WASHINGTON — In announcing Tuesday that Equifax CEO Richard Smith will take early retirement, the credit reporting bureau observed an increasingly well-worn ritual of scandal-ridden firms: apologize, promise to do better in the future, and sacrifice your top executive in the hopes it will ward off action by Congress and regulators.
It's a playbook that Wells Fargo used just a year earlier, although Equifax made at least one crucial change. It jettisoned its CEO before he was due to appear before two congressional committees next week, a move that Wells made only after its top leader had been excoriated by lawmakers first.
“We’ve seen this ceremonial sacrifice dozens of times in the wake of scandals,” said Isaac Boltansky, an analyst at Compass Point Research & Trading. “The only difference this time is that the decision is occurring before the public flogging by members of Congress.”
The House Energy and Commerce Committee scheduled a hearing with Smith for Oct. 3, while Senate Banking has a hearing on Oct. 4.
It remains unclear, however, if Equifax's attempt to get ahead of lawmakers will help ease their criticism — or backfire. The committees may now ask for testimony from not only the company's former management, but also current, new management, in order to examine what actions are being taken going forward to ensure another data breach can't happen again.
“This hearing wasn’t just about the breach — it’s about the company’s actions in response to the breach,” Boltansky said. “So if someone else is going to be directing those actions, doesn’t it stand to reason that the new person running point on the response should step before Congress as well?”
Several lawmakers were already demanding that Smith and his successors, interim CEO Rego Barros Jr. and nonexecutive chairman Mark Feidler, appear next week in front of the committees.
"Mr. Smith, along with the new chairman and the new interim CEO, should all testify before the Senate Banking Committee," Sen. Elizabeth Warren, D-Mass., said in a press release. "The American public deserves answers about what went wrong at Equifax and what the company plans to do going forward."
Other Democrats demanded the same thing, including Sen. Sherrod Brown, D-Ohio, and Jon Tester, D-Montana.
“His resignation is less about spending time with his family and more about not spending time with us," Tester said.
Feidler said in a statement Tuesday that Equifax’s board remains “deeply concerned about and totally focused” on the data breach, in which more than 143 million customers’ personal information may have been compromised.
In many ways, Equifax is in a far more precarious position than Wells was when regulators revealed that former employees had opened up millions of phony accounts to meet sales goals. Though there was a call from some Democrats like Rep. Maxine Waters, D-Calif., to carve up the bank as a result, the appetite to place more regulations on banks has slackened following the enactment of the Dodd-Frank Act in 2010.
But that is not the case with regard to credit bureaus. Warren and other Democrats are already pushing a bill that would create a federal requirement for credit bureaus to offer free credit freezes to consumers affected by a data breach.
And such legislation may turn out to be relatively kind compared to what other lawmakers are seeking. Sen. Mark Warner, a pro-business moderate Democrat from Virginia, sharply questioned Tuesday whether Equifax should be allowed to continue to operate given its cybersecurity lapses.
“I question whether Equifax even has the right to continue providing these services with the level of sloppiness” it has shown, Warner said.
Sen. John Kennedy, R-La., suggested the Senate Banking Committee should look at how credit bureaus interact with consumers.
“In my opinion, many Americans are curious about the credit reporting agencies,” Kennedy said. “I didn’t hire them. I didn’t hire them to collect information about me. They don’t represent me. … Now all of sudden my information is out there somewhere on the dark web.”
He added, “It seems to me at some point … that is something we need talk about in this committee. What is the role the credit reporting agencies play and who do they have an obligation” to?
To be sure, most Republicans on the banking panel didn't appear willing to go as far, at least not yet. Sen. Mike Crapo of Idaho, the panel chairman, said Tuesday that the breach has “highlighted the need to protect this sensitive and valuable information."
Crapo later told reporters he was still evaluating whether he would summon Smith to testify.
Andrew Ricci, vice president of strategic communications and crisis management firm Levick, said the lesson that other firms need to take away from Equifax’s experience is that data intrusions are inevitable. The key thing is having a plan once the breach happens, he said.
“Companies that think they aren’t going to be the subjects of a data breach … are living in a fantasy land,” Ricci said. “Step one is not asking yourself if you’re going to get hacked, but asking when you’re going to get hacked and to have a plan in place.”
Ricci said that if he were to give Equifax a grade for its response to the breach to date, he would give them a C+, noting that its notification of the breach was robust and fairly prompt and came from the chief executive, rather than from a lower-level staff member. But the real test, he said, is how the company repopulates its c-suite positions that have now been vacated.
“I think they really have to look at making sure they don’t try to cut corners,” Ricci said. “As they do the search … they really need to be looking toward someone who can rebuild trust in the brand, and someone who understands that this probably isn’t going to be a one-off thing.”
Meanwhile, Equifax continues to be slammed with lawsuits over the data breach. The latest financial institutions to sue are the $79 million-asset Bank of Louisiana in New Orleans; Aventa Credit Union in Colorado Springs and First Choice Federal Credit Union in New Castle, Pa.
Those three companies jointly filed a lawsuit Friday that is seeking class-action status. It follows a similar case brought recently by Summit Credit Union in Wisconsin.
In the latest lawsuit, the plaintiffs argue that the massive data breach at Equifax will impose considerable costs on financial institutions as they try to monitor, prevent and respond to fraud.
“With a breach of this magnitude, there is virtually no limit to the amount of fraudulent account openings financial institutions may face,” the complaint states.
Kevin Wack contributed to this article.