Although the company was accused of “malfeasances” (by Senator Chuck Schumer, Democrat of New York), it appears more likely that it was a matter of nonfeasance: Equifax did not properly install a security patch to open-source software it had used, even though it was available weeks before the hackers exploited the flaw.
That failure may well have been negligent, but that level of intent is rarely the basis for prosecuting white-collar offenses. Negligence is used regularly only in federal criminal prosecutions for food and drug safety problems and environmental contaminations.
The claim that someone needs to be put in jail (by Senator Heidi Heitkamp, Democrat of North Dakota) was related to stock sales by three Equifax executives, including the chief financial officer, on Aug. 1, just a few days after the company became aware of the security breach. The Justice Department confirmed that it is investigating for possible criminal insider trading, but it is unclear what any of the executives knew about the hacking when they sold the shares.
Although the timing of the stock sales certainly looks suspicious, it may be that the executives did not know the extent or severity of the hacking, and therefore did not trade on material nonpublic information, a central requirement for pursuing a case.
On the regulatory side, Equifax and its two main competitors, TransUnion and Experian, come within the purview of the Federal Trade Commission and the Consumer Financial Protection Bureau. But the likelihood of significant civil penalties for Equifax for any violations is small, and perhaps nonexistent. The F.T.C., which broke with tradition by publicly confirming that it had launched an investigation of Equifax, cannot hit companies with heavy fines, at least for a first offense. And the C.F.P.B. has limited power to impose penalties because it deals primarily with misleading information or products provided to consumers.
A number of state attorneys general have opened investigations into the hacking, and Massachusetts filed a lawsuit seeking civil penalties from Equifax for not protecting sensitive information. These types of claims are often limited to the actual harm caused to consumers in a state, something that might take months or years to manifest.
Equifax is a publicly traded company, so the Securities and Exchange Commission could investigate whether it had improperly delayed disclosing the security breach by waiting almost six weeks before informing…