Equifax, SEC And Deloitte Cyber Breaches: Is It Time To Remove Executive Immunity From Prosecutions?


Here we go again; another corporate scandal. Credit reporting agency Equifax announced last month that hackers breached the accounts of 143 million customers, gaining access to sensitive non-public information including Social Security and driver’s license numbers. The most egregious part of this mess is the company’s five-week foot-dragging before publicly announcing the breach. Instead of keeping its customers and investors in the dark, the company should have immediately alerted them and begun advising them on safeguarding procedures. Not only that, the website the company set up in response to address questions and offer free credit monitoring to the millions of affected consumers was itself riddled with vulnerabilities.

Separately, on September 21, a week after the Equifax revelations, the Securities and Exchange Commission (SEC) disclosed that hackers had breached its Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system and that the stolen data may have been used for illegal stock trading. SEC Chairman Jay Clayton stated that EDGAR’s test-filing component had a software vulnerability that was exploited to gain unauthorized access.

Also, on September 25, Deloitte disclosed that it too had been hit by a cyber-attack, exposing clients’ non-public information. Hackers possibly accessed usernames, passwords and personal details of the firm’s blue-chip clients. The company’s global email server was compromised through an “administrator’s account.” It possibly gave the hackers privileged and unrestricted “access to all areas.” Per media reports, authentication for that account simply required a single password and did not have “two-step” verification.

Equifax CEO Richard Smith resigned on September 26, 2017, just days before he was to appear before Congress. Potentially, he will still be allowed to keep roughly $70 million he made since 2016 from selling Equifax stock. Richard Smith is testifying before Congress.

When faced with crises, most executives and boards increasingly put their hands up in the air and say, “How should I know?”

Even though Equifax executives have shown incompetence and foot-dragging in protecting sensitive data, it is unlikely anyone will face criminal charges. Probably no one is surprised, considering how few corporate executives face harsh legal consequences for their mismanagement. Therein lies the problem. Equifax executives who sold their stock after the intrusion but before the public announcement may face insider trading charges, but will probably escape severe consequences for their recklessness in executing their fiduciary responsibilities, which resulted in damages to millions of customers. They may also face compensation clawbacks, possibly without any criminal charges. Fines and clawbacks with no serious legal consequences serve as mere condemnation and not as a deterrent to recurring bad executive behavior.

In corporate cases, prosecutors are increasingly using deferred prosecution agreements (DPAs) as a voluntary alternative to adjudication. If the defending company agrees to pay fines, implement corporate reforms, and fully cooperate with the investigation, the case might be settled using a DPA. Fulfillment of the specified requirements will then result in dismissal of the charges at a later date. This approach has yielded headline-grabbing fines with apportioned restitution funds or forfeitures directed towards the victims of these corporate crimes. However, these agreements usually entail executive immunity, a critical weakness in these arrangements. By paying these huge fines, corporations are essentially buying “get-out-of-jail-free cards” for their executives and employees.

Professor Brandon L. Garrett of the University of Virginia, author of the book “Too Big to Jail: How Prosecutors Compromise with Corporations,” states, “There are real challenges and obstacles when bringing individual prosecutions for corporate crimes.” His recent article highlights that the chief obstacle can be the complexity of the organization, which can obscure fault. Intent can be hard to show when responsibilities are diffused and shared. Hence, establishing the culpability of individuals acting within complex organizations with a division of tasks can be very difficult. He further states that corporate settlements should be used to incorporate structural reforms and change incentives for employees and officers to avoid future misconduct. The solution could be a range of statutory, sentencing and policy changes to tighten the connection between corporate and individual culpability. Corporate prosecutions need not come at the cost of individual immunity.

According to the work of Villanova University Professor Josephine S. Nelson, “the intracorporate conspiracy doctrine, an immunity doctrine, has been pushed by businesses to insulate corporate individuals from conspiracy charges.” She further finds, “[h]armful behavior is ordered and performed without consequences, and the victims of the behavior suffer without appropriate remedy.” Professor Nelson summarizes, “the overexpansion of intracorporate conspiracy doctrine triggers the wrong inquiries and imposes inappropriate liabilities throughout the law on corporate and individual responsibility.”

Professor David F. Larcker and researcher Brian Tayan at Stanford University’s business school note how, in modern times, the same businesses are fined for repeat behavior, effectively making such fines a mere slap on the wrist and a routine cost of doing business rather than a mechanism of deterrence for executives.

Since the announcement of the breach, Equifax stock has dropped over 30%. According to media reports, regulatory filings show that five weeks before the public announcement of this incident, three company executives, Chief Financial Officer John Gamble, U.S. Information Solutions President Joseph Loughran, and Workforce Solutions President Rodolfo Ploder, transacted stock sales totaling about 2 million dollars. Bloomberg also reported that “none of the filings list these transactions as being part of 10b5-1 scheduled trading plans.” In a statement, Equifax says the executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”

The audacious nonchalance on the part of the Equifax executives shows a brazen corporate culture. Executives acted with impudent carelessness in protecting sensitive consumer data. They not only stored the data in a way that enabled hackers to steal it but also failed to apply a critical software patch that might have averted the breach. This patch, which addressed the vulnerability in their system, had been available for months, and for company executives whose core business is managing sensitive consumer data, ignoring timely mission-critical software updates is simply reckless behavior. Ironically, Equifax’s security chief, Susan Mauldin, had an undergraduate and a master’s degree in fine arts and music, with no formal academic training in technology. An Equifax spokesperson did not respond or comment on this report.

Professor Scott J. Shackelford from Indiana University, states, “Equifax is quickly becoming a case study of what not to do in response to a data breach, from withholding vital information from customers and regulators to charging customers to protect their breached data and directing them to a phishing site.”

These incidents underscore the seriousness of cybersecurity events, bringing focus to the vulnerability of corporate entities to hacks and breaches.

Professor David P. Weber at the University of Maryland’s business school, who previously served as the U.S. SEC’s chief investigator, states, “In each case, failure to incorporate timely software updates resulted in commercially fatal breaches.” From his vantage point, “there appears to have been a top-down failure to value the importance of comprehensive information technology safeguards. Each of the organizations failed to incorporate software updates to address apparently known security vulnerabilities.” He also thinks that the Equifax management team did not appreciate or understand the threat posed by an unaddressed vulnerability in the website. He notes that the barrage of cyber-attacks demonstrates a failure of comprehensive enterprise risk management at these organizations. Boards of directors and audit committees must be vigilant in treating cyber risk as part of corporate governance. In the age of Big Data, this underscores the critical need for companies to safeguard their clients’ data from cyber-criminals while still servicing their needs.

The prosecutorial immunity given to corporate executives engaged in reckless behavior and malfeasance is frustrating for lawmakers, judges, investigators, reporters, academics and the public. It is time to remove such immunity from prosecution agreements, to encompass individual executive accountability and induce harsher personal consequences.