The Equifax breach happened because today’s executives know they’ve got nothing to fear

This Saturday, July 21, 2012, photo shows signage at the corporate headquarters of Equifax Inc. in Atlanta. A Wall Street Journal report says that hackers…
Image: AP Photo/Mike Stewart

Right now, somewhere in the darkest regions of cyberspace, somebody is very possibly using bitcoins to buy highly sensitive information about you: your phone number, address, Social Security number, and driver’s license number. Some day, maybe months from now, maybe even years down the road, a criminal could use that treasure trove of data to drain your bank account, access your credit card, or take out a loan in your name.

Thanks to the gigantic Equifax data breach — what Massachusetts Attorney General Maura Healey called possibly “the most brazen failure to protect consumer data” her office has ever seen — Americans will be looking over our shoulder for the rest of our lives. So what should happen to the well-compensated executives responsible for this mind-blowing mess?

Last week, some members of Congress condemned executives at Equifax and at Wells Fargo, where millions of fraudulent savings and checking accounts were set up on behalf of bank clients without their consent. When questioning Wells Fargo CEO Tim Sloan before the Senate Banking Committee, Senator Elizabeth Warren of Massachusetts, a Democrat, noted that when corporate leadership encourages wrongdoing, ordinary workers often get screwed by losing their jobs. She added that executives should be on the hook personally and that it’s time “to fire the people who are responsible and when they break the law, to march some of them out in handcuffs.”

Her words echoed those of Senator Heidi Heitkamp, a Democrat on the Senate Banking Committee, who recently said that “somebody needs to go to jail” if the Equifax executives who dumped stock can be proven to have broken insider trading laws.

Unfortunately, executives know that they have little to fear. Individual executives, and especially top corporate management, have only rarely ended up with serious fines or jail time.

To date, a couple of Equifax honchos have “retired,” and can now enjoy lounging poolside at the country club because they will retain their benefits. Erstwhile Equifax CEO Richard Smith, who breezed out the door with a $90 million exit package, could buy his own private island. After his little moment of embarrassment on the Congressional hot seat, in which he blamed a single tech employee for his company’s mammoth screw-up, he can relax in the knowledge that Equifax is a business that operates with little government regulation and lax enforcement of laws.

A handful of individual corporate leaders, like Jeffrey Skilling of Enron, have actually done jail time for hurting Americans. But these instances are quite rare. The privileges of wealth and the sophistication of expensive lawyers mean that executives have a big advantage over the ordinary person when they find themselves in a criminal justice proceeding.

It would help us all if executives like Smith were much more worried about the consequences of their actions. Corporate leaders are people who think a lot about risk. They weigh the future benefits and the costs of various actions every day. They don’t fail to protect data by accident. They do it because they are making calm calculations about what they can get away with. If those calculations involved real threats of harsh prison sentences in scary maximum-security facilities, or personal fines large enough to crash their lifestyle and social status, they would probably make different choices.

Smith can also be comforted by the idea that the Equifax data theft occurred because of negligence rather than active fraud. In the rarefied world of white-collar offenses, that doesn’t generally merit jail time unless the pills you sold made people sick. Criminal prosecutions for food and drug safety issues and environmental contaminations can happen, but not data breaches.

The possibility of insider trading might merit criminal prosecution, but it’s not easy to prove. In the case of Equifax, you would have to establish that the senior managers who did the dumping knew about the breach and its seriousness.

Economist and business historian William Lazonick of the University of Massachusetts Lowell notes that in the cyberage, we probably need new laws to catch up with a fast-changing data landscape.

“There may be new types of activity that should be made illegal,” he suggests. The laws concerning data protection vary from state to state, and are often vague in terms of things like when people have to be notified about theft of their personal information.

But the bigger problem, he says, is the amount of high-level white-collar crime that is not investigated in the first place, or even when it is investigated, fails to generate the faintest hope of prosecution. He notes that senior corporate executives who commit crimes often find ways to have their subordinates take the rap.

“There is a word for all of this,” says Lazonick. “Corruption.”

At a minimum, the credit bureaus should have more oversight, and consumers should have better protections following identity theft. We also need to put an end to the noxious practice of companies forcing customers into arbitration when something goes wrong, as Equifax tried to do after the breach. But it’s also time to serve justice to individual executives who harm the public. If we lose faith that the wealthy and powerful are accountable to our legal system, the fabric of society gets shredded.

It seems pretty obvious that a corporate culture in which problems like massive negligence or widespread fraud occur starts at the top. And it seems further obvious that executives who engage in activity that causes harm to others should be held personally accountable under the law.

Personal accountability is key in terms of both justice and deterrence. We expect to see people who harm others receive punishment, because fairness and equality under the law hold our society together. We also want people to be held accountable because we don’t want the same problems to happen again. If a corporation receives a fine, the shareholders end up paying the cost—not the individuals who committed wrongdoing.

And so corporations can wind up seeing fines as simply the cost of doing business. Certainly fines don’t prevent executives responsible for wrongdoing from receiving gigantic personal payouts and benefits. A lack of personal liability creates perverse incentives for leadership to keep breaking the rules, with no regard for people hurt by their actions.

Thus far, Equifax executives have gotten off easy. In this era of money-driven politics, laws are made, and regulations enforced, by people and organizations that tend to play to the tune of the wealthiest campaign donors. (For proof, look no further than the fact that Equifax received a $7 million government contract with the Internal Revenue Service immediately after its massive breach.) Nothing is going to change until the public lets its elected representatives know that this state of affairs is neither normal nor acceptable. If we care about business ethics at all, we need to give the nation’s most powerful executives something to be afraid of.