Equifax's (NYSE:EFX) data breach is not a run-of-the-mill credit card theft case. Social security numbers of almost all adult U.S. voters have been stolen. The company could face several surcharges over the typical fines and faces a risk of a politically motivated fine that could be high enough to liquidate the company. The valuation is not attractive enough yet to warrant these risks. The stock is not a safe short either. Its P/E has a lot of room to catch up to peers if the penalty outcome is benign.

This is the most serious security breach in corporate history

Let’s face it, Equifax is a hard-to-value stock right now. First, the legal costs from the massive security breach are hard to estimate, then there is reputational damage and its impact on future revenue and profit growth potential which may be making the current seemingly attractive forward P/E irrelevant, and then there is poor corporate governance risk stemming from insider stock sales before the public had a chance and a possible questionable stock buyback at a time when the company should conserve every cent.

Since this is the biggest and most serious personal data theft incident of all time in the U.S. corporate history, in addition to the direct penalty costs, we have to take into consideration the very real possibility that various groups will try to make an example out of this case. The case is sure to attract media attention. A concrete example is Elizabeth Warren and her aim to introduce a bill cracking down on credit companies. The FTC launched a probe and commented publicly, which is not usual for it. Also, former NSA security counsel commented. After all, the social security number of almost every adult American had been compromised.

How to estimate the penalty?

The best we can use is comparative “valuation” based on past cases and find the common “fine per account” figure and then adjust this number for specific factors in the Equifax case. The factors are the seriousness of the data stolen (the added danger of many pieces of data per person being stolen together), as well as the fact that data management is one of the core activities of Equifax where the company should have undertaken adequate safety measures above those of a random U.S. company that just collects customer data as part of their other main business.

Based on an excellent article written by a Seeking Alpha author Daniel Jones whom I like to follow, I decided to dig deeper into the numbers and come up with at least rough estimates of what the total data breach fine may end up being because the numbers from mainstream analysts seem way too low and optimistic.

The Target and Home Depot example

Target (NYSE:TGT) in 2013 paid $292 million over a period of several years for failing to safeguard data of 40 million U.S. consumers, but it later stated that up to 70 million customers could be affected, so let’s take the average, 55M, as the number of accounts affected. Home Depot (NYSE:HD) paid $298M for the 2014 data breach that affected 56 million credit cards.

Equifax numbers

Equifax said that data of 143 million U.S. customers had been compromised. Also, "limited personal information" had been stolen from up to 44 million UK consumers and some Canadian customers.

So in total, I estimate that roughly 187 million customers have been affected. Of that, I consider 143 million to be severely affected due to their social security number being part of the list of stolen data points.

There seems to be a “fine per account stolen” metric

The average fine per account stolen is around 5 dollars and 32 cents per account in case of Target and Home Depot, and the fine is remarkably close in both cases with just a one-cent difference amounting to a rounding error. This suggests that the “fine per account” metric was probably considered and will likely be considered in future cases, including Equifax.

Equifax penalty scenarios

If we assume the most optimistic scenario where Equifax pays just the same minor amount per account stolen that both Target and Home Depot paid, the company would walk away with a roughly $1B penalty.

If we treat the social security numbers stolen as more serious data breaches and add a 100% premium to their fines, plus add a 100% surcharge to the basic $5.32 fine per account for Equifax being a financial institution whose core business revolves around collecting and analyzing data, we get $15.96 per serious account breached (where a social security number was stolen) and $10.64 per account where minor data was stolen (“just” the credit card details, for example). This way, the total fine would be $2.75B, or $14.71 per each of the 187 million accounts affected. That’s about one year worth of sales and five years of net income.

Source: Author’s calculations, Equifax, Daniel Jones (Target, Home Depot data)

“The most serious data breach in history” surcharge

Finally, we should adjust the final bill estimate for the risk that regulators and lawmakers will make sure the company doesn’t walk away from this lightly because almost every adult American (almost every voter) was directly affected. This is too tempting to use for political capital and too risky for regulators to assign a mediocre fine. Regulators could attempt to hit the company with a fine that will effectively force it out of business or restructure heavily in order to safeguard U.S. voters. For example, a $10B fine would probably wipe the company out, and that would still be a penalty of just over $50 per citizen directly affected. Is that too much or too little for almost all adult U.S. social security numbers being stolen?

There will be other costs besides the regulatory penalty. On the other hand, Equifax may be able to recoup some amount from insurance.

Corporate governance questions and other risks

As Warren Buffett says, where there is one cockroach, there are always more. What if the company is hiding other surprises hidden in the closet? First, the top management sold $1.8M worth of shares before letting the public know about the breach. Then, it may have performed a sizeable stock buyback very soon after the breach, arguably wasting money it could need to pay the fine. This suggests the top management may care more about the stock price and its stock bonuses than about the long-term strategic problems this company is facing due to the breach.

The oligopolistic credit reporting sector may also be hit by a regulatory backlash, as Elizabeth Warren suggests. That would dampen future growth and margin prospects.

Conclusion

In conclusion, I believe "this time is different" in terms of the penalty size per account affected. The fine may be more severe than what the stock price and analyst estimates suggest. Why? Because this was the biggest and most serious breach of its kind and involved social security numbers and because the company’s business is directly related to managing sensitive data. Equifax’s case may also be politicized and medialized. While not cheap enough to buy, shorting the stock is risky as well. If the fine is small, the stock could leap up to catch up with peer P/E valuations of TransUnion (NYSE:TRU) and Experian (OTCQX:EXPGY).

Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.

I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.