On July 31, just 48 hours after Equifax’s chief executive officer was alerted to what the Atlanta-based credit bureau would soon learn was a breathtaking data breach, it enlisted the help of King & Spalding and the law firm’s data security team, former CEO Richard Smith testified at a hearing Tuesday.
But despite retaining the firm and its data security experts, Equifax waited more than a month before notifying the public on Sept. 7 that hackers had accessed personal and financial information for about 145.5 million consumers, Smith testified Tuesday before the House Subcommittee on Digital Commerce and Consumer Protection.
In response to often pointed questions from committee members, Smith insisted the delay was because he and his top executives, despite an Aug. 2 decision to call in King & Spalding and notify the FBI, knew only that “suspicious activity” had been detected on one of the company’s internet portals, not that their data banks of consumer information had been accessed.
King & Spalding partner Phyllis Sumner confirmed she is representing Equifax on Equifax data security matters. Sumner, the firm’s chief privacy officer, leads its data security and privacy practice. According to the firm biography, she counsels the corporate board, senior executives and other clients regarding data breach prevention, emergency response, remediation, compliance, regulatory enforcement, internal corporate investigations and addresses other critical privacy and data security concerns.
“At that time, to be clear, we did not know the nature or the scope of the incident,” said Smith, who retired from the company last week after accepting responsibility for the hack that occurred on his watch. “It was not until late August when we concluded we had experienced a major breach.”
Only then, Smith said, did he notify the company board of directors. He said he notified the presiding director, Mark L. Feidler, on Aug. 22 and the entire board at a meeting two days later. Still, the company waited two more weeks before going public with the massive hack.
Equifax was still 24 hours away from bringing King & Spalding on board when Equifax Chief Legal Officer John Kelly on Aug. 1 personally approved a sale of Equifax stock by Chief Financial Officer John Gamble, Smith testified Tuesday. Gamble’s stock sale was worth nearly $950,000, according to the SEC.
On Aug. 2, the same day King & Spalding was hired, Kelly approved two additional stock sales by Joseph Loughran, Equifax’s president for U.S. information solutions, and Rodolfo Ploder, president of workforce solutions, Smith said. The three stock sales totaled more than $1.8 million. When Kelly approved the sales, Smith acknowledged in response to questions from committee members, Kelly had known for two days of what Smith described as “suspicious activity” regarding the company’s data banks.
But Smith insisted, to the best of his knowledge, the executives who sold stock with Kelly’s OK were unaware that any suspicious activity involving the potential compromise of company-held consumer information was under investigation.
Kelly was already aware of the problem, having been informed July 30 by Equifax’s chief security officer of the “suspicious activity,” and had notified Smith by email, the former CEO acknowledged.
But Kelly, he insisted, “did not know of a [data] breach” when he approved the executive sales. “All he knew at the time, was there was suspicious activity. … We had no idea PII [personally identifiable information] had been compromised. We had no idea data had been exfiltrated.”
Smith insisted it was not Kelly, a former King & Spalding partner, who had brought in the venerable Atlanta law firm. Instead, he testified, Equifax’s Chief Security Officer Susan Mauldin “reached out to forensic experts and outside counsel King & Spalding, and she engaged them at that time.”
Kelly’s role in approving the stock sales—which Smith said was a company requirement before executive shares could be sold—prompted Rep. Tony Cardenas, D-California, to ask for another hearing at which Kelly would be asked to testify.