An Equifax executive is going to jail, but not for letting your data get stolen

It's been nearly two years since the massive data breach that hit credit reporting bureau Equifax, exposing the personal information of more than half the adult population in the United States. Now, finally, someone involved in the mess is going to jail. It's just not for playing it fast and loose with your sensitive data.

Jun Ying, the former chief information officer at Equifax, will spend four months in prison for insider trading that occurred after the breach. According to the U.S. Department of Justice, Ying first learned of the breach near the end of August, several weeks before the company revealed the incident to the public. After learning of the massive security lapse, Ying began looking into how similar breaches had affected the stocks of companies.

Later that morning, he exercised all of his stock options and sold off his entire share of company stock. The sale netted him nearly $1 million, but more importantly for Ying, it saved him from a $117,000 loss that he would have incurred if he had held onto the stock through its tumble after the breach was made public. We also know that Ying knew the security lapse was bad, not just because he went and sold every bit of company stock that he could before it lost a significant amount of value, but because he fired off a text to another Equifax employee to say the situation "sounds bad" and note that "We may be the one breached." (Ironically, Equifax's stock bounced back to nearly the same levels it was at prior to the breach in just one year, and is now just a few points below its peak prior to the breach, because there is truly no justice in this world.)

Despite his awareness of how destructive the situation could be, here's what he didn't do: he didn't immediately inform the public their information was at risk. He didn't disclose to the more than 145 million Americans affected that their names, birth dates, Social Security numbers, addresses, and, in some cases, driver’s license numbers were in the hands of hackers and could end up being sold online. He didn't rush to make sure his company offered free, comprehensive protection for the millions of people who were put at risk. He instead opted to protect his bank account rather than the people who Equifax ostensibly is supposed to have a responsibility to protect.

Ying is one of the first people to actually be held to account for the Equifax breach with jail time, but it's not for the negligence involved in allowing the company's systems to be left vulnerable to an attack. There has still yet to be a real price paid for that. Several small lawsuits have managed to chip away some compensation from the company, including a data privacy expert who won $8,000 in small claims court and a librarian who got $600 for a similar legal challenge. The company is still settling class action lawsuits that sprang up in the fallout of the breach and has started to set aside cash to pay for any lawsuits and federal fines that may still be coming. When all is said and done, the security lapse is projected to have cost Equifax $1.4 billion. That's almost exactly how much it is projected Americans spent on credit protection following the breach. Odds are, most people aren't happy with just calling that even.

If there are ever going to be real punishments for companies and their executives who are responsible for exposing people's sensitive information, the government will have to step up. Democratic Senator and presidential candidate Elizabeth Warren has called for jail time for CEOs who are at the helm of a company when a substantial breach occurs. And earlier this year, the Government Accountability Office called for more authority to be provided to the FTC and Consumer Financial Protection Bureau to keep companies like Equifax in line and punish them when they violate the public trust. Unfortunately, those agencies have been largely toothless, particularly under the Trump administration. Something has to change, otherwise companies that suffer massive breaches will continue to operate as if it's business as usual — and at this point, that's exactly what it is.