Equifax, one of the “big three” credit reporting firms, recently disclosed that social security numbers and other personal information of some 143 million mostly U.S. consumers had been compromised through hacking. This was not a sudden discovery of a serious security issue. Equifax had been alerted in March 2017 by Cisco of an online security flaw affecting servers. Cisco urged users to upgrade immediately. Equifax asserts it addressed the security flaw at that time. However, in July it found suspicious online activity and discovered the same security flawexisted elsewhere in its system. Credit bureaus, which collect vast amounts of data from lenders and other sources (in the case of Equifax according to its CEO, managing 1,200 times as much data every day as in the Library of Congress) and provide reports to prospective lenders, are an essential link in the flow of credit in the nation’s economy.
Since the credit bureaus’ business model depends critically on accumulating and managing this data, it would be expected that their boards and senior management would be incentivized to institute a robust cybersecurity system to ensure the integrity and security of its database. But this may not have occurred in Equifax’s case. We expect further disclosures and investigations will fill in some of the details on its internal controls and risk management.
Strategic business priorities logically flow from a company’s main profit-making lines of business. Equifax’s primary revenue source would appear to be from lenders, employers, and other businesses rather than the hundreds of millions of consumers it tracks. Equifax’s U.S. Information Solutions segment is its largest revenue generator. The company does not break out the contributions of consumer and commercial business lines in this segment, but based on its description in SEC filings it is likely that commercial customers are its principal clientele. This is in contrast to other businesses such as social media firms that hold vast, confidential troves of data whose primary clientele are the original owners of such data and whose add revenue depends on the continued loyalty of these data owners.
The size of Equifax and its two main competitors, TransUnion and Experian, may also lessen the incentive to deploy resources in order to safeguard consumer borrowers’ data. Quite simply, a data breach may not have appeared to be an existential threat, as it would be to a smaller business organization. As in the credit rating industry, Equifax is one of a “big three.” That said, Equifax’s stock price has plunged over 35% since the security breach was disclosed.
Security breaches due to hacking have been occurring – often in the same company – with unsettling regularity. Like Equifax, Yahoo suffered more than one major security breach. In September 2016 it revealed that over 500 million users’ confidential data had been stolen in 2014. It then revealed even more users’ accounts had been compromised back in 2013. Its president and CEO, Marissa Mayer, left the firm with a compensation package of over $23 million with the closing of Verizon’s purchase of the company despite the enormous security breaches on her watch. This represents a failure in corporate governance regarding the priority to be ascribed to protecting customer data. Yahoo’s board had approved Mayer’s allocation of capital away from cybersecurity towards growth initiatives that later failed. In Equifax’s case, the firm announced that its chief information officer and chief security officer are retiring, “effective immediately,” but did not indicate what compensation package they might be receiving. We await more details about board practices at Equifax.
Hacks at companies such as Equifax also put a spotlight on the fragmented regulatory patchwork in the U.S. governing these important intermediaries between lenders and borrowers. As a former Consumer Financial Protection Bureau (CFPB) assistant director noted, ““Credit reporting agencies are the plumbing of our financial system but are much less regulated than many banks.” As the New York Times noted, the CFPB has supervisory and enforcement authority over the bureaus, but the Federal Trade Commission (FTC) has data privacy enforcement.
Much more highly regulated industries, where it is clearer which agency has “ownership,” have put in place much more robust systems. For example, the SEC’s second Cybersecurity Examination Initiative, whose findings it announced last month, indicates broker-dealers and investment advisers have shown an overall improvement since its first cybersecurity initiative two years ago. The SEC noted that all broker-dealers, all mutual fund companies, and nearly all advisers examined maintained cybersecurity-related written policies and procedures addressing the protection of customer/shareholder records and information, with relatively robust internal controls.
It is ultimately up to Congress to ensure that lightly regulated businesses that house vitally important confidential data do not fall through the regulatory cracks. In the case of the credit reporting industry, their market structure and business model, among other factors, promise that more security breaches are in the offing.
 Rohit Chopra, quoted by the New York Times. See “Equifax Hack Exposes Regulatory Gaps, Leaving Consumers Vulnerable,” NYT, Tara Siegel Bernard and Stacy Cowley (Sept. 8, 2017).