You think your crisis is over; it may have been years ago. Then it comes back to bite you and resurrect negative memories in the minds of your audiences.
So it was with Thomas Cook, which found itself in court ten years after the tragic deaths of customers in a fire in a Corfu hotel. So too now with Equifax.
Back in 2017, Equifax came under fire after taking six weeks to admit that a data hack had stolen the personal information of 143 million Americans. Five weeks later it announced 15 million Brits were also affected.
Nine months later the Information Commissioner's Office fined Equifax £500,000. And now, two years later, a Cheshire-based law firm specialising in no-win, no-fee class actions has filed court documents seeking compensation for those affected.
It’s why we still use this case study in our media training sessions when coaching how not to handle a crisis. Not least because the CEO, Rick Smith, who was forced to resign, had tried to claim that “Equifax will not be defined by this incident but rather by how we respond” (you can watch his statement here and enjoy the benefit of hindsight).
So what can PROs learn from this sorry episode?
If you don’t own up to the problem as soon as you discover it, you stand to be accused of a cover up and not caring about those affected.
Equifax waited six weeks before publicly admitting to the data breach. This was plenty of time for the hackers to start misusing the data, and Equifax’s delay meant victims couldn’t mitigate the threats to their identity and finances. Maybe law enforcement authorities requested Equifax not go public. If that’s the case, Equifax hasn’t said so. So not only did the six-week silence set the narrative for the media’s coverage of the story but lack of trust in Equifax became the lens through which new, emerging information was viewed.
Example. Three days after Equifax learned of the hack and five weeks before it went public, three senior executives between them sold Equifax shares worth almost $2 million. According to the company, none of them had been told about the hack at the time they placed the trades and it only represented a small percentage of each of their holdings. That may well be the case – incredible though it may seem, especially given that one of them was the company’s CFO. But perception is everything during a crisis, a message we highlight in our media training. One doesn’t have to be a conspiracy theorist to draw some damning conclusions about the company’s priorities and the self-interests of its senior people over those of the victims.
Your nightmare crisis is a journalist’s dream assignment.
The share sale sub-plot above shows how your ‘trial by media’ will involve questions on all aspects of the organization (including those not directly related to the crisis). Journalists will dredge up stories you thought were history; they will find new angles; and they are all in competition to unearth more information than their competitors.
I wonder if Equifax was surprised by the story that broke in Argentina that an Equifax online employee tool could be accessed by typing ‘admin’ as both a login and password. What kind of checklists do you have for thinking through the consequences of your crisis? For example, if you have a data/privacy incident, do you have processes for making everyone in the organisation immediately review and revisit all data security – from PCs to mainframes? Do you have a process that means that your customer service people would not have tweeted “Happy Friday!” from your Twitter account after the story broke?
Have a team thinking about how the story could escalate and become multi-dimensional.
Equifax gathers and sells data about people to other people and companies. You do not need to be a customer of Equifax for it to hold significant amounts of personal information about you. You are the product. Will Equifax – and the other credit reporting firms – now find their very business model under attack since people are more aware of what it is doing? Our media training highlights the need to identify all aspects of the crisis – the issue at hand could end up being a proxy for something bigger and longer term. You can start communicating some core messages now – while the media is all over you like a rash – rather than in a year’s time when it may be harder to get positive media coverage.
Think through and put yourself in the shoes of those affected – not those of the organisation.
Fundamentally, just do the right thing. Not only did Equifax delay announcing the hack but it chose not to notify directly those affected (back to the caring about people thing). Instead it set up a new website (which apparently didn’t work properly) and its call-centre was overwhelmed. Since the company had given itself six weeks to plan its response, surely its response should have gone like clockwork?
It also offered free credit monitoring to anyone who thought they might be affected. So far so good. But – cock-up or conspiracy, you choose – it initially required those who signed up for it to waive their right to sue the company. Victims could also protect themselves by freezing credit but Equifax charges for freezes and only “in response to consumer feedback” did it waive the fees (and then for only 30 days). It then compounded the problem and reinforced its burgeoning reputation for slack security by assigning easy-to-guess PINs to people who froze their credit.
Ironically, Equifax has a product which it sells to companies so they can offer their own customers monitoring for signs of identity theft after a breach. And Equifax has an identity fraud expert called Lisa Hardstaff. She was quoted last year in one of their press releases saying: “Crucial to tackling loss of reputation after a breach is being able to provide customers with as much support as possible as quickly as possible”. Oops.