July 13, 2020

Volume X, Number 195

July 13, 2020

Subscribe to Latest Legal News and Analysis

DOJ Announces More Equifax Charges – Credits Chinese Hackers

On February 10, 2020, Attorney General William Barr announced the indictment of four members of the Chinese military on charges of hacking into Equifax’s computer networks, maintaining unauthorized access to those networks and stealing sensitive information. The announcement highlights one of the more pronounced nation-state actor cyber threats to industry and to personal privacy. The Equifax saga also includes a since-resolved related concern—insider trading on cyber incident information. The four officers in the People’s Liberation Army are accused of conspiring to hack into Equifax’s computers, to maintain unauthorized access to those computers and to steal sensitive personal information of American citizens. The Department of Justice announced the indictment on nine charges the day it was unsealed. The charges include computer fraud conspiracy, computer fraud and abuse with intentional damage and unauthorized access, conspiracy to commit economic espionage, economic espionage, conspiracy to commit wire fraud and wire fraud. The four officers are currently in China, and it is unlikely that they will ever appear in U.S. court.  

According to the unsealed indictment, the Equifax breach compromised the names, birth dates and Social Security numbers of nearly 145 million Americans, as well as the driver’s license numbers of at least 10 million Americans and the credit card numbers and other data belonging to 200,000 American consumers. The indictment further alleges that data of more than a million Canadian and British citizens was also compromised. The U.S. Computer Emergency Readiness Team, an organization within the Department of Homeland Security, warned Equifax months before the breach that its network was vulnerable. Equifax, however, did not act quickly enough or thoroughly enough to change its practices or update vulnerabilities in its software. The indicated Chinese officers allegedly used encrypted communications and routed their internet traffic through 34 servers in approximately 20 countries. Despite these tactics and efforts to erase their tracks, they were identified through review of forensic data and investigation of the malware used. After the breach, the House Oversight Committee concluded that, because Equifax was aware of the vulnerability but failed to create an adequate security program, the hack was “entirely preventable.”

Data breaches continue to be a major concern for governments and businesses alike. While most data breaches have a pure financial or ideological motivation behind them, there is also a persistent, mixed-motive threat from nation-state actors.

When a nation-state is suspected in a cyber incident, the U.S. government’s interest increases, its involvement becomes more non-negotiable, and its assistance may be required to contain the incident and evict the intruder from the target network. Unlike smaller scale, private or individualized breaches, the motivation of hackers in these nation-state breaches often spans beyond pure financial gain or public “doxing,” though economic espionage is certainly part of the equation.

This indictment and the government’s account of Equifax’s response efforts highlight the importance of developed cyber incident response plans that company executives, technical support staff and legal professionals are aware of and understand. Having a plan in place, on its own, is not enough. Not only should company leaders and employees know the steps to follow in the event of breach, they should have practice following the protocols closely and efficiently, to minimize the impact of the intrusion and to prepare to notify the government of the breach in concrete terms.

Avoiding the Appearance of Insider Trading

Not only does the Equifax breach raise concerns of cyber intrusions, it also highlights the potential for insider trading before cyber incidents are publicly disclosed. An Equifax executive was alleged to have figured out that there was an intruder in the company’s system prior to public disclosure. On that hunch, he sold Equifax stock. He has since pled guilty to insider trading charges and was sentenced for four months in prison.

The kind of insider trading in play here, the “mosaic theory,” is more elusive than the traditional approach to insider trading. Under the mosaic theory, the alleged insider trader is using multiple tidbits of non-public information from several sources that, taken together, provide him or her with insight to make a logical inference on what is occurring. The insider then uses that information to trade. Here, the executive had not been directly informed of the hack, rather, he used limited facts to deduce that a hack had taken place, then sold his stock.

The exact contours of “mosaic theory” are ill-defined, but the appearance of insider trading, on its own, is enough to raise concerns for companies and their officers.

When a company officer or employee has knowledge or reason to believe that there has been a data breach, the officer or employee should proceed with caution. Even if there has been no formal announcement of a breach, the executive’s decision to trade on a hunch could lead the executive and the company down a path to legal trouble.

Takeaways

The announcement of the indictment of Chinese military officers in the Equifax breach is further warning to American business. Nation-state actors are hacking into sensitive data, not just for financial gain, but for national security purposes. The hackers are sophisticated: finding and ending the breach may be difficult. The best way for companies to prepare for potential intrusions is to have a cyber incident response plan in place, to be able to exercise that plan efficiently and effectively, and to ask for the assistance of legal counsel and the government. In the wake of a potential intrusion, company leadership and employees should not be acting on the non-public information they have explicitly received or discovered regarding the breach.

© 2020 Bracewell LLPNational Law Review, Volume X, Number 44

TRENDING LEGAL ANALYSIS


About this Author

Philip Bezanson, white collar criminal defense, securities, attorney, Bracewell
Managing Partner, Seattle

Philip J. Bezanson's practice focuses on white collar criminal defense, internal investigations, securities enforcement and regulatory matters.

Mr. Bezanson is a member of the Bracewell & Giuliani LLP team that has represented corporate and individual clients in recent high-profile and complex cases, including the Deepwater Horizon explosion, the George Washington Bridge lane closure and General Motors ignition switch investigations, "Pay to Play" cases in New York, New Mexico and Illinois, the stock options backdating cases, and a variety...

212-508-6138
David Springer Energy and finance lawyer Bracewell
Associate

David Springer serves as counsel to companies and financial institutions that are seeking resolution to their business disputes. He represents clients in diverse matters including securities litigation, class action lawsuits, complex commercial disputes, and government investigations.

Before joining Bracewell, David was a law clerk to Justice Jeff Brown of the Supreme Court of Texas. In law school, he was a member of the Texas Law Review editorial board. Prior to practicing law, David had a career in counterterrorism and intelligence, having served in various roles at the National Counterterrorism Center and the Defense Intelligence Agency in Washington and abroad. Those roles included work on matters related to cyber security. He is the recipient of multiple awards, including the Defense Intelligence Agency Civilian Combat Service Award and the National Counterterrorism Center Director's Award for his outstanding performance while leading a counterterrorism planning effort.

+1.512.494.3617
Mary Curry Litigation Attorney Bracewell
Associate

Mary Curry focuses her practice on internal investigations, commercial litigation and government enforcement and investigations.

Prior to joining Bracewell, she was an intern at St. John’s University School of Law Securities Arbitration Clinic.   

212.508.6150