Government regulators and lawmakers continue to tighten their focus on Equifax amid CEO Richard Smith’s retirement
Equifax CEO and Chairman Richard Smith may be gone, but consumer and government criticism and scrutiny of the credit-reporting giant’s massive cyberbreach continues to mount.
At least one sign of potential new government action against Equifax surfaced within hours of the company’s leadership shakeup. Federal Trade Commission responses to questions from Sen. Mark Warner, D-Va. signaled that the cyberbreach could prompt sanctions against the company, which is operating under an FTC consent decree related to improper handling of consumer information.
The federal regulator said it is „considering whether any FTC order covers the practices at issue and, if so, what remedies may be available. A party that is found to have violated an FTC order may be subject to contempt sanctions and civil penalties.“
Separately, Equifax also faces:
Most congressional action so far has focused on getting Equifax’s explanations of how the cyberbreach occurred, details on electronic safeguards the company had in place, and what the company plans to do besides the offer of free credit monitoring and identity-theft protection.
Rep. Greg Walden, R-Oregon, who chairs the House Committee on Energy and Commerce, acknowledged the possibility of new federal regulations in a recent CNBC interview about Equifax. But he also sounded a cautionary note about over-regulating, citing a need to „get the facts first, the policy second, but always put the consumer ahead of both.“
Smith, 57, a 12-year Equifax veteran, bowed out Tuesday amid the continuing fallout from its Sept. 7 disclosure that hackers executed an electronic attack that compromised personal data for 143 million Americans — nearly half the U. S. population.
The company said it would delay decisions on his financial benefits and that Smith would forgo a 2017 bonus. Equifax board member Mark Feidler was named the company’s new non-executive chairman and it also appointed Paulino do Rego Barrow, a seven-year Equifax veteran who most recently served as president of Asia Pacific, as interim CEO. It said it is searching for a permanent successor.
Smith is the third top executive to leave since the cyberbreach. Equifax announced similarly sudden retirements for its chief information officer and chief security officer earlier this month.
On Tuesday, Equifax said a newly formed special committee of board members is examining the company’s security precautions and other issues surrounding the cyberbreach that has sent the company’s stock price tumbling.
„The board remains deeply concerned about and totally focused on the cybersecurity incident,“ Feidler said in a statement issued with the leadership change. We are working intensely to support consumers and make the necessary changes to minimize the risk that something like this happens again. Speaking for everyone on the board, I sincerely apologize.“
The electronic intrusion occurred from mid-May through July 2017 and primarily involved names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers, Equifax said.
Additionally, the hackers gained access to credit card numbers for roughly 209,000 consumers, plus certain dispute documents with personal identifying information for approximately 182,000 consumers.
Equifax also identified unauthorized access to limited personal information for certain residents of the United Kingdom and Canada.
Along with the cyberbreach itself, the company has faced widespread criticism of delays, electronic security concerns and other problems with the year of free credit monitoring and identity theft protection it offered to consumers.
The company is also dealing with scrutiny of company stock sales made by three executives after the cyberattack, but before the company alerted consumers.
Sen. Elizabeth Warren, D-Mass., an outspoken Equifax critic, said consumers deserve more than just corporate exits. „The American public deserves answers about what went wrong at Equifax and what the company plans to do going forward,“ said Warren.
Ratings issued in April by MSCI ESG Research LLC, a New York-based company that provides institutional investors with assessments of corporate governance, social and other issues, identified cybersecurity concerns that could be of interest to government regulators and lawmakers.
Equifax received a MSCI score of zero for its privacy and data security rating. Warning that the company is „vulnerable to data theft and security breaches,“ the rating cited a 2016 incident in which salary and tax data for 431,000 employees of the Kroger grocery chain, one of Equifax’s major customers, were compromised.
„Equifax shows no evidence of data breach plans or regular audits of its information security policies and systems,“ the rating concluded.
Equifax shares closed up fractionally at $106.05 Tuesday. The stock has now lost nearly 26% of its value since the $142.72 a share closing price shortly before Equifax publicly disclosed the cyberbreach.
Follow USA TODAY reporter Kevin McCoy on Twitter: @kmccoynyc