After the revelation that a cybersecurity incident impacted roughly 143 million consumers in the United States, Equifax Inc. is facing fallout from the company's response to the breach, planned probes from Congress, investigations from state attorneys general – including New York's AG – and potential class action litigation.
At the helm of the consumer credit reporting company's legal department, and surely a major player in handling the company's legal and reputational risks, is John Kelley III, whose responsibilities include security and compliance, according to Equifax's website.
Kelley, who could not immediately be reached for comment, has been Equifax's corporate vice president and chief legal officer since 2013, presumably having a hand in guiding the company through a number of previous security issues. Along with security and compliance, he is also responsible for everything from corporate governance and privacy functions to government and legislative relations. In a March 24 U.S. Securities and Exchange Commission filing, Equifax noted that Kelley's total compensation last year was nearly $2.8 million, adding that he had received a "distinguished" rating on several individual performance objectives. Listed among these goals: "Continuing to refine and build out the company's global security organization."
In a 2012 independent service auditors' report from KPMG, the "global security organization" at Equifax was described as a unit that reports to the general counsel and CLO and is responsible for "defining information security policies and standards and monitoring compliance with security policies and standards" as well as conducting monthly security scans of the Equifax network.
Going forward, Kelley and Equifax's legal department will face litigation related to the breach, which though revealed last week, was actually discovered on July 29. A Sept. 7 suit filed just hours after the announcement in U.S. District Court for the District of Oregon in Portland–which reportedly may seek as much as $70 billion in damages and requested class certification–alleged that Equifax "negligently failed to maintain adequate technological safeguards" to protect consumers' information from hackers.
It will also be necessary in the coming weeks and months to outline the steps taken by Equifax to mitigate harm and possibly to even prove how the company is going to protect its customers going forward. Two committees in the U.S. House of Representatives, the Financial Services Committee and the Energy and Commerce Committee, have already announced hearings on the breaches. And in a Sept. 8 letter, the U.S. Senate Committee on Commerce, Science and Transportation requested that Equifax provide a number of details about the breach, including a detailed timeline of events and the types of data compromised, no later than Sept. 15.
Beyond just answering to consumers and regulators, Kelley will have questions to answer from other company leaders.
In recent years, top legal execs have taken on more of a role when it comes to cybersecurity efforts within a company. And while it's true that a company the size of Equifax, which has approximately 9,500 employees worldwide, likely has others in the legal department who focus on cybersecurity, it's often the case that the top lawyer takes ultimate responsibility when there are issues.