Categories & Search

Equifax Mea Culpa: Too Little, Too Late?

Equifax Inc.’s interim CEO, Paulino do Rego Barros Jr., issued the company’s second public apology this morning for the massive data breach that has affected as many as 143 million U.S. consumers.

In a Wall Street Journal op-ed, Barros acknowledged the company’s ball drop in handling the breach and promised to “act quickly and forcefully to correct our mistakes.” He said the company will introduce a new service that would permit consumers to control access to their personal credit data.

Ironically, there is no posting on the Equifax website about this new service.

“There’s no magic cure for data breaches,” he wrote in the op-ed. “As we all know, every organization is at risk.”

Barros assumed the interim CEO role earlier this week after the company’s former chairman and CEO, Richard F. Smith, announced his “retirement.”

The company’s full-throated mea culpa is unlikely to stem the ongoing criticism of its data security posture with regulatory investigations and enforcement actions ongoing, class action lawsuits filed and more to come. We have blogged about this chaos here, here, here and here.

Yet, amid this wave of criticism, underlies the often irreconcilable demands that face a company victimized by a data breach. Public companies have a duty to the public markets and investors to make prompt disclosure of material events and risks to their businesses. But to avoid tipping off the perpetrators with too much information, companies – often rightly encouraged by law enforcement – are reluctant to disclose too much information.

This tension between the obligation to keep investors and the markets informed and the demands of responding to a massive data breach – and cooperating with law enforcement – often put companies in an unfortunate dilemma. The securities laws don’t say when a hack requires disclosure and the extent of any such disclosure.

In 2011, the U.S. Securities and Exchange Commission issued “guidance” to companies on when to disclose an incident to investors. But the guidance isn’t law, nor is it mandatory. And it hasn’t been updated in six years.

With news this week that the agency is launching two enforcement initiatives to address cyber threats and protect retail investors, including the creation of a Cyber Unit, perhaps it’s time to add an update to the 2011 guidance to the Commission’s agenda.