Ah Equifax. For connoisseurs of human folly, it is truly the gift that keeps on giving.
Today we have a report from Equifax, commissioned by their board, that concludes that those executives that sold their shares just a few short days after the breach were all totally innocent of any wrongdoing. Yes, yes, nothing to see here. It’s all good, they conclude.
From the report:
The Special Committee’s report, which is attached, concludes that “none of the four executives had knowledge of the incident when their trades were made, that preclearance for the four trades was appropriately obtained, that each of the four trades at issue comported with Company policy, and that none of the four executives engaged in insider trading.” As part of the review process, the Special Committee conducted dozens of interviews, and reviewed more than 55,000 documents including emails, text messages, phone logs and other records.
Now, some out there are “calling shenanigans.” I get that. It’s pretty suspicious looking — and we know that their CEO knew about it. So it’s strains credulity that these other folks were clue-free. But, “flat earth” possibility aside, I actually think it’s possible that what the report describes could be the case. I also don’t think that’s great news for Equifax.
Here’s what I mean. Since the beginning of this, I’ve held that there are two options with respect to the stock sales: 1) Equifax has four crooked execs, or 2) Equifax is rife with such epic incompetence that key executives had literally no clue that one of the biggest disclosures of customer data ever took place until long long after the fact. Is the discovery that the answer is “epic incompetence” really all that much better? If the answer was “illegal shenanigans from crooked execs”, they could fire those people, we as a society could send them to jail, and Roberto’s your uncle. As it stands, we have a systemic problem in Equifax that is cultural, systemic, and pervasive.
Why do I say it’s “epic incompetence”? A few reasons. First, the CFO literally was not informed about the breach. Likewise, their internal counsel – who ultimately provided the approval for these transactions in the first place – was out of the loop of this breach. The person whose business line this all impacted (US products)? Also not informed. They all apparently learned about it at the leadership retreat on August 22nd. Must have been a hell of a retreat. Look, I’m not saying that you have to send engraved stationary to everyone in the world when a breach happens — but you would expect something in the way of a notification chain.
Say for the sake of argument that you found out that your company disclosed the most intimate financial information of millions of people. Who would you inform? Who would be on the short list for such a notification? Who would you expect would find out about it within, say, the first month or so? I’m thinking CFO and legal counsel would be up there. Say you were going to have a breach notification exercise. Would you include these folks? I would. Equifax apparently did not. These folks didn’t find out until later – like way, way, way later.
Either way you slice it, it’s not great news for them – or us. Because keep in mind that they are still collecting data on you. They also likely still have major, systemic security issues. Major cultural issues don’t get fixed overnight – so it’ll be a while before their act is fully cleaned up – and in the meantime, data about us continues to be at risk.