In Short

The Situation: Despite Equifax's use of a cover story to keep employees from learning it was the victim of a serious data breach, a then-employee allegedly figured it out and made illegal securities trades based on the information.  

The Outcome: The U.S. Securities and Exchange Commission ("SEC") charged the former employee with insider trading, and the U.S. Attorney's Office in Georgia brought criminal charges.  

Looking Ahead: The matter raises difficult questions for public companies relating to the internal sharing of material, nonpublic information ("MNPI").

On June 28, 2018, the SEC filed an insider trading case against a former Equifax employee—Sudhakar Reddy Bonthu—alleging he traded in company securities while in possession of MNPI concerning Equifax's cybersecurity breach. The U.S. Attorney's Office in Georgia also announced criminal charges against him. 

Discovery of the Breach 

According to the Complaint, Equifax concluded in the summer of 2017 that its information technology systems had been breached and that personally identifiable information for millions of consumers had likely been stolen. Equifax established a remediation plan known internally as Project Sparta and told the participants they were working for an unnamed potential client that had experienced a large data breach. 

The SEC's Allegations

According to the SEC, in an effort to prevent the spread of MNPI, Equifax did not disclose to Bonthu that it had experienced a breach itself, but instead asked him to help develop a remediation plan for an unnamed potential Equifax client that had been breached. Bonthu, a software engineer, was assigned to Project Sparta on August 25, 2017. Like the other employees, he was told he was working on a "fast-breaking opportunity" for an unnamed potential client.

During the next several days, Bonthu learned that the unnamed client intended to "go live" within a week and that the breach affected at least 100 million consumers. He also received a file with the phrase "EFXDatabreach" included in the title. (Equifax's trading symbol is EFX.) Based on this and other information, Bonthu concluded that Equifax itself was the victim of the breach.

On September 1, 2017, Bonthu spent approximately $2,000 to purchase Equifax put options in his wife's account. His purchase violated company policy, which prohibited trading in derivative securities. On September 7, 2017, Equifax publicly disclosed the cybersecurity breach, and Bonthu sold his options the next day, generating a $75,000 profit.

To settle the case, Bonthu agreed to be enjoined from future fraudulent conduct and disgorge his trading profits; the criminal charges remain pending.

Risks for Companies

Bonthu's alleged conduct demonstrates the risks companies face in determining whether to bring employees "under the tent." Expanding the circle increases the number of potential sources of inadvertent (or intentional) disclosure, but keeping it too small may encourage employees to engage in detective work to figure out what is really going on.

In the latter scenario, employees may be more likely to trade or tip because they have uncovered the information on their own and are not subject to a trading blackout. In Bonthu, the trader's alleged conduct indicates he may have traded in either situation, but for many employees, bringing them under the tent and imposing a blackout (rather than providing a cover story) may be more effective.

The answers are not simple, but this case illustrates the potential benefits of expanding the circle and imposing broader trading blackouts on employees who may learn MNPI as a result of their remediation responsibilities. Many companies have more experience dealing with this issue on the transactional/M&A side, but the same principles apply.