What can businesses learn from how Equifax dealt with its massive data breach?
With the recent Equifax breach exposing sensitive data for 143 million people, consumers learned, yet again, that their data continues to be a high value target. But there’s also a lot that businesses can learn from this breach, as well as Equifax’s response to it.
A proper response to a crisis like this can make or break the organization. Our Kevin Donahue teamed up with Erica Cummings from SecureState to offer two perspectives on Equifax’s data breach – what businesses should be doing in the face of increased data security threats, and how they can better handle communicating in the wake of breaches.
1. What did Equifax do right?
If there’s any bright spot to the way Equifax handled this breach, it’s that the Equifax CEO was the face of the official statement. When there is an incident of this magnitude, it’s important to show that top officials are leading the response effort.
The statement explained the incident, offered what appeared to be a sincere apology, and presented Equifax’s plan to remediate some of the damage. It certainly doesn’t undo the wrong, and Equifax didn’t exactly take responsibility for the breach (likely at the advice of legal counsel), but consumers appreciate when executives show a little humility and concern. Whether this will be enough to restore consumer faith in the organization is yet to be seen.
Equifax also set up a website, separate from their main site, dedicated to the response. This provides consumers a central location to find information about the breach. This strategy will also help funnel consumers away from the main site so it can operate without interruption.
2. What did Equifax do poorly?
There’s plenty to list, but here are a few of the biggest concerns.
Not the first time: This is not the first time Equifax has suffered a security breach. Incidents from 2013, 2014 and 2016 also exposed sensitive information. Though we can’t speak to what Equifax may or may not have done to address the exposures that led to the previous incidents, it will be increasingly difficult for the company to assure consumers that their data is safe with Equifax after this latest breach.
Continued confusion: Equifax may have set up a dedicated website and call center to handle the incident; however, a scan of news coverage and social dialogue suggests that many consumers are still confused about where to go and whether they’ve been impacted. Call centers are overwhelmed, and some consumers aren’t getting a clear answer. Consumers want to talk to a real person and get a clear yes or no answer as to whether they’ve been affected. In addition, there are bogus phishing sites asking users to submit their Social Security numbers to check whether they’ve been impacted (the real one is equifaxsecurity2017.com). This may not be Equifax’s fault, but it highlights the need for clear and precise direction from Equifax. Moreover, Equifax’s tool to verify which consumers have been impacted seems at times to be giving inconsistent or random results.
The wrong message: Some Equifax executives sold off nearly $2 million worth of stock in their own company after the breach was discovered on July 29 but before the breach was publicized. This certainly undercuts much of the concern Equifax intended to show in their initial response and at the very least gives the wrong impression.
Too little, too late: Equifax discovered the breach on July 29 but did not alert the public until September 7. Why wait so long? Equifax may say it needed time to establish call centers and set up its response website, and there is some truth to that. You want to make sure you can sufficiently meet consumer demand once the breach is known. Still, consumers want to know whether they are affected as soon as possible so they can take steps to protect themselves. With a strong crisis management plan in place before the breach occurred, Equifax may have already had these protocols established and not needed to scramble at the last minute.
Broken trust: Equifax is offering free credit monitoring, but why should consumers trust them to protect the information they couldn’t safeguard in the first place? Also, there is some concern that signing up for this service relinquishes the consumer’s ability to take legal action against the organization. Consumers may not yet be convinced that Equifax’s solutions are really in their best interest.
3. What should a proper response entail?
Situations like this demonstrate the need for a defined crisis management plan and preparedness program. This plan should clearly establish a crisis management team, define roles and responsibilities, and outline response and escalation protocols, including when to involve top executives. For an incident of this scale, the crisis management team should be notified and activated immediately so members can quickly assess the potential impact, make decisions and take actions, and determine what to communicate to those affected by the situation and how. The crisis management team should include members from across the organization, including Operations, IT, Consumer Relations, Investor Relations, HR, Legal, Communications, Regulatory and other key functional areas. Actions such as establishing a dedicated website and call center to handle the incident should be tested to ensure enough capacity to manage the anticipated spike in demand from worried consumers and others.
From the cybersecurity side, this incident is another in a long list of events that prove cybersecurity must be a priority, especially for organizations like Equifax that handle extremely sensitive information. Within 24 hours of the breach announcement, Equifax stock fell 13 percent, or about $2.28 billion in market value. If only a fraction of that had been invested in cybersecurity improvements beforehand, the entire incident likely could have been avoided. Organizations need to make sure they have strong defenses as well as a defined incident response plan so they can prevent such events. Additionally, organizations should review whether they need to store so much data to begin with. Often, by taking a deeper look at business processes, organizations will find areas to reduce the risk of data exposure.
4. What will happen next?
Nobody can say for sure, but Equifax will certainly be under intense scrutiny. The attorneys general of New York and Illinois, along with the U.S. House Financial Services Committee, have started looking into whether Equifax met its risk management obligations. The executives who sold their stock will likely face an investigation. Congress is already discussing an investigation of the entire organization, which could result in fines and penalties. Equifax will continue damage control, fielding what will seem to be endless questions and concerns from media and consumers. While the company’s stock may be in for a rough period, it should be noted that other corporations that have experienced massive breaches (Yahoo, Target and Home Depot) are still around. It remains to be seen whether Equifax will use this event as an opportunity to revamp its cybersecurity and crisis management efforts to avoid facing yet another incident.
The net result of this unprecedented breach on the public will be that consumers lose even more faith that their private data is really private. Consumers should freeze their credit and remain vigilant as always. As for all other organizations, this experience should strengthen their resolve to make cybersecurity and crisis management a top management priority.
This blog was written in partnership with SecureState.