Equifax was back in the news recently, promising that it is now a model of data security – although, of course, we could not help but be reminded of the circumstances of its massive loss of sensitive consumer data in 2017.
A quick refresher of the events two years ago.On September 7th, 2017, Equifax announced one of the largest cybersecurity breaches in history, affecting more than 140 million consumers.
The loss of data, including social security numbers and, in some cases, driver license numbers, was discovered in late July – the breach had happened over a two-month period from mid-May.
There’s so much to discuss and learn about this incident for crisis management professionals, but my point for this blog is about the apparent lack of any plan at Equifax to respond quickly and effectively to this kind of crisis (and they are primarily an organization that manages secure data!).
Fortune magazine noted that when Equifax publicly revealed details of the hack in September, several weeks after the company discovered it, it had no explanation how it happened or why it had not reported it sooner.
Also, social media exploded with frustrated people who could not connect with Equifax’s customer service.
It must have been anticipated that there would be many, many calls and web enquiries!
I have no connections with Equifax and no first-hand knowledge of events inside the company.
But here’s a bold observation – if Equifax had a crisis response plan at all, it was no good or no-one bothered to consult it when the worst happened.
Which brings me to Lesson #4 in our occasional series.
Whether you are inside an organization or an agency partnering with the communications function, one of the most agonizing annual rituals is the pitching of a new crisis plan.
In early Fall when the long list of projects for the next year is compiled, everyone always agrees that, in such uncertain times, it’s time to draw up a new crisis plan or update the old one.
Weeks later, as budgets constrict and the list of projects becomes shorter, it’s decided that the new crisis plan can wait until ‘next year’.
Aaaaargh!
I personally wasted hours preparing proposals, sitting in long meetings and prepping persuasive presentations.
But now it turns out that, in the digital age, we can avoid all that wasted time.
We don’t need to pitch the big crisis plan in the first place.
Let Equifax be our symbol of the folly of pitching the old style, complex crisis plan that doesn’t matter even when there is a crisis.
To replace the old-fashioned bulky plan in a 3-ring binder, it’s now all about smart response protocols that can be put in place right now.
The new approach focuses on the kind of tools and nimble processes that guide the inspired crisis response that earned KFC, Sanofi and Nordstrom so many plaudits.
In our next blog in this series, Lesson #5, we will look more closely at what we mean by ‘smart protocols’.
This is #4 in an occasional series of blogs under the overall theme of ‘The Ten Digital Age Crisis Management Lessons for Everyone’.
Check out the #1 lesson here.
Check out The #2 lesson here.
Check out the #3 lesson here.
