How a company and its leadership adhere to their core principles and responsibilities during a crisis speaks volumes about their ethics. The Equifax data breach that exposed the personal data of about 143 million U.S. consumers is a crisis of epic proportions.
Equifax, like its two rivals, is the gateway to consumers’ access to financial credit. Equifax’s customers also include the lenders and other businesses that use this data to make credit decisions. If you had to boil the ethical principles required of Equifax, given these unique roles, down to the two most essential, they would be integrity and security.
Ironically, Equifax updated and reissued its corporate code of ethics in July, about the same time it discovered the breach. Equifax’s code touts the importance of honesty and fair dealing in maintaining appropriate business relations, protecting the privacy and confidential information of others, advising employees to watch out for company property that is not secured, and prohibiting insider trading. Former Chairman and CEO Richard F. Smith wrote an introductory message to the code discussing his commitment to the code and to compliance.
So, how well did Equifax’s executives live up to its own code of ethics? Several things strike me about the ethics of Equifax’s handling of the situation.
Equifax had an ethical duty to its customers to maintain personal data with utmost security.
Equifax used an open-source software tool known as Apache Struts to support Equifax’s online dispute portal web application. The company believes that the hackers gained access to its data through a vulnerability in Apache Struts. Equifax had known of this vulnerability since March 2017. The hackers had access to Equifax’s data from May 13 through July 30, when Equifax took down this web portal.
Why didn’t Equifax take down the web portal as soon as it knew the software was vulnerable, and keep the portal down until the security flaw was patched?
Companies lacking in internal controls tend to be more exposed to ethical failings than companies with strong internal controls. We normally think of accounting processes when we discuss a company’s internal controls, but its internal controls over its computer systems are equally important, especially for a company whose product is digitally maintained.
Equifax had an ethical duty to inform its customers of the breach as soon as the breach was discovered.
Equifax has not said why it waited until September 7th before announcing the cyber incident. Could it be that the hacking was too embarrassing for a proud company to announce, or was there another reason?
This delay deprived its customers of the opportunity to take early action to mitigate the potential damage from the exposure of their personal data. Credit freezes and monitoring could have started months ago.
The creditors and financial institutions that rely on Equifax were considering credit applications and approving loans throughout this period. They were totally unaware that the applications they were processing could be fraudulent and contain personal information stolen from Equifax. These companies were unable to consider whether they should require other forms of identification and information to verify that they were not processing credit applications for fraudsters.
Was it fair to these customers that Equifax did not tell them of the breach? What losses will result from this lag in reporting the breach?
Equifax executives who knew about the data breach had an ethical duty to inform all “covered insiders” not to sell any stock until the pending material information about the breach was made public.
The CFO and two other executives sold a combined $1.8 million in Equifax stock in the days following the company’s discovery of the breach. Equifax stated that these three executives did not know about the breach. Really … Why not?
Equifax’s ethics code requires that Human Resources, the Corporate Ethics Officer, or the Audit Committee of the Board of Directors be notified of any suspected fraud or theft of company assets. Given the size of the breach, were these people notified? Whether the answer is yes or no, why didn’t the CFO know?
We know that the Chairman and Chief Executive Officer, the Chief Information Officer and the Chief Security Officer knew about the breach. All three have since left the company in the wake of the fallout. Certainly, other employees working in the offices of the three since-resigned executives had to know. Did they follow Equifax’s ethics code reporting requirements, even if their bosses did not?
An SEC investigation into the stock sale is pending. These three executives will be incurring major legal bills, whether they are guilty of insider trading or not. They may be subject to criminal penalties, including incarceration. How fair and honest was it on the part of the executives in the know not to inform the other executives to hold off on any stock transactions?
Ethical conduct of companies and executives is a hot-button topic in corporate America precisely because ethical failures are commonplace. Equifax is one example of many. An ethics policy or code is only as good as the leadership implementing it. People are fallible and do things that, when the unethical conduct is exposed, as it almost always is, leave others simply asking, “What were they thinking?”
Equifax’s problems could have been prevented if certain executives had followed the company’s code of ethics, their individual personal values and common sense. But this is a prime example of how a lapse in ethics can have a significant adverse impact on 143 million consumers and countless institutions that rely on quality credit information to conduct their business.