On March 14, 2018, the SEC and DOJ sued Jun Ying, a former Chief Information Officer within an Equifax Inc. business unit, for insider trading. Specifically, they accused him of knowing about a significant Equifax data breach prior to its public disclosure and, while in possession of that material nonpublic information, exercising his Equifax options and selling those shares. When Equifax subsequently announced the data breach its stock price fell, giving Ying a loss avoided of over $117,000.

This fact pattern, were that all there is, seems a rather straightforward, uncontroversial application of the “classical” theory of insider trading. Under that theory, a corporate insider, such as Ying, violates Section 10(b) and SEC Rule 10b5 by trading in the company’s securities “on the basis” of material nonpublic information about the corporation. Chiarella v. United States, 445 U.S. 222, 230 (1980); United States v. Newman, 773 F.3d 438 (2d Cir. 2014) (abrogated on other grounds by Salman v. United States, 137 S. Ct. 420 (2016)). According to the SEC’s Rule 10b5-1, a trade is “made ‘on the basis of’ material non-public information . . . if the person making the purchase or sale was aware of the material nonpublic information when the person made the purchase or sale.” Rule 10b5-1(b) (emphasis added). To prove a criminal violation, the DOJ must also establish that the defendant acted “willfully,” 15 U.S.C. § 78ff(a), defined in this context as “a realization on the defendant’s part that he was doing a wrongful act under the securities laws.” Newman, 773 F.3d at 447 (quoting United States v. Cassese, 428 F.3d 92, 98 (2d Cir. 2005)).

However, here, both the SEC and DOJ acknowledge in their charging papers that, at the time of his trading, Ying was not “aware” of Experian’s data breach – at least not explicitly. Indeed, when he traded, Equifax had disclosed this information to only a select few insiders, of which Ying was not one. To the contrary, Equifax had explicitly lied to Ying and told him that the data breach he and his team were working on was for an Equifax client. As one of Equifax’s business lines is assisting clients with data breaches, this explanation seemed plausible. As time went on, however, the behavior of his superiors and colleagues made Ying suspicious that there was no “client” and that it was Equifax that had been breached. Based on his suspicions, Ying exercised his outstanding Equifax options and sold his shares.

But suspicions were all they were – Ying is alleged to have “put 2 and 2 together” according to the SEC’s Complaint. Indeed, Equifax did not reveal to Ying that it was the hacking victim until days later. Nevertheless, notwithstanding his avowed lack of actual knowledge, Ying was charged with criminal insider trading by the DOJ and sued civilly by the SEC.

Clearly the government believes that, notwithstanding his lack of actual knowledge, Ying’s strong suspicion that Equifax, and not a client, had suffered a data breach, is sufficient to satisfy the knowledge requirement of Rule 10b-5 and create insider trading liability. This expands Rule 10b5-1’s knowledge requirement beyond actual awareness and into the realm of constructive knowledge at best, and mere suspicion at worst.

Thus, as this case progresses, it will be interesting to see whether the facts show Ying had constructive knowledge of Equifax’s data breach or something less, and whether as a matter of law, whatever he “was aware of” at the time he traded, is deemed sufficient to create liability.

While we have not seen cases addressing whether actual, as opposed to constructive, knowledge is required in the classical insider trading context, under the “misappropriation theory” of insider trading, a tippee must have actual knowledge that a tipper received a personal benefit in connection with the disclosure of the material nonpublic information in order to be convicted of insider trading. United States v. Newman, 773 F.3d 438 (2d Cir. 2014) (reversing tippee criminal convictions because the government failed to prove the tippees had actual knowledge that the tipper received a personal benefit in connection with disclosure of the material nonpublic information). Absent actual knowledge of the personal benefit, there is no liability. Id. Given that a tippee can be quite removed from the actual insider who initially tipped the information, one can see how courts would be reluctant to impose anything other than an actual knowledge requirement for insider trading liability. For corporate insiders, however, a court may feel that constructive knowledge is sufficient given the unique information available to insiders that they can use to potentially piece together what is, in fact, material nonpublic information. Clearly this is the government’s view of what Ying did here. See, e.g., SEC Complaint at para. 33 (“Ying used the information entrusted to him as an Equifax employee to conclude that Equifax was the victim of the breach, and that the ‘breach opportunity’ idea suggesting a client was the victim was merely a cover story.”).

The battle lines are drawn. Stayed tuned to see how it is resolved.