The Equifax breach is a monstrous screw-up, and the company’s handling of the crisis is a dark comedy of incompetence, parsimony, and perhaps malfeasance.
Like other companies that have leaked consumers’ personal information, Equifax has trotted out its CEO to mouth the words from the bible of public relations (Book of Breaches chapter 1, verses three to five):
The company is very sorry. The company takes this incident seriously. The privacy and security of consumer data is among our highest priorities. The company will do everything it can to make this right.
It all sounds very sincere. But if Equifax really wants to demonstrate that the organization takes this incident seriously and that it is taking steps to improve data protection, it needs to fire the CEO.
1. The company failed to protect its core business assets
Equifax traffics in—and profits from—highly sensitive consumer financial information. This information is the core of the company’s business and the source of its profits.
Yet the company spectacularly failed to protect these assets. This failure opens the company to significant financial and legal repercussions including fines, class action lawsuits, shareholder lawsuits, and increased regulatory oversight.
2. Equifax has exposed consumers to serious risk
The stolen data includes names, addresses, Social Security numbers, and other information that can be used to perpetrate identity theft against consumers.
Identity thieves can open credit card accounts, take out loans, file false tax returns, and engage in other acts that can cause significant damage to victims.
For consumers who are impacted by identity theft, it can take months of effort to recover, including tracking credit activity, filing police reports, disputing charges, freezing credit (often at a charge to the consumer), and other steps.
3. Equifax has a history of poor security
Equifax has a poor track record when it comes to protecting consumer information. In May 2016, attackers stole tax data from Equifax’s W-2Express service. Tax records were once again the target of attackers who pilfered data from an Equifax subsidiary called TALX—a breach announced earlier this year.
And as an article in Forbes notes, independent security researchers have been warning about Web vulnerabilities such as cross-site scripting on Equifax sites since 2016.
That same article also cites other security incidents as far back as 2013.
All of these security lapses occurred under the leadership of Rick Smith, who has been chief executive of the company since 2005.
What’s particularly galling about this exposure is how little choice or power consumers have when it comes to having our data collected and stored by credit ratings agencies. If you want to participate in the modern financial system (open a credit card, get a car loan, take out a mortgage, and so on) then you are enmeshed.
As Equifax explains in a post on its Web site, consumer financial data ends up in Equifax’s possession via banks, credit unions, and other lenders that share it with the credit ratings agencies. Equifax also purchases public records that contain consumer information, including “bankruptcies, tax liens, and judgments.”
In other words, our information is the product around which credit ratings agencies build their business–whether we want them to or not.
Time To Go
Mr. Smith has not demonstrated the leadership necessary to protect consumers’ critical data.
If Equifax’s board members are serious about security and risk management, they should fire Mr. Smith. Investors should advocate for his removal.
Setting aside any moral imperative Equifax might have to be a good steward of the most sensitive financial information it collects on millions of people (and I believe it does have such an imperative), it should be clear to those focused on the bottom line that Mr. Smith is endangering the engine that drives Equifax’s business.
Firing the chief executive will send a clear and necessary signal to the organization, and the industry at large, that the protection of consumers’ critical financial information is actually a priority, and not just an exercise in lip service.