Public relations people like to talk about “getting out in front” of a crisis; in fact, for a taste of real-life preparation, check out this stress-inducing story about a crisis simulation by The New York Times‘ Sapna Maheshwari. Yet it’s a myth to think you can prevent any event that could wreck a company’s reputation. Sometimes it’s a struggle just to mitigate the damage in the days and weeks after a crisis blows up. Still, one goal of all communicators – similar to the physician’s creed of “first, do no harm” – should be to avoid making the situation worse.
Unfortunately, that’s exactly what happened when the news broke that credit-reporting giant Equifax suffered a breach that could compromise the privacy of some 143 million consumers. How did it escalate? And what can we learn from how Equifax handled the crisis?
Take the full measure of the situation
Maybe Equifax believed that the media and public would shrug off the breach. If so, that was a big error in judgment. The situation was unprecedented in its sheer size and the number of people it placed at risk. YouGov BrandIndex, which tries to quantify reputation impact of negative events for brands, compared the Equifax situation unfavorably to the Volkswagen diesel scandal. One difference, however, is that not everyone owns a Volkswagen. As a YouGov spokesperson put it, “Equifax is on a different scale – much wider and more personal.” My personal theory about the company’s failure to assess the situation is that as a largely B2B brand, Equifax underestimated the level of concern and anger on the part of those affected.
Prepare for a negative reaction
Yes, this one’s laughably obvious, especially when a company is lucky enough to be able to control the announcement of the bad news. And Equifax did have that luxury; it disclosed the breach a full six weeks after it occurred, and new information suggests it had experienced a similar intrusion in March of this year. With so much time to prepare, it should have started an internal security investigation, and maybe it did. But it also needed to stage carefully crafted communications with customers, stakeholders, and regulators, as well as a media announcement and full plan for mitigation of harm to those affected. Instead the company seemed unprepared for the response to its disclosure. The site it set up for customer inquiries was quickly overwhelmed, and after the initial statement, the CEO did not formally respond until four days after the announcement.
Let professional communicators lead the way
This is what top PR professionals and crisis experts are paid for. In the wake of the breach Equifax offered free credit monitoring to customers – but the offer required anyone who enrolled to waive their right to sue the company. (Equifax later backpedaled on the waiver.) This is a sign of a classic crisis management mistake — letting lawyers manage the response messaging. An attorney’s goal, of course, is to limit liability. But this particular move worsened the reputation damage by making Equifax look like it was trying to avoid culpability at the customer’s expense.
To some extent, Equifax did this, despite the liability it can bring. CEO Richard Smith‘s apology is frank and forthright. “Protecting your data should have been our highest priority”… his comment in the press release notes. “We let you down, and it’s going to cause enormous pain. For that, I apologize. Obviously, we’re overhauling our security now.”
Yet, plans for the “overhaul” were not explained. And if you look closely at the language in the company press release, it’s – well, weaselly. The headline details a “cybersecurity incident” (not a “breach”) and later refers to “the application vulnerability” – huh? It also apologizes for the “frustration and inconvenience” experienced by consumers, which obscures the graver potential consequences of damage to one’s credit rating or even identity theft. Again, lawyers are crafting the communications, at the expense of clarity and transparency.
Tap a crisis response leader
When things blow up, it truly takes a village – or a skilled team – to cover rapid media response, on-the-record media interviews, social media communications, stakeholder and government outreach, and other aspects of a swift and appropriate crisis response. But there should be a single expert who is empowered to lead the response — a communications professional, not the CEO, and not the on-camera spokesperson. Too often, companies give decision-making power to a group of individuals that may comprise their legal counsel, Board of Directors, and key executives, leading to group paralysis.
Address any questions about the company’s response
Surely one of the senior executives planning the public announcement of the breach noted sales of Equifax shares by insiders just days after the breach was discovered. Those officers included the Chief Financial Officer and the U.S. Information Solutions president, who, along with another senior executive, sold nearly $2 million in company shares. Corporate officers sell stock all the time, and the timing of the transactions may have coincidental, but the optics are terrible. Equifax responded by dismissing the insider sales as “a small percentage” of its shares, emphasizing that the executives weren’t aware of the breach when they sold. That’s not an ideal response, as it sounds far too casual about the transactions, and it raises the question of who did know about the breach, and when they knew it.
It may seem a small thing, but the day after it disclosed a cyber-intrusion affecting nearly half the U.S. population, @equifax tweeted, “Happy Friday.” Of course, the tone-deaf tweet was pounced on by critics, with good reason. It’s hard to imagine why the brand’s social media communications weren’t looped in as part of a unified response to the announcement of the breach. Ditto customer relations; those who called the number provided by Equifax and managed to reach someone or receive a return call were told that the call-center company brought in by Equifax had no information to share. Aligning and centralizing communications to respond to a business crisis is simply PR 101.
The good and bad news for brand Equifax is that this situation will drag on for a very long time, as lawsuits mount, an FTC investigation proceeds, and a DOJ inquiry into the insider trading commences. Just yesterday we learned that the Consumer Financial Protection Bureau and 34 state attorneys general have announced inquiries into the attack. And, of course, this is the kind of thing that members of Congress jump on. Smith, the Equifax chief executive, will appear before the House Energy and Commerce Committee in October, and the Senate Finance Committee has requested information about the timeline of events. He may very well lose his job over the breach, and such a move, though traumatic for any such corporation, might help Equifax move past the worst of it.
There’s plenty of time for the brand’s reputation to sink even lower, and yet there’s every opportunity for Equifax to learn from its mistakes and take steps to improve the situation over the longer term. The best thing is can do is to explore the causes and ramifications of the breach so thoroughly, and invest in solutions so heavily, that it becomes a data security poster child for other companies who are vulnerable – and that means everyone.