So, let’s say we all owned chickens. And we were required, as a condition of conducting commerce, to keep all our chickens in one giant hen house. And, then, a fox simply strolled in and helped himself to all the birds he could eat. And then, the farmer responsible for the hen house hid the carnage from us. Who should be held accountable for such a fiasco? The chicken farmer, of course. And he should pay a steep price for his negligence.
That’s how I feel about the recent Equifax data breach. The credit-checking company, which holds sensitive data on over 140 million people, suffered one of the worst data breaches in history, and then tried to hide the damage.
Equifax discovered the data theft on July 29th but kept the breach secret for over a month, finally disclosing it in an 8-K filing, an SEC document that public companies are required to file when they experience a “material event.”
It gets worse. While Equifax was sitting on this information, its CFO sold shares. The company has denied that he knew about the still-secret breach when he dumped that stock. But we may not be at the end of that story.
In a final bit of ineptitude, Equifax asked customers to use their Social Security numbers to check the company’s website to see if they were affected by the data theft. Oh, and when customers went to the Equifax site to do so, it was way too easy for them to unintentionally agree to settle their grievances through arbitration, rather than a class-action lawsuit.
All very sketchy.
Equifax’s failure to safeguard customer data, and report that loss promptly, should bring down the wrath of consumers and government alike.
The data breach by itself may be a violation of the Federal Trade Commission Act. The FTC should be aggressively looking into the case. If it needs a nudge to get started, that will likely come from Congress, where plans for a hearing on the matter are already in the works, led by Rep. Maxine Waters, a California Democrat.
One issue that may be addressed in those hearings is that companies are not currently specifically required to file an 8-K in the wake of a data breach, no matter how serious. Such events aren’t considered “material adverse events.” Yet.
Equifax shareholders should also be furious and looking to take action. Management’s handling of this event clearly put their investments in the company at risk. A Securities and Exchange Commission investigation into the CFO’s stock sale would seem likely. That’s no good for a stock’s price.
Consumers should also be looking for redress. If we want to employ credit and otherwise fully participate in the modern economy, we have no choice but to trust our most sensitive financial data to credit bureaus like Equifax. We have a right to know that data is safe – and to be told when it’s been stolen.
Two Oregon residents recently filed suit against Equifax saying that it was negligent with their information and that if it had invested more in security none of this would’ve happened.
The suit is based on the Financial Services Modernization Act of 1999, or the Gramm-Leach-Bliley Act (GLBA), which regulates how financial-services institutions use and guard customers’ information, and relevant Oregon law. Violation of the GLBA can result in fines of up to $100,000 per violation and five years in prison for those found responsible. The Oregon law says financial institutions must “notify the consumer in the most expeditious manner possible” when a data breach occurs.
Credit bureaus are crucial to the operation of our consumer economy. We must be able to trust them. Let’s hope the Equifax investigations and lawsuits lead to improvements and increased confidence in credit bureaus and all financial institutions.