reduce the time window for insider trading by speeding up the public's realisation of the breach and thereby constraining the opportunity to trade on private information. They also indirectly support the prevention and detection of market abuse under the Financial Conduct Authority's suspicious transaction and order reports (STOR) regime, by preventing insiders from spreading trades based on non-public information over longer periods, in an attempt to conceal them.

Insider trading controls

Public companies should review their securities trading policies, procedures and codes of conduct, to ensure that they address and counter the risks of trading on insider information relating to personal data breaches. Policies should both identify and take steps to counter financial crime pre-trade and mitigate future risks posed by clients or employees who have already traded suspiciously. Following the Equifax cases, companies should consider implementing the following measures:

  • trading bans from detection or suspicion of a data breach up until notification to remove the opportunity for insider trades
  • procedures which identify and highlight the risk arising from a data breach and outline the requirements to disclose insider trades. Procedures should be communicated to all relevant business areas including front office employees
  • clear requirements which ensure that senior management takes an active role in understanding and mitigating risks arising from data breaches
  • enhanced monitoring/surveillance of employee trading, particularly employees involved in the identification or investigation of a data breach
  • ensuring that policies are in place to take disciplinary action against an employee and, if required, terminate the employee relationship; and
  • ensuring that risk assessments evaluate and scrutinise the effectiveness of policies and procedures in place to adequately control and mitigate the risk arising from a data breach.

Management of data breach response

Public companies should address a number of areas in their data breach response plans to reduce the risk of opportunistic insider trading. Lessons from the Equifax cases (where executives deduced the occurrence of a data breach from the activities they had been involved in after the breach was detected but before Equifax issued an internal breach announcement and trading blackouts) relate in particular to ensuring that:

  • internal restrictions (e.g. stock trading bans) and obligations (e.g. confidentiality) are used in a timely manner, to reduce the risk of insider trading before the breach is publicly disclosed. Such restrictions may need to be imposed earlier on those who are on a data breach response team or otherwise involved in generating documents related to the data breach investigation
  • a data breach response team is limited to those whose involvement is strictly necessary to investigate and manage a breach
  • all internal activities and communications related to a data breach investigation and response, including information from which employees could draw their own conclusions about the occurrence of a data breach, are carefully managed, monitored and restricted; and
  • the company utilises the protection of legal privilege (legal advice privilege and litigation privilege) to investigate a data breach without fear that internal investigation documents will be used against it. Only the data breach response team should have access to such documents (e.g. through a closed worksite), and it must not circulate legal advice to employees or third parties not linked to the investigation, as this may lead to the loss of legal privilege.

Summary of key risk mitigation takeaways

Public companies should review their internal securities trading policies and codes of conduct to ensure that they effectively minimise the risk of insiders trading company stock on the basis of non-public information related to personal data breaches, in the period between detection of a data breach and its notification to the public, e.g. through timely use of trading blackout periods.

Senior management and boards of directors should ensure that robust data security, data breach detection and response plans and procedures are in place, and that important personal data breach information is elevated to senior corporate levels in a timely manner for appropriate decision-making and oversight.

Companies should seek legal advice and make use of legal privilege as soon as possible after detection of a data breach.