John Kelley, CLO of Equifax, has found himself at the center of the controversy surrounding the recent massive data breach at the company.

Former Equifax Inc. CEO Richard Smith spent much of last week testifying before Congress about the massive data breach that has affected some 145 million U.S. consumers. Many grilling Smith questioned the timeline following the discovery of the incursion and wondered how three Equifax executives were able to sell shares totaling close to $2 million just days later.

The answers inevitably came back to the company’s chief legal officer, John Kelley III, who along with being in charge of security within the company, is responsible for approving share sales by Equifax executives.

Parsing the decisions Kelley made in the aftermath of the breach raises some intriguing issues for the many in-house counsel who must grapple with cybersecurity threats and shows that the story of how Equifax responded to its recent breach is anything but simple.

The Timeline

Over the course of three days of testimony before four congressional committees, Smith laid out the timeline leading up to and in the days, weeks and months after the incident, one of the largest data breaches in U.S. history.

Equifax’s security department observed suspicious activity on July 29 and 30. This, according to Smith, was not necessarily out of the ordinary, as in any given year, it’s not unusual to have millions of instances of suspicious activity or potential attacks. On July 31, Smith was notified of this incident and he testified that, “it’s my understanding” that Kelley was also notified on that same day. On Aug. 1 and 2, Kelley approved stock sales totaling roughly $1.8 million from Chief Financial Officer John Gamble, president of U.S. information solutions Joseph Loughran and president of workforce solutions Rodolfo Ploder.

Smith said that to the best of his knowledge, these execs did not know of the cybersecurity incident when they initiated the stock sales, and that while Kelley knew of suspicious activity, he did not know the activity constituted a breach when he approved the sales. Though Smith said in the hearings that the nature and scope of the cyber incident were not known until late August, he testified that the Federal Bureau of Investigation was notified on Aug. 2. And Kelley would have been notified of the FBI’s involvement “on and around that same time,” according to Smith. The window for stock sales, Smith testified, was not closed by Kelley until mid-August.

Kelley did not respond to a request for comment for this article. In response to a request for comment, an Equifax representative said: “We have no additional comments. Mr. Kelley is a respected member of the senior leadership team.”

The Optics

“Being informed that there is suspicious activity [on company networks] is certainly not a good day, because you know where it could lead to, but you don’t necessarily know it’s a breach,” said Sterling Miller, general counsel at marketing automation software company Marketo Inc., who approved stock sales in a previous GC role at Sabre Corp. “If I’m the general counsel and I hear about this, the thought is: OK, I probably need more information as soon as possible. And then you have, days later, executives coming to you for approval to sell stock. This is where it’s a judgment call.”

Miller added: “Obviously, in the light of day, the optics look bad.”

The most conservative approach to the Equifax scenario would have been for Kelley to decline approval of the sales, Miller said, noting that the GC in that situation is “not going to be popular.”

Companies and their executives can also avoid accusations of insider trading with Rule 10b5-1 plans, added Miller. Under these plans, which were established by the U.S. Securities and Exchange Commission, major shareholders and high-ranking execs who often have material nonpublic information can arrange to sell a predetermined number of shares on a prearranged date.

If you put a plan like this in place, Miller said, it really doesn’t matter what’s going on in the news, because the executives wouldn’t have known about it when the plan was implemented.

In an Oct. 5 hearing, Smith testified that some Section 16 officers, or top executives, “may have had a 10b5-1 plan, others may not have.” Smith said such a plan was not a requirement at Equifax, but that Kelley “has a clearing process that he has to approve” before one of these officers can sell stock.

The most conservative approach, however, may not always be realistic, according to Alan Dye, a partner at Hogan Lovells, whose focuses include securities and corporate governance. “Some might look at a particular event and conclude, we need more time to think about whether this is material. We don’t know today that it is, but we don’t know that it isn’t. So why buy trouble?” he said.

“The practical problem with that is that at most companies, there’s always something going on,” Dye said. “There are so many things at most companies that are going on at any given time, that if you conclude, ‘I’m not going to open the window if there’s something that might blow up on me’ … it would be hard to open the window.”

A company needs to identify where there’s risk of sudden material developments, according to Dye, and should have a policy with a clear reporting structure so it’s readily apparent who needs to be alerted when a certain type of event happens. Then, he added, the person in charge of approving stock sales needs to be able to ask the right questions.

What About the FBI?

Another point of contention for some quizzing Smith during the hearings was the fact that the FBI was notified of the incident on Aug. 2, and trades were approved that day, as well as the day before.

“It looks pretty suspicious, and your chief legal officer has some explaining to do,” said U.S. Sen. Heidi Heitkamp in an Oct. 4 hearing. “Because even after he knew that there was a notification to the FBI about this level of breach, he did not claw back or try to undo those transactions and reverse what clearly appears to be a pretty beneficial situation for three of your employees.”

In a hearing the following day, Smith revealed that Kelley has, on previous occasions, canceled the trading window “a few times” because of material nonpublic information that was known by certain company insiders.

The decision about when and whether to notify law enforcement of an incident is “a fact-specific question,” said Paul Rosen, a partner at Crowell & Moring who works in several of the firm’s practice groups, including its privacy and cybersecurity group. Rosen added that including law enforcement can offer a number of benefits, such as the resources to help catch those responsible.

Not all incidents will necessarily rise to the level of law enforcement notification, however. “Companies can be hit with incidents large and small all the time, including cyberattacks,” Rosen said. “And notification to law enforcement is generally an indication of a serious incident.”

Edward McAndrew, a partner at Ballard Spahr and co-leader of the firm’s privacy and data security group, agreed that while there’s no “standard protocol for the timing of the notification or disclosure to the FBI,” the decision to notify the FBI may indicate the seriousness of the incident.

“Generally, before a notification is made to the FBI, the victimized organization has enough to conclude that something … is afoot of significance,” McAndrew said. “I think there has to be enough of sufficient significance to warrant that disclosure.”

Jennifer Williams-Alvarez is based in New York and covers corporate law departments.