This past Thursday we shared the news of Equifax CIO Jun Ying going to prison for four months related to the hack which leaked the information of 150 million people.
One might imagine the reason for the sentence was related to allowing the hack to happen but this is not the case. It was related to insider trading – he avoided a loss of $117,000.
Before we go on – let’s acknowledge, a determined hacker can sadly get into just about any organization.
Let’s also stipulate that our system of justice is based upon biblical law – an eye for an eye. We no longer bash each other in our quest for justice; we use fines, payments and jail to punish people who are convicted of wrongdoing.
But often, the system seems out of whack.
Equifax has 121 million shares outstanding. The company is worth about $16.3 billion.
Insider trading laws are designed to protect shareholders from financial loss – to ensure the system is fair. It’s tough to imagine a trade saving just over $100,000 hurting anyone.
Yet this action caused a prison sentence of four months to be handed down.
Looking at this another way, shareholders are actively buying stock in a company and are protected when a company makes a mistake. In this case, an officer did not do the right thing, did not follow the rules and subsequently paid the price.
One could argue the hack which took place was also the result of making a mistake – not keeping systems updated.
The hack affected almost every person in the U.S. with credit. These people did not ask to be part of the Equifax database. They are not customers of the company. The insider trading affected perhaps thousands. And even then – their losses, if any, can probably not even be calculated as they might be a fraction of a cent per share.
The hack could be responsible for identity theft which could hurt tens of millions of people. Bank accounts can be cleaned out in this manner.
20 million people losing $10,000 each equates to $200 billion.
The hack has led to no jail time – tremendous financial loss but no jail.
At some point regulators will have to make cybersecurity laws tougher. GDPR is one way to push companies to take the issue more seriously, but what many do is just up their insurance.
In short, eventually more needs to be done. Looking at the unfairness of the situation above shows we can enact laws to protect shareholders. When will we have better laws to protect the unwitting member of a corporate financial database which could have been secured more effectively?