For a company embroiled in one of the nation’s largest data breaches, things have been relatively quiet in recent weeks on the Equifax front.
That has quickly changed with recent revelations that the data breach was worse than first reported, an insider trading charge, and Senate legislation that is both good news and bad for the consumer credit reporting agency.
Late last year, Equifax reported a data breach that may have affected upwards of 143 million U.S. consumers. The breach lasted from mid-May through July, when hackers penetrated a Web-based application and accessed names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. Approximately 209,000 individuals had their credit card numbers stolen.
Among the post-breach slate of bad news is the revelation that the intrusion was worse than expected. Continuing investigations now identify upwards of 2.4 million U.S. consumers whose partial driver’s license information was stolen, but who were not in the previously identified affected population.
Beyond the volume of those affected, another potential scandal revolved around accusations of insider trading. It was revealed that multiple Equifax senior executives, including the company’s Chief Financial Officer, had sold thousands of company shares ahead of the company’s disclosure of the data breach.
Although those executives were not involved, the Securities and Exchange Commission this week charged a former chief information officer of a U.S. business unit of Equifax with insider trading in advance of the company’s September 2017 announcement about the massive data breach.
According to the SEC’s complaint, Jun Ying, who was next in line to be the company’s global CIO, allegedly used confidential information entrusted to him by the company to conclude that Equifax had suffered a serious breach.
The SEC alleges that before Equifax’s public disclosure of the data breach, Ying exercised all of his vested Equifax stock options and then sold the shares, reaping proceeds of nearly $1 million. According to the complaint, by selling before public disclosure of the data breach, Ying avoided more than $117,000 in losses.
“As alleged in our complaint, Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public,” said Richard Best, director of the SEC’s Atlanta Regional Office, in a statement. “Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.”
The U.S. Attorney’s Office for the Northern District of Georgia today announced parallel criminal charges against Ying.
The SEC’s complaint charges Ying with violating the antifraud provisions of the federal securities laws and seeks disgorgement of ill-gotten gains plus interest, penalties, and injunctive relief.
Equifax, in a response, was quick to point out that other executives were not included in the SEC’s charges.
Equifax’s Interim Chief Executive Officer, Paulino Do Rego Barros, Jr., issued the following statement: “Upon learning about Mr. Ying’s August sale of Equifax shares, we launched a review of his trading activity, concluded he violated our company’s trading policies, separated him from the company and reported our findings to government authorities. We are fully cooperating with the DOJ and the SEC, and will continue to do so.”
“We take corporate governance and compliance very seriously, and will not tolerate violations of our policies,” he added, stressing that the government action is unrelated to the four executives who, in November, were found by a Special Committee of the Board not to have engaged in insider trading.
An independent investigation concluded that the four executives fully complied with company policy and were not aware of the cyber-security incident at the time they sold company shares.
Other company-related headlines come courtesy of a Dodd-Frank Act reform bill making its way through the Senate.
The bill includes requirements that credit reporting companies, including Equifax, allow the public to freeze and unfreeze their files for free and provide free credit monitoring for active-duty members of the military. The trade-off: active-duty military members would be prohibited from suing these companies regarding any problems with the free credit monitoring.
Still lingering in legislative limbo is other legislation, proposed by a coalition of Democratic senators. They introduced the Freedom from Equifax Exploitation (FREE) Act, a stated effort “to give control over credit and personal information back to consumers.”
The bill gives consumers more control over their own personal data and prohibits companies like Equifax from charging consumers for freezing and unfreezing access to their credit files.
The Freedom from Equifax Exploitation Act would:
create a uniform, federal process for obtaining and lifting a credit freeze (currently, there is no federal requirement for credit reporting agencies to offer consumers a credit freeze, and consumer rights vary widely depending on which state they live in);
require credit reporting agencies to allow consumers to impose, temporarily lift, or permanently remove a credit freeze for free;
prevent the credit reporting agencies from profiting off the use of consumers’ information for the duration of their credit freeze;
enhance fraud alert protections and allow consumers to request that a fraud alert be included in their credit file if they have suspicion that they were harmed by the unauthorized disclosure of their personal identifying information;
extend the length of the alert from 90 days to one year, which can be renewed for an additional year;
provide for a renewable 7-year fraud alert in the case of identity theft, during the course of which credit reporting agencies are prohibited from including the consumer on a marketing list;
allow consumers to get a refund on any fee credit reporting agencies charged them to impose a credit freeze in the wake of the Equifax breach;
provide the opportunity for consumers to get an additional free credit report; and
force Equifax and the other credit reporting agencies to refund any fees they charged for credit freezes in the wake of the Equifax data breach.
The bill is sponsored by Warren, and Senators Bob Menendez (D-N.J.) and Brian Schatz (D-Hawaii). Original co-sponsors of the legislation include Senators Chris Van Hollen (D-Md.), Kirsten Gillibrand (D-N.Y.), Richard Blumenthal (D-Conn.), Edward J. Markey (D-Mass.), Bernie Sanders (I-Vt.), Ron Wyden (D-Ore.), Richard Durbin (D-Ill.), Jeff Merkley (D-Ore.), and Al Franken (D-Minn.).