So - brief summary of timeline:-
Feb 24, 2016 - Annual 10K report - indicates only generic, boilerplate risks that a financial services company like Equifax should include in their SEC filing.
Jly 27, 2017 - Quarterly 10-Q filing with the SEC, indicating
"There have been no material changes with respect to the risk factors disclosed in our
2016 Form 10-K."
Aug 1, 2017 - Chief Financial Officer John Gamble sells $946,374 in shares
Aug 2, 2017 - Joseph Loughran, President of US Information Solutions sells $584,099 in shares... and Rodolfo Ploder, President of Workforce Solutions, sells $250,458 in shares
Aug 17, 2017 - Rick Smith gives a presentation to the University of Georgia, discussing cyber security threats - and makes a memorable quote...
Sep 7, 2017 - Equifax admit to a massive data breach, impacting at least 143 million Americans, see here:-
http://www.independent.co.uk/n...
Sep 7, 2017 - On the same day as admitting to the breach, Equifax also admit that 3 executive sold $1.8MM in shares between the breach being detected and the date it was made public. Crucially, despite Equifax claiming that the Executives had no knowledge of the breach, none of the three sales were part of planned, scheduled trading (i.e. were covered by 10b5-1 plans). In other words, these were spontaneous sales. See here:-
https://www.bloomberg.com/news...
The crucial thing is, however, that in the above Independent article, published September 7th, is the statement,
"The Atlanta-based company said that that “criminals” exploited a US website application to access files between mid-May and July of this year - with the weakness said to have been discovered at the end of that month. "
Now, among the pieces of information we don't know are: 1) when, exactly, did the three executives sell their shares?; and 2) what internal discussions - i.e. board meetings, emails - were used to disseminate the information internally.
Obviously we're not told this, but the company will by now have received a "Preservation Order" from the SEC, requiring them to ensure that data pertaining to this event is not destroyed. Backup tapes will be pulled from cycles; current email folders will be locked; individuals will be warned that their documents are subject to such an order. Given the close proximity of events - we're talking days, not weeks or months - it should not be difficult to forensically re-create a very precise time-line.
So whilst the speech that Smith gave a the University of Georgia is going to be hugely embarrassing for him personally - and whilst the acknowledgements he makes in it will be very uncomfortable for the company - the really crucial evidence here is all about the timing. Understanding the truth behind the question, "Who knew what, and when", is going to make the difference between negligence and a criminal act.
Here is the key thing to bear in mind. That statement as reported in the UK Independent newspaper article that the breach came to light "at the end of July" is absolutely crucial. If there is enough evidence to suggest that persons within the company knew of the data breach *before* that 10-Q was filed, then I don't see how Smith and his co-directors can avoid jail time. The deciding factor [for me] is that the actual timing could very easily show conspiracy.
If there was a suggestion that a concerted effort was made to hold back the breach information until after the second quarter 10-Q, then it will not look good for the board. They are on the horns of a dilemma here. Either there was widespread knowledge of the breach and the three executives attempted off-plan sales of their stock based on that insider knowledge, in which case they are guilty of fraud and possibly some of their colleagues are guilty of conspiracy to conceal it; or a significant portion of Equifax Management are utterly incompetent and basically allowed one of the worst data breaches in history to happen on their watch... in which case we can only hope that shareholder lawsuits will follow.
Personally, I am inclined to suspect that "Where there is smoke, there is fire..." I can't accept this as the innocent coincident that Equifax are claiming...
The one thing that bugs me, however, is that [at least] 143 Million Americans have just been made the victims of a pretty egregious crime. They could experience all sorts of additional challenge, including becoming the victims of fraud and/or identity theft, yet they will have no ability to seek compensation from Equifax, because of course they will not be able to "prove" that their losses came as a direct result of the breach. That's not right.