Equifax Data Breach: Preliminary Lessons for the Adoption and Implementation of Insider Trading Policies

by Dorsey & Whitney LLP

Insider trading allegations have surfaced at Equifax, a credit rating agency that last week announced a data breach that could potentially affect 143 million consumers in the United States, nearly half of the country’s population. SEC filings show that three Equifax executives – Chief Financial Officer John Gamble Jr., Workforce Solutions President Rodolfo Ploder and U.S. Information Solutions President Joseph Loughran – sold nearly $2 million in shares of the company’s common stock days after the cyberattack was discovered but before the news was publicly announced. It was unclear whether their share sales had anything to do with the breach. None of the SEC filings list the sales as being conducted as part of pre-established 10b5-1 trading plans. Equifax said in a statement that the three executives sold a “small percentage” of their shares on August 1 and August 2, adding they “had no knowledge that an intrusion had occurred at the time they sold their shares.” Following the company’s announcement of the data breach on September 9, Equifax shares traded down by almost 14 percent. The SEC has not commented on the share sales.

While all of the facts are not yet public, the situation as reported raises a number of fundamental questions. Under Equifax’s insider trading policy, was there a mandatory pre-clearance policy requiring the executives to get approval prior to placing their sell orders? If so, why were the sales approved in light of the existence of a data breach? Did Equifax invoke a blackout period as soon as it knew of the data breach and, if not, why not?

These questions and the developing circumstances at Equifax serve as a reminder for public companies to consider the following practices when adopting or revising an insider trading policy:

  • Make sure that your company has a policy and procedures in place that cover the purchase and sale of securities by insiders. The anti-fraud provisions of U.S. securities laws (Section 10(b) and Rule 10b-5 of the Securities Exchange Act of 1934 (the “Exchange Act”)) prohibit individuals with material nonpublic information from trading in the company’s securities on the basis of that information and from providing the information to others who may trade in the securities. Directors and executive officers of public companies are also subject to the reporting requirements and short-swing trading restrictions of Section 16 of the Exchange Act. A well-crafted and implemented insider trading policy can help prevent insiders from inadvertently violating these laws and incurring civil and criminal liability, and can protect the company from circumstances that would otherwise result in premature disclosures or “control person” liability. Keep in mind that the outcomes in these situations are typically determined with the benefit of 20/20 hindsight, and they can be costly not only in financial terms but also to the reputations of the insider and the company.
  • Be clear on which individuals are subject to the insider trading policy, and how it applies to each class of persons. The policy may apply to anyone who has a fiduciary duty to the company (including directors, executive officers, other employees, and potentially advisors, consultants and contractors, and their related persons), and none of these individuals should be trading securities based on material nonpublic information. Restrictions on trading activities by these individuals, however, will vary depending on their level and function at the company. For example, many insider trading policies only require directors, executive officers and designated insiders with regular access to material nonpublic information to pre-clear their transactions. Companies must apply judgments on risk and feasibility of policy implementation in defining the set of “designated insiders” beyond directors and executive officers who are subject to additional restrictions not placed on rank-and-file employees.
  • Articulate and enforce pre-clearance policies for directors, executive officers, other designated insiders and their related persons. Pre-clearance is the most effective procedure to prevent sales by insiders during a blackout period or at other times when they might be in possession of material inside information. Insiders should be encouraged to pre-clear transactions before they are discussed with their brokers or financial planners. The policy should also be clear on the types of transactions that require pre-clearance. Some transactions that require pre-clearance may not be intuitive, such as an intra-401(k) plan transfer into or out of the company stock fund and changes in the form of ownership or the manner in which ownership is recorded, such as transfers in or out of joint ownership; transfers into or out of a trust; and transfers into or out of a custodial account. Similarly, there may be exceptions related to employee stock purchase programs, dividend reinvestment plans or other arrangements where the individual does not control a market transaction in the company securities.
  • Establish clear blackout periods related to the quarterly financial reporting calendar. Directors, executive officers and those involved in the company’s external financial reporting process should be restricted from trading in company securities during pre-established blackout periods tied to the company’s financial reporting calendar. Blackout periods generally commence at a time prior to the end of a fiscal quarter, as determined by each company based on its internal information gathering and processing timetable, and continue until 24 to 48 hours following the public release of the company’s quarterly results.
  • Provide for (and implement) event-specific blackouts to allow the company to impose trading restrictions outside of scheduled blackout periods when material nonpublic information is known within the company. The importance of event-specific blackout periods cannot be overstated. The anti-fraud provisions of the federal securities laws generally do not impose an affirmative duty on public companies to disclose material inside information unless, among other things, the company or its insiders are trading in the company’s securities. Therefore, trading by insiders essentially forces a company to disclose material inside information at a time when it may be disadvantageous to the company and would not have otherwise been required. The law department should have a procedure in place to notify designated individuals subject to such a blackout that they may not trade in company securities, and that they should not disclose the existence of the blackout to other individuals. However, the failure to designate or notify these individuals does not relieve these individuals of an obligation not to trade while in possession of material nonpublic information.
  • Provide examples in the policy of material nonpublic information. A simple statement that information may be considered material if a reasonable investor would consider it important in making a decision to buy, hold or sell securities may provide insufficient guidance. Instead, a set of specific examples can make the policy easier to understand. In addition, individuals should be reminded that their obligations extend to material nonpublic information about other companies that do business with the company, which was obtained in the course of their business activities on behalf of the company.
  • Avoid standing orders to buy or sell company securities at a particular price, because they may be triggered when the individual is in possession of material nonpublic information. These concerns may be avoided by establishing a Rule 10b5-1 plan.
  • Explain how trades may be exempt from the insider trading policy if they are made under a properly pre-established and maintained trading plan, known as a 10b5-1 trading plan, and articulate the criteria for a properly pre-established and maintained plan. In brief:
    • the plan must be established when the individual was unaware of material nonpublic information;
    • the plan must be established in good faith and not as part of a scheme to evade the prohibitions of Rule 10b5-1;
    • the plan must specify the number or dollar value of company securities to be purchased or sold, the price at which the shares are to be traded, and the date of the trade; provide a written formula, algorithm or computer program for determining these variables; or not permit the individual to exercise any subsequent influence over how, when or whether to effect purchases or sales, provided that any other person exercising such influence must not be aware of material nonpublic information when doing so; and
    • the purchase or sale must be pursuant to the plan (without deviation and without a corresponding or hedging transaction with respect to the securities).
  • At least annually, remind directors, executive officers and designated insiders of trading restrictions, including restrictions under the insider trading policy, Section 16 of the Exchange Act and any anti-hedging and anti-pledging policies, and remind them of the scheduled blackout periods. Periodic educational sessions for the various classes of individuals subject to the insider trading policy are advisable.
  • Identify a contact for questions concerning the insider trading policy. Generally, this would be the company’s General Counsel or another person who manages the disclosure of material information to the public.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dorsey & Whitney LLP | Attorney Advertising
