No, I think the corporate death penalty is a perfectly valid outcome here. Equifax had literally one job: to control and broker the sale and secure transmission of sensitive personal identifying information and financial records for basically every adult in the United States. They failed at adequately performing that job, with the result that now millions of Americans are subject to an elevated risk of identity theft, and every other company on Earth that offers them credit is subject to an increased risk of fraud.
This isn’t like Target or Home Depot, whose breaches were terrible but not directly centered around the core operational purpose of their business, and whose data leaks contained far less personally identifying information. Equifax has wielded tremendous power over the financial lives and futures of virtually all Americans, and was obviously always going to be a massive target because of the fact that they centralize and collate detailed identity and financial records for millions of people by design. The fact that they were breached, that the breach occurred through such a pedestrian means of attack (an improperly-configured web server connected directly to their data back-end? c’mon…), that they failed to inform anyone of the breach for over a month, that their executive board members appear to have engaged in illegal insider trading during the period between discovery and disclosure, and that the company’s response post-disclosure has been atrociously managed and executed is more than enough proof to me that they are too incompetent and corrupt to continue existing.
Shit like this has to start having real, serious consequences. This:
is simply no longer an acceptable response to this sort of incompetence. Even if the government doesn’t outright rescind their business license, they should be subject to so much civil liability that it puts them out of business permanently.
