Clarity Matters in Crisis Communication: Two Tries is not a Great Effort Equifax

In early September, Equifax made the following statement:


September 7, 2017 — Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company’s investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer, Richard F. Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”

Data breaches are a serious problem for any organization that handles desirable consumer information.  Cyber criminals want that valuable data and usually are ahead of the security programs and practices designed to secure the data.  Customers, perhaps unfairly, view all data breaches as preventable, thus, attribute high crisis responsibility in most cases.

Equifax did disclose the breach along with instructing and adjusting information.  However, their second message about the breach was unclear.  As one reporter noted:  “A day after announcing that hackers stole personal information tied to 143 million people in the US, Equifax’s response to the breach has come under scrutiny. Language on the website where people could find out if they were affected seemed to say that by signing up they would waive any right to join a class action suit against the company.”

Equifax responded by clarifying this was not the case: “In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.”  You will see that language if you visit the site now.  The problem is the damage was done by the initial lack of clarity.  The digital world and traditional media are reporting the event.  The narrative casts Equifax as the villain trying to trick people into opting out of a lawsuit.  You get one chance to make a first impression and crisis response by Equifax needlessly created a negative one.

Questions to Consider

  1. Why might managers in an organization feel they have limited responsibility for data breach while customer feel the opposite way?
  2. What risks do organizations face when they try to highlight the robustness of the security measurers prior to the breach when discussing the breech? Why might manager select to present such information to stakeholders?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s