As we wrote yesterday, the CIO of Equifax is currently facing civil and criminal liability following trades he made after his employer suffered a major cybersecurity breach. As we indicated in our prior blog post, the SEC has filed a complaint alleging liability because he independently figured out that his employer was the victim of a breach and traded on that information.
This case is important not only for the reasons we reported yesterday, but also because it illustrates the need for public companies to closely consider their procedures for responding to a breach. Those procedures include the process for issuing trading blackouts while the breach is under investigation, and how and when to communicate with employees who are not part of the core incident response team, as even careful planning cannot prevent inadvertent discovery of material non-public information.
Putting it into Practice: If you are a public company, consider revising your insider trading policies or offering additional employee training to address instances in which employees may obtain (whether directly or indirectly) non-public information regarding a potential data breach impacting the company or its customers.