Just days after Equifax Inc. discovered it had been hacked, three executives sold off $1.8 million worth of shares, a move that would avoid the price plummet that followed the credit bureau’s public disclosure of one of the largest data breaches in U.S. history.

Equifax has maintained that when the executives made those trades on Aug. 1, they were unaware of the breach, which the company said it learned about on July 29. Still, published reports about the stock sales raise “fundamental questions,” two partners at the law firm Dorsey & Whitney said in an article published Friday at the Harvard Law School Forum on Corporate Governance and Financial Regulation.

“Under Equifax’s insider trading policy, was there a mandatory pre-clearance policy requiring the executives to get approval prior to placing their sell orders? If so, why were the sales approved in light of the existence of a data breach? Did Equifax invoke a blackout period as soon as it knew of the data breach and, if not, why not?” Dorsey & Whitney partners Cam Hoang and Gary Tygesson, both in Minneapolis, said in the article.

Scrutiny of the stock sales is only part of the Atlanta-based company’s problems right now. The Federal Trade Commission said Thursday the agency is investigating the breach, which potentially compromised the sensitive personal information of more than 143 million Americans. Meanwhile, class actions are piling up in federal courts around the country. The company has turned to King & Spalding’s Phyllis Sumner to lead the defense of those lawsuits. 

Here’s a snapshot from the Dorsey & Whitney report about issues surrounding the stock sales, and guidance for companies that are watching how Equifax responds to the cyber breach for any wider lessons about what to do—and perhaps what not to do.

1. Be worried about the U.S. Securities and Exchange Commission, and have a policy in place for trading. This week, a bipartisan group of U.S. senators called on the SEC and the U.S. Department of Justice to “conduct a thorough examination of any unusual trading, including any atypical options trading, for violations of insider trading law.” The Dorsey & Whitney team offered this guidance: “A well-crafted and implemented insider trading policy can help prevent insiders from inadvertently violating these laws and incurring civil and criminal liability, and can protect the company from circumstances that would otherwise result in premature disclosures or ‘control person’ liability.”

2. It’s not just quarterly financial reports that should trigger a trading “blackout.” It is common for companies to prevent directors, executives and others involved in the financial reporting process from trading during a pre-established time period leading up to a quarterly filing.

But companies shouldn’t stop there, Hoang and Tygesson wrote in their article. In addition to restrictions around the time of quarterly filings, they wrote, companies should provide event-specific blackout periods when material nonpublic information—a data breach, for instance—is known internally but not yet disclosed.

Beyond issues with insider trading, any stock sales by employees could force a company to disclose a material event earlier than it would prefer, the Dorsey & Whitney team wrote.

Here’s what Hoang and Tygesson had to say: “The importance of event-specific blackout periods cannot be understated. The anti-fraud provisions of the federal securities laws generally do not impose an affirmative duty on public companies to disclose material inside information unless, among other things, the company or its insiders are trading in the company’s securities. Therefore, trading by insiders essentially forces a company to disclose material inside information at a time when it may be disadvantageous to the company and would not have otherwise been required.”

3. Freshen up on insider-trading compliance protocols. Compliance with insider-trading policies can get tricky. Hoang and Tygesson said companies should name a point person—the general counsel, for instance—to answer any questions. And at least once a year, directors and executives should be reminded about trading restrictions, including the scheduled blackout periods. Those restrictions might also be necessary for consultants and contractors. “Periodic educational sessions for the various classes of individuals subject to the insider trading policy are advisable,” Hoang and Tygesson wrote.