Equifax execs skedaddle as Congress, FTC threaten action

Also known as getting out while the getting’s good. Two top Equifax executives have retired, the company announced, after a massive data breach that impacted over 140 million Americans. The chief information officer and the top security executive have both left, but that may not be enough to forestall Congress or the Federal Trade Commission:

A week after Equifax disclosed it suffered a massive data breach that may have compromised sensitive information belonging to 143 million people, the credit reporting agency’s chief information officer, David Webb, and chief security officer, Susan Mauldin, are retiring, effective immediately, the company said in a statement Friday evening.

The sudden departures come as Equifax has been the target of intense criticism over the lapses in security that led to the hack and the way the company has handled the aftermath. …

At least two congressional hearings on the Equifax breach have been announced. The first scheduled panel will take place on Oct. 3, when Smith is expected to testify. A bipartisan group of 36 senators have asked the Justice Department and the U.S. Securities and Exchange Commission to investigate reports Equifax executives sold stock after learning about the breach but before it was made public. The Federal Trade Commission took the unusual step of announcing it is conducting a probe into the Equifax breach.

The FTC announced its probe on Thursday, ahead of the Friday news dump from Equifax over the “retirement” of the two execs who presumably had the most responsibility for information security. The Consumer Financial Protection Bureau has also indicated that it will conduct some sort of investigation, but that raises some questions about what exactly it will be investigating. It’s not likely to be the hack itself; that will fall under the FBI’s jurisdiction, and they’re not likely to comment on it.

Both the FTC and the CFPB have authority to probe criminal fraud by commercial entities, in sales and lending respectively, but it’s a stretch to use that for any jurisdiction in this case. One can maybe make a case that Equifax defrauded consumers in both credit and sales through its reassurances of security, but that ultimately transforms a victim of a hack into a perpetrator, which will limit the company’s ability to cooperate in catching the real perpetrators. In this case, they’ll likely be probing Equifax’s attempts to corral consumers into its TrustedID program while keeping the lawsuit waiver buried deep in the fine print, and the fumbling manner in which the sign-up process took place. (Full disclosure: my records were among those exposed, and it took several days for the TrustedID sign-up process to work properly.)

The biggest risk for Equifax might be an SEC probe. Several executives sold significant amounts of Equifax stock shortly after the company discovered the intrusion but well before the hack was made public. Equifax claims that the three executives had no knowledge of the situation, but the SEC might take a very keen interest in e-mails and subpoenas, especially with Congress breathing down their neck. That might make for a few more “retirements” in the coming weeks.

The Congressional hearings will likely produce more legislation on data privacy, the Washington Post predicted on Thursday. Or maybe not:

The FTC’s move could provide momentum for Congress to act on data privacy legislation. While advocates and elected officials have long pushed for laws to protect consumers against data breaches, such efforts in recent years have stalled. But some say the scope of Equifax’s breach, and the company’s handling of the aftermath, will finally prompt a reaction from Washington.

“I don’t think this is just going to quickly disappear with a couple of hearings on Capitol Hill,” said Gene Kimmelman, president of the consumer group Public Knowledge. “This is a little like Three Mile Island. You can’t put the genie back in the bottle.” …

Some are skeptical, however, that even a massive and egregious lapse of security affecting almost half the population will lead to congressional action.

“There will be hearings, yes. But as with everything in Washington, it’s easier to stop something than to make something happen, and there are a lot of people who have doubts to any remedy that might be proposed,” said Stewart Baker, a former general counsel of the National Security Agency and assistant secretary for policy at the Department of Homeland Security. “It’s easier to imagine a stalemate than adopting legislation.”

The obstacle to passage before now wasn’t partisanship, Sen. Mark Warner (D-VA) told the Post, but the number of exemptions demanded by various industries to proposals that went through Congress. That won’t change on future efforts, but it might get a little tougher to make them stick after Equifax.