“Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.” Richard R. Best, SEC – Atlanta Division
For years many in the cybersecurity/data breach space have been saying that somebody is going to have to go to jail before corporate decision-makers begin to take cybersecurity as seriously as they should. Many thought the Department of Justice’s focus on individual accountability through the “Yates Memo” may be the vehicle but that has not yet happened.
With the Equifax breach and revelations that three executives had sold stock in the company before the breach was announced publicly, we saw an outcry against what was believed to be insider trading and calls for the executives to face jail time:
Thirty-six U.S. senators on Tuesday called on federal authorities to investigate the sale of nearly $2 million in shares of credit bureau Equifax Inc by company executives after a massive data breach, and one compared their actions to insider trading.
The lawmakers signed a letter asking the U.S. Department of Justice, the Securities and Exchange Commission and the Federal Trade Commission to look into about $1.8 million in stock sales by three executives between July 29 – the day Equifax said it learned that its systems were hacked in mid-May – and when they made it public last week.
“If that happened, somebody needs to go to jail,” Senator Heidi Heitkamp, a Democrat on the Senate Banking Committee, said at a credit union industry conference in Washington. “It’s a problem when people can act with impunity with no consequences. How is that not insider trading?”
Criminal Charges Filed Against Former CIO of Equifax Unit
For one former Equifax executive, however, his actions were not quite so innocent and may now give rise to the closest chance yet of someone actually getting jail time as a consequence of a data breach:
The criminal charges were filed in federal court by the United States Department of Justice and the United States Securities and Exchange Commission is also pursuing claims against Ying.
The basis for the charges are the allegations that Ying,
learned of the potential Equifax data breach,
texted a colleague stating that it “Sounds bad. We may be the one breached.”,
If these allegations are true, this certainly sounds like insider trading. As stated by Richard R. Best, Regional Director of the Atlanta Regional Office of the SEC, “Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.”
Best’s sentiments were echoed by David J. LeValley, Special Agent in Charge of FBI Atlanta: “By prosecuting cases like this, the FBI and the U.S. Securities and Exchange Commission are sending a strong message to company insiders that they must follow the same rules that govern regular investors. Otherwise, they face the severe consequences for failing to do so.”
Severe consequences can mean many things. What everyone is really wanting to know is whether Ying actually serve any jail time. If he does, this case will be a game-changer that moves the needle of data breach consequences significantly upward. We will not know the answer to that question until he is convicted (or enters a plea agreement) and sentenced. Some articles state that Ying is facing up to 25 years in jail on the charges. Neither the SEC nor DOJ press releases state how long of a sentence is being sought.
As far as real-life insider trading cases where people have actually been sentenced to jail go, a Wall Street Journal post from 2014 discussing the longest insider trading sentences has the top 5 longest sentences ranging from 12 years down to 7 years. Comparing the amount of money involved in those cases to the $117,000 in losses that Ying avoided makes this cases relatively small. I doubt we will see anything approaching those sentences.
If the question, however, is not how much jail time will Ying get but whether he will get any jail time, I think both the SEC and DOJ have been looking for the right poster child to make an example out of and Ying may have drawn the short straw. Let’s see …
______________________
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
The once prestigious 40-year law firm Mossack Fonseca, infamously known for its data breach that revealed the Panama Papers, is closing at the end of the month. The reason, in its words:
“The reputational deterioration, the media campaign, the financial siege and the irregular actions of some Panamanian authorities have caused irreparable damage, whose obligatory consequence is the total cessation of operations to the public.”
What led to all of that? Its data breach, of course.
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
The push for a single uniform national data breach notification law gained strength in the wake of the Equifax breach. Now proposed legislation in North Carolina would amend its law in a way that would add momentum to this push. And, now South Dakota is tired of being one of only two states without a breach notification law and wants to abandon Alabama and join the other 48 states by getting a law of its own.
North Carolina, in a never-ending race to see which state can come up with the most impractical breach notification law, has proposed legislation that would (1) now requiring that companies notify consumers and the state Attorney General of data breaches within 15 days; and (2) adopt the HHS’ view under HIPAA that a ransomware attack is a data breach that requires notification and reporting. You can read more details about the new law here, but this is enough to help you see why even this Texan believes we need a federal breach notification law in place before some state requires instantaneous notification of consumers by a clairvoyant.
South Dakota’s proposed legislation is at least generally consistent with the existing laws of many of the other 48 states. It would require companies to notify its residents whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person, within 45 days from the discovery or notification of the breach. Breaches affecting more than 250 of its residents would require notifying the state’s Attorney General as well. You can read more details about the proposed law here.
Under the proposed laws for both the North Carolina and South Dakota, the failure to comply with the breach notification requirements would be a violation of the respective states’ deceptive trade practices laws.
______________________
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
On January 19, 2018, cybercriminals were successful in a ransomware attack on Allscripts, an electronic healthcare record (EHR) provider for healthcare providers across the United States. The attack encrypted some of Allscripts systems and prevented those healthcare providers who use those systems for their EHRs from being able to access their patient records. Not only is there the obvious impact this has had on those healthcare providers’ ability to treat their patients, but also, under HIPAA, the Office of Civil Rights presumes that all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless certain criteria are satisfied. (See checklist in this post and this post for further explanation).
The Texas Medical Liability Trust (TMLT)’s blog post, Allscripts EHRS Falls Victim to Ransomware Attacks, goes into much greater detail in describing the facts of this event and what has taken place since the initial attack. The blog also provides an excellent analysis of the Business Associates considerations in a situation such as this and the postfeatures severalimportant recommendations for what practices need to do now from my friend and excellent cybersecurity and data privacy attorney Adrian Senyszyn (LinkedIn) and myself. So, what are you waiting for, go read the TMLT post … and hope and pray that you planned ahead and have cyber insurance!
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
(9/15/17) I have written a good bit about shame hacking and how hackers’ efforts to monetize their activities have evolved to their using shame, or embarrassment, as a tool to extort payments from their targets. This case seems to be taking it to a new level. For the last two days we have all seen the news about how Equifax’s failure to patch was the cause of the breach. Today, it got worse.
Now, apparently, the hackers are trying to play the role of “good guys” by telling the secrets of how they hacked Equifax, how easy it was, and just how negligent Equifax was in defending its network. Check out this story (which seems to be legit): How Equifax got Hacked
Stop and think about this for a moment:
The hackers — the criminals who attacked Equifax and stole data from at least hundreds of thousands of people to potentially hundreds of millions of people — are now coming out and shaming Equifax for allowing them to do what they did.
Now I understand, with these revelations about its security practices, it is hard to feel sorry for Equifax and view it as the victim, and I’m not suggesting that we should. But let’s also not forget that Equifax was the company that was attacked — and now the attackers are the ones telling all to shame the company they attacked. We must keep this in perspective.
The problem is, we will not keep it in perspective and we as part of the masses will all start to dog pile Equifax even more for the juicy scoop that the hackers are revealing about the company they attacked and the hackers are stoking the flames: “if I have to release the information and make it public for these companies to finally acknowledge and admit their fuck ups (maybe not blame on apache flaw either) then I will” — the hackers
I am all for learning any lessons that we can from this attack, even if from the hackers themselves, and I am all for really letting Equifax have it for what they did, but the one thing I am not for is making these hackers out to be heroes in the end. As ridiculous as this may seem, now on 9/15/17, it would not be unprecedented … please, please, please, do not make these guys out to be heroes because they are not. They are criminals.
This is taking shame hacking to a new level. This kind of taunting would get a college or NFL football player ejected from a game — and we the people will enjoy every bit of it!
Stay tuned, this is getting interesting …
Will I lead a consumer class action lawsuit against Equifax?
I have received more inquiries from people via calls, emails, and social media posts who are interested in pursuing a class action lawsuit against Equifax than I have following every other breach combined, by at least double or triple the numbers! However, while it is clear that people want their pound of flesh, it will not be me leading the charge.
Lawsuits and investigations against Equifax
Well-respected data breach class action attorney John Yanchunis has already filed one class action lawsuit and it would not surprise me to see another well-respected data breach class action firm Edelson PC bring one as well. You can also learn more about class action lawsuits that are filed at the Top Class Actions website.
What to do if you’re impacted by the Equifax data breach?
I doubt I could do a better job of giving you advice on this than the Federal Trade Commission can so check out their Consumer Information page that explains what to do and how to do it: The Equifax Data Breach: What to Do
One of the issues that has caused some confusion is the difference between a fraud alert and a credit freeze, which the FTC has also addressed: Fraud alerts vs. credit freezes: FTC FAQs
Given that data breaches are the new normal, I see no reason why we shouldn’t all have some form of credit monitoring as one more level of protecting ourselves. While Equifax is offering a year of free credit monitoring using its service, if you’re reluctant to sign up for Equifax’s free credit monitoring, you should sign up for somebody’s even if it means paying for it. My friend Todd Hindman works for ID Experts and they have a top-notch product: https://www2.idexpertscorp.com/
Here are some general talking points I used for a couple of media interviews on this (much of this came directly from the FTC website):
IDENTITY THEFT – HOW DO INDIVIDUALS PROTECT THEMSELVES
[This week’s update]
Questions continue to be raised about the arbitration clause and class action waiver language that was originally in the terms of use for the free credit file monitoring and identity theft protection products that we are offering called TrustedID Premier. We have removed that language from the TrustedID Premier Terms of Use and it will not apply to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself. The arbitration language will not apply to any consumer who signed up before the language was removed.
[Last week’s update]
We’ve added an FAQ to our website to confirm that enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action. We removed that language from the Terms of Use on the website, www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident.
What caused the Equifax data breach?
The Apache Foundation which oversees the use of open source software issued a statement alleging the breach was caused by Equifax’s failure to install a patch, or security update, that had been available for a couple of months: “The Equifax data compromise was due to (Equifax’s) failure to install the security updates provided in a timely manner”
If you run Apache Jakarta Struts, there's a public, working remote exploit being used in the wild now. Upgrade ASAP. https://t.co/yG3awqgXJL
Absolutely agree 100% on this @Garin_Pace — if you're in that high-profile of a biz with data that valuable and can't patch … boy oh boy! https://t.co/XeN4ZGaBKt
The SecureWorld News Team talked with me about many of the lessons that can be learned from the Equifax data breach and winnowed it down to the following 3 takeaways that are discussed more thoroughly in the article:
We need a uniform national breach notification law in the United States.
When it comes to data breach response, “[i]t’s not about what you do right, as much as what you do not do wrong.”
Will Equifax be the “tipping point” for companies to take action on cybersecurity, much the way Target was the “tipping point” for awareness?
My friend Roberta Anderson and I had a conversation on Facebook in which she shared an article she wrote back in April 2014 (Business Forum: Target security breach could be a wake-up call) about the Target data breach being the tipping point for raising awareness about the need for cybersecurity and the risks of data breach. Her question to me was whether I thought Equifax would be another such tipping point. Here is the link to the Facebook post if you want to join the conversation.
Here is my response, also in the post above:
Roberta, that is an excellent article and some excellent questions you raise about Equifax. I recall back in 2011 hearing that year was the “Year of the Data Breach” because we thought, at the time, that with news of *some* data breaches making their way into the traditional news headlines it would be enough to jolt business leaders to start taking action. It wasn’t. As you predicted back in April 2014, it was going to be Target that really turned out to be the “tipping point” and I firmly believe that it was quite a watershed moment in the world of cybersecurity and data breach insofar as raising awareness is concerned. Unfortunately, it wasn’t enough. It wasn’t enough to move from mainstream awareness to mainstream action.
Now to the question of Equifax — will it be the “tipping point” that moves the needle from awareness to action? It very well could be for several reasons. First and foremost, people are pissed — really pissed — about a company that has made it’s business off of judging them and their “worthiness” now not only showing its unworthiness but also doing so at the expense of the people it has been judging — without their consent! In the world of perception and persuasion, that’s a horrible fact. I have seen this first hand — I have received two to three times more telephone calls, emails, texts, and social media messages asking me to bring a class action lawsuit against Equifax in less than a week than I have in the wake of every other data breach combined — COMBINED! People want their pound of flesh! Add to that the actions of the executives in selling their stock, post-breach (whether they knew or not), the perceived delay in notifying, and the extreme sensitivity of the data involved and you have the makings of a nuclear bomb of breach consequences which are already forming with the lawsuits, extended publicity, and congressional inquiries. But, will that be enough to move the needle to action? I don’t know … will their stock rebound? Will the congressional inquiry go the way of Yahoo’s CEO (who also received letters of inquiry from Congress)? Will the insurance cover much of the sting? Will the execs lose their jobs — without golden parachutes that provide them with better landings than most of us will ever have in our lives? Or, will somebody go to jail and, if so, under what theory?
Effective cybersecurity is hard and requires a commitment to a perpetual journey that has no final destination. That’s not a journey that most companies will truly commit to unless they are forced to do so — even if they *should*. Unless someone really pays the price for this Equifax incident, in a grand and public manner for all of the world to see (no, I’m not suggesting a public hangings — but something that will leave the imagery in the public’s mind the way those once did — like the Ford Pinto case), I just don’t know.
Will Equifax get hit for this data breach like Ford did for its “bean counting” in the Pinto case?
I wrote this post back in 2011 and we’re still waiting for the “message” to sent — will this be it? Data Breach — Who’s Gonna Get It?
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
The SecureWorld News Team talked with Shawn Tuma about many of the lessons that can be learned from the Equifax data breach and winnowed it down to the following 3 takeaways that are discussed more thoroughly in the article:
We need a uniform national breach notification law in the United States.
When it comes to data breach response, “[i]t’s not about what you do right, as much as what you do not do wrong.”
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
Delaware recently amended its data breach notification law to include the following requirements:
Expanded definition of “personal information” to include biometric data, medical information, passport numbers, routing numbers for accounts, individual taxpayer identification numbers and usernames in addition to the traditional forms of PII such as birth date and social security numbers.
Notice to affected individuals within 60 days.
Notice to the Delaware Attorney General if the breach affects more than 500 residents of Delaware.
Provide one year of free identity theft protection services in breaches where Social Security numbers were compromised (joining CA and CT).
Companies are not required to notify individuals if, after an appropriate investigation (i.e., performing a risk assessment), the company reasonable determines there is no risk of harm to the individuals.
On the cybersecurity side of things, the new law requires companies to “implement and maintain reasonable security” to protect the information a company collects and holds for Delaware residents.
The effective date of the new law is April 14, 2018.
The webinar qualifies for CPE Credits, and will take place on Wednesday, November 30 at 12 pm CST but if you are unable to attend, you can access the recording as well.
You can learn more about, and register for, the webinar at this LINK.
There is a grave and unfortunate misperception among many business leaders who believe that when their company has had a data breach, going through a response and notification of affected individuals is optional. To the educated readers of this blog, this sounds shocking. Sadly, it is something I see on a regular basis. What is worse is that there are far too many lawyers who do not practice in this area but, out of ignorance, advise such clients that it is really not as big of a deal as we are making out of it and that they can just ignore it. Continue reading “Yahoo Data Breach: US Senators Demand Answers – Still Think You Don’t Have to Disclose and Notify?”→
Shawn Tuma delivered the presentation Cybersecurity Legal Issues: What you really need to know at a Cybersecurity Summit sponsored by the Tarleton State University School of Criminology, Criminal Justice, and Strategic Studies’ Institute for Homeland Security, Cybercrime and International Criminal Justice. The presentation was on September 13, 2016 at the George Bush Institue. The following are the slides from Tuma’s presentation — a video of the presentation will be posted soon!
As it turned out, however, the sale of stock by those Equifax executives was found to have been properly approved and they did not know of the data breach at the time of the sale, so it was not the problem that many had suspected.
The push for a single uniform national data breach notification law gained strength in the wake of the Equifax breach. Now proposed legislation in North Carolina would amend its law in a way that would add momentum to this push. And, now South Dakota is tired of being one of only two states without a breach notification law and wants to abandon Alabama and join the other 48 states by getting a law of its own.
The Texas Medical Liability Trust (TMLT)’s blog post, 
