Scandals often play out in a set pattern: the news breaks, there is public outrage, followed by calls for action. Next, Congressional hearings are held, partisan wrangling ensues and, by the time it is resolved, the scandal has faded from the public eye and any action taken is minimal at best. Equifax (EFX), the credit reporting company that failed to prevent hackers from exposing the personal information of 143 million Americans, is in the early days of this cycle. Late Monday the company disclosed that another 2.5 million accounts were hit, bringing the total to 145.5 million.
Before a similar incident happens again, Securities and Exchange Commission (SEC) Chairman Jay Clayton has a very small window to do the right thing. The SEC should immediately require all companies to promptly disclose any significant computer hack to investors and the public, which I call the “Equifax Rule.”
Computer hacks, resulting in the theft of personal information by criminals seeking to rip off as many Americans as possible with the stolen data, have become an epidemic. In addition to the Equifax breach, Target (TGT) stores disclosed in December 2013 that it had been hacked and credit card and other data of 70 million customers had been stolen. Yahoo, now a unit of Verizon (VZ), has been breached twice, the most serious being in 2013, which affected over 1 billion accounts. Yahoo did not tell the public its information was stolen until late 2016, almost three years later. Equifax was better, but it still took executives six weeks to disclose the hack.
There is no doubt that hacks are very important information to investors (in addition to customers). For example, when the hack was announced, Yahoo’s stock dropped 4.4% the next trading day, and Target reported a 40% drop in fourth-quarter profits following the breach. Equifax’s stock dropped from $143 per share to $93 per share, or about a 33% decrease, over the course of the week after the hack was announced. It has since rebounded about 15% to the $107 level. That means the information is “material” to investors, which the SEC typically requires companies to disclose. However, fearing reputational harm as well as liability, companies have been slow and reluctant to disclose hacks. The SEC needs to remove any doubt and declare significant hacks material so that companies and their legal teams will disclose them.
To be sure, detecting, halting and investigating a computer hack is usually very difficult and often takes substantial time. That is why an “Equifax Rule” is needed. With such a rule, there will be no more delays while facts are gathered and conclusions are drawn. After all, the criminals don’t delay. They immediately start using the stolen information to rip off Americans who don’t even know their information has been stolen.
A simple “Equifax Rule” will directly fix that: if a company suffers a significant hack, it is promptly disclosed and Americans can take action to protect themselves. Such a rule will also ensure that Americans are not victimized twice: first by the criminals and then by the corporations who fail to tell them of the hack.
Dennis M. Kelleher is president and CEO of Better Markets, a Washington-based independent, nonpartisan, nonprofit organization that promotes the public interest in financial reform, financial markets and the economy.