The stunning data breach recently disclosed by Equifax, one of the nation's top three credit reporting agencies, has imperiled millions of consumers, opening them up to identity theft, monetary losses and colossal headaches.
Equifax investors are also shouldering the burden associated with the company's apparently lax security practices. Since disclosing the breach, Equifax's stock has fallen more than 20 percent, losing its shareholders nearly $4 billion in market capitalization.
It remains unclear, though, whether the company's executives will take a financial hit for the failures that allowed thieves to steal Social Security numbers, driver's license numbers and other sensitive data. Indeed, Equifax's top managers may not feel any financial ill effects, given the company's past compensation practices.
Over the last three years, when Equifax determined its top executives' incentive compensation, it has used a performance measure that excluded the costs of legal settlements made by the company. If it follows this practice after dealing with the costs of settling legal claims arising from the security breach, Equifax's top managers will essentially escape financial accountability for the blunder.
This troubles Charles M. Elson, a professor of finance at the University of Delaware and the director of its John L. Weinberg Center for Corporate Governance. "To the investors in the company, the legal settlement does impact earnings and stock price," Mr. Elson said in an interview. "If the shareholders suffer because of this breach, why should management be excluded? These folks take home all of the upside and want none of the down."
I asked Equifax whether its board would stop excluding legal settlement costs from executive compensation calculations so that management would be required to absorb some of the pain.
An Equifax spokeswoman supplied this statement: "The board is actively engaged in a comprehensive review of every aspect of this cybersecurity incident."
Equifax is not alone in excluding certain costs of doing business from the financial factors it uses to determine executive pay. Such practices have become prevalent among large United States companies.
Equifax uses two main performance measures to decide incentive pay. One, called corporate adjusted earnings per share from continuing operations, is not calculated using generally accepted accounting principles, or GAAP. It is figured by excluding certain costs — such as those related to acquisitions — that normally flow through a company's profit-and-loss statement. This has the effect of making Equifax's earnings per share look better in this measure than they actually do under accounting rules.
Equifax says in regulatory filings that it uses the adjusted earnings figure because it best represents the company's profit growth. Top managers at the company get a larger or smaller annual incentive award based on increases in this measure over the course of a year.
Acquisition expenses make up the bulk of the costs Equifax has excluded from its profit calculation in recent years. But Equifax has also excluded costs associated with impaired investments and legal settlements from the figure.
In regulatory filings, Equifax said its exclusion of legal charges from certain financial results "provides meaningful supplemental information regarding our financial results" and is consistent with the way management reviews and assesses the company's historical performance.
This approach is not unusual. Roughly one-fifth of the companies in the Standard & Poor's 500-stock index excluded legal settlements and fees in their non-GAAP earnings measures in 2016, according to Jack Ciesielski, publisher of The Analyst's Accounting Observer and a close follower of companies' financial reporting.
When settlements are small, of course, excluding the legal costs associated with them is a nonevent. And in recent years that has been the case at Equifax, with settlements equaling around 1 percent of net income.
In the fourth quarter of 2016, for example, Equifax recorded a $6.5 million charge for a settlement with the Consumer Financial Protection Bureau. Under that settlement, which involved deceptive marketing of credit scores to consumers according to the bureau, Equifax paid $3.8 million in restitution to customers, a fine of $2.5 million and $200,000 in legal costs.
But the scope of Equifax's recent security breach is so far-reaching that legal settlements arising from it will most likely be enormous. And this brings up another question: whether Equifax executives should return past pay because of the security failure. Certainly, last year's proxy filings indicate that the pay received by the company's top three executives was based in part on their accomplishments in keeping consumers' data secure.
Consider Richard F. Smith, the chief executive and chairman of the Equifax board, who received $15 million in total compensation in 2016, up from $13 million in 2015. One rationale for his pay package, the proxy said, was Mr. Smith's "distinguished" work in meeting his individual management objectives for 2016. Among those objectives was "employing advanced analytics and technology to help drive client growth, security, efficiency and profitability."
Or take John Gamble, Equifax's chief financial officer. He also received a rating of "distinguished" on his individual objectives, the proxy said, because he continued "to advance and execute global enterprise risk management processes, including directing increased investment in data security, disaster recovery and regulatory compliance capabilities." Mr. Gamble received $3.1 million in 2016.
John J. Kelley III, the company's chief legal officer, also achieved a "distinguished" rating from the Equifax board last year. One reason: He continued "to refine and build out the company's global security organization." Mr. Kelley received $2.8 million in compensation last year.
Will these executives be asked to return any of this pay given that their ratings on security are now looking a little less distinguished?
Equifax declined to answer this question.
What the Equifax mess seems to show, yet again, is the heads-I-win, tails-you-lose deal between executives and shareholders that is so prevalent at major corporations today.
As for Equifax's exclusion of litigation costs in its profit measure, Mr. Ciesielski, the accounting expert, said that should only be allowed for events that are outside of management's control. "A hurricane, an earthquake, falling space debris — all those things are exogenous, outside of management's control and ultimately more forgivable," Mr. Ciesielski said. "Bad management leading to customer harm is exogenous and forgivable? That's a lot harder to accept."