Friday, September 15, 2017

EFX execs' untimely stock sales draw heightened scrutiny

By now everyone's aware of the Equifax (EFX) data - or security - breach in which hackers accessed the personal information (i.e., names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers) of up to 143 million people in the U.S., per the press release attached to the company's 8-K filed with the SEC on September 7. The unidentified culprits also stole credit card numbers for about 209,000 U.S. customers and "personal identifying information" for 182,000 Americans; the company has not explained how this latter information differs from the aforementioned personal information. The company also revealed that unspecified numbers of U.K. and Canada residents had "limited personal information" compromised. (The company subsequently divulged that 400,000 U.K. customers may have also had their data compromised.)

According to Equifax, I'm one of those whose "personal information may have been impacted by this incident." If you haven't yet checked for yourself, you can do so by visiting this website set up by Equifax and entering your last name and the last six digits of your Social Security number.

The breach lasted from mid-May through July. The company discovered the hack on July 29 and informed the public on September 7. The breach was traced to Apache Struts, a tool used to build web applications. Equifax utilized it to support its online dispute portal, where customers go to log issues with their credit reports. The company admitted that its personnel were aware of the security vulnerability a full two months before the hackers first accessed customer data.

Unsurprisingly, a wave of investigations and lawsuits has been unleashed by the debacle that has affected so many. "The [Federal Trade Commission] typically does not comment on ongoing investigations," Peter Kaplan, the FTC's acting director of public affairs, said in a statement. "However, in the light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach." The attorney general of Massachusetts, Maura Healey, said she intends to file the first state lawsuit over the breach of customer data. U.S. Rep. Jeb Hensarling (R-TX), chairman of the House Financial Services Committee, has indicated that preparations are underway to hold congressional hearings on the matter. Not to be outdone, Senate Minority Leader Chuck Schumer (D-NY) compared Equifax to Enron, the eponymous company brought down by an accounting fraud scandal.

Along with Experian (LON: EXPN) and TransUnion (TRU), Equifax is a major credit reporting bureau that collects and maintains consumer credit information and resells the data mainly in the form of credit reports. While Equifax has been publicly traded since 1978 and Experian since 2006, TransUnion only went public in 2015. Because of the often determinative impact of credit scores in the financial lives of Americans, and because the bureaus "don't care, because they don't have to," Bloomberg's Joe Nocera says that, at a minimum, the government needs to create incentives that would reward the companies for accuracy, customer service, and ironclad data security. If that doesn't do the trick, he proposes a "radical and sensible" solution: treat the three companies like public utilities. The companies would remain publicly traded but would be overseen by a government regulator that would set performance standards for accuracy, data security, etc., and would be empowered to restrict dividends and executive compensation for failing to measure up.

As if that's not enough, according to SEC Form 4 filings, three senior EFX executives sold shares worth approximately $1.8 million three days after the company discovered the security breach. Company spokeswoman Ines Gutzmer said they "had no knowledge that an intrusion had occurred at the time" and only "sold a small percentage of their Equifax shares." On August 1, Chief Financial Officer John Gamble sold just over 13 percent of his shares worth $946,347, president of U.S. information solutions Joseph Loughran sold 9 percent of his shares (in conjunction with an option exercise) worth $584,099, and president of workforce solutions Rodolfo Ploder sold 4 percent of his shares worth $250,458. The filings do not indicate that these were transactions pursuant to Rule 10b5-1 plans, by which executives can sell a predetermined number of shares at a predetermined time.

Given the foreseeable reverberations of selling shares while cognizant of adverse - or explosive - non-public information, it's hard to fathom executives nonetheless proceeding with the transactions under such circumstances.  We're likely to find out, though, because a bipartisan group of 36 senators sent a letter urging the FTC, the Department of Justice and the Securities and Exchange Commission to investigate the company over the executives' early-August stock sales.  Having worked at MSCI/ISS, I'm rather familiar with the intricacies of an elaborate system of option exercise blackout periods, share trading windows, preclearance requirements, and the like.  In the midst of dealing with the fallout of the massive customer data breach, temporarily tightening prohibitions on executive stock sales was probably the last thing on their minds in the C-suite.  But, at the very least, the transactions aren't helping with optics in the light of the mounting damage to customer relationships, company and industry reputation and, potentially, the bottom line.

Robert Stead
