63 comments

[ 8.5 ms ] story [ 204 ms ] thread
One wonders what 90m in security spending would have accomplished...
(comment deleted)
In a company like Equifax ? Not much.

The issues are/were so systemic without complete change of culture and engineering processes not a lot of improvement in security can be achieved. This is very expensive change management and needs lot of will to push through . Companies of this size generally do not have the appetite for any type of change unless there is clear and present immediate danger that everyone perceives as one.

Sadly it takes a breach like this , one that impacts business significantly for most management to move in the right direction as they do not understands the risks fully until then. Just as home/medical insurance is really appreciated by someone who had to pay out of pocket.

A big problem with modern capitalism is that there is hardly any risk anymore. Risk is like a rocket ship that has left Earth, gone out of the solar system, and is not present on or near the planet anymore.

Your stock can drop 20% in a week, you can oversee the largest theft of valuable information ever recorded in history, and really the only thing that can happen to you is you make just as much money, perhaps more, if none of those things happened.

Can’t wait until the “Steve Bannon” of the corporate justice movement emerges to go after these individuals / the structure that creates them.

There is risk, it's just transferred. We saw a lot of transferred risk around 2008.
How do you define "modern capitalism?"
Anything pre-dating the fractional reserve system. Allowing entities to create value from no effort is not raising capital. Fractional Reserve systems lessen the skin-in-the-game spoken of earlier and transfer to societal decision making from the people doing the work and taking the risk to bureaucracies that are 'too big to fail'.
Interesting. Now I'm gunna go read up on those concepts. TIL.
> Can’t wait until the “Steve Bannon” of the corporate justice movement emerges to go after these individuals / the structure that creates them.

I'm sorry to sidetrack on this, but I was really puzzled by this sentence, that does it mean?

Steve Bannon is kind of known for having a “hit list” within the political establishment. So first it was the Bush’s/Clinton’s, then it was the Koch Brothers, and now he is saying “the day of reckoning” is coming for Karl Rove and Mitch McConnell. Sometimes I think Steve Bannon is crazy, but other times I read his remarks and am shocked by how liberal some of them seem, e.g. his recent comment that Republican plan of tax cuts to the rich is “an economic hate crime” against the working class.
Liberal? Have you read Breitbart? Bannon has ideas about class and economy that support egalitarianism - if you're a Christian, support old-school western cultural values, and are white. Apart from a few populist notions I don't think there's anything about Bannon that could be called "liberal".
People can have different political leanings on different subjects
I force myself to read Breitbart now and then, to understand what people with different views are thinking. What you've said is accurate. At the same time, Bannon displays intelligence and straight talk at times. For example, when tensions with NK started to heat up, he called Trump's "fire and fury" threat toothless because any opening of hostilities with NK sees 4 million+ residents of Seoul die within 48 hours. He was "telling it like it is", and he was fired from the White House immediately after. Now I don't agree with most of what he says but I can see how his followers admire his plainspokenness.
Totally agree with you here, I think I could have made my point better. He has a consistent ideology and sticks to his guns to be sure. What I meant was he is not liberal in the classical economic sense, nor in the American social sense.
I'm reminded of Howie Hubler, the man responsible for the single largest trading loss in history. His trade cost Morgan Stanley $9 billion. He resigned and was given $10 million in back pay.
He shouldn't get anything. He costed Equifax lots of money. His handling is going to have Equifax hundreds of millions of dollars going forward.
A rigged game where if you lose, you win.
For all the people who scream at this as unjust -- what do you propose instead?

I know your knee-jerk is "pay him $0!"

But seriously. If you were on their board. You disregard his employment contract? You don't honor contracts? You make a huge scene and have the CEO exit furiously?

And, you do realize the CEO didn't actively facilitate the breech?

I'm not defending him, but what would you really suggest?

(comment deleted)
I propose the CEOs payment is put on hold, behind all other creditors. Until all lawsuits are settled and all the creditors arising from them are paid in full he shouldn't see a dime of that money. In several years time, if anything remains of the company, he can collect.
People aren't mad that his contract is being honored, they're annoyed that there are no provisions for gross failure.

As for actively facilitating the breach, almost no CEO ever does. One of his jobs is to solve problems indirectly before they show up by appointing the right people to react to them. Appointing his college buddy as the chief of InfoSec was a gross failure to do that.

Totally fair response.

Do you think the board failed to minimize the total financial impact, and that shareholders will now vote to replace most of the board seats?

Shareholders run the company. Are we mad at the CEO, or mad at the shareholders?

It's hard to say what will happen, but the shareholders would be justified in replacing board members over this. Shareholders don't run public companies directly, I think the farthest that you can logically assign blame is with the board.

Did the board fail to minimize total financial impact? In this case, yes. At the same time, adding a "failure" provision to the contract may have scared off good CEOs. I find it unlikely that this CEO has created more value than an overall worse CEO who would have avoided this, but it depends on the outcome of the lawsuits and PR fallout.

Isnt't it implied as part of any work contract? I am pretty sure it is the case everywhere in older Europe.
I'm not a lawyer, so I can't say, but with numbers like that the former CEO could afford to have an entire law firm working on the case for him. I can't imagine that implications would go very far.
I agree that the shareholders might be justified in assailing the board.
> And, you do realize the CEO didn't actively facilitate the breech?

As CEO he is responsible for his company. If a breech happens, it’s because he mismanaged it. They take home huge salaries, stock options and other forms of compensation, supposedly because their job carries so much responsibility, then he should also take responsibility when the shit hits the fan. Not only should he not get a cent, every single dollar that the company loses as a result of this should be recovered from him. Bankrupt the fucker and have him live the rest of his days in a box under a bridge.

You cannot claim ridiculous amounts of money because of your responsible job and then not be held responsible.

I agree that he is responsible. But his contract doesn't read, "if any big bad thing happens, we pay you $0!"

That would surely be a great contract, but they would have a tough time hiring a CEO.

By analysis, every landlord should put a "if anything really bad happens at this property, you are fully responsible."

Landlords often require renters insurance for this exact reason and definitely try to hold tenants liable for damage. Many states have laws to prevent landlords from doing exactly this.
Right -- many states have laws to prevent landlords from writing such clauses.
> By analysis, every landlord should put a "if you burn the fucking house down, you are fully responsible."

FTFY.

> "if any big bad thing happens, we pay you $0!"

No, it should read 'if big bad things happen, you pay us the damages'.

The question is simple: Is the CEO (directly or indirectly) responsible for how the company operates ? If (s)he is, then it's fair (s)he gets a decent bonus when the company does well, but that would also mean they are responsible when everything goes south, and then they should pay for the damage. Otherwise they can basically take huge risks with the company in the hope they score a big bonus, and there will be no consequences when it goes tits up.

You cannot only be responsible when things go well, that's not how responsibility works.

>No, it should read 'if big bad things happen, you pay us the damages'.

It would be utterly ridiculous for any person to sign a contract that said "In the event this company gets hacked, you a personally liable." I wouldn't, and you wouldn't either.

I did this frequently when I was a contractor/consultant. I also retained insurance to mitigate the risk to myself.
That's fine, but then you get a normal salary.

If you claim you are responsible for the performance of the company, that goes both ways. You can't claim responsibility ONLY when things go well (and rake in large amounts of cash) and then when things go to shit suddenly act like you had nothing to do with it.

Such a contract would attract charlatains -- guys like Bernie Madoff. And then, when they found a data breech, they'd pull every trick to keep it hidden.

No doubt that CEOs should be held responsible. And here the board would say, yes, that's why we fired him.

> Such a contract would attract charlatains

No it wouldn't. The current contracts do that. The CEO can basically take huge risks with the company at zero personal risk. If it pans out, he gets a huge bonus, if it fails he bails out with a huge severance package and no personal consequences.

It's the same mechanism that got us into the financial crisis. Executives have every reason to take huge risks and none to play it safe.

> It would be utterly ridiculous for any person to sign a contract that said "In the event this company gets hacked, you a personally liable." I wouldn't, and you wouldn't either

Same claim was made before SOX forced attestations.

Where is the CIO/CTO in all of this? Would we expect a US President (or any Chief Executive of any country) to understand the importance of two-factor authentication? Or to audit his Nuclear Football? How many breaches of the VA occurred and we do not blame the President. We do criticize the response to these breeches and this CEO's response is "Thanks for all the fish," but we do tend to like it when heads roll; so I have no idea who is to actually be blamed and I think it is unreasonable to even begin assessing blame at this time.
> Would we expect a US President (or any Chief Executive of any country) to understand the importance of two-factor authentication?

No, but I would expect him/her to hire competent people who do.

Either you are responsible for the performance of the company or you aren't. If you are you can be richly rewarded when it performs well, but that should also include penalties when you fuck up.

(comment deleted)
Why is the employment contract structured so that the CEOs pay goes up with shareholder value but doesn’t go down when shareholder value is destroyed? It doesn’t have to be this way. Companies used to be structured as partnerships in most cases with the executives personally liable for harm to the company and caused by the company.
Because otherwise they couldn't hire a good CEO. Unless the shareholders and the board are making bad hiring decisions.
Maybe companies should filter CEOs based on their own confidence in their performance. I wouldn’t hire a sales person that wanted a large salary or guaranteed bonus; that means they don’t believe they will perform and earn a larger bonus.
We could also decide, as a society, that this is a problem; that the perverse incentives in place are harmful and change how companies are allowed to operate. For example, until the 90’s investment banks could only be general partnerships, meaning each banker was personally liable for the debt of the firm. What do you think that meant for how seriously they took underwriting risk? Similarly, law firms cannot sell stock and must only be owned by lawyers because society believes any other ownership structure would have a conflict of interest and harm clients.
You're right that we could collectively define new laws and rules. But what would they be?

Their are downsides to investment banks being private partnerships. On the other hand, I've talked with execs that wish the banks hadn't gone public. Yet they had strong incentives to go public.

The thing is they _didn’t_ hire a good CEO. This happened on his watch.
>The thing is they _didn’t_ hire a good CEO. This happened on his watch.

I guess nearly every US President and global leader, along with 80% of global CEOs aren't "good" either, because bad things happened on their watch. Some much, much worse than a data breach.

I'm not saying this guy was good, but that your standard is impossible to reach.

I disagree. The "this" that happened on his watch was not, in my opinion, that there was a breach, but rather the shitstorm about how it was handled - this happened on his watch and he did not handle it well and that is what makes him a bad CEO in my opinion.

Things happening isn't necessarily an indicator that the person is bad, but how they deal with it (in this case, he didn't for many months!) is an indicator. That's not an impossible standard to reach.

Well if CEOs aren’t responsible for the negatives they shouldn’t claim responsibility for positives.

Something tells me this guy had no problem collecting performance related bonuses.

> Because otherwise they couldn't hire a good CEO.

Yet they expect to hire good lawyers / engineers / team managers / janitors etc without such golden parachutes.

Why is the CEO position rewarded so greatly? Because the board comprises CEOs of other organisations.

They are the nobility of our era and look out for one another.

Haul the CEO in before a panel of senators like we did with Washington Mutual. Or, better yet, nationalize Equifax.

He didn't actively facilitate the breach but he certainly precipitated it with neglect and terrible leadership. That's why he's stepping down to begin with.

On that note, yeah, you are totally defending him.

Passive aggressive-language like "for all those people scream at this as unjust" and "your knee-jerk", indicates you're (weirdly) assuming superiority over those who are unhappy about an obvious injustice. Or perhaps you don't view his crime as injustice at all: "make a huge scene and have the CEO exit furiously", yes that kind of drama would be totally unfitting for one of the most serious data leaks in history.

Don't patronize us.

Have we seen his contract? There's likely a clause about gross misbehavior that would be grounds for termination.

"You make a huge scene and have the CEO exit furiously?" That would probably be very popular and maybe increase the stock value.

Put him on trial for criminal negligence.
When corporations behave in evil ways (e.g. exploit users, sue independent engineers extending their products, etc.) there is often a mention of shareholder interests making them do this.

Where exactly are shareholder interests in this story?

> "After all, the main benefit of Smith retiring from Equifax, as opposed to being fired for cause—besides preserving his dignity—is that he'll get to continue earning his unvested stock compensation, including options and performance-based awards, as though he were still working at the company, according to Equifax policy. That perk, however, could still be revoked."

Generally when you leave a company your vesting stops. This is such a sweet deal, it's disgusting. They should have fired him for gross negligence and sue the lot of them.

(I know, they're probably thoroughly protected by corp vs individual status, layers of bureaucracy, etc, etc but it makes me feel good saying "sue the bastards!" so let me. ;) )

I think the issue here is that Equifax's systems are in a bad way. They need a new CEO but if they left the current one in the cold, they'd have a hard time finding a new CEO who'd be willing to bear ultimate responsibility for a system they had 0 influence in building. I believe that's the deal with golden parachutes - in the eyes of corporations, there are very few qualified CEO candidates and these candidates dictate terms - the first of which is a golden parachute.
I heard a commentator (I think from Forbes) say that it is bad that the CEO is leaving because you now have an additional crisis of finding a new one on top of the current mess. Although I suppose this assumes that the now retired CEO has knowledge of the company that is valuable... Time will tell.
So as a CEO, what is his motivation to ensure the security of his custommer's data? This seems like a motivation to get hacked!
The risk is all borne on the little people. If strategic direction is an abject failure, C-suite leaves with golden parachutes and the workforce is "rationalized" which means 3rd party consultants are used as justification for draconian cuts. The American Dream these days is to get to the protection (and unjust/unfair risk-free status) of the C-suite umbrella asap.
I guess that's just how it works in present day capitalism though there might be a gap for some new laws and court system that could assess damage to the public and fine the directors something based on a guess of their responsibility even if you can't really prove who's fault things were. I doubt the odd injustice of someone not quite guilty losing a chunk of their assets would worry people that much. Like in this case you could fine the ceo say $90m even if he only has part responsibility for the breach.