The Equifax breach serves as a cautionary tale for CEOs and board members.
The massive breach in September 2017 exposed the identifying information of more than 143 million people, led to congressional hearings and the resignation of CEO Rick Smith.
There is no arguing that we’ll be feeling the ramifications of this breach for a long time to come, and it should ultimately change the way companies respond to critical breaches in a post-Equifax world.
To recap, the Equifax breach stands out for three reasons:
- Sheer size.
- The highly personal nature of the data at risk (Social Security numbers, birth dates, addresses and driver’s license numbers), and
- While credit-reporting bureaus serve a critical role, almost none of these 140 million consumers consciously and directly agreed to share this information with Equifax. On some level there was consent, but a compromise at a company with which you have a direct relationship is very different from a compromise at a third party such as a credit bureau.
Watershed event? Sure, but it’s also the “new normal.” Adam Levin, our chairman and founder, said it perfectly in his Inc. column: “The Equifax Breach Is Every Day.” Breaches are going to happen. That’s not going to change. What can and will change is how executive leadership publicly responds to them.
Today, I’m not going to discuss how this breach could have been prevented, or what consumers can do to steel themselves in the face of future events of the sort. I’d like to briefly look at a template for future corporate and executive responses in the face of impending security events.
Mistakes Were Made
While Equifax’s crisis communications will be the subject of many business school classes to come, I see three lessons that come out of this breach, lessons relevant to leaders of organizations large and small alike.
- Tell the truth quickly and completely—with full transparency. The time to disclose a breach is when you know it occurred. There will always be the desire to determine the forensics and weigh the cost of disclosure: Can we patch this before anyone knows? The answer is no. Whether you are a small chiropractic practice or a major corporation, you need to share the news about your data breach as soon as you know it happened, in a fully transparent fashion. Even if you don’t know the complete ramifications or the extent of the data loss, prepare all parties for a worst-case scenario.
- Take consumers’ needs to heart and offer them easy access to answers. As you disclose the event, do so with the consumer in mind. Do not make this complicated—let consumers know where they can turn for solutions, and ensure fixing the problem will not cost them anything. Set up an easy means for consumers to speak with a representative rather than filling out a web form, and ensure they are updated throughout the process. At the same time, state your plans to ensure that this doesn’t happen again.
- Remember, CEOs: The buck stops with you. It’s unlikely that the breach was your fault, but ultimately, you are the face of the company and your leadership will be associated with this incident. Your ability to maintain control will likely be determined by your management of the incident from identification through resolution.