It took Equifax just 35 days to determine that four of its executives did nothing wrong when they sold stock, saving themselves hundreds of thousands of dollars, just days after the company learned that it might have had a security breach. That was four days faster than it took the credit-reporting agency to tell the public about the hack.
The ill-timed stock sales have been one of the more damaging public relations issues facing Equifax in the wake of the giant hack, which led to the theft of data on more than 145 million people. So it makes sense the company would want to quickly dispatch the issue and more generally the idea that its executives put their bank accounts before the safety of consumers' private information. But the report, and how Equifax conducted it, should make shareholders, regulators, lawmakers, lenders and the general public even more skeptical that the company, which has a long history of consumer complaints, is actually interested in changing its culture.
First, Friday's announcement, which is the first public statement by the board in its investigation into the hack, was a blatant PR move. It doesn't truly clear the executives, all of whom are still employed by the company. The Securities and Exchange Commission and the Justice Department are the ones actually responsible for determining whether the executives acted on nonpublic information. Rather than releasing a report on the matter, the board should have turned over whatever evidence it had and let the authorities decide. Equifax puts itself in a bad position if the SEC or Justice Department disagrees with the board's all-clear signal.
Second, the board's bar is too low. The board should focus on whether Equifax executives damaged the credibility and reputation of the company, not whether they simply didn't break the law. And the report finds plenty evidence of boneheaded behavior, regardless of legality. Halting insider stock sales should be the first thing a company does when it finds out privately about a hack or some other potentially damaging piece of information. Anything else simple invites troubling questions later. Instead, the report found that Equifax's chief legal officer, John J. Kelley, approved some of the stock sales on the same day that he called the FBI to alert it that the company had a problem. It took him nearly two more weeks to inform executives that they were no longer allowed to dump their stock. That should have been enough evidence for the board to call out Kelley for his behavior and discipline him. Yet the report is silent on Kelley. It just says that the executives who sold stock didn't know about the hack yet. Case closed.
Third, a more pressing issue for the board should be the fate of the company's former CEO Richard Smith and the potentially millions of dollars in stock bonuses he could still receive. The board allowed him to publicly "retire" but said said that it could revise the nature of his exit later. As is, Smith is entitled to receive as much as $7.6 million in stock bonuses early next year and an additional $11 million the year after that. Determining Smith's role should be board's first focus. Yet Friday's report is mum on the matter.
But the biggest problem is how the company is conducting its investigation. In similar corporate scandals, outside firms have led the investigation. Instead, Equifax's is being conducted by members of the board, although they have hired a separate law firm. Worse, two of the three board members leading the investigation were also on the board's technology committee, which had the express responsibility of reviewing and monitoring the company's data-security efforts. Clearing executives of wrongdoing will also clear the board and in particular its technology committee.
It took a massive data breach to expose significant problems at a company that is a key part of our credit system. Equifax's response has failed to instill any confidence that it is properly fixing them.
This column does not necessarily reflect the opinion of Bloomberg LP and its owners.
To contact the editor responsible for this story:
Daniel Niemi at firstname.lastname@example.org