X

Equifax Top Lawyer Investigated in Share Sales

Summary: The top lawyer at Equifax is being investigated for his role in the share sales by some of the company’s top executives.

The top Equifax lawyer is being investigated for his role in share sales by executives upon the news of their massive data breach. The Australian reports that the Board of Equifax is currently reviewing the lawyer’s actions as they try to determine who knew what about the hack and when it happened to better understand how those that learned of the hack handled that discovery.

Chief Legal Officer John J. Kelley had the top power in approving share sales by top executives days after the credit reporting company realized they had been hacked in late July. He is also responsible for security at the company.

There are three congressional hearings scheduled for this week where the former chief executive, Richard Smith, will testify and a focus on the company’s security approach and share sales will be included. Smith stepped aside last week as chairman and chief executive. In his resignation, Smith said it was in “the best interests of the company” and that the security breach was the “most humbling moment” in the company’s 118-year history.

The security breach at Equifax is under intense scrutiny after it was learned the hackers gained access through a publicly identified software vulnerability, which Equifax has since fixed. Four cyber risk analysis companies pointed out the weaknesses months before the attack when they analyzed publicly available information on their security systems. The cyber companies found that Equifax was behind on basic maintenance of their websites. An Equifax spokeswoman previously said the company took security measures seriously.

Kelley’s position differed from peers at rival credit reporting companies. He had a broad range of responsibilities exceeding legal services. He is one of the senior executives in charge of security. Sources indicate that former chief security officer Susan Mauldin used to report to Kelley. Along with the chief information officer, Mauldin retired just a week after the breach was disclosed last month. Kelley participated in the hiring of Mauldin, serving as her main contact with senior leadership.

Equifax explains that Kelley was put in charge of cybersecurity, instead of another executive, because he could provide an unbiased opinion when choosing to allocate money to IT and cybersecurity. His predecessor also oversaw security. As well as serving as the chief legal officer in charge of cybersecurity, he was in charge of government and legislative relations and corporate governance and privacy functions.

The actions by executives in question happened on August 1 and 2 when three of them sold shares. On August 3, the sales were reported by a deputy of Kelley to the Securities and Exchange Commission. Equifax claims the executives, including finance Chief John Gamble, were unaware of the hack when they sold their shares. The sales made them almost $1.8 million.

Equifax is conducting their own review but the executives were not involved in any meetings about the breach and the sales were made during a period when they were allowed to. The bigger concern is on Kelley and when he learned of the security breach. Equifax and their security staff apparently learned on July 29 of what had happened.

For the share sales, the company’s earnings report was posted on July 26. Their rules do not allow executives from trading immediately after an earnings report. The first day they would have been allowed to trade was July 28 or July 31.

Equifax’s outside counsel hired Mandiant, a cyber investigations division of FireEye, on August 2. Kelley should have been involved in that decision.

Kelley joined Equifax in 2013 from the law firm King & Spalding, where he had worked for 27 years. He graduated from the University of Virginia School of Law before joining King & Spalding, where he became a senior partner advising clients on SEC reporting and disclosure requirements. The law firm had worked with Equifax for several years, although Kelley was not one of the lawyers working with Equifax.

Do you think Kelley was aware of the breach when he approved the share sales? Share your thoughts with us in the comments below.

To learn more about cyber hacks, read these articles:

Photo: commons.wikimedia.org

Amanda Griffin: