OPINION: It’s time we penalize, not reward, corporate negligence


Does the number 143 million sound familiar? It’s the number of American consumers whose personal and financial data were initially presumed stolen during a months-long data breach at Equifax, one of the three largest credit monitoring firms in the United States. It’s nearly half of all Americans, whose personal data are now thought to be compromised.

What does all of this mean to all of us? Just this: The information stolen was what many companies use to verify customer identities. If your information was involved, you might one day find your bank or brokerage accounts hacked, your debit card drained, your credit cards billed for fraudulent purchases, your credit rating trashed.

By being in the business of tracking the data of millions of people, Equifax and similar firms would seem ethically and legally obliged to safeguard that sensitive information by all reasonable means. That the intrusion shouldn’t have happened is clear, but that it would have happened eventually was just a matter of time — unless it was preventable.

Was it? Let’s look at Equifax’s own timeline, from reported sources:

Early March, 2017: U.S. Computer Emergency Readiness Team identified and disclosed a vulnerability in software supporting Equifax’s online dispute portal. Equifax Security was aware of the vulnerability at the time, and “took efforts to identify and patch any vulnerable systems.”

May 13 to July 30: Equifax “cybersecurity incident” occurred.

July 29: Equifax Security observed suspicious network traffic, and blocked it.

July 30: Equifax Security observed more suspicious activity, and took the affected application offline. Equifax identified a vulnerability in the application, and patched it before bringing it back online.

Aug. 2: Equifax contracted independent cybersecurity firm Mandiant to determine the extent of the intrusion. Over several weeks, Mandiant found the potentially compromised personal information included names, Social Security numbers, birthdates, addresses, and driver’s license numbers of millions of U.S. consumers, plus credit card numbers and other documentation for between 280,000 and 400,000 U.S. consumers.

Sept. 7: Over a month later, Equifax publicly acknowledged the data breach.

Sept. 15: Equifax released these details on the cybersecurity incident, and announced the retirements of its chief information and chief security officers.

Sept. 26: Equifax CEO Richard Smith retired.

What the Equifax release does not mention is a Reuters news report that a patch for the portal vulnerability was available in March, well before the attack, yet no decision was made to apply the patch as a routine preventive measure. Indeed, it wasn’t until two and a half months into the attack that Equifax finally remedied the vulnerability after-the-fact.

Considering this, perhaps it’s time to declare an emergency recall of golden parachutes pending an independent investigation, maybe one or more criminal negligence indictments, and Equifax’s unqualified acceptance of all responsibility, effort, and cost to restore the personal security of every one of those millions of affected individuals. Some might consider this an unfair burden on Equifax. But many more, I think, would agree it’s a reasonable expectation for all companies that collect and store personal data.

S.A. Joyce is one of our regular community contributors.



Reader Comments ...


Next Up in Opinion

Opinion: Trump and the invasion of the West

“It is cruel. It is immoral. And it breaks my heart,” says former first lady Laura Bush of the Trump administration policy of “zero tolerance,” under which the children of illegal migrants are being detained apart from their parents. “We need to be … a country that governs with a heart,” says first lady Melania...
Opinion: GOP moderates fold to Trumpism

WASHINGTON — “Moderate Republicans are the people who are there when you don’t need them.” It was one of former Rep. Barney Frank’s many devastating zingers, and it certainly applies to the fiasco unfolding in the House of Representatives on immigration. A headline last week on Roll Call’s website might have been...
Opinion: Why only answer is to break up biggest Wall Street banks

Federal bank regulators are proposing to allow Wall Street more freedom to make riskier bets with federally insured bank deposits — such as the money in your checking and savings accounts. Watch your wallets. The new proposal waters down the so-called “Volcker Rule” (named after former Federal Reserve Chairman Paul Volcker, who proposed...
Opinion: Pruitt, Carson trapped by the trappings of power

It’s not an iron law that power corrupts. But it’s often a good way to bet. The interesting question is: Why does power corrupt so many people? The way I see it, power — money, fame, celebrity, authority or some mix of them all — lowers the cost of indulging human nature. This is one of the central reasons elites wreak such...
Opinion: Trump’s new world order: America first — and him, too

Even critics of President Donald Trump, like me, breathed sighs of cautious relief after he managed to meet with leaders of the G-7 and North Korea without starting World War III. Yet, in characteristic fashion, even that low bar was not enough for Trump. “(E)verybody can now feel much safer than the day I took office,” and “There...
More Stories