After Equifax disclosed a breach that exposed Social Security numbers for 143 million accounts, its stock initially plummeted nearly 40 percent, and top executives including its chief information officer, chief information security officer and CEO stepped down.
The troubles continue to snowball, with dozens of lawsuits filed so far by customers, shareholders and one credit union.
We now know that Equifax could have taken steps to prevent the breach. It’s a critical mistake, but was the company’s response to the crisis fundamentally a failure?
Equifax will be judged not just on the scale and severity of the hack, but on its response to the crisis.
With this in mind, I’ve evaluated Equifax’s response and found four things that marketers can learn from its brand-management playbook.
PR needs to move quickly
Speed is critical when responding to a crisis—particularly one that involves consumers’ personal information. Equifax waited six weeks after discovering the breach to disclose it. (It doesn’t help that during this window, three executives sold $1.8 million in shares.)
The company is also reported to have experienced another undisclosed and unrelated breach in March.
Other organizations have waited months to disclose data breaches—the Securities and Exchange Commission recently revealed one from 2016—but this doesn’t change the fact that Equifax responded too slowly and gave hackers a longer period in which to use stolen data.
While the stock-selling issue will be investigated by the Department of Justice and the SEC, the court of public opinion won’t be understanding. Consumers will be forced to be on high alert for identity fraud for the rest of their lives.
For speed, Equifax gets a “C.”
Think ‘customer-first’ and use social effectively
Helping customers ensure their safety should have been Equifax’s priority. Rather than notifying affected consumers, however, Equifax pointed people to a website that had a number of security issues. It was classified as a phishing site and blocked for days. When it was finally available, the site required people to enter the last six digits of Social Security numbers—the kind of information that was hacked in the first place.
In the midst of this blowback, Equifax offered free credit reporting, but it initially required enrollees to waive their rights to sue. The company later addressed these mistakes, but the reputational damage had been done.
Equifax gets an “F” for its many customer-service blunders.
Accountability is key
Equifax has shown humility, which is the right tone to strike during a crisis. In an op-ed published Sept. 12, then-CEO Richard Smith called the incident “The most humbling moment in our 118-year history” and offered one year of free identity-theft protection and credit monitoring for affected customers.
While the message feels sincere, Smith’s offer was tone-deaf given that victims will have to pay for these services for the rest of their lives to stay safe. Smith retired a few days after this misstep.
Following the announcement of Smith’s departure, interim CEO Paulino do Rego Barros Jr. wrote an op-ed taking accountability for the breach and how it was handled. Had Smith made this statement on day one, acknowledging the gravity of the situation and maneuvering accordingly, the company would be in a much different position now.
For this reason, Equifax gets a “C” for accountability.
Transparency requires ongoing work
Equifax has been fairly diligent in keeping the public updated after its disclosure of the breach Sept. 7, via press release and video. The company created a website for breach-related news that was updated five times in the following week.
The most significant update came Sept. 15, when the company identified the vulnerability that the hackers exploited and provided a comprehensive timeline of events, including all of the missteps in its customer response. It also announced that the company’s CISO and CIO were “retiring.”
In a statement Sept. 26, Equifax announced that Smith would be stepping down as CEO and acknowledged that cybersecurity remains a concern for customers and a priority for the company and its board.
It is evident that Equifax has tried to be proactive in communicating the steps that it is taking to minimize future risks. Its transparency efforts warrant a “B.”
The bottom line
The Equifax breach will go down in history as a cybersecurity incident turned brand-management disaster. By failing to empathize with customers and taking three weeks to properly apologize, Equifax undermined its appearance of concern and lost consumer trust. Only time will tell if the public and markets forgive the company.
Bill Bourdon is a 20-plus-year communications professional and president of Bateman Group.