[mikeyouse]

This is a good clarification, but the guy shoudn't be absolved in either case. Here's the description of his duties from their website:

> Trey Loughran leads the company’s United States Information Solutions (USIS) business, which includes U.S.-based services that provide businesses with consumer and commercial information and insights related to areas of risk management, identity and fraud, marketing and other industry-specific solutions.

He would definitely be in the loop regarding a breach of this nature.

[bodz]

I don't necessarily think so. Just because he manages the risk management offering which is sold to other companies doesn't mean he would be aware of or involved in day-to-day risk management at his own company.

At my consulting firm, the execs in charge of our cybersecurity consulting practice are absolutely not involved in any internal cybersec investigations that happen to our own firm. In fact, we have specific procedures which say that our cybersecurity consultants cannot be involved with internal incidents. All internal investigations have to be done by outside, impartial firms.