[BreachExchange] 6 crisis lessons from Equifax’s data-breach response

Audrey McNeil audrey at riskbasedsecurity.com
Tue Sep 12 19:34:52 EDT 2017


https://www.prdaily.com/Main/Articles/23237.aspx

How could this happen?

That’s one of many questions erupting in the aftermath of Equifax’s
recently disclosed data breach, along with the following queries:

- Was my personal information compromised?
- Are they protecting themselves or the public? Is all the bad news out, or
is there more to come?
- Did senior execs dump stock before public disclosure?

Equifax is a leading consumer credit reporting agency, responsible for
safeguarding highly sensitive financial and other personal data for more
than 800 million consumers and businesses globally.

In a corporate crisis, the first challenge is the precipitating issue (in
this case, the breach itself). Here, Equifax failed. For any corporate
crisis, how an organization responds can hasten reputational recovery—or
accelerate damage to it. Here, too, Equifax failed.

Consider these six takeaways from Equifax’s communications stumbles:

1. Timing is everything. “What did the president know, and when did he know
it?” was Sen. Howard Baker’s famous question posed during the
congressional hearings on Watergate. It’s a question that’s now routinely
asked of organizations’ leadership teams when a scandal goes public.

Equifax first learned on July 29 that personal data had been exposed, but
it notified the public on Sept. 8 (as national news outlets were distracted
with 24/7 hurricane coverage).

Yes, it takes time to ready for public disclosure, work with law
enforcement and so on. Fair or not, the perception of corporate stalling
while millions of affected Americans were left in the dark for six weeks
hurts public trust, and just when Equifax needs it most.

2. When you fall down, step up. When an organization fails at its
responsibilities, stakeholders rightfully expect its execs to engage and
communicate head on. Equifax hunkered down.

As The Atlantic observed after it requested an interview, “Equifax offered
no further comment beyond the materials they had published on an
informational website. Other outlets experienced similar silence.”

3. Prepare to own—or get owned—on social media. During a crisis, much of
the reputational battle will occur online, so the social media team had
better be briefed, savvy and caffeinated when it goes public. It’s telling
(and a bit stunning) that—with Equifax having had more than a month to prep
for public disclosure—Mediaite offered the headline, “Equifax Slaughtered
on Twitter For Wishing Customers ‘Happy Friday’ After Data Breach.”

Equifax got “slaughtered” not for the breach itself, but rather for the
insensitivity of a tone-deaf social media post right as the issue was
blowing up. Good reminder, too, when bad things happen, immediately turn
off any pre-programmed posts that could be in the queue.

4. Data breaches suffer unique challenges. The Washington Post reported,
“Equifax asks consumers for personal info, even after massive data breach.”
Consumers worried their online data was stolen were encouraged to input
even more data (the last six digits of their Social Security numbers, as
opposed to the typical last four) to get free credit monitoring via an
Equifax website. Here again per the Post, “Equifax did not immediately
respond to queries about why its website asks for such information.”

5. Offer real solutions with no strings attached. Equifax offered one free
year of credit monitoring to help consumers guard against fraudulent
charges; read the fine print, and you’ll find that there’s a catch. You get
this service (which also is a great sales tool for Equifax after the first
year) only if you sign away all rights to sue Equifax.

What appears to be a goodwill gesture for those harmed by Equifax’s
failings is in fact a slick legal move to disadvantage them. People on
social media did not react well. Equifax dropped this requirement after the
New York attorney general excoriated the company saying the forced legal
waiver was “unacceptable and unenforceable.” This also extended its bad
news cycle.

6. A crisis is often not a single event, but rather a series of events.
Organizations in crisis often find themselves fighting on multiple fronts,
which can overwhelm their crisis response teams. As if the data breach
itself was not a big enough problem, Equifax drew more outrage after
reports broke the news that company executives netted $2 million in stock
sales after the data breach but before the public announcement.

Equifax said the executives in question, including the CFO, did not know of
the breach when they sold their shares. Investigations should confirm or
disprove those allegations. If it’s ultimately proven the CFO was not in the
loop from the start, that, too, would raise questions.

The public can be incredibly forgiving when bad things happen. (After all,
cybercriminals are really the bad guys, and no online system is perfect.)
However, the public is far less forgiving if a company fails to communicate
swiftly, transparently and remorsefully, and if it fails to take sincere,
diligent actions to address the problem in both the near and long terms.

Cybersecurity is hard. The public gets it. Communicating is far easier and
can reinforce trust or undermine it. The public gets that, too.