Equifax is in trouble. The credit reporting company failed to protect the personal financial data of as many as 143 million Americans. Equifax’s failure exposed not just names and addresses, but also Social Security numbers, birth dates, drivers’ license numbers, and credit card numbers.
The Federal Trade Commission, Congress, and about 40 state attorneys general are investigating the data breach, and both the Massachusetts attorney general and the city of San Francisco are suing on behalf of residents whose information was compromised.
That’s a start. But it’s not enough. Equifax’s failure calls for the corporate death penalty, through a rare but vital procedure called judicial dissolution.
Under the law of Georgia, where Equifax is incorporated, the state attorney general may file a lawsuit in state court to dissolve a corporation if the corporation “has continued to exceed or abuse the authority conferred upon it by law.” (All 50 states have similar provisions.) State attorneys general don’t invoke these corporate death penalty statutes often, especially not against large, well-known corporations. But Equifax could not have obtained its unusually important position in our economy without the privileges of a corporate charter conferred by law, and it has forfeited its claim to those privileges.
Equifax’s entire reason for existence is to collect and maintain private financial data about individuals who are not customers of the company. This isn’t like other data breaches, such as the 2012 credit card data breach at Barnes & Noble, or the 2015 hack of frequent-flyer account data at British Airways. Those breaches were bad. But they affected people who had chosen to do business with these companies by buying books or airplane trips. Most of the people whose data was compromised by Equifax’s lax security don’t even know that Equifax exists, let alone that it maintains their private financial data.
While there’s never an excuse for major companies to be sloppy with customer data, Barnes & Noble and British Airways aren’t in the business of securely storing private financial data. They’re in the businesses of selling books and flying airplanes. When a bookstore or airline doesn’t manage customer data well, then the company needs to compensate its customers for its negligence, accept its punishment, and reform. But when a company’s entire reason for being is managing individuals’ most sensitive private financial data, and it fails spectacularly, it should not be further entrusted with that important responsibility.
Equifax’s conduct after the breach has given little comfort. Before revealing the breach to the public, senior executives sold $2 million worth of stock. Meanwhile, after the breach was made public, Equifax offered consumers free credit monitoring—but tried to force them to accept a mandatory arbitration provision clause buried in the fine print.
In fact, Equifax wasn’t even competent enough to close the stable door after the horse had bolted. Over a week after the US breach was revealed, a small computer company in Milwaukee noticed that in one Equifax computer system based in South America, customer records could still be accessed by entering the username “admin” and the password…”admin.”
This is not the conduct of a company that deserves to continue to be entrusted with a critical role in our economy. State laws enable the creation of corporations because they are thought to confer a benefit on society. But not in this case. Equifax had one job, and it failed. More than half of American adults woke up one day to learn that a corporation that few had ever heard of had lost control of financial data that they never knowingly gave it.
MORE ON EQUIFAX
Dissolving Equifax would not require putting innocent people out of work or demolishing its office buildings. Working with a court-appointed receiver, the Georgia attorney general could develop a plan to deconstruct Equifax’s current corporate structure. It could continue to operate and pay its staff and vendors while dissolution is pending in court, and legitimate business lines could operate successfully afterwards under new ownership.
Equifax’s core customer data business, meanwhile, has some assets that could be sold to competitors or other new owners. Some of the main so-called assets, however, are questionable: the private financial data, which the company can no longer be entrusted to maintain; the computer code that maintains and protects that data, which evidently is inadequate to the task; and the intangible value of Equifax as a going concern, known in accounting as “goodwill.” Dissolving the company would certainly eliminate any remaining goodwill. But frankly, Equifax doesn’t have much goodwill these days anyway.
To be fair, Georgia’s attorney general, Chris Carr, hasn’t ignored the Equifax breach. He signed a group letter to Equifax along with over 30 other state attorneys general, and joined the larger multi-state investigation. Yet Carr has been content simply to participate in a broader coalition, emphasizing his duty to protect Georgia’s consumers. That’s a start, but not the end. Because of his office’s unique oversight powers over Georgia corporations, Carr needs to ask larger questions—including whether Equifax’s abuse of its state-granted corporate powers justifies revoking its corporate charter.
A few years ago—starting soon after the Supreme Court’s 2010 Citizens United decision, which held that corporations have the same right as people to spend money to influence elections—a popular bumper sticker proclaimed, “I’ll believe corporations are people when Texas executes one.”
We shouldn’t use the corporate death penalty lightly. But at this point, Equifax has lost its justification for existence.