Equifax’s delayed hack disclosure: Did it break the law?

Equifax says a giant cybersecurity breach compromised the personal information of as many as 143 million Americans — almost half the country.

Equifax waited weeks before alerting 143 million of its customers that a data breach exposed sensitive personal information like social security numbers.

But U.S. companies are required by law to quickly report any new information that could materially affect their financial outlook. The fact that Equifax discovered the breach on July 29 but did not disclose the problem until Sept. 7 raises questions about whether it followed those laws.

“It’s pretty remarkable how long Equifax has been aware of the problem and did not disclose it,” said Eric Chaffee, a law professor at University of Toledo and editor of the Securities Law Blog. “The main problem here is the failure to disclose a catastrophic cyberattack that compromised the information that is at the heart of Equifax’s business model. This created a duty to disclose this attack in a timely fashion to investors, potential investors, and those whose data was compromised.”

Chaffee said there is nothing explicit in the law that lays out how many days a company can wait to disclose material information. But waiting too long to make a disclosure opens a company to scrutiny from authorities.

The SEC issued guidelines in October 2011 telling companies when they have to disclose a breach. After its own massive data breach was disclosed last year, Yahoo said that it was under investigation by the SEC, the U.S. Federal Trade Commission, a number of state attorneys general, and the U.S. Attorney’s office for the Southern District of New York over how it handled the hack.

The SEC would not say Friday whether it was looking at Equifax’s disclosure in this case, and Equifax did not respond to requests for comment on why it took so long to make the information public.

The company will almost certainly face lawsuits from both consumers who had their records stolen and Equifax investors, according to Chaffee.

“The stock price for the last five weeks did not accurately reflect the facts that we now know. That’s a problem,” said Chaffee.

One salient fact that the company has revealed: Three of its top executives sold large blocks of stock days after the company discovered the breach. Equifax Chief Financial Officer John Gamble sold shares of the company’s stock worth nearly $950,000 on August 1. Joseph Loughran, Equifax’s president for U.S. information solutions, sold shares worth about $685,000 on August 1 as well. And Rodolfo Ploder, president of workforce solutions, sold stock for just more than $250,000 on August 2. Equifax told CNNMoney that the sales were just a “small percentage” of what these executives own and that they all “had no knowledge that an intrusion had occurred” when they made the sales.

But Equifax shares plunged 14% on Friday, so these executives did in fact benefit from the information not being public at the time of their trades.

“The fact that it had a data breach of this magnitude is really quite significant and a great concern for the future of the business,” said Chaffee.