Equifax’s CEO exits after breach
Richard Smith will keep pension, valued at $18 million, but will not get 2017 bonus or a severance payment.
Richard Smith will keep a pension valued at $18 million but will not get a 2017 bonus or severance payment.
Equifax announced Tuesday that its chief executive would step down effective immediately, weeks after the credit-reporting company disclosed a massive data breach.
Richard Smith, who also served as chairman of the Equifax board, is the latest casualty at the company as a result of the breach, which exposed the Social Security numbers and birth dates of up to 143 million people.
Equifax’s nearly six-week delay in notifying the public about the intrusion into its vast database of sensitive information — and the bungled handling of potential fixes — led to an outcry from consumers and lawmakers as well as state and federal investigations.
The breach has caused much more concern than previous incidents, such as those involving Target and Yahoo, because of the amount of consumer data warehoused by Equifax and the nation’s other two major credit reporting companies.
“It’s one thing when you use your credit card and they get your credit card information and they can steal your number. You cancel that card,” said Michael Burg, founder of the Denver law firm Burg, Simpson, Eldredge, Hersh & Jardine.
“Here, the data that they have includes your Social Security number, includes where you shop, includes your credit history from all kinds of places,” he said. “It is so much more personal.”
Sen. Mark Warner (DVa.) on Tuesday called the Equifax breach “a travesty” and questioned “whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cybersecurity.”
The company’s stock price has tumbled as it scrambled to control the damage, including backtracking on initially making consumers give up their right to sue if they wanted free credit monitoring and identity theft protection.
Adding to Equifax’s troubles was the revelation that three executives sold thousands of shares of company stock in the days after the breach was discovered July 29 — long before the public was informed of the breach
this month and the stock price nosedived. Equifax has said the executives were unaware of the breach when they sold the shares.
The company’s stock was up slightly Tuesday, but it is down about 26% since the data breach was announced.
Smith’s abrupt departure came just days before he was scheduled to face angry lawmakers at two congressional hearings. He still will receive his full pension, which was valued at $18.4 million as of the end of last year, but he will not get a 2017 bonus or severance payment, Equifax spokeswoman Ines Gutzmer said.
The board appointed Paulino do Rego Barros Jr., a seven-year veteran of the company who most recently served as its Asia Pacific region president, as interim CEO. The board also appointed independent member Mark Feidler to serve as non-executive chairman.
Equifax said it would start a search for a permanent CEO and would consider candidates from outside the company.
“The board remains deeply concerned about and totally focused on the cybersecurity incident,” Feidler said in a statement. “We are working intensely to support consumers and make the necessary changes to minimize the risk that something like this happens again. Speaking for everyone on the board, I sincerely apologize.”
Feidler, a partner and cofounder of private equity firm MSouth, said the board has formed a special committee “to focus on the issues arising from the incident and to ensure that all appropriate actions are taken.”
Equifax, one of the nation’s three major credit-reporting companies, revealed the data breach Sept. 7. The company said a website vulnerability led to an intrusion that lasted from mid-May through July.
The breach was discovered July 29, and Equifax said it spent the following weeks working with a cybersecurity consultant and authorities on an investigation.
Investigations have been launched by regulators, congressional committees and state attorneys general. On Tuesday, San Francisco became the first U.S. city to sue Equifax over the breach.
Smith was scheduled to testify at a House Energy and Commerce Committee hearing Oct. 3 and a Senate Banking Committee hearing the following day. He is still expected to testify at the House hearing.
“I look forward to hearing directly from Mr. Smith on this unprecedented breach impacting millions of Americans,” said Rep. Greg Walden (R-Ore.), chairman of the House committee.
Rep. Maxine Waters (DL.A.) said Smith’s departure just days before the House hearing doesn’t remove the company’s obligation to explain the data breach and provide redress for people who were affected.
“The public deserves answers about what occurred at Equifax, and its entire board of directors and senior management team should be accountable for the enormous harm caused to consumers across the country,” Waters said. “There will be consequences.”
A Senate Banking Committee spokeswoman did not immediately respond to a question about whether Smith would still appear at the Oct. 4 hearing. But Sen. Sherrod Brown (D-Ohio), the committee’s top Democrat, said Tuesday that he expected Smith to testify.
Sen. Elizabeth Warren (D-Mass.) said Smith should be joined by Feidler and Do Rego Barros at next week’s hearing.
“It’s not real accountability if the CEO resigns without giving back a nickel in pay and without publicly answering questions,” she said.
Brown said Smith and other Equifax executives should not get a “big payday” on the way out.
“There’s no easy out for the working families that Equifax exposed to cybercriminals, so there shouldn’t be a big payday for the company’s CEO,” Brown said. “Equifax executives cannot be allowed to wash their hands of this while millions of Americans are left to deal with the consequences.”
Although a company news release said Smith was retiring, Gutzmer said Smith and the board “expressly agreed to defer any formal characterization of his departure and the determination of any payments or benefits” he is owed until after the review of the breach.
Smith earned $15 million in total compensation in 2016, including a $1.5-million base salary and $7.3 million in stock awards, according to the company’s securities filings.
As of Dec. 31, his pension was valued at $18.4 million, the filings showed. Smith is entitled to that pension “under any circumstances,” Gutzmer said.
Jay Clayton, chairman of the Securities and Exchange Commission, declined to comment directly about Equifax when pressed by Brown at a Senate Banking Committee hearing Tuesday.
Clayton said he generally believed that there should be a way to recover bonuses and other financial gains from executives if they have “profited from a high stock price that’s a result of failure to disclose or other acts that are clearly violations of our securities laws.”
But he would not commit to enacting rules to allow the SEC to order such clawbacks as opposed to relying on corporate boards to do it.
Smith is leaving after 12 years leading Equifax, the company said.
“Equifax is a substantially stronger company than it was 12 years ago,” Feidler said. “At this time, however, the board and Rick agree that a change of leadership is in order.”
Smith said in a statement that serving as the company’s CEO “has been an honor.”
Smith isn’t the first Equifax executive to step down since the breach. On Sept. 15, Equifax announced that its chief information officer and chief security officer were retiring effective immediately.
Equifax has said the hackers exploited a vulnerability in one of its U.S. websites.
Brian Krebs, a cybersecurity expert and author of the website Krebs on Security, said the attackers gained access to the inner workings of the site’s software, which “allowed the hackers to behave as if they were inside the company accessing that data.”
“It’s like you left the back door open to your house — wide open,” he said.
The software at issue is widely used by companies and others, and Krebs said that its vulnerability to attack was first spotted by the industry in March and that a patch was available to fix it.
“But Equifax didn’t patch it until after the damage was done,” Krebs said. “The bad guys beat them to it.”