INSIGHT. 09/25/17

Equifax Data Breach Exposes Personal Information… and the Urgent Need for Crisis Preparedness!

By Michael Fox, Managing Partner, ICR

The immediate aftermath of the latest company data breach – this one affecting a record 143 million people at consumer credit bureau Equifax – brings to mind the popular definition of insanity: namely, doing (or in this case not doing) the same thing over and over again, yet expecting a different result.

After watching countless corporate brethren fall victim to a cyberattack and suffer the ensuing consequences of lost customers, declining share prices, irate regulators, damaged reputations and more, you would think most companies – especially one with a business model based on storing and safeguarding sensitive consumer financial information! – would have prepared for the potential of this catastrophic event.

Yet clearly Equifax did not.

Of course, a company’s first responsibility is to do its best to prevent unauthorized access to its systems in the first place (a duty which Equifax is reported to have neglected, based on allegations that the company failed to install a basic web server software patch in a timely manner and that it was using weak, generic passwords at one of its overseas subsidiaries).  But if there has been one clear lesson from the data breach epidemic over the past five years, it is that every system has vulnerabilities and there is no way to protect yourself or your data completely.

Against this backdrop, it is even more important – and one would think obvious – that companies need to presume this could happen to them and develop a response plan in advance.  Doing otherwise would meet the aforementioned definition of insanity.

A lack of preparation is evidenced across the board in the case of Equifax: the absence of a robust website able to withstand a large volume of consumer traffic; insufficient call center capacity; unclear and, at times, conflicting statements about what occurred and when; tweets that accidentally directed consumers to a fraudulent website (which could have been used to wreak further cyber havoc); extended delays in answering basic questions; and flip-flopping announcements on what remedies they would provide impacted individuals.

Yes, 143 million people is record scale for a data breach, and even the best planning may have been deemed insufficient by certain members of the public, but the depth and breadth of confusion, disorganization and inertia in this instance is staggering.

The disciplined process of a Crisis Vulnerability Assessment is expressly designed to unearth the broad range of threats that an organization could potentially confront.  Could Uber have predicted the flurry of sexual harassment claims?  Should United Airlines have anticipated the possibility of an innocent passenger being forcibly removed from a plane?  Was Facebook surprised to learn that one of its advertisers was not who they said they were?

All of these scenarios can be anticipated in advance, even if not in excruciating detail. More importantly, developing Crisis Scenario Plans, which “war-game” each individual threat through its myriad permutations, is necessary to fully understand, and thus to fully prepare for, exactly how a crisis might manifest in real life. Through this, the company can better understand the specific implications of the event and the required response, allowing it to take the preemptive steps to identify the right response team, define precise action steps, develop actual material and assets – websites, call centers, third-party support, etc. – and, importantly, expose the range of questions it would need to answer in response to the hypothetical event (and then work to determine what those answers should be).

But even with a comprehensive plan in place, the mind has a way of blocking out pain, or the expectation of pain.  We have all sat in the exit row of an airplane and received the instructions for what to do in case of an emergency. But how many of us are actually able to visualize exactly what we would do if that plane crashed in the water – which way would we turn first? Would we grab the life jacket? How and when would we open the emergency exit door?  Would we look to assist other passengers?

In the fog of war, it is very difficult to make the right decisions if they have not already been practiced and ingrained in the minds of the first responders. That is why a Crisis Simulation Exercise is absolutely critical to completing the preparedness process. Over the course of a 4-5 hour period, the key corporate executives are chaperoned through a real-life crisis in real time, where they confront the scenario and the inevitable escalating flow of events head on, including media inquiries, social media posts, regulatory pronouncements, employee reactions, NGO protests, shareholder revolts and whatever else could result from the given event. The individuals are forced to work together to develop response plans and action steps, seeing firsthand the implications of their decisions and the speed at which the situation unfolds. Only then are they able to truly appreciate the magnitude of the task and the critical need for advance preparation. Invariably, the exercise exposes holes in the process that need to be addressed.

To be clear, creating detailed crisis plans and simulating these situations at Equifax in advance would not have saved the company from the illegal breach it experienced. But it would have been much stronger, quicker and more effective in its response. It is important to remember that while a crisis is technically a negative event, it is also one that places the company in the spotlight – a place that most want to be. It is an opportunity, even amidst the controversy, to build brand equity and strengthen relationships. That opportunity has been missed in this case and the reputational damage suffered will likely impact the business for many years to come.

