Peter J. Henning of the New York Times has reported that It’s a bad week when one senator says that “somebody needs to go to jail” for selling shares in your company before it disclosed a massive data breach, and another asserts that the episode was “one of the most egregious examples of corporate malfeasances since Enron.”
The hacking into Equifax’s trove of consumer and financial data that exposed the sensitive personal information of as many as 143 million Americans leads naturally to the question of the legal consequences the company and its executives might face. The answer, for those who remember the government’s response to the financial crisis, will be as familiar as it is unwelcome: not much.
That seems outrageous when so many individuals may see their identities stolen because of a company’s failure to ensure the safety of its primary product. But Equifax operates in a sphere with minimal government regulation, and its conduct is unlikely to trigger a criminal prosecution of the company or any of its executives.
The worst anyone connected with Equifax may end up facing is a tongue-lashing from Congress — many hearings are already scheduled — except for the outside chance that the aggrieved public gets its own day in court. But that could be years from now.
Unlike the banks that packaged and sold risky securities and derivatives, leading to the meltdown in the financial markets nine years ago, Equifax is a victim, not a perpetrator. Frustrating as it may be in this case, we usually don’t blame the victim of a theft for allowing it to happen — even if you go into a bad neighborhood late at night. And the usual tools that federal prosecutors use to go after companies for misconduct — most notably the mail fraud and wire fraud statutes — do not apply because Equifax did not actively mislead anyone about the hacking.
Although the company was accused of “malfeasances” (by Senator Chuck Schumer, Democrat of New York), it appears more likely that it was a matter of nonfeasance: Equifax did not properly install a security patch to open-source software it had used, even though it was available weeks before the hackers exploited the flaw.
That failure may well have been negligent, but that level of intent is rarely the basis for prosecuting white-collar offenses. Negligence is used regularly only in federal criminal prosecutions for food and drug safety problems and environmental contaminations.
The claim that someone needs to be put in jail (by Senator Heidi Heitkamp, Democrat of North Dakota) was related to stock sales by three Equifax executives, including the chief financial officer, on Aug. 1, just a few days after the company became aware of the security breach. The Justice Department confirmed that it is investigating for possible criminal insider trading, but it is unclear what any of the executives knew about the hacking when they sold the shares.
Although the timing of the stock sales certainly looks suspicious, it may be that the executives did not know the extent or severity of the hacking, and therefore did not trade on material nonpublic information, a central requirement for pursuing a case.
On the regulatory side, Equifax and its two main competitors, TransUnion and Experian, come within the purview of the Federal Trade Commission and the Consumer Financial Protection Bureau. But the likelihood of significant civil penalties for Equifax for any violations is small, and perhaps nonexistent. The F.T.C., which broke with tradition by publicly confirming that it had launched an investigation of Equifax, cannot hit companies with heavy fines, at least for a first offense. And the C.F.P.B. has limited power to impose penalties because it deals primarily with misleading information or products provided to consumers.
A number of state attorneys general have opened investigations into the hacking, and Massachusetts filed a lawsuit seeking civil penalties from Equifax for not protecting sensitive information. These types of claims are often limited to the actual harm caused to consumers in a state, something that might take months or years to manifest.
Equifax is a publicly traded company, so the Securities and Exchange Commission could investigate whether it had improperly delayed disclosing the security breach by waiting almost six weeks before informing the public. The rules for when a company must disclose material information are imprecise at best, however, and the company’s efforts to identify the scope of the breach may give it some cover. So the delay, while frustrating to those put at risk, might not violate securities laws.
Even if regulators pursue a civil enforcement action against the company, Equifax executives and directors will probably escape any claims against them. Bank executives and directors can be suspended or removed from their positions for unsafe and unsound practices, but the credit bureaus are not subject to those regulations despite the crucial role they play in the financial system.
Equifax has an incentive compensation clawback policy that allows the company to reclaim bonuses and other awards to management, but it applies only “in the event of a material restatement of the company’s financial results.” The hacking did not involve any financial misstatement, and even if the company could reclaim compensation, any amount would likely be minuscule, given that the breach took place only over several weeks.
The data breach appears to have cost two executives their jobs when Equifax announced on Friday that its chief information officer and chief security officer were retiring immediately. They will not lose any of their past compensation, and should get to enjoy the benefits accrued from their tenure in senior management.
With executives at Equifax unlikely to face criminal charges and regulators largely handcuffed, civil remedies may be the only avenue for redress.
Equifax shareholders have paid a steep price; the company’s stock has lost over one-third of its value. But they are unlikely to win a claim for damages for breach of the corporate duty of due care unless there was a complete breakdown in how the company operated that allowed for the hacking.
Equifax is incorporated in Georgia, and the Georgia Supreme Court explained in Federal Deposit Insurance Corporation v. Loudermilk that directors and management are not liable for damages unless they acted “without deliberation, without the requisite diligence to ascertain and assess the facts and circumstances upon which the decisions are based, or in bad faith.”
The last glimmer of hope, then, may be a class-action lawsuit against Equifax for violating the Fair Credit Reporting Act, claiming that the company failed to safeguard consumer records. Unlike other consumer complaints, the law allows for punitive damages against a company for a violation, along with any actual damages and attorney’s fees, potentially exposing Equifax to a significant award.
Dozens of class-action lawsuits, all seeking punitive damages, have been filed against the company for failing to protect consumer information. The usual procedure is to consolidate the complaints filed across the country before one federal district judge to conduct the preliminary proceedings, which itself can take months to sort out as the lawyers for the plaintiffs fight over who gets to lead the litigation.
Equifax faces a tidal wave of claims, but none will see the inside of a courtroom for months, if not years, especially if the company successfully argues that the claims must be pursued individually rather than as a class action. We can expect a settlement at some point once the preliminary issues are resolved, but even if the total sum tops $1 billion, that might mean individual recoveries of just a few dollars each.
There may be some solace here: The same day that Equifax disclosed the breach, Sept. 7, a House Financial Services subcommittee held a hearing on the F.C.R.A. Liability Harmonization Act, which would preclude punitive damages for violating the statute, a bill the company supported. The chances of the legislation’s passing in light of the hacking appear to be negligible now.
But those looking for some type of criminal prosecution — or even just a regulatory penalty — for the company and its executives will probably be sorely disappointed.