Equifax sidesteps fines in a deal with 8 US states while former employee is charged with insider trading

Regulators in eight US states – Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas – approved terms for Equifax to avoid steep fines in exchange for agreeing to a heightened security plan.

Under the terms, Equifax is obligated to develop a detailed security assessment with increased board oversight of cyber threats, as well as improve their process for patching known vulnerabilities, such as the Apache Struts VCE-2017-5638 that opened the door to the original massive hack where close to 150 million people’s information was stolen last year. Equifax still holds the information of over 800 million people and 88 million businesses globally.

Equifax claims it has already completed some of the requirements and expects to meet or exceed the rest. The US states moved to take this action due to the lack of action on the part of federal authorities, who to date have made no move to impose sanctions or penalties.

Equifax escaping fines leaves many feeling a bad precedent is being set. One would think meeting subsequent security obligations would be a mandatory expectation and only the beginning of restitution. Financial consequences carry much more weight in terms of being effective motivators for avoiding future mishandling of consumer and business information – a concept the European GDPR put firmly into practice last May.

A second former Equifax employee charged with insider trading

Meanwhile, a second Equifax employee, a software developer, has been charged with insider trading relevant to the breach. The former developer bought 86 put options from his wife’s account after he knew of the breach but before the public knew. The span of the put options was from September 1 to September 15, and as with put options, a profit would result if the stock were to drop during that span. The breach was announced publically on September 7, 2017, causing the stock to tumble and resulting in a profit for the developer of $75,000. The developer became aware of information about the breach and revealed some of what he knew with a colleague. Equifax had imposed a trading blackout on August 25 for employees who knew of the breach.

The first Equifax employee to face similar charges by the SEC is former Equifax CIO, indicted last March. Four other executives including the CFO also sold shares together worth $1.8 million just days after Equifax became aware of the suspicious activity on its network on July 29, but it was concluded that they weren’t aware of the breach when they made their trades. Separate from security trades but related to the breach, additional top executives left Equifax as a result of the breach.

The Equifax breach, which spanned from mid May through July of 2017, is still the largest of its kind in history, exposing information of about 147.9 million Americans. Because the stolen data included actionable information such as names, Social Security numbers, birthdates, addresses and for some, drivers license numbers, the threatening effects of the breach will continue for years to come.