6 crisis lessons from Equifax’s data-breach response

Instead of negating a PR disaster, the credit bureau fueled online criticism with its handling of news that stolen information could have affected 143 million people.

How could this happen?

That’s one of many questions erupting in the aftermath of Equifax’s recently disclosed data breach, along with the following queries:

  • Was my personal information compromised?
  • Are they protecting themselves or the public? Is all the bad news out, or is there more to come?
  • Did senior execs dump stock before public disclosure?

Equifax is a leading consumer credit reporting agency, responsible for safeguarding highly sensitive financial and other personal data for more than 800 million consumers and businesses globally.

In a corporate crisis, the first challenge is the precipitating issue (in this case, the breach itself). Here, Equifax failed. For any corporate crisis, how an organization responds can hasten reputational recovery—or accelerate damage to it. Here, too, Equifax failed.

Consider these six takeaways from Equifax’s communications stumbles:

1. Timing is everything. “What did the president know, and when did he know it?” was Sen. Howard Baker’s famous question posed during the congressional hearings on Watergate. It’s a question that’s now routinely asked of organizations’ leadership teams when a scandal goes public.

Equifax first learned on July 29 that personal data had been exposed, but it notified the public on Sept. 8 (as national news outlets were distracted with 24/7 hurricane coverage).

Yes, it takes time to ready for public disclosure, work with law enforcement and so on. Fair or not, the perception of corporate stalling while millions of affected Americans were left in the dark for six weeks hurts public trust, and just when Equifax needs it most.

2. When you fall down, step up. When an organization fails at its responsibilities, stakeholders rightfully expect its execs to engage and communicate head on. Equifax hunkered down.

As The Atlantic observed after it requested an interview, “Equifax offered no further comment beyond the materials they had published on an informational website. Other outlets experienced similar silence.”

3. Prepare to own—or get owned—on social media. During a crisis, much of the reputational battle will occur online, so the social media team had better be briefed, savvy and caffeinated when it goes public. It’s telling (and a bit stunning) that—with Equifax having had more than a month to prep for public disclosure—Mediaite offered the headline, “Equifax Slaughtered on Twitter For Wishing Customers ‘Happy Friday’ After Data Breach.”

Equifax got “slaughtered” not for the breach itself, but rather for the insensitivity of a tone-deaf social media post right as the issue was blowing up. It’s a good reminder, too: When bad things happen, immediately turn off any pre-programmed posts that could be in the queue.

4. Data breaches suffer unique challenges. The Washington Post reported, “Equifax asks consumers for personal info, even after massive data breach.” Consumers worried their online data was stolen were encouraged to input even more data (the last six digits of their Social Security numbers, as opposed to the typical last four) to get free credit monitoring via an Equifax website. Here again per the Post, “Equifax did not immediately respond to queries about why its website asks for such information.”

5. Offer real solutions with no strings attached. Equifax offered one free year of credit monitoring to help consumers guard against fraudulent charges; read the fine print, and you’ll find that there’s a catch. You get this service (which also is a great sales tool for Equifax after the first year) only if you sign away all rights to sue Equifax.

What appears to be a goodwill gesture for those harmed by Equifax’s failings is in fact a slick legal move to disadvantage them. People on social media did not react well. Equifax dropped this requirement after the New York attorney general excoriated the company, saying the forced legal waiver was “unacceptable and unenforceable.” This also extended its bad news cycle.

6. A crisis is often not a single event, but rather a series of events. Organizations in crisis often find themselves fighting on multiple fronts, which can overwhelm their crisis response teams. As if the data breach itself was not a big enough problem, Equifax drew more outrage after reports broke the news that company executives netted $2 million in stock sales after the data breach but before the public announcement.

Equifax said the executives in question, including the CFO, did not know of the breach when they sold their shares. Investigations should confirm or disprove those allegations. If it’s ultimately proven the CFO was not in the loop from the start, that, too, would raise questions.

The public can be incredibly forgiving when bad things happen. (After all, cybercriminals are really the bad guys, and no online system is perfect.) However, the public is far less forgiving if a company fails to communicate swiftly, transparently and remorsefully, and if it fails to take sincere, diligent actions to address the problem in both the near and long terms.

Cybersecurity is hard. The public gets it. Communicating is far easier and can reinforce trust or undermine it. The public gets that, too.

John F. Fitzpatrick co-manages Stratacomm, a strategic communications consultancy with offices in Washington, D.C., and Detroit. A version of this article originally appeared on the agency’s blog.
