Equifax Leaders Blasted Over Handling of Massive Security Breach
Firm stores data on more than 820 million consumers worldwide.
(Bloomberg) -- The Equifax Inc. data breach that may have compromised sensitive information on almost half of the U.S. population has landed the company’s leadership at the center of a tempest.
“This is a Category 5 storm for the board,” said Bart Friedman, a senior counsel at Cahill Gordon & Reindel LLP who advises corporate directors on compliance matters. “If they knew about the breach and waited to make it public, they will be criticized for not exercising appropriate oversight. If they did not know about it, they will be criticized for being out of touch and not demanding the reporting expected of public company management -- let alone a company with Equifax’s mission.”
The credit bureau said Thursday that hackers had accessed information such as birth dates and Social Security numbers for about 143 million U.S. customers, and that it first detected the attack on July 29. Days later, three senior managers including Chief Financial Officer John Gamble sold stock worth almost $1.8 million.
The six-week span between discovery and disclosure, and the timing of the stock sales, are likely to subject the decisions and oversight of the executive team and board of directors to regulatory scrutiny. Equifax maintains data on more than 820 million customers worldwide and protecting that information is central to its mission.
Saturday Shock
The three executives “sold a small percentage” of their stock and “had no knowledge that an intrusion had occurred at the time,” Ines Gutzmer, a spokeswoman for Atlanta-based Equifax, said in an emailed statement late Thursday. She didn’t respond to subsequent requests for comment.
The unauthorized access occurred between mid-May and July, but no suspicious activity has been found in the company’s core credit-reporting databases, Chief Executive Officer Richard Smith said in a video on Equifax’s website.
Because July 29 was a Saturday, it’s possible that the three executives didn’t know about the breach or its severity at the time they sold the stock, Jeff Meuler, a Robert W. Baird & Co. analyst, said Friday in an interview on Bloomberg Television.
Gamble sold shares worth $946,374 on Aug. 1 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099, regulatory filings show. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. Equifax, which closed above $146 on both of those days, tumbled 13 percent to $123.50 at 2:03 p.m. Friday in New York, the biggest intraday drop in almost two decades.
Gamble sold more than 13 percent of his stake in Equifax. Loughran sold 9 percent of his holdings and Ploder disposed of 4 percent.
To run afoul of laws that prohibit insider trading, a seller has to be aware of nonpublic information, said Stephen Crimmins, a former enforcement lawyer for the Securities and Exchange Commission. The executives probably will avoid punishment because the company quickly put out a statement saying they were unaware of the breach. Still, regulators will want to explore how the company handled the sales, Crimmins said.
Signs of a breach should prompt a company’s general counsel to head off stock trades of any kind until the crisis has been resolved and publicly disclosed, said Peter Metzger, a vice chairman at executive recruiting firm DHR International Inc., who specializes in cybersecurity searches.
John J. Kelley, Equifax’s chief legal officer, didn’t reply to messages seeking comment. An SEC spokeswoman declined to comment.
Companies struck by big data breaches usually bring in a small army of outside help long before notifying the public, including lawyers, public relations specialists and consultants adept at managing communications with regulators and law enforcement. They also hire digital forensics firms to determine how and when hackers got in and what data were compromised, a timeline that tends to be scrutinized during litigation.
The SEC doesn’t have specific disclosure requirements for cyber attacks and electronic data breaches. Firms must share such information with investors if it’s significant enough to be considered a “material” event, according to a guidance the SEC released in October 2011.
See also: SEC shouldn’t punish hack victims for acting responsibly
An insufficient response can cost executives their jobs. A 2013 breach that exposed the personal information of tens of millions of Target Corp. shoppers resulted in the resignation of CEO Gregg Steinhafel and Beth Jacob, who was the retailer’s top technology officer. Lawmakers criticized the company for not reacting sooner to warnings from anti-hacking systems.
That might also be the case at Equifax, said DHR’s Metzger.
“This is one of two things -- either a lack of proper oversight and leadership or attempted cover-up,” he said. “Based on the facts as we now know them, it’s clear that there’s got to be changes.”
To contact the reporters on this story: Anders Melin in New York at amelin3@bloomberg.net, Matt Robinson in New York at mrobinson55@bloomberg.net, Michael Riley in Washington at michaelriley@bloomberg.net.
To contact the editors responsible for this story: Alicia Ritcey at aritcey@bloomberg.net, Peter Eichenbaum, Steven Crabill