Here’s an additional piece of legal advice for board members: if you know of or suspect a breach, don’t rush to sell stock…:
[…] Not only does the Equifax breach raise concerns of cyber intrusions, it also highlights the potential for insider trading before cyber incidents are publicly disclosed. An Equifax executive was alleged to have figured out that there was an intruder in the company’s system prior to public disclosure. On that hunch, he sold Equifax stock. He has since pled guilty to insider trading charges and was sentenced for four months in prison.
The kind of insider trading in play here, the “mosaic theory,” is more elusive than the traditional approach to insider trading. Under the mosaic theory, the alleged insider trader is using multiple tidbits of non-public information from several sources that, taken together, provide him or her with insight to make a logical inference on what is occurring. The insider then uses that information to trade. Here, the executive had not been directly informed of the hack, rather, he used limited facts to deduce that a hack had taken place, then sold his stock.
The exact contours of “mosaic theory” are ill-defined, but the appearance of insider trading, on its own, is enough to raise concerns for companies and their officers.
When a company officer or employee has knowledge or reason to believe that there has been a data breach, the officer or employee should proceed with caution. Even if there has been no formal announcement of a breach, the executive’s decision to trade on a hunch could lead the executive and the company down a path to legal trouble.