Michael D. Moberly
The recent Equifax ‘data breach’ is about a culture of exploitative arrogance that disregards fiduciary responsibilities to safeguard personal data of 140 million citizens.
I respectfully commence this post by stating I do have more than a rudimentary operational familiarity with company reputation risk, which is a significant but, I sense, variously overlooked aspect of the ‘Equifax’ story that is not being adequately reported, aside from a few like Daniel Marans of POLITICS, Huffington Post, myself, and Dr. Nir Kossovsky.
Through my lens, when there is a highly consolidated industry, e.g., credit reporting, with just three major players, i.e., Equifax, Experian, and TransUnion, that collectively hold a very substantial percentage, perhaps 90+%, of the market, incentives for c-suites to ensure deployment of effective data safeguards beyond the minimum, and to monitor the vulnerability, probability, and criticality of inevitable breaches and/or attempts, may be below ‘best practice’ relative to other industries.
More to the point, not taking active steps to mitigate and thwart the inevitability of data breach probing and risk materialization would, for most companies, rapidly and adversely affect their corporate reputation and cascade – escalate – throughout the enterprise being targeted, in this instance, Equifax over a period of years.
However, this obligation – fiduciary responsibility – was wholly absent from the testimony given in Capitol Hill hearings on October 4th by now former Equifax CEO Richard Smith, at the behest of the U.S. Senate’s Committee on Banking, Housing and Urban Affairs. I, like countless others, am appalled upon reading Smith’s testimony regarding the security-data breach at Equifax, which exposed the personal data of more than 145 million Americans to identity theft and fraud.
Should my assumption be a correct characterization of the decisions and operational realities conveyed by Equifax’s Smith, which I believe it is, it is confirmation of Smith’s combination of arrogance, disregard for fiduciary responsibilities, i.e., Stone v. Ritter, and recognition of how ‘the company’s breach’ could be lucratively exploited, insofar as ‘add on – feel good’ fees and charges to potentially 140 vulnerable customers made sense to them. This left little rationale for Equifax to feel particularly uncomfortable or apologetic, even if their reputation ‘took a hit’, because there were enormous revenues to be made.
And, when there is little sector competition, devoting significant resources to mitigating reputation risk may be a misread of competitive advantage economics. For me, such c-suite strategies are insulting, especially when such inaction invites – contributes to – risk materialization, leaving consumers with no viable alternative or option when significant problems (data breaches) occur.
In addition to the inexcusable delay in reporting “the breach of your system, Equifax has actually created more business opportunities for itself,” Sen. Elizabeth Warren (D-Mass.) remarked during the October 4 hearings, to which Mr. Smith replied, “yes, Senator, it (the breach) has been a huge opportunity for Equifax”.
For readers who perhaps are unfamiliar with the U.S.’s consolidated consumer credit tracking firms, i.e., Equifax, Experian, and TransUnion, each tracks individual credit histories and uses the collected data to compile credit “scores”, which it sells to lenders for assessing the creditworthiness of prospective borrowers. One outcome, Senator Warren said, is that a company (like Equifax) has little incentive to invest in safeguards for the consumer data it collects and stores.
Senator Warren’s claim arose from the fact that Equifax and other firms had already sought to make money from the September 2017 breach by offering affected consumers a year of free credit monitoring, after which the company would begin charging for the service. Of note, “from 2013 until today, Equifax has disclosed at least four separate data compromises and/or breaches (hacks) to personal data. In those four years (2013-2017), Equifax’s revenues rose by more than 80%, a fact which Smith admitted to Senator Warren.
Another frustrating (troubling) aspect is that organizations frequently (initially) treat these types of materialized (catastrophic) risks as mere public relations challenges which can be rapidly repaired – remediated, not the misdeeds of a few. Yes, in many instances that’s probably true, but shouldn’t it prompt us to wonder about the circumstances in which those contributions – donations – originated? It wasn’t that many years ago when the realities of apartheid could no longer be subjugated – forsaken – to profits by numerous U.S. companies and institutions, i.e., divestiture!
..the person who elects not to read has little or no advantage over the person who cannot read! (Variously attributed to Samuel Clemens, adapted by Michael D. Moberly.)
St. Louis October 5, 2017 email@example.com 314-440-3593 ‘The Business IP and Intangible Asset Blog Where Attention Span Really Matters’!