Right
Not enough should be 10x. Plus the Chinese treatment for the executives.
Data-spaffing consumer credit biz Equifax is offering a package of roughly $700m in order to kill off lawsuits regarding its 2017 super-cyber-heist. The credit reporting agency announced on Monday it has proposed the payout in hopes of settling class-action suits, as well as state and federal investigations, over its conduct …
There are several confident-sounding solicitors firms in the UK offering no-win no-fee group claims but they don't give the impression of representing many people yet. I suppose, ironically, the solicitors have trouble reaching affected individuals in part because their contact data is so well protected now by GDPR.
Most of the money will used for "credit protection services" from guess who?
I believe Widen is right. It's about time execs start taking some heat to more than their bonuses. But it that happens, they'll end up at the so-called "country club prison". Maybe Alcatraz needs to be re-opened for executive miscreants?
Yes, Wyden is right, there should be personal accountability on such matters.
But isn't Wyden a lawmaker? It falls to him and his colleagues to pass laws that have criminal responsibility, deterrents and punishments.
Oh, and whilst you're at it Sen. Wyden, make sure the law includes the same criminal responsibilities for politicians too.
But isn't Wyden a lawmaker? It falls to him and his colleagues to pass laws that have criminal responsibility, deterrents and punishments.
There are criminal liabilities for these actions. Negligence, fraud and many other crimes could be seen to have been committed.
However, it is up to the executive, that is, the DoJ, or state AG's, etc., to choose to file and then prosecute criminal charges. The executive has absolute, sole, discretion, and absolute immunity, on whether or not to file criminal charges. Someone could murder someone right in front of an AG, and the AG would be entirely within their legal authority to refuse to prosecute the murderer. And there is nothing anyone can do, legally, to force the AG to do so. Of course, the AG could be fired and another AG appointed who could then pursue charges, but the previous AG would have done nothing legally wrong.
No-one else, not the public, not the legislature, has the authority to file, or force the executive to file, and prosecute, criminal charges.
Hmm, no. In the UK you can bring a private prosecution for a criminal offence, with the same punishments under law possible as under a Crown prosecution.
This lets people exert justice even where it's politically deemed undesirable. Public interests are served by the ability for the CPS to take over and close down a prosecution should it be deemed inappropriate, but they'd need strong reasons for such action and it would force a public action (rather than the private inaction of choosing not to prosecute).
The US would benefit greatly from such a capability.
Whether elected or appointed, they're politicians. And yes, it's a bit weird to effectively elect someone who can choose not to prosecute something. However, someone has to choose, and as stated above, there are benefits to having that choice. The alternative is that someone still has that power, but they're not elected. That is the same from the possible conflict of interest perspective, but in that case it'd be harder to get rid of them if they did something citizens didn't like but wasn't technically illegal. Completely fair government is hard.
Indeed BS
Jail time and a data retention exclusion for complete management team along with a security review of every other credit reference company and bank they shared data with.
Taking off and nuking the planet from orbit is the only way to get the message across to these leeches
I have to say, I think the security was basically left lax on the grounds that it would give them an opportunity to sell more "security" products and services, on the grounds that not many other people do what they do. A licence to print money.
Just for once, I agree with a politician here. (I usually don't, but that's basically a reflex action on the grounds that... well, they're a politician)
You can't opt out. None of their customers were harmed. I didn't hear of any customer being sold false data as a result of the hack. How would loss of credibility to those of us who have zero choice about them gathering our data and selling it affect anything whatever about their viability as a business? Maybe we vote for someone who won't just be bought like 100% or so of all previous elected officials?
We, ie the public, are not their customers, we are their product, therefore if we get harmed they don't give a shit.
However you were correct, none of their customers were harmed - their customers are the banks and financial businesses that use their credit check services.
"All right, you've got your identity stolen, lost your house and car, here is $5 for your troubles." Seriously? This is definitely taking the piss.
But the even bigger problem is that if they get away with it, every information pusher out there will know they don't really need to worry about losing information.
On the other hand, if the Equifax execs go to prison, I'm pretty confident everybody else will suddenly behave...
US Sen. Ron Wyden (D-OR) put out a statement on Monday blasting the proposals and arguing that company execs should have been personally prosecuted for their negligence in handling the personal information of others.
Jail for corporate officers? Won't happen. I'm pretty sure that the US constitution bars that except for those, like Bernie Madoff, steal from the wealthy. (Mr Madoff -- age 81 -- is currently serving a sentence of 150 years for a long list of indiscretions).
Seriously. Do you folks have any idea what would happen if corporate officers were routinely held legally responsible for their actions?
The constitution doesn't contain corporate law. But the corporate "veil" can be pierced if there's demonstrable malfeasance and I believe sufficient negligence.
Somehow, even in utterly egregious cases like this, it never seems to happen, though.
Something about the big guys being able to afford the better legal help, or golf clubs for the judge.
So they're kind of hard to sue and win big.
"Do you folks have any idea what would happen if corporate officers were routinely held legally responsible for their actions?"
Yes. Instead of anyone in the lower ranks proposing improvements to security being told to GFO they'd be being asked anxiously if they were sure there wasn't something else that could be done.
Fines don't mean a thing, that just gets passed on to shareholders. Any activity that results in profound human damage (and I think having to fight to keep yourself from having your identity stolen with all the fun financial consequences amongst that) ought to mandatory result in some time in public pillory, with the sale of rotten vegetables automatically authorised in the near vicinity.
The US approach to white collar jail time is more a Club Med with locked doors, which is why it is not helping.
Either that, or mandatory publishing of all their details and being barred to change any of it without that being out in the open too.
The behavior we want is for companies like Equifax to take security breaches seriously, "too big to fail" banks to take knowingly making bad loans seriously, etc. The way you do that is to make sure that shareholders and bondholders lose everything in the event of a major breach of trust, and this definitely qualifies.
If there was a possibility of losing everything, shareholders would force management to assign a much higher priority to keeping information secure, acting ethically etc. They'd also insist on management having skin in the game so they'd probably force them to earn their bonuses in stock and hold it for several years before they could sell it. Then the interest of management, shareholders and consumers would all be aligned as far as preventing security breaches or other breaches of trust.
Making them pay a fine, no matter how large, doesn't accomplish this. They need a "death penalty" for a corporation - not one that ends the corporation because you don't want to punish employees for bad decisions of management. One that zeroes out the stockholders and bondholders of the company. Hit the 1% where it hurts, and behavior will change.
Its not that simple, it isn't like the market cap of a stock is a bank account, you can't "down the value" by a specific amount. What I suggest is really an all or nothing thing. Either you zero the value of the stock/bonds or you fine, there is no middle ground. The zeroing would be done only for egregious cases where the corporation deserves the "death penalty", for lesser cases a fine would continue to be the only viable option.
it isn't like the market cap of a stock is a bank account, you can't "down the value" by a specific amount
No, but in theory (and ignoring the fact that there's no legal precedent for this, and quite likely no legal foundation for doing it), some authority could implement a fine by attaching an additional tax penalty to transactions in Equifax stock and dividends issued for same. That would make it less attractive and increase Equifax's cost of capital.
Probably that would have to be implemented by passing a law creating a new classes of short-term and long-term capital gains with a higher tax rate, and giving some branch of the executive the power to assign shares of stock issued by particular corporations to those classes. It would be a bit of a bureaucratic mess, but in the world of tax law that'd hardly be noticeable.
But why not fine the company itself? That way the loss is distributed equally to shareholders, and without the huge expense of administering a special tax for trades/dividends on those shares to collect the fine (and it wouldn't be distributed equally - if I hold my shares and the stock pays no dividend I get off scot free)
@ DougS
I like your idea but many times employees of the corporation are forced to invest into it for their retirement plan. This would hurt the bees more than the queens, maybe. Although with the stock options most C-level positions get it might hurt them enough to get their attention.
There would be need to be laws that give employees a choice - and the stock market might pay attention to the investment level of the employees. They see a company where the employees own little stock they might think "they know something" and stay away themselves.
many times employees of the corporation are forced to invest into it for their retirement plan
Is this actually all that common? Apparently (according to various online sources of varying dubiousness) many 401(k) plans include an employer-stock option, and of course many firms offer ESPPs or similar. But those are options - employees are not forced to use them. How common is it for corporations, particularly large ones, to offer only investments in their own stock for retirement plans? Is that even legal?
It was legal until the Enron. WorldCom, Lucent fiascoes.
The law was changed after all of the value of these companies was essentially zero'd out, by mismanagement and fraud.
There was a time when 401K plans could be directed to company stock, and a second option was a guaranteed interest fund. Since there is no return on the GI fund, everything was "forced" into company stock.
Now they are no longer allowed this option, but you can have, I believe, up to 15% of your 401K invested in company stock, but it is the employees option, and cannot be decreed by the company.
Companies that offer ESPPs often require holding the stock for a certain number of years before being full vested, when purchased below market price. These programs would be less attractive at companies where the employees suspected management was playing fast and loose with the regulations.
Thousands of employees at the big banks knew how poor their mortgage underwriting standards were, if they thought there was a chance of losing their stock they'd either not participate in ESPPs or sell them early and lose the vested part. Probably fewer would know about the Equifax breach, but the IT people would at least know how little attention they paid to security, and tell their friends in other parts of the company "sell your stock, it is a matter of time before disaster strikes!"
There are a number of ways to force employees into investing in company stock. One easy method is to ensure that any stock they have is on a vesting schedule that makes it hard to sell. For example, while they can't force employee retirement contributions to be in company stock, they can offer a matching plan that is in company stock. This would be seen as a major benefit--it's essentially free money--but if the stock becomes zeroed, that benefit is retroactively erased. And if they really wanted to prevent this from happening, there are lots of ways to try to make sure employees get hurt in the scenario. Some of those might be later shown as illegal, but not before regulators get nervous that a company might have a way around it.
"This comprehensive settlement is a positive step for US consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company,"
Of course it is. It establishes the price of the industry's raw materials as being quite low.
Why is this even a thing? If someone commits a crime, they don't get decide what the appropriate punishment for themselves should be. Equifax shouldn't be in a position to propose anything, they should be told exactly what they have to do and then be forced to actually do it.
> If someone commits a crime, they don't get decide what the appropriate punishment for themselves should be.
Welcome to the world of the wealthy and powerful. Laws don't apply to them, at least not directly, old boy networks take care of any problems which were accidentally revealed to the great unwashed:
"I've got a couple hundred thousand set aside for employee bonus pay. What about you fine me that, and in return we promise to run an internal investigation to secure our systems: My daughter, the one which is studying modern dance, is looking for an internship."
Yes but well, people can take a lot of abuse. They usually don't get violent unless a problem is affecting them personally (like famine killing their children), and in our modern societies this doesn't happen very often.
And then there is entertainment, taking your mind off things. French peasants wouldn't had beheaded their king if they had had television, and the October Revolution would probably had just been a vocal Facebook group...
Look it's a huge figure but per individual it's barely a coffee. Even 100x that fine doesn't really add up to a whole heap per individual and it'll probably end up in the pocket of some law firm anyway.
Nope I'd much rather forgo any payout personally and see the executives do some time. That will make my information much more secure for much longer. A fine just becomes a part of the accounting process.
If executives think their penny pinching might make them end up as 2yrs of fresh meat for a horney prisoner they might chose to protect my stuff a bit better.
Sadly Lee, under the GDPR they have a right to collect data for the purposes of conducting their business. We may not like it, but credit reference agencies are a necessary evil.
However Equifax should be sanctioned for failing to properly protect that data, and that was and is possible under previous data protection laws as well as GDPR.
The data they collect was passed to them by other firms who collected it for various other purposes. By the time Equifax have processed it and turned it into credit scores it must be legally dubious as to whether there's a chain of informed consent.
I don't know if the term chain of informed consent is in use but seems a useful concept rehter like chain of continuity handling court evidence.
Only with explicit (not implied) consent, for a reasonable period, only for that legitimate business function, never to be shared with anyone else without additional, optional and specific consent.
Credit reference agencies literally are the only organisation apart from the government to have the last 20 years of my addresses, not to mention pushing that information to organisations that I may well not consent to, not to mention providing little to no reasonable method to correct errors, and also collect far too much information than that necessary for the purpose.
They're gonna be the "big" test of GDPR as soon as all the early test cases build confidence to take them down. My own bank can't hold the information they do, for as long as they do, and I'm a paying customer of theirs - I never consent to Equifax holding or collating that information, seemingly into perpetuity.
Well, I for one am completely satisfied with Equifax's settlement - I mean it is the equivalent of what I get for one full week (almost) of my share of the great US tax cut bill of 2017, and reinforces my belief in the fundamental fair and equitable treatment that individuals receive under the legal system when compared to corporations and those that head them, and the sense that the lawyers involved earned every million of the dollars that they were paid to negotiate this most honorable and hurtful of punishments. It is nice to know that Equifax's credit rating will now go up because the uncertainty of this issue is resolved, and that they will be able to get lower interest rates on their corporate car loans and qualify for cheaper mortgages on their facilities.
Please sir, may I have some more - porridge, punch in the face, feces smeared on me, whatever......
Allowing a settlement cap like this, or bailing out a failing company just shouldn't be allowed, as they won't learn their lesson.
Capitalism is designed to allow companies to fail and nothing should interfere with this process. Maybe then companies will think twice on things like how they handle your data.