
Remediation and the Equifax data breach

Tom Fox | September 10, 2017

The Man From FCPA, like some 143 million others in the United States, is now looking at his most sensitive personal and financial data floating through the ether of stolen data after the data breach at Equifax. To say that the breach and the company's response have been sub-optimal would be a very large understatement. Further, the senior executives' sale of company stock shortly after they had knowledge of the breach, but before the information was made public, might seem like a tailor-made case of criminal insider trading. The overall legal liability of the company could be staggering. The largely self-inflicted public relations disaster which has befallen the company is only in its opening stages.

The matter presents many of the differences between the legal function of an organization and the compliance function. Circling the wagons and defending the company is what the legal department exists to do. That is not the function of a corporate compliance program. Whether you accept the three-pronged McNulty's Maxim (What did you do to prevent it? What did you do to detect it? What did you do after you found out about it?) or more of a best practices compliance program, the key difference between compliance and legal is that compliance remedies the problem so that (hopefully) it will not occur again.

The remedy prong is broader than simply fixing a specific problem. It moves toward making the organization whole with a complete solution. Once again, this bumps up against the way in which a legal function handles an issue, which is to withhold information about a problem for fear that the information will be used in litigation or regulatory enforcement against the company. This remedy prong is also prominently mentioned in the Justice Department's FCPA Pilot Program, as the third component a company must engage in to obtain benefits under the Pilot Program.

Equifax has quite a long road to travel over this data breach. Some have called it the worst commercial data breach to date, including those at Target, Sony, and Yahoo. Equifax will need to engage in significant remedial action if it hopes to survive the upcoming fallout from its missteps.