The performance of Equifax Inc.'s board of directors is likely to come under scrutiny after the consumer credit reporting agency said the names, Social Security numbers, birth dates and driver's license numbers of more than 143 million Americans were exposed as a result of a cyberattack.

The breach has sparked investigations by the attorneys general of New York and Illinois, as well as a probe by the U.S. House Financial Services Committee and a $70 billion class-action suit brought by two women in Oregon.

At issue is how well the board lived up to its risk management responsibilities, which include cybersecurity, according to corporate governance experts. Equifax has apologized to consumers and business customers.

"It's not a good day to be on the Equifax board," said David Finke, who leads the global technology sector at the executive search firm Russell Reynolds Associates. Cybersecurity "needs to be a regular topic of discussion, particularly for an industry with sensitive information."

Equifax Chief Executive Officer Richard Smith, 57, is also the chairman of the board of directors. "While we've made significant investments in data security, we recognize we must do more. And we will," Smith said in a statement. The company said it has engaged an independent cybersecurity firm to "conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again." It didn't name the company.

Equifax didn't respond to questions about what investments the company has made in data security, how much it has spent or what changes it is planning to make. The Atlanta-based company has a market capitalization of about $14 billion.

Equifax faces legal liability because "they simply haven't invested the proper resources to protect client data," said Andrew Stotlmann, a securities lawyer in New York who has brought lawsuits and arbitration actions against firms including Merrill Lynch and Morgan Stanley (MS) involving claims for fraud, unsuitable investment recommendations, excessive trading and breach of fiduciary duty.

"The Equifax breach has potentially exposed sensitive personal information of nearly everyone with a credit report," New York Attorney General Eric Schneiderman said in a statement announcing his investigation into the data breach.

Illinois Attorney General Lisa Madigan urged state residents to take precautions, such as freezing their credit, to reduce any damage, the Associated Press reported.

Georgia Attorney General Chris Carr did not respond to a request for comment on whether his office would be investigating by the time of publication.

In certain industries, a board may wish to have a director who is knowledgeable about cybersecurity, or to create a separate technology committee whose responsibilities include cyber-risk oversight, according to David Katz and Laura McIntosh of the law firm Wachtell, Lipton, Rosen & Katz in a May 2017 post on the Harvard Law School Forum on Corporate Governance and Financial Regulation.

"We'd never advocate for a board having single issue directors," said Finke. "You need good board members who can address all issues." Still, Finke said that companies should be looking at their board composition to ensure that they have the right level of expertise to address cybersecurity concerns. He said it's time for boards to add a "qualified technology expert," similar to the qualified financial expert that is required by the SEC.

Five members of Equifax's 11-member board serve on the technology committee, which may have responsibility for cybersecurity, though the company didn't respond to queries about whether any particular board committee has that duty. John McKinley, 60, the chair of the committee, has been the Chief Technology Officer at General Electric Capital Corp., Merrill Lynch & Co., Time Warner Inc. (TWX) and Twenty-First Century Fox Inc. (FOXA), according to BoardEx, a relationship mapping service of TheStreet Inc. Mark Feidler, a former chief operating officer at Bellsouth Corp.; G. Thomas Hough, a former vice chairman at Ernst & Young LLP; Elane Stock, a former group president at personal care company Kimberly Clark Corp. (KMB); and Mark Templeton, a former CEO at software company Citrix Systems Inc. (CTXS), are the other directors on the committee.

All of those directors except for Hough earned more than $238,000 in compensation for their board work in 2016, according to a filing with the Securities and Exchange Commission. Smith, the CEO and chairman, was paid $14.9 million by Equifax in 2016, a $2 million raise from 2015, according to SEC filings.

Three senior Equifax executives, including the company's chief financial officer, John Gamble, sold shares worth collectively almost $1.8 million in the days after the cyberattack was discovered. The trio had "no knowledge that an intrusion had occurred," Equifax told Bloomberg.

"The best defense - from attacks, from the attendant consequences, and from subsequent litigation - is a carefully tailored and constantly updated protective scheme accompanied by a detailed response plan," wrote Katz and McIntosh.

Shares of Equifax fell 13.7% to $123.23 in Friday trading on the New York Stock Exchange.

Editors' pick: Originally published Sept. 8.