Equifax (EFX) shares have dropped more than 22% over the past five days since the company disclosed a data breach that affected 143 million Americans.

While the company operates in an attractive industry and the valuation is starting to become attractive we think the risks still outweigh the rewards and investors may want to hold off on buying shares.

Equifax’s Business and Valuation

Equifax is one of the three major credit bureaus along with TransUnion (TRU) and Experian (OTCQX:EXPGY). Similar to Moody’s (MCO), S&P Global (SPGI), and Fitch with bond ratings the three major credit bureaus have an oligopoly when it comes to reporting and monitoring consumer credit. Approximately 76% of the company’s revenue comes from consumer and commercial credit reporting related services. The company’s asset light business model along with the natural oligopoly in the sector means the company is able to earn above average returns on capital. The widening use of credit scores for consumer lending and ancillary services that have grown up around that trend means the company has seen substantial profit and revenue growth. Over the past five years the company has grown revenue at 10.68% annually, operating income at 11.78% annually, net income at 15.98% annually, and free cash flow at 13.27% annually.

In the aftermath of the data breach disclosure, the company now only trades at a forward P/E of 17.2. Not only is this low compared to the market but also it is low compared to analyst consensus growth estimates of 11.3% for the next five years. The company looks cheap on a DCF basis as well. Using $681M in trailing twelve month working capital adjusted cash flow, $1.63B in net debt, a 10% discount rate, 3% long term growth rate, and 10 year short term growth period we find that the current valuation implies just a 8.6% free cash flow growth rate.

However, the problem is none of those estimates factor in the potential costs from the data breach.

Potential Costs

There have been numerous instances of sensitive consumer data being hacked in the past. In fact, it’s so frequent that a study found that data breach incidents have cost on average $225 per record. But, the most expensive incidents at an average of $244 per record were when the breach was caused by malicious or criminal activity (as opposed to human error or a system glitch) like we have with Equifax.

Using those estimates would peg the potential cost somewhere around $35B (143M records times $244) which is clearly absurd, Equifax only has a market cap of some $13B. Perhaps a better estimate would be to use 209,000 records that contained credit card information along with the 182,000 dispute related records that also contained personal information. Those two sets of records had the most information about consumers. That gives us a cost of $95M. But this seems to small. Using the data breaches at Target and Home Depot as a reference points analysts have estimated the cost to be between $200M and $325M. Another possible point of reference is the $864M settlement Moody’s reached with the Department of Justice and state partners regarding issues with bond ratings related to the financial crisis.

If we use a the high end of analyst estimates, $325M, for the cost and plug that into our DCF model the implied growth rate for Equifax jumps to 8.9%. Still well below the past growth rate and projected future growth rate. Bumping up the estimate to the same as the penalty Moody’s paid, $864M, the implied growth rates goes to 9.4%. Again, still well below the historical growth rate for the company.

Despite the fact that the stock looks undervalued we still think caution is warranted.

Ham Fisted Response

In our opinion, the biggest issue has been the company’s ham fisted response to the crisis. Seemingly, everything the company has done made things worse.

First, we have the fact that the breach occurred around mid-May, was noticed on July 29th, but wasn’t disclosed until six weeks later on September 8th! Then we find out that three company executives sold $1.8M in company stock three and four days after the breach was discovered. The company still hasn’t offered a great explanation of who knew what and when.

Next, the company puts up a website to help consumers find out if their data may have been compromised and offers a credit monitoring service. However it’s soon noticed that as part of the terms of service for the website and monitoring service include some ambiguous text that seems to limit consumers' ability to sue the company (agreeing to settle all disputes via arbitration). After intense public pressure, Equifax removes the arbitration language but only for “this incident”.

Then the company screws up again. It allows consumers to place a credit freeze on their account for free but the freeze expires November 21st (a seemingly random choice, why would the incident suddenly be resolved then?). After that, consumers will need to pay Equifax. Equifax is now being seen as essentially charging consumers to rectify its own screw up.

We already know that this is going to be a cause célèbre among politicians and consumer activists. The more the company screws up and the more it’s seen as “picking on” or treating consumers unfairly the more public pressure is going to build for various attorney generals, politicians, and regulators to “make an example” out of the company. We highly doubt anything will happen that will permanently impair the oligopolistic position of the company since regulators weren’t even able to break the bond rating oligopoly during or after the financial crisis. However, each time the company messes up in handling the situation the likely the higher the ultimate cost of the data breach becomes as the public pressure will be on regulators to push for higher fines and penalties.

In our opinion it’s best to wait until the company actually starts to behave in ways that improve the situation and is seen doing things that help consumers rather than looking like it is trying to (or even trying to) pull a fast one.

