The Equifax data breach, in which 143 million accounts were compromised and which might have years-long consequences for consumers, was historic in its scope and potential for damage. But it's also notable for how extraordinarily badly the company, at least from a public-relations standpoint, handled the fallout.
A brief review: The company had at least a month to prepare, offered an anaemic remedy in the form of one free year of credit monitoring -- but only if you waived the right to sue -- and waived the fees for credit freezes and thaws... and then kept changing the deadline for accepting even those rather measly remedies. There was no front-and-centre point person, no hotline, and no easily accessible information on how to assess if one were affected by the breach. Lifehacker US' EIC had to resort to Twitter to get the company's attention. Last week the news broke that Equifax had been directing customers to a fake phishing site for almost two weeks.
"It was a model of the worst case imaginable," says Davia Temin, president and CEO of Temin and Company, a crisis and reputation-management firm.
If you're running a business, crises are inevitable. It's how you handle them that will determine whether you'll move on relatively unscathed -- or whether you'll lose customers or even be forced out of business entirely. I spoke to a couple of experts in the field about how they would have handled the Equifax breach better.
1. Consider the Point of View of Those That Have Been Hurt
"The Equifax response was overdue, muddled, left consumers in the dark, and lacked empathy," says Ben LaBolt, who has handled strategic communications and crisis management for individuals and companies such as Barack Obama and Fortune 500 CEOs, and is a partner at Bully Pulpit Interactive, in an email.
Temin echoes the theme of empathy: "You have to think about the victims, and let that guide you. Hopefully you have a good crisis manager, because the crisis manager is also representing the voice of victims."
Temin notes that taking a little time before announcing is not necessarily terrible, and may even be requested by law enforcement. "Before you mount a response, you'd better get your ducks in a row. Get your plan together about what you're going to offer. I don't think it's unreasonable to take a month, but for all of that time, the [Equifax] response was tepid and emotionally disconnected. 'We're disappointed'? No -- you are 'deeply and profoundly sorry'. They made it about them and not about the people they harmed. It was a non-apology."
3. Make a Remediation Plan
Your planning should include the specific plan to remedy the situation. "Give them a real fix," says Temin. It seems likely that no one on Equifax's PR or crisis-management team read the fine print of the deal they were offering. I ask Temin, "If they'd hired you, would you have read every word of the contract to anticipate problems?" "Are you kidding me?" she replies. "Of course I would."
Ben LaBolt also notes that the company's plan and communications were extremely weak: "Equifax should have taken immediate steps to identify the scale and scope of the crisis, to communicate it to regulators and consumers, and then to provide consumers with easy-to-understand recourse in an online hub." In other words, no one should be tweeting at you to tell you what's going on.
4. Learn From Past Disasters
LaBolt notes that we can learn from companies who have handled similar crises in the past. "Many companies, from Target to Sony, have handled data breaches poorly. But Anthem sticks out as a good example of a company that got information out to customers early and on their own terms, while establishing a one-stop online hub with complete information on steps consumers could take to protect themselves." A good crisis manager will assess what comparable companies have done wrong, and done right, in similar circumstances. If you don't have one, start doing your own research.
5. Prepare Better for Next Time
Crises are inevitable, and some industries even have predictable crises -- aeroplanes crash sometimes, for example. Data hacks fall into the "predictable" category. "In 2017, all companies should be prepared for a data breach -- especially companies like Equifax that keep sensitive consumer data on hand. That means establishing a crisis team and drafting a plan long before crisis strikes."
There is such a thing as a "PR fire drill", as the New York Times recently reported: The newspaper hired a crisis-simulation firm to create a mock disaster, complete with a social-media frenzy, a barrage of phone calls from the media, and a hacker threatening to sic a virus on their network.
Both LaBolt and Temin stressed sincere empathy and humanity as the key to surviving a mistake of this magnitude. Temin said, "If you're authentic, people will cut you some slack."