Outside Tips: SEC Sues Trio for Trading on Equifax Breach

Until 1864 no generally available system existed to assess the creditworthiness of borrowers; instead, lenders, whether dealing with Commodore Vanderbilt or the proverbial “John Smith,” had to rely on informal information obtained from neighbors, community, or otherwise about a putative borrower’s reputation and perceived financial capacity. As the Civil War ended, national banks were founded (under the National Bank Act of 1863), the federal government imposed its first income tax in 1861 (repealed in 1862 but replaced with a more progressive federal income tax act), and an effort began to create one or more systems of credit ranking. The effort eventually led to the founding, in 1899, of the Retail Credit Company, which was subsequently renamed Equifax, Inc. Equifax is a Georgia corporation headquartered in Atlanta, whose publicly traded shares are listed on the New York Stock Exchange. In addition to being the oldest, Equifax is the largest of the three major American credit reporting agencies. The others are: i) Experian, which came out of the conglomerate TRW (after TRW bought Credit Data in 1968), which operating unit was in turn bought in 1996 by private equity funds Bain Capital and Thomas H. Lee, and was renamed Experian; and ii) Trans Union, which owned the rail car leasing company Union Tank Car Company, and which in 1969 bought the Credit Bureau of Cook County and renamed it Trans Union.

Credit reporting agencies (according to the Sept. 8, 2021 Report “Who Are the Major Credit Reporting Agencies?” issued by the trade association) “collect consumer data and provide it to lenders when requested…so lenders can make credit decisions.” The credit reporting agencies are subject to substantial regulatory requirements under the Federal Fair Credit Reporting Act (“FCRA”). One of the agencies’ most important obligations is the protection of all the consumer data they collect. Indeed, the U.S. Bureau of Consumer Financial Protection (“CFPB”), in its recently issued Advisory Opinion entitled “Fair Credit Reporting: Permissible Purposes for Furnishing, Using, and Obtaining Consumer Reports,” states:

                  Consumer reporting agencies collect and assemble or evaluate information about, among other things, the credit, criminal, employment, and rental histories of hundreds of millions of Americans. They package this information into consumer reports, which are used by creditors, insurers, landlords, employers, and others to make eligibility and other decisions about consumers. The collection, assembly, evaluation, dissemination, and use of vast quantities of often highly sensitive personal and financial information about consumers poses significant risks to consumer privacy.

Thus, the CFPB reminds one that Courts have recognized that a principal purpose of the FCRA is to protect the privacy of consumer data.

“On July 29, 2017, Equifax’s security department observed suspicious network traffic within an internal system,” according to a Complaint (the “Complaint”) filed on Aug. 15, 2022, by the U.S. Securities and Exchange Commission (“SEC”) in the Federal Court for the Northern District of Georgia, Atlanta Division, against three individual residents in Illinois. Equifax retained “a cybersecurity consulting firm to determine the scope of the intrusion.” By mid-August Equifax concluded that “the hackers had accessed the personally identifiable information of millions of consumers.” Clearly, the “intrusion” ran afoul of the FCRA, and the resulting “significant risks to consumer privacy” were a material development affecting Equifax, as well as the consumers whose personal data was accessed. As part of planning to announce the breach to the public and adopting remediation steps, Equifax through its outside counsel engaged a Chicago-based public relations firm “to help …[it] develop…[how] to respond to …government and media inquiries… [about the data breach once it made the public announcement].”

The key to this case was, curiously, the configuration and internal structure of the office of that Chicago public relations firm. According to the Complaint, the employees of that firm were assigned workstations in low-walled cubicles. One of the firm’s employees who was assigned to “support the Equifax crisis team” assisted in drafting the scope of work for the team and in reallocating workloads of other team members. He happened to work in the cubicle next to Ann Dishinger, 52, a resident of Deerfield, Illinois, who was a senior financial manager of the public relations firm.  She had been with the firm for at least 10 years and annually “acknowledged receipt of the company’s policy that client information…was confidential.” She overheard her co-worker talking to other members of the crisis team and so learned of the Equifax data breach “within a day or so” of her employer being engaged by Equifax. She shared that information with a 59-year-old resident of Glenview, Illinois, Lawrence M. Palmer, who was a Vice President of a mortgage loan company and her “significant other.” He in turn shared that Equifax information with his older brother, Jerrold L. Palmer, 61, also of Glenview, who was Vice President of another mortgage lender operating in the same building as his younger brother. Both Palmers purchased put options, Lawrence through a former business associate with whom he communicated using code terms from the movie “Wall Street” to confirm the purchase. His brother did the same thing through a third friend (after the first two turned him down).

See my Aug. 8, 2022 Blog “The SEC ‘Special Ops’ of Enforcement: Five Cases Identified by Analysis and Detection Center” for a discussion both of the essence of insider trading and of the case law developments explaining that the quid pro quo between a tipper and a tippee need not involve money, but could be supported by relationships such as those I) between Dishinger and Lawrence, on the one hand, and II) between the Palmer brothers (even without Jerrold’s transfer of $28,000, noted below, to his brother) on the other. The SEC alleged that Dishinger knew that the information about Equifax was material and that tipping off Lawrence was a violation of her obligations to her employer. The SEC also alleged that both Lawrence and Jerrold knew or were reckless in not knowing that the information was material, and that Dishinger was in breach of her obligations when she told Lawrence.

At the close of business on Sept. 7, 2017, Equifax issued a press release and filed a Form 8-K with the Commission, disclosing the breach. On Sept. 8, 2017, the price of Equifax stock closed at $123.23, down $19.49 (almost 14%) from the September 7 closing price of $142.72. Lawrence made a profit of $34,848.90. Jerrold made a profit of $73,398.74, approximately $28,000 of which he gave to his brother. Dishinger did not purchase or sell securities. The Complaint alleged that each of the three Defendants violated Section 10(b) of the Securities Exchange Act of 1934, as amended (the “34 Act”) and Rule 10b-5 thereunder by using a fraudulent scheme and engaging in practices that operated as a fraud on other market participants and the market itself, in connection with the purchase and sale of securities. The SEC sought a judgment: i) finding that the Defendants violated the cited securities law; ii) permanently enjoining them from future violation of that law; iii) ordering Lawrence and Jerrold to disgorge their ill-gotten gains plus prejudgment interest; and iv) ordering each Defendant to pay a civil money penalty. The Commission’s Aug. 16, 2022 Press Release (the “Press Release”) concerning this matter discloses that each of Lawrence and Jerrold consented to the entry of judgment against him as requested by the SEC, including: in Lawrence’s case, disgorgement of $9,000 together with prejudgment interest of $2,026, and payment of a civil penalty of $88,698; and in Jerrold’s case, disgorgement of $28,000 plus prejudgment interest of $6,303, and payment of a civil penalty of $73,399. The Press Release also discloses that “[t]he litigation as to Dishinger remains pending.”

When one gives one’s word to protect information about a third party, and then “breaks” that word, one may expect at least criticism and disapproval, and when that “breaking” involves the capital markets, one may expect to hear from the SEC. Unfortunately, the Equifax breach proved far too tempting to persons who put greed ahead of both loyalty and keeping one’s word. The Press Release notes that the Dishinger-Palmer case is the third insider trading case arising out of the Equifax breach brought by the Commission since 2018. One of those cases was brought against the former Equifax Chief Information Officer, and the other against an Equifax software engineering manager. Sometimes the facts (of human nature) are not “equitable.”

Peter D. Hutcheon, with the assistance of my colleague, Jerome F. Gallagher, Jr., concerning the CFPB.