OPINION: It’s time we penalize, not reward, corporate negligence


Does the number 143 million sound familiar? It’s the number of American consumers whose personal and financial data were initially presumed stolen during a months-long data breach at Equifax, one of the three largest credit monitoring firms in the United States. It’s nearly half of all Americans, whose personal data are now thought to be compromised.

What does all of this mean to all of us? Just this: The information stolen was what many companies use to verify customer identities. If your information was involved, you might one day find your bank or brokerage accounts hacked, your debit card drained, your credit cards billed for fraudulent purchases, your credit rating trashed.

By being in the business of tracking the data of millions of people, Equifax and similar firms would seem ethically and legally obliged to safeguard that sensitive information by all reasonable means. That the intrusion shouldn’t have happened is clear, but that it would have happened eventually was just a matter of time — unless it was preventable.

Was it? Let’s look at Equifax’s own timeline, from reported sources:

Early March, 2017: U.S. Computer Emergency Readiness Team identified and disclosed a vulnerability in software supporting Equifax’s online dispute portal. Equifax Security was aware of the vulnerability at the time, and “took efforts to identify and patch any vulnerable systems.”

May 13 to July 30: Equifax “cybersecurity incident” occurred.

July 29: Equifax Security observed suspicious network traffic, and blocked it.

July 30: Equifax Security observed more suspicious activity, and took the affected application offline. Equifax identified a vulnerability in the application, and patched it before bringing it back online.

Aug. 2: Equifax contracted independent cybersecurity firm Mandiant to determine the extent of the intrusion. Over several weeks, Mandiant found the potentially compromised personal information included names, Social Security numbers, birthdates, addresses, and driver’s license numbers of millions of U.S. consumers, plus credit card numbers and other documentation for between 280,000 and 400,000 U.S. consumers.

Sept. 7: Over a month later, Equifax publicly acknowledged the data breach.

Sept. 15: Equifax released these details on the cybersecurity incident, and announced the retirements of its chief information and chief security officers.

Sept. 26: Equifax CEO Richard Smith retired.

What the Equifax release does not mention is a Reuters news report that a patch for the portal vulnerability was available in March, well before the attack, yet no decision was made to apply the patch as a routine preventive measure. Indeed, it wasn’t until two and a half months into the attack that Equifax finally remedied the vulnerability after-the-fact.

Considering this, perhaps it’s time to declare an emergency recall of golden parachutes pending an independent investigation, maybe one or more criminal negligence indictments, and Equifax’s unqualified acceptance of all responsibility, effort, and cost to restore the personal security of every one of those millions of affected individuals. Some might consider this an unfair burden on Equifax. But many more, I think, would agree it’s a reasonable expectation for all companies that collect and store personal data.

S.A. Joyce is one of our regular community contributors.



Reader Comments ...


Next Up in Opinion

Opinion: Billionaires desperately need our help

It is so hard to be a billionaire these days! A new yacht can cost $300 million. And you wouldn’t believe what a pastry chef earns — and if you hire just one, to work weekdays, how can you possibly survive on weekends? The investment income on, say, a $4 billion fortune is a mere $1 million a day, which makes it tough to scrounge by with...
Opinion: Alabamans should do right thing on Roy Moore problem

The allegations and evidence against Senate candidate Roy Moore are piling up to the point of indefensibility. To the Washington Post’s extensively sourced story accusing him of misconduct toward girls as young as 14, recent days have added news of an additional accuser and a report from a retired police officer saying Moore was unofficially...
PERSPECTIVE: The magic of Thanksgiving togetherness

The calm before the rush of Thanksgiving preparation invites reflection. My mom, although extraordinary in matters of the heart, was really not a very good cook. I’m the first to admit her Thanksgiving turkey was a tad dry, and the cauliflower-au-gratin was s bit more watery than Velveeta cheesy. Yet she managed to create the best of what Thanksgiving...
Opinion: Alabama rolls toward a high-stakes skirmish

BIRMINGHAM, Ala. — But for the bomb, the four would be in their 60s, probably grandmothers. Three were 14 and one was 11 in 1963 when the blast killed them in the 16th Street Baptist Church, which is four blocks from the law office of Doug Jones, who then was 9. He was born in May 1954, 13 days before the U.S. Supreme Court’s Brown v. Board...
Opinion: You’re not worried enough about judicial appointments

You are not worried enough. Granted, that may seem a nonsensical claim. Assuming you don’t belong to the tinfoil hat brigades who consider Donald Trump the greatest thing to hit 1600 Pennsylvania Avenue since Abraham Lincoln left for the theater, you’ve spent the last year worrying as much as you know how. There has certainly been no shortage...
More Stories