In 2017, consumer credit reporting giant Equifax suffered one of the country’s largest data breaches, exposing the personal information of 147 million U.S. consumers, roughly 40% of the population, to hackers.
The breach led to a record settlement with the FTC, a dramatic downgrade in Equifax’s own credit rating, and close to $3 billion in expenses for the company as it restructured both its C-suite and data practices, including dishing out $1.4 billion in settlement payments.
Yet six years later, Equifax is still going strong. Its stock price has soared 34% above where it was just before the breach, and the company raked in $5.12 billion in revenues last year, suggesting the agency was able to place the scandal behind it. But analysts say there are still many lessons businesses can learn from Equifax’s mishandling of the situation in regaining consumer confidence.
“What other businesses can learn from Equifax’s response is if you choose to reach with truth as transparency publicly from the first moment you were alerted to the issue, you can better control the narrative. Don’t let others write your business history for you,” Ronn Torossian, founder and chairman of 5W Public Relations, previously told Forbes.
Equifax, which didn’t respond to Fortune’s request for comment on this article, was slow off its mark to respond to the crisis, waiting six weeks after discovering the breach to alert consumers. In that time, multiple senior executives sold off a total of $2 million worth of company stock.
Equifax said the three most senior executives, including the CFO, who sold their shares days after the breach was discovered, hadn’t been made aware of the breach at that time. Two other lower-ranking managers, who sold shares roughly a month after the breach, later pleaded guilty to insider trading.
When Equifax finally did tell the public about the breach, it fumbled again. The company created a new website—equifaxsecurity2017.com—where customers could check whether they had been a victim of the leak. However, as Ars Technica reported that same year, the site was stood up on a freshly registered domain separate from equifax.com with subpar security configuration, which made it hard for consumers to tell apart from a phishing site and exposed them to another potential security threat.
In another major slipup, Equifax’s public relations team directed users to the wrong site multiple times, instructing concerned customers to check securityequifax2017.com instead. The holder of securityequifax2017.com had registered the domain to make a point about Equifax’s lax security standards. The phony site received 200,000 hits before the domain holder took it down.
Meanwhile, language on the actual crisis site implied that customers waived their right to sue by checking if they had been impacted, although that language was changed after media flagged the practice.
“It is troubling that Equifax is forcing people to waive legal rights in order to receive fraud monitoring after the company’s breach put their personal information at risk. Equifax could remove this clause so that consumers can receive this service without condition,” a statement from the Consumer Financial Protection Bureau chided at the time.
Today, public companies can’t legally sit on material data breaches for as long as Equifax did in its 2017 case. The Securities and Exchange Commission adopted a rule this July that requires companies to disclose a cybersecurity incident to investors within four business days of determining that it is material.
The rule also requires companies to report, in their annual filings, how they manage cybersecurity risk, demanding that they “describe their processes…for assessing, identifying, and managing material risks from cybersecurity threats.” That’s another area where, in 2017, Equifax was caught lacking.
With more companies hoovering up greater volumes of data now than six years before, data leaks are almost inevitable, so having a game plan ready for that is essential to maintaining consumer trust.
“Buckle up,” Equifax chief information security officer Jamil Farshchi told industry news site SC Media in April. “The regulators are upset, and they’ve seen where this is going. This is a different game. We all have to step up.”
Eamon Barrett
eamon.barrett@fortune.com
IN OTHER NEWS
PTO
Research from Bloomberg suggests that companies offering employees unlimited time off might outperform the S&P 500, as investors see substantial upsides in the policy. The crux is that “unlimited paid time off” allows companies to scratch “pay in lieu” from their books for employees who don’t cash in on all their vacation days. Meanwhile, the research also suggests unlimited PTO doesn’t dramatically reduce attendance as most employees feel too guilty to take advantage of the scheme.
Out with it
Corporate America is pushing back against jargon in the boardroom—especially when the cryptic language is coming from the heads of technical roles, such as chief information security officers. The ability to communicate technical issues to nontechnical investors was one of the crucial skills several chief trust officers highlighted in their role when I spoke with them last month. According to Fortune’s Nick Rockel, demand for that skill is ballooning.
Robotaxi revolt
In April, I wrote about whether consumers would ever learn to trust autonomous vehicles. Well, the city of San Francisco is accelerating full speed to find out as state regulators just extended licenses for robotaxis to operate all hours of the day. Some San Franciscans, including emergency responders and citizens already up in arms against the influx of AVs on their streets, are objecting to the additional purview granted to companies like Cruise and Waymo.
Cancel that subscription
I’m a sucker for a free trial of a subscription service, but I’m also shameless in canceling that subscription as soon as I’ve received the service I want—like speedier Amazon delivery. But many more people continue to pay for subscriptions well after they've stopped using them. So much so that, according to new research from Stanford and Texas A&M, inattentive subscribers can boost a company’s top line by as much as 200%.
TRUST EXERCISE
“This is one of those things that seems too crazy to be true, even for Twitter, until you see it inexplicably take five seconds for Chrome to receive 650 bytes of data.”
That’s Twitter’s former head of trust and safety, Yoel Roth, writing on rival short-messaging platform Bluesky after reports that Elon Musk’s X was throttling, via its t.co link shortener, outbound connections for users linking to sites the X owner doesn’t like. Links to sites like the New York Times, Facebook, and Bluesky all connected with delays of up to five seconds, according to a Washington Post report. Since the report was published, those delays appear to have been eliminated.
Learn how to navigate and strengthen trust in your business with The Trust Factor, a weekly newsletter examining what leaders need to succeed. Sign up here.