Some Early Lessons from the Equifax Crisis


As you know, crisis has become ubiquitous and quotidian, maybe to the detriment of brands and the in-house communicators who practice crisis management. Once the word crisis is uttered, communicators and C-suite execs assume pre-planned crisis mode roles. Everyone should know what to do, but do they know how to do it well?

Certainly that’s part of the early read with Equifax, one of the country’s three major credit organizations. The brand announced Sept. 7 that its data network was breached. The sensitive data—Social Security numbers, driver’s license info, addresses and perhaps credit card data—of some 143 million consumers might have been compromised, it said. Some analysts are calling it the worst data breach in history. Chances are, one analyst told the NY Times, if you have a credit card, you've been compromised.

On the surface, Equifax’s crisis response seems textbook and good. It’s issued a written apology; its CEO also has mea culpa-ed on video. In addition, it's tweeted an apology and invited consumers to call a hotline for information. It also put information on a website, allowing concerned consumers to check if their data was compromised.

(We contacted Equifax for a comment about its next steps in terms of communications; it has yet to respond.)

Klieg Lights

A deeper look at the brand’s response, though, indicates cracks in the plan. When a brand is in a crisis it’s hard to avoid the glare of the media's and social media's klieg lights. Nearly everything a brand or its executives do or have done is subject to scrutiny once the company has entered a significant crisis. Ask Wells Fargo. One year has passed since its bogus accounts incident and yet the bank remains under the bright lights. The number of bogus accounts, first thought to be 2 million, was revised to 3.5 million recently. Volkswagen still is reeling, so is Chipotle. Have you boarded a United flight recently without thinking of Dr. David Dao?

But it's Equifax's time now to absorb the bright lights. Within hours of Equifax issuing its statement, the media reported several related stories. The first story concerned timing. Equifax discovered its network was compromised in late July. The breaches occurred in May, June and July. Yet, as we know, Equifax chose to say nothing in public until just the other day. Reaction time can be critical in a crisis. Perhaps one month was too long to be silent.

In any case, that period gave Equifax weeks to get its house in order, implement its crisis plan, investigate the extent of the intrusion, and alert authorities. OK, fair enough. It's often a delicate dance between reacting too quickly and too slowly to crisis. Still, with 143 million consumers' personal information involved, the case can be made that waiting five weeks was a poor choice.

Triple Play

Another element relates to that 5-week gap. During that time three members of the company's senior brass had the opportunity to dump stock in advance of news of the data compromise going public. The breach was discovered July 29, the brand tells CNNMoney. Just days later chief financial officer John Gamble let go of nearly $1 million worth of Equifax stock. Joseph Loughran, Equifax’s president of U.S. information solutions, sold nearly $700,000; Rodolfo Ploder, the workforce solutions president, unloaded just north of $250,000. All three transactions were dated August 1.

Needless to say, those sales may turn out to be the proverbial PR nightmare. Attempting to minimize damage, Equifax tells CNNMoney those sums, totaling nearly $2 million, were but a “small percentage” of the executives’ holdings. It’s rarely wise to describe millions in stock as a “small percentage.” That’s especially so when millions, we mean millions of consumers, many with far smaller portfolios than the three Equifax execs, may have had their data compromised.

And now the-chicken-and-the-egg conundrum: Equifax tells CNNMoney the trio of executives had “no knowledge” of the breach when those stock sales were made. Senior members of the company were unaware of the compromise? Did any of the top brass know at that point? What does that say about Equifax?

Of course, it’s possible the Equifax executives planned weeks or months in advance to sell shares on Aug. 1. Executives sell shares all the time. Still, perhaps the Equifax three should have rethought their plans in light of how it would play in the court of public opinion. That assumes, of course, they knew about the compromise, which Equifax insists they did not. Hmmm. Equifax (EFX) shares closed Friday down 14%.

Executive of the Year?

And speaking of the court of public opinion, time will tell if it was poor judgment for Equifax CEO Richard F. Smith to accept an award Sept. 1 for being among Atlanta’s most admired CEOs, writes Kathy Klotz-Guest. We’ll assume Smith knew the Sept. 7 announcement was coming, even if his CFO and two division presidents were in the dark.

While Smith apologized to consumers on behalf of the brand, several phrases in his announcement were nebulous, seemingly to allow Equifax wiggle room in case of lawsuits. For example, Equifax failed to use the words "breach" or "theft," as Josh Bernoff notes. One also could argue that, with 5 weeks between the discovery and the announcement, Equifax could have issued a far more definitive statement.

Hours after Equifax's September 7 announcement, a proposed class-action lawsuit was brought. Filed in a Portland, Ore., federal court, the suit charges Equifax failed to protect consumer data vigorously enough, Bloomberg reports. Apparently Equifax chose to cut costs rather than beef up protection of consumer data. In terms of a built-in market, the suit has 143 million people who might join.

Customer Service

And the customer service Equifax is offering via phone is suspect apparently. The online option seems to have brand-damaging strings attached. Ashley McCown, president, Solomon McCown & Company, in an interview with us, notes Equifax is insisting “that consumers…waive their right to sue…or be part of a class-action suit in order to check [on its web site] if their data was stolen. That...demonstrates a serious tone-deafness to the climate of corporate responsibility that today’s consumers demand.”

Speaking of tone-deafness, why did Equifax tweet "Happy Friday" today? 

McCown adds, “This incident shows that organizations can’t merely go through the motions when it comes to a crisis response…. With Senator Elizabeth Warren tweeting about how poorly Equifax has acted in the wake of the breach and how it must be held legally responsible, congressional hearings can’t be far off.”

Follow Seth: @skarenstein