How could this happen? Was my personal information compromised? Are they protecting themselves or the public? Is all the bad news out or is there more to come? Did senior execs dump stock before public disclosure? These are but a few of the many questions erupting in the aftermath of Equifax’s just disclosed data breach.
Equifax is a leading consumer credit reporting agency, responsible for safeguarding highly sensitive financial and other personal data for more than 800 million consumers and businesses globally. In a corporate crisis, the first challenge is the precipitating issue (in this case, the breach itself). Here, Equifax failed. And yet, also for any corporate crisis, how the company responds can hasten reputational recovery – or accelerate further damage to it. Here, too, Equifax unfortunately failed.
Consider these six takeaways for organizations to learn from Equifax’s communications stumbles:
Timing is everything. “What did the President know and when did he know it?” was the famous question posed during the Watergate impeachment hearings. It’s a question that’s now routinely asked of organizations’ leadership teams when a given scandal goes public. In Equifax’s case, they admit they first learned personal data was exposed back on July 29 – but only told the public on September 8 (right as the national media was distracted with 24/7 hurricane coverage). Yes, it takes time to ready for public disclosure, work with law enforcement, etc. Fair or not, the perception of corporate stalling while millions of affected Americans were left in the dark for six weeks hurts public trust at the very time Equifax needs it the most. {Update: more than a week after Equifax finally owned up to the July 29 breach, it became clear they did not fully disclose all their breaches at that time. Anonymous sources now confirm to the news media that Equifax suffered another data breach five months earlier – back in March. They failed to get all the bad news out at once so the “drip…drip…drip” of negative news continues.}
When You Fall Down – Step Up. When an organization fails at its responsibilities, stakeholders rightfully expect its execs to engage and communicate head on. Equifax hunkered down. As the Atlantic observed when they requested an interview, “…Equifax offered no further comment beyond the materials they had published on an informational website. Other outlets experienced similar silence.”
Prepare to Own or Get Owned on Social Media. During a crisis, much of the reputational battle will occur online, so the social media team better be briefed, savvy and caffeinated when it goes public. It’s therefore stunning that – with more than a month to prep for public disclosure – Mediate reports, “Equifax Slaughtered on Twitter For Wishing Customers ‘Happy Friday’ After Data Breach.” See what happened there? Equifax got “slaughtered” not for the breach itself, but rather for the insensitivity of a tone deaf social media post right as the issue was blowing up. Good reminder, too, when bad things happen, immediately turn off any pre-programmed posts that may be in the queue. {Update: more than week after the story broke, the New York Times reports someone created a fake website to spoof Equifax, and Equifax mistakenly tweeted it out several times and linked to it from their own website, driving at least 200,000 hits to the bogus site. Another online security failure that breaks public trust anew.}
Data breaches suffer unique challenges. As The Washington Post reports, “Equifax asks consumers for personal info, even after massive data breach.” It’s cruel irony that consumers worried their online data was stolen because Equifax failed to protect it are encouraged to go to an Equifax website to input even more data (last six of SSN, as opposed to the typical last four) to get free credit monitoring. Here again per the Post, “Equifax did not immediately respond to queries about why its website asks for such information.”
Offer real solutions with no strings attached. Equifax is offering one free year of credit monitoring to help consumers guard against fraudulent charges. But read the fine print – there’s a catch. You only get this service (which also is a great sales tool for Equifax after the first year) if you sign away all rights to sue Equifax. What appears to be a good will gesture for those harmed by Equifax’s failings is in fact a slick legal move to disadvantage them. As one would expect, people on social media did not react well to this news. {Update: Equifax later dropped this requirement after the New York Attorney General excoriated the company saying the forced legal waiver was “unacceptable and unenforceable.” This only served to extend their negative news cycle.}
A crisis is often not a single event, but rather a series of events. Organizations in crisis often find themselves fighting on multiple fronts, which can overwhelm their crisis response. As if the data breach itself was not a big enough problem, the Washington Post also reports, “Outrage builds after Equifax executives banked $2 million in stock sales following data breach {before the public was warned and stocks tumbled}.” Equifax says the executives in question, including the CFO, did not know of the breach when they sold their shares. Investigations will confirm the facts. If it’s ultimately proven the CFO was not in the loop from the start, that too would raise questions about their internal communications during a crisis considering the fast-approaching, significant financial considerations for which the CFO should have been addressing.
The public can be incredibly forgiving when bad things happen (after all it’s cyber criminals who are really the bad guys and no online system is perfect). However, the public is far less forgiving if a company fails to communicate swiftly, transparently and remorsefully and if it fails to take genuine actions to address the problem near term while also offering longer term redress.
Cybersecurity is hard. The public gets it. Communicating is far easier – and can reinforce trust or undermine it. The public gets that too.
John F. Fitzpatrick co-manages Stratacomm, a strategic communications consultancy with offices in D.C. and Detroit. He and the firm offer a range of services, including crisis planning and response, media coaching, social media support, dark website creation and more to help corporate, association and government interests avert, prepare, respond and recover from crisis situations that threaten their reputations.