Information is still coming out about the Equifax breach impacting 143 million Americans, but we can already see the impact of major communications failures over the last 24 hours.
The main goal of cyber crisis communications is to maintain customer trust and confidence through credible, reliable, and empathetic communications. Clearly, Equifax either failed to include cyber crisis communications in its incident response plan, or else they’re just really bad at it.
Failure #1: They waited too long to notify victims. Equifax knew about the breach on July 29th but chose to wait an additional 40 days to make a public announcement. Now, rather than focusing on the work they’re doing to resolve the problem, every story is already referencing the delay, or questioning the decision to wait. Regardless of whether a valid explanation eventually comes out, this was an entirely avoidable situation. You may not know everything, but you have to say something.
Failure #2: They talked about themselves first. The statement released online by the Equifax CEO starts off by talking about the impact on his company, saying that “This is clearly a disappointing event for our company.” Ummm…I’m sorry this is hard for you, but what about the 50% of all Americans who just lost control of all the personal information they rely on to keep every aspect of their lives secure? It’s hard to convince customers you care about them when you talk about yourself first.
Failure #3: Their customer-facing response is awful. In the immediate aftermath of a breach, when no one knows what’s going on, it is critical to put out consistent and reliable information. Equifax has apparently not equipped its call center operators with sufficient information, there is a delay before any additional protections will kick in, and they have the nerve to require you to enter more PII before even telling you if you’re impacted! People are already venting their frustrations on social media, so whether these complaints are valid is now irrelevant. The story already says Equifax doesn’t know what’s going on and doesn’t care enough about its customers to give them the full story. Every person with an external-facing role has to be fully equipped with useful information from Day 1.
Failure #4: They’re still digging! Just over an hour after news of the breach broke, news came out that three Equifax executives sold nearly two million dollars’ worth of stock after the breach was discovered – but before the public was notified. This new story just makes it that much harder to trust that the company is doing the right thing. In the wake of a cyber attack, you’ve got to keep your hands clean – and it goes without saying, but you really should avoid the appearance of personally benefitting from the incident.
In the chaos of a breach, it’s hard to get everything right, and even if you do, people will still find fault. But if you put the effort (and resources) into a good cyber communications plan ahead of time, you can keep the focus on the breach itself, and avoid setting your own reputation on fire.
Loren Dealy Mahler is a cybersecurity expert and is President of Dealy Mahler Strategies LLC.