Equifax Engages in Almost Wholly Reactive Crisis Communications
Big crises typically offer big lessons, and Equifax Inc.’s security breach is shaping up to be one of the year’s biggest crises. Clearly, the credit-scoring company is getting pummeled for its uninspired response. Its strategy and messaging have really fallen short. This especially disappoints given how much time it had to plan.
The company announced the cyber intrusion on Thursday, Sept. 7, but had discovered it six weeks earlier. Granted, sometimes a breach’s scope is unclear at first. It turns out this one may involve as many as 143 million people in the U.S.; potential data at risk include names, Social Security numbers, addresses, and dates of birth. This is not Equifax’s first data incident — but it’s among the largest for any company.
Despite having all that time, Equifax has constantly been reacting to backlashes because it hasn’t thought through how its response and its policies would be received.
The Sept. 7 press release contained the basic facts. As for messaging, Equifax seemed to feel the breach wasn’t a big deal because it didn’t penetrate its “core credit-reporting databases” (that hardly matters given the personal data at risk). The release made almost no attempt to connect with consumers. This is the start of CEO Rick Smith’s quote: “This is clearly a disappointing event for our company.” For our company? He does “apologize to consumers and our business customers for the concern and frustration this causes.” Weak tea.
That same day, Equifax made the strange decision to post a video message from Smith (pictured) that is clearly aimed at employees, not consumers. In addition, Smith drones on in a monotone while reading from a TelePrompTer. He appears completely bored. The video script has essentially the same apology to consumers as the press release.
The company did launch a website dedicated to the breach. Unfortunately, it has led to a lot of the blowback. Over the weekend, people complained that the help site was too complicated or inaccessible due to the traffic. Consumer confusion was so widespread that, the day after the announcement, Equifax put out an update to clarify a number of issues, including problems with the site.
The press homed in on several controversies. The help site’s terms of service said that signing up to see if your data was stolen meant waiving your right to sue. Equifax said the waiver didn’t apply to “this cybersecurity incident.” Forbes’ headline: “Consumer Backlash Spurs Equifax to Drop ‘Ripoff Clause’ in Offer to Security Hack Victims.”
Equifax will not be defined by this incident but rather by how we respond.
— Equifax CEO Rick Smith
Equifax said people could freeze their data files — but there are fees involved. That infuriated people: No consumer asks a credit-scoring company to collect his or her data, and Equifax’s own inability to keep that data safe is what caused the debacle. On Monday, it said it was suspending those fees for 30 days. Again, the company should have predicted the reaction.
Also on Monday, Equifax put out yet another update in which it addressed several issues. It denied that a credit card was required for the free credit-file monitoring and identity-theft protection it offered for one year, and denied that people would be automatically renewed after that for a cost. Critics accused the company of trying to profit from the breach — these services are provided through its own TrustedID Premier product.
One channel Equifax basically ignored was media relations. Countless stories said the company didn’t get back to reporters who had specific queries. New York Times personal-finance writer Ron Lieber actually listed in his column all his questions that Equifax hadn’t answered. (On Tuesday, CEO Smith came out of hiding with a more contrite op-ed in USA Today.)
One factor contributing to Equifax’s reputational challenge is that its business can cause headaches for consumers whose credit scores are hurt by a tiny mistake, like a late payment. “This is the one corporation whose job it is to keep track of every single time that you’ve messed up,” Daily Show host Trevor Noah said during his flaying of the company.
We think partly due to that, consumers are almost gleeful in their attacks.
Toward the end of his video statement, CEO Smith declared that “Equifax will not be defined by this incident but rather by how we respond.”
Unfortunately for Equifax, that’s true.
Image Credit: Equifax
This is an abridged version of an article that appeared today on the CrisisResponsePro paid subscription portal. (CrisisResponsePro subscribers can access the full version by clicking here. ID and password are required.) To take advantage of all of the content, data, and collaborative resources CrisisResponsePro has to offer, contact us at email@example.com.