- Michael E. Kanell The Atlanta Journal-Constitution
Equifax couldn’t protect the personal data of millions of Americans, but the company may yet successfully defend itself.
The massive data breach announced Sept. 7 did untold damage to individual consumers and the nation’s financial system, enough for some experts to take seriously the possibility of a corporate death penalty, but most say the odds favor survival for the Atlanta-based, $3.4 billion-a-year, 9,900-employee firm.
Still, there are precedents — a number of companies have stumbled badly and publicly.
Arthur Andersen, the once-proud accounting giant, was effectively put out of business in 2002 by regulators following its enabling of Enron deceit about its losses. Lehman Bros., which ran out of money after billions of dollars in housing loans went bad, was deemed so important to the financial system in 2008 that it was saved from extinction with a government-shaped takeover.
Then again, companies from Target to Home Depot to Yahoo have suffered massive data breaches and come through the storm virtually unscathed.
What is most harmful to Equifax might be the way the data breach was an attack on its core mission – collecting and protecting data. Unlike the hacking of retailers like Target or Home Depot, where data was collected as part of the business, collecting data at Equifax is the business.
It is still too early to predict which path Equifax will take, said Humayun Zafar, professor of information security at Kennesaw State University. “Each of those is a potential outcome and you could argue for any of the options.”
Wall Street seems to be betting that the company will be damaged, but survive.
For starters, Equifax is the biggest component in a sector that is essential to the financial system – a gatekeeper and judge for billions of dollars in loans each week. Without the credit agencies, consumers might not get car loans and mortgages: Lenders need the agencies to look at the data and tell them whether their loans are likely to be repaid.
Anti-trust concerns make a takeover by a rival unlikely. Moreover, unlike Andersen with Enron, Equifax actions – at least so far – have not shown a habitual disregard for the truth.
Just a reluctance to say it out loud: the breach apparently took place in May and was discovered by Equifax in late July. The company finally announced the problem in September. During the next six trading days, Equifax stock plunged 35 percent. Since then, shares have bounced back, but are still 23 percent off that previous level.
While the public has become used to news of data breaches, the information pouring out of Equifax was deeper, more personal and more long-lasting than accounts stolen from retailers. And its management of the crisis was clumsy at best.
Consumers were not told of the problem until months after their personal data had been compromised. Then they found out that three top executives had sold nearly $2 million in stock early August day, around the time the company told the FBI of the breach.
In contrast, companies like Home Depot and Target were quicker to announce data breaches and offer consumers free credit monitoring, Zafar said. “Target’s handling of its problem was textbook. It was exactly as you’d want to handle things. Equifax was also textbook. As in, this is what you should not do.”
The company was warned by the Department of Homeland Security in early March of a vulnerability in its software. A fix was suggested, but Equifax did not make the fix. The database was apparently breached later that month, although the company was unaware of the attack until July.
Equifax notified the FBI in August and announced the breach publicly a month later.
Equifax set itself on a dangerous, potentially self-damaging course right at the start, said Carol Cookerly, president of Cookerly Public Relations & Marketing, who said she has not worked for Equifax, but has advised many other companies on handling a crisis.
“Probably the single most damaging aspect of a crisis is when the company doesn’t realize its responsibility or think it’s responsible,” she said. “Any kind of evasion means that the politicians and regulators and public will double down on their pursuit of you.”
But she thinks the company’s recent efforts to make amends— the willingness to accept responsibility, and the offering a year of free credit monitoring — give it a good chance of repairing the damage, perhaps within a few months. She compared the crisis to a horse race.
“It doesn’t matter if they stumble coming out of the gate, it matters what happens in the last furlong,” Cookerly said.
After the first wave of angry reaction, the company announced the retirement of two executives.
CEO Richard Smith also retired.
Other factors – besides the company’s upgraded approach – also seem to point at a much more positive endgame for Equifax.
“It’s a very tempting comparison, but there are important differences between Andersen and Equifax,” said Kevin Crowley, adjunct professor at Emory’s Goizueta Business School and former investment banker. “I don’t see it playing out the way Arthur Andersen did.”
But regulators and Congress have barely started scrutiny of Equifax. There are also lawsuits in the works – potentially including damage and payment to 145 million plaintiffs.
Equifax no-doubt has insurance, but not necessarily enough to cover all judgments, Crowley said. “What is unknown is what the cost of all this will be.”
Those uncertainties hold back many of those who might take a hand in the fate of Equifax, especially big investors and other huge financial companies, he said. “There are just too many things in motion.”
That is a “seismic” event, said Campbell Harvey, finance professor at Duke University’s Fuqua School of Business. “How viable is their business model, when the model depends on trust? The information they have is highly confidential, so people need to be able to trust them. And now, they can’t.”
There are developing technologies that might provide better security, he said.
But in the meantime, pretty much every company with a database – that is, every company – faces the same question.
So ultimately, the fate of Equifax really can’t be separated from larger questions about the way the United States handles and protects data, Harvey said. “How many times are these giant company breaches going to happen before we actually do something about it?”