As the fallout from the, people are increasingly looking at the company's CEO. For many, the question is not whether Richard F. Smith, who has led Equifax since 2005, will step down, but when.
The size of the breach, which affected 143 million customers, and the months it took for Equifax (EFX) to disclose it, hit hard at Smith's ambitions to build the company into a big data "powerhouse," as The Wall Street Journal reported. It's also not clear when Smith found out about the breach. At an August meeting two weeks after it was discovered, he extolled the importance of data security and said protecting data was "a huge priority" for Equifax.
"I'd draw the analogy with Wells Fargo -- it seems like a fall-on-your sword kind of incident," said Brett Horn, an analyst with Morningstar.
The comparison with Wells Fargo (WFC) is apt. Massachusetts Democratic Sen. Elizabeth Warren last week called for Federal Reserve to ditch Wells Fargo's board, noting the central bank has the power to remove directors. Speaking on CNBC's "Mad Money," she linked the malfeasance at the bank with Equifax's mishandling of customer data.
"For Equifax, this means there is going to be tremendous pressure coming from Congress to do a complete replacement of senior management," said Cowen analyst Jaret Seiberg in a note.
Moreover, the company is facing pressure to improve from banks, which are among some its biggest customers, Reuters reported. Banks are essential to the operations of the credit-reporting agency because they give Equifax the financial information it compiles into reports and credit scores.
The company's stock is down 27 percent since the breach was revealed.
"If you look at the latest cases of security breaches, it has cost management, or the CEO, his job," said Florencia Marotta-Wurgler, a professor law at New York University who specializes in corporate governance. For a beleaguered company, removing the CEO is one way to salvage what remains of its reputation. "It's a very strong signal to the public that the firm is taking it seriously," she said.
Equifax seem to be following a pattern that emerged over the last few years of data breaches. When Ashley Madison, the website for extramarital affairs, got hacked in 2015, the CEO resigned within a month. Target's (TGT) CEO stepped down five months after revelations of a data breach that affected 41 million Americans during the 2013 holiday season.
For that reason, investors will be watching carefully on Oct. 3, when Smith is set to testify to Congress.
A few things give the Equifax case particular gravity. Unlike breaches of email or even credit-card data, this one affected sensitive financial information, even Social Security numbers. And it's unprecedented in scope, touching nearly half of the U.S. population.
"This is a big one," said Kimberly Foss, founder and president of Empyrion Wealth Management. "On a scale of 1 to 10, I'd put this at 9.9."
Still, a changeover might not happen immediately for a few reasons. Equifax's CEO is also chairman of the board, which comprises mostly retired executives. And boards typically want a succession plan in place before a CEO is given the boot, said Horn.
"To some extent it will hinge on, do they have an internal candidate to come in and take the role? I don't think that's necessarily clear," he said.
If nothing else, Equifax's board might decide to give its CEO the boot to avoid a worse fate: the prospect of government regulation. If Smith doesn't shine during his Congressional testimony, Seiberg wrote, that "raises the risk for negative legislation such as bills requiring consumers to opt-in to having credit bureaus keep their data or legislation requiring lifetime credit monitoring for free for any credit bureau that keeps a consumer's data."