Equifax Executives Resign Without Charge

After an estimated 143 million Americans' personal information was accessed by hackers targeting Equifax Inc., its chief information officer and chief security officer are stepping down.

Equifax said recently that Chief Information Officer David Webb and Chief Security Officer Susan Mauldin had departed. They've been replaced by current international IT chief Mark Rohrwasser as interim chief information officer and Russ Ayres, a vice president in Equifax's IT operation, as interim chief security officer.

Background

Picture a factory gushing pollution into a nearby waterway. Now, imagine the factory’s executives knew a giant leak was likely but did nothing to prevent it. Finally, think of those same executives waiting weeks to warn anyone of the spill, and then bungling the clean-up efforts, after first trying to profit from them.

If all this happened, the company responsible would face criminal fines and its executives would likely end up in prison.

That's why Equifax and its leadership team can count themselves lucky they’re in the data business. Even though their incompetence and foot-dragging compromised the security of over 140 million Americans, they're beyond the reach of criminal law.

Equifax may face class action suits and a FTC investigation, but the worst that can happen to individual executives is they will have to resign (two already have), probably with a tidy payout on their way out.

Executives should Catch-Up

It doesn’t have to be this way. According to Jesse Eisinger, author of a recent book about white collar crime, there’s ample precedent for corporate executives going to jail for negligence. In an interview with Fortune, Eisinger pointed to a rule called the “responsible corporate officer” doctrine, which prosecutors can use to charge executives whose lack of oversight endangers the public welfare.

The catch, though, is the “responsible officer” rule has only been deployed in cases involving food, drugs or the environment. Examples include executives who received criminal penalties over mislabeled oxycontin shipments, and whose negligence led to salmonella-tainted eggs.

According to David Frulla, a regulatory lawyer at Kelley Drye, prosecutors can only bring responsible officer charges in respect to a specific law, such as the FDCA, that provides criminal penalties for violators. They can't simply charge Equifax executives for general incompetence.

Right now, there's no such federal law when it comes to personal data. But there probably should be given the clear public harm that occurs after major data breaches, including the Equifax hack, which has been widely described as the worst in history.

In the case of Equifax, hackers plundered not only the name and Social Security numbers of more than 100 million people but, in many cases, their phone numbers and home addresses (past and present) as well. Those who paid for Equifax’s credit monitoring service also had their credit card information stolen.

All of that data is already for sale in dark corners of the Internet, and is going to lead to a spate of scams and identity thefts that will haunt people for years. Meanwhile, the website Equifax set up to help consumers find out if they had been breached has also been found vulnerable to hackers, and critics are accusing the company of using the breach to tout paid ID Theft products. Some sort of punishment is clearly in order.

Many people in cyber-security circles caution that shaming corporate hacking victims is not a good idea because companies will be less forthcoming about data breaches. This reasoning is not convincing in the case of Equifax, however. The company’s whole business revolves around personal data, their failure to protect it should mean public disgrace.

Equifax executives behaved with brazen carelessness, storing the data in a way that made it easy for hackers to try and steal it. Eventually, the hackers broke in because Equifax failed to update a critical piece of software, even though a patch had been available for months.

It’s poor practice, these days, for consumers not to update the software on their home devices. For a giant corporation to ignore software updates is simply reckless, and even more so when that corporation’s core business involves consumer data.

Equifax executives will nonetheless face no legal consequences for this debacle (other than three officers who could face charges for selling stock before the breach was disclosed). The US right now just doesn’t have the laws to hold them accountable. Meanwhile, CEO Richard Smith will probably keep the $68.9 million he's made from selling the company's shares since 2016.

This could change, however, if US Senators Orrin Hatch and Ron Wyden are serious about getting to the bottom of the Equinox breach. Their proposed investigation should seek to identify who at Equifax was responsible for the breach, and also propose ways for this not to happen again.

According to Sam Buell, who teaches corporate criminal law at Duke University School of Law, scandals like the Equifax affair often trigger public conversations that lead to new regulatory oversight.

"There's a good argument this is one of those industries where there’s a need for a higher standard or the pain of criminal punishment. When you’re in a business that has the potential to do this scale of harm, you have a duty of care for your product that could be covered by criminal law."

Consumers would no doubt agree. The time is rapidly coming when executives should be held to the same standard for protecting personal data as they do for the environment or the food supply.

Fortune:      The Street:

You MIght Also Read:

Disastrous Equifax Breach Exposes 44% Of The US Population:

Threat Lessons from Sony and Anthem:

 

« Transforming Your Database
Preventing The Hacked AI Apocalypse »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

IGX Global

IGX Global

IGX Global is a provider of information network and security integration services and products.

Antiy Labs

Antiy Labs

Antiy Labs is a vender of antivirus engine and solution, providing the best-in-breed antivirus engine and next generation antivirus services for confronting PC malware and mobile malware.

StormWall

StormWall

StormWall is an Anti-DDoS protection service for websites and networks. We offer 100% protection from all types of DDoS attacks and 24/7 technical support.

Information System Security Directorate (ISSD) - Afghanistan

Information System Security Directorate (ISSD) - Afghanistan

Information System Security Directorate (ISSD) is the Directorate of MCIT responsible for the security of critical information infrastructures in Afghanistan.

National Centre for Cyber Security (NCCS) - Pakistan

National Centre for Cyber Security (NCCS) - Pakistan

National Centre for Cyber Security (NCCS) undertakes cyber security research and plays a leading role in securing Pakistan’s Cyberspace.

ThreatGen

ThreatGen

ThreatGEN™ works with your team to improve your resiliency and industrial cybersecurity capabilities through an innovative and modernized approach to training and services.

Kiuwan

Kiuwan

Kiuwan provide software security solutions with SAST and SCA source-code analysis that fit into your DevOps process.

Spamhaus

Spamhaus

Spamhaus is the world leader in supplying realtime highly accurate threat intelligence to the Internet's major networks.

CISO Global

CISO Global

CISO Global (formerly Cerberus Sentinel) are on a mission to demystify and accelerate our clients’ journey to cyber resilience, empowering organizations to securely grow, operate, and innovate.

riskmethods

riskmethods

riskmethods helps you proactively identify, assess and mitigate supply chain risk. You need to master supply chain risk management—we can help.

Cyber Security Cooperative Research Centre (CSCRC)

Cyber Security Cooperative Research Centre (CSCRC)

The CSCRC provides frank and fearless research and in-depth analysis of cyber security systems, the cyber ecosystem and cyber threats.

Accedian

Accedian

Accedian is a leader in performance analytics and end user experience solutions, dedicated to providing our customers with the ability to assure their digital infrastructure.

Telstra

Telstra

Telstra is one of the world's leading telecommunications and technology companies, offering a wider range of services from networks and cloud solutions to mobility and enterprise collaboration tools.

RSK Cyber Security

RSK Cyber Security

RSK Cyber Security are a leading cyber security services company that uses services, consulting, and product knowledge to lower security risk across the board.

Positiwise Software Pvt Ltd

Positiwise Software Pvt Ltd

Positiwise Software offers end-to-end software development solutions to accelerate the digital growth of businesses.

Neosoft

Neosoft

Néosoft is an independent digital transformation consulting group with expertise in Consulting & Agility, Cybersecurity, Data, DevOps, Infrastructure & Cloud and Software Engineering.