Equifax stock fell 19.5% the day the credit reporting agency revealed its massive data breach from six weeks earlier, affecting 143 million customers.
Six days later, it was down 31%.
Equifax’s bumbling response has come under withering criticism from the public,media, lawmakers, regulators, analysts, and crisis experts. Despite a belated, profuse public apology by CEO Rick Smith, Equifax’s response has been dubbed a “dumpster fire” and a “public relations nightmare.” It offers a cautionary tale about the critical importance of effective crisis communication when sensitive information has been put at risk. What lessons can communicators take from Equifax?
- Speed is critical. It does take time to analyze a breach and determine the extent of harm. Yet 6 weeks seems awfully long to figure out the “facts” and decide on a course of action. The result of the lag: it only served to sow more public skepticism and panic.
- Don’t offer half-baked measures to affected stakeholders that appear to be more self-serving than helpful. Equifax’s initial short-term “solution” was mercilessly criticized within hours as a measure that protected Equifax more than its customers by (a) requiring a waiver from lawsuits, and (b) initially requiring a fee to sign up for a credit-freeze. The fee and waiver requirements were later dropped in response to the public furor.
- Set strict controls in place that prevent insiders from selling stock before a crisis is made public. Three Equifax executives sold $1.8 million worth of stock before the breach was disclosed, further causing distrust and spawning lawsuits. The claims that these sales were made before they knew about the breach, or that it was a small amount of stock relative to holdings, did not fly well in the court of public opinion.
- Learn from similar previous crises. Yahoo’s response to its late 2016 data breach affecting 1-billion worldwide e-mail accounts was widely criticized as “too little, too late.” Though smaller in size, Equifax’s is potentially more damaging in scope because it includes tens of millions of social security numbers.
Equifax’s response may well go down as a textbook example of how not to respond to a crisis. Apologies and after-the-fact promises from the C-Suite to do better in the future don’t easily restore confidence or shareholder value.