The grousing began within 24 hours of Equifax’s announcement, last Thursday, of its massive data breach that compromised personal data of over 140 million U.S. consumers. I’m generally unsympathetic about such complaints (“We’re shocked – SHOCKED – that in a breach affecting 140+ million people, we’re having trouble immediately reaching a live person at the phone bank! And the breach website is not operating smoothly!”). Usually only Louis CK’s masterpiece “Everything’s Amazing – and Nobody’s Happy” can coax me out of my grumpy place.
But as post-announcement events have unfolded, some of the initial criticism appears to have legs:
Arbitration clause with no class
Take the money and run?
Bloomberg reported on 9/7/2017 that regulatory filings indicate three Equifax executives made unscheduled sales of over $1.8 million in company stock and options on 8/1 and 8/2/2017 – a few days after Equifax says it discovered the breach (7/31/2017), yet more than a month before the public announcement. A company spokesperson promptly countered that the three insiders “had no knowledge that an intrusion had occurred at the time.” Co-chairs of the Senate Finance Committee are now pointedly asking Equifax to explain the nature and timing of these sales.
It’s to be expected that Equifax will be under a high-power microscope for its breach response. This was indeed an epic breach, both in scale (4 in 10 American consumers) and scope (the perfect do-it-yourself identity theft kit). More significantly, unlike our relationships with our retailers, banks, and health systems, folks don’t feel they have a relationship of choice with credit bureaus (we’re the product, not the customer). And our feelings about them are clouded by our ambivalence, or frustration, with our credit generally – nearly a third of Americans are dissatisfied with their credit score, and 28 percent doubt that their current score can help them reach their goals.
From the perspective of affected individuals, there are more options than those offered to date by Equifax. You can request and review your credit report for free, once per year (every four months if you alternate between Equifax, Experian, and TransUnion). You can also put a fraud alert on your credit files, which is less drastic than a credit freeze. Diligent review of bank and credit card statements is always prudent, and anytime one’s Social Security number is at risk, filing tax returns early is a good move. And if you want to do more to lock things down, consider the credit freeze option.
Looking at this from the perspective of organizational breach response is different. By analogy, it’s one thing to be a Houston or Jacksonville homeowner reacting to a natural disaster, but another thing entirely to be a mayor, governor, or disaster response official who’s accountable for both disaster preparedness and effective response and recovery. So, how is Equifax doing from that perspective? It looks a bit wobbly out of the blocks, yet Equifax is showing some nimbleness by promptly responding to complaints about website functionality, tripling its call center staff, and rapidly changing course on its irritating arbitration clause.
At this early point, the stock sales by executives are the wildcard. If the allegations prove true, it will indeed be a hot mess.