Equifax disclosed that it occurred a data breach on September 7, 2017, which impacted 143 million Americans. The New York Times adequately explains the magnitude of the recent Equifax data breach:
“Equifax warehouses the most intimate details of Americans’ financial lives, from the credit cards in their wallets to the size of their medical bills. But the company doesn’t face the constant monitoring and auditing that help strengthen banks’ systems and data protections. Despite the wealth of sensitive information in its database, Equifax, in essence, falls through the regulatory cracks.”
The compromised data included sensitive information such as Social Security numbers, credit card information, birth dates, and addresses. Equifax is now facing a variety of potential legal action. Consumers have brought a class action and there are clear regulatory failures that the company must face, however, for the purposes of this blog we are going to discuss the different types of claims investors can bring against Equifax.
Law360’s Pro Say podcast invited Carmen Germaine, a Senior Securities Reporter, to discuss the different legal avenues available to investors. Investors can bring two types of claims, the first being an investor class action, where the investors allege the company committed securities fraud and the investors in turn suffered economic loss. Here, investors are alleging that the company knew or ought to have known that the cybersecurity was insufficient, concealed its defects, or lied to investors about how the security quality. The second option is a derivatives lawsuit where investors allege that the company’s board of directors breached their fiduciary duty and knowingly used inadequate cybersecurity measures or actively attempted to harm the company and its investors. Germaine explains that these cases are hard for investors to bring because in class actions there needs to be a drop in the company’s stock price to claim damages, and typically companies who disclose data breaches do not see a shift in their stock price, and derivative suits need to demonstrate that the board of directors intentionally harmed the company or were negligent.
Showing a loss to the investors’ bottom line is not difficult here. Equifax’s stock decreased by 14 percent from the time they disclosed the data breach to when the market opened, giving investors proof of economic loss. Over the past three months the company’s stock steadily remained around $140, but on September 7, 2017 the stock took a significant dive and dropped to its lowest point in the past year on September 15 to $92.98. There have also been other factors that will help investors bring a claim. Equifax was hacked in May of this year, but was aware of their cybersecurity vulnerabilities in March and did not disclose the breach until September. This will bring up issues with the Securities and Exchange Commission (SEC) as they investigate whether Equifax took too long to disclose the information and if they took the appropriate measures to safeguard their systems. There have also been accusations that executives of the company committed insider trading as they sold around $1.8 million of stock a couple of days after the breach was discovered. Germaine points out how these executives most likely did not trade based on the non-public material information, however, this will still give weight to a derivatives law suit. It will exemplify how the executives were either not made aware of financially pertinent material after a data breach in their company when they should have been made aware, or that they knew and traded based on that information.