Equifax did not immediately respond to calls and emails seeking comment.

Although the stock sales by Equifax executives have prompted concerns, securities regulators have seldom, if ever, brought an insider trading case arising from a data breach. It all comes down to what an executive knew about a breach at the time of a stock sale.

It is not uncommon for information about data breaches to develop over time. Initial reports of a relatively minor breach can be proved wrong with further investigation by a company’s security team. If a corporate executive sold shares before the full extent of the breach was known, the trading might not be deemed to have been material at the time, even though in retrospect it looks especially prescient.

The regulatory environment for credit reporting bureaus like Equifax has been a subject of debate in Congress.

On Thursday, the day the Equifax breach was announced, the House Financial Services Committee was holding hearings about legislation that could reduce accountability for credit bureaus and other companies. One bill, for example, would eliminate punitive damages under the Fair Credit Reporting Act, the main law that governs the three big credit bureaus, according to Chi Chi Wu, a staff lawyer at the National Consumer Law Center. It would also cap statutory and actual damages.

After the breach, senators are looking closer at the company’s operations, like how management dealt with previous security breaches. Among other things, the Senate leaders asked about Equifax’s use of third-party security experts to test its systems — and whether they worked to fix any of the issues that were identified.