Holding Top Officials and the Auditors Responsible for the Data Breach at Equifax
What Should Government Regulators Do?
In my last blog I examined the bewildering action by the IRS to award a $7.25 million contract to Equifax to verify taxpayer identities and help prevent fraud under a no-bid contract. This is nothing less than rewarding bad behavior. In this blog I look at the role and responsibilities of top company officials and the company’s auditors – Ernst & Young (EY).
The security breach at Equifax could have affected as many as 143 million people. We know the CEO Richard Smith resigned in the aftermath of the chaos that followed. Unanswered questions include whether Smith and other senior executives should return some compensation earned during the period between gaining knowledge of the breach and its public disclosure, or even further back. The government might go after him and others under a “clawback” provision that has been used by the SEC to get top executives to pay back incentive compensation during the period of a financial fraud.
The clawback provision should be used. It’s the right thing to do. It’s an ethical approach to holding top officials accountable for actions that harm the public good. It holds responsible those who knew, or should have known, about the failure to disclose.
The Equifax case is particularly egregious because the company knew about the hack on July 29, but the public wasn’t notified of the problem until September 7. There is a six-week gap between when Equifax discovered the breach and when it alerted the public. The only way to characterize Equifax’s delayed action is as unconscionable. The main ethical question is whether the delayed reporting took place to enable top officials to sell stock ahead of the public disclosure of the data breach – an act of insider trading.
Last month it was announced that the US Department of Justice (DOJ) has opened a criminal investigation into Equifax officials’ stock sales just before the disclosure of the security breach. The DOJ is looking into whether officials dumped nearly $1.8 million in stock just after the company discovered the breach and about a month before it was announced. The company maintains that the three officials didn’t know about the breach when they sold the stock…Seriously?
The Securities and Exchange Commission (SEC) is also looking into the sales to determine if the stock sales constitute insider trading. This is a serious charge because the public expects top officials and public companies to play by the rules and any effort to move the market or take advantage of non-public information breaches the trust between stockholders and management.
External auditors examine financial data and information systems to gather sufficient evidence in order to render an opinion on a client’s financial statements and internal controls, including those designed to provide data security for customers. According to Francine McKenna, writing for MarketWatch, EY was already aware that the SEC had scrutinized Equifax for inadequate disclosures of its cyberrisk and poor disclosure controls. That’s based on correspondence reviewed by MarketWatch between the SEC and the Equifax CEO and CFO dating from 2011 and 2014. McKenna points out that the SEC had questioned Equifax about cyberattack security breaches as far back as 2012 and inadequate disclosures regarding a material weakness in internal controls over financial reporting in 2013.
Addressing EY’s responsibilities, McKenna points out that “before EY even thinks about reviewing and testing the numbers, it must make sure that company executives set the right “tone at the top” about controls, including of its IT [information technology] systems, to ensure Equifax is protecting its biggest asset – the consumer information it sells to banks and other organizations that generates most of its revenues.”
For me, the questions the SEC should ask are: When did EY find out about the breach? What did it know about the nature and extent of the breach? What did it do about it? And did the firm honor its commitment to serve the public interest above all else?
Equifax is under federal investigation by the Federal Trade Commission, a consumer watchdog agency. It’s looking into the hacker attacks on Equifax’s data systems that compromised personal data on nearly half of all U.S. consumers. The Consumer Financial Protection Bureau, the independent consumer watchdog agency created by the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010, is also investigating. Let’s hope these investigations resolve the issues and that the company and its top officials are sanctioned for their irresponsible behavior.
Ironically, in 2015 Forbes ranked Equifax as number 71 out of 100 on its list of The World’s Most Innovative Companies. Forbes might want to revisit the issue in light of the Equifax security breach and failure of its data systems.
Blog posted by Steven Mintz, aka Ethics Sage, on October 10, 2017. Dr. Mintz is a Professor Emeritus from Cal Poly San Luis Obispo. Visit his website to find out more about other blogs, sign up for his Newsletter and learn about his professional services.