A CEO's Demise: Lessons From Equifax

Equifax CEO Rick Smith just resigned amidst the company’s catastrophic data breach. While the impact of the incident, its ramifications for customers, and the long-term viability of the company are all very much still in question, it is not too early to analyze the many mistakes Equifax made and the lessons that other executives can learn from this cautionary tale.

Crisis management is more complex than ever before. At a time when any consumer can make their voice heard through social media — a phenomenon I refer to as the Age of the Citizen-leader — the spotlight has never been hotter and the stakes have never been higher. Equifax is a case study in just how quickly a CEO can go from business-as-usual to out of a job.

Given our 24/7 news cycle, it’s tempting to view the fall of Equifax through a short-term lens. It is true that many of the decisions the company made immediately after the data breach came to light were regrettable and only made things worse. But it’s more instructive to take a longer view and learn from the mistakes Equifax made long before the damaging headlines surfaced.

The companies and executives best equipped to manage a crisis are those who have proactively shaped a positive public narrative for themselves. There is a tendency to think of strategic positioning as a marketing effort. Some CEOs are even reticent to see their name in print, not wanting to appear vain. The vital truth, however, is that careful executive positioning is actually a company’s most powerful inoculation against crisis.

Think about visible leaders like JP Morgan Chase CEO Jamie Dimon and Salesforce CEO Marc Benioff. Both have spent years investing in executive positioning, establishing extraordinary levels of credibility for themselves and their businesses through savvy thought leadership, innovative business practices, and a compelling public profile. One of the most important yet least understood benefits of this approach is that when faced with a potential crisis, CEOs who have established public trust and credibility will earn the benefit of the doubt. In a fast-moving, high-risk scenario, this breathing room can make all the difference.

While Equifax is a well-known brand, there are no faces, personalities or values associated with it. Smith’s apology video was his first significant public statement in his 12-year tenure. Equifax is part of an industry that has long been the subject of public skepticism. Credit reporting companies’ widespread access to personal information like consumers’ social security and bank account numbers is a source of controversy and decades of criticism. Rather than taking steps to address these concerns, companies like Equifax have chosen to operate in relative anonymity. 20 years ago, that approach may have made sense, but at a time when consumers are empowered to make their voices heard and bad news travels around the globe at lightning speed, this is a recipe for disaster.

Failing to invest in strategic positioning (and to establish more consumer-friendly practices and narratives) made Equifax extraordinarily vulnerable when the data breach news hit — yet the company’s immediate response only poured gasoline on the fire. Here’s what they could have done differently:

Announce Sooner. When Equifax discovered the data breach, they knew the situation would require further investigation before they could provide a full picture to the public. However, the 40 days Equifax waited between discovery is simply unacceptable and rightly caused many consumers question their motives for withholding the information. Equifax badly miscalculated the risk and benefits of waiting before going public, and in doing so made their temporary concealment a prominent part of the data breach story. Consumers are actually quite forgiving of corporate mistakes – if companies are up-front, honest, and consumer-friendly in their response. Equifax failed badly on this measure.

Anticipate media coverage. Any communications professional could have seen the media storm coming from a mile away, but the two public steps Equifax took — sending out a press release and posting an apology video on Youtube – were not close to sufficient. Neither offered a comprehensive explanation of why Equifax withheld information from the public for nearly six weeks, and neither conveyed an authentic sense of empathy for the consumers whose privacy and trust were violated.

Be self-aware and forthcoming.Upon disclosing the breach, Equifax published a dedicated website to help consumers track their information and offered a free data protection service. So far, so good. But the company then failed profoundly by including an arbitration clause that limits users’ legal rights in the terms of use of their free identity protection package. Whether this was intentional or an oversight, it yet again compounded a problem and conveyed a lack of caring or common sense. Another high-profile concern was the disclosure that CFO John Gamble sold thousands of shares of stock three days after the company discovered it had been hacked. While evidence has not surfaced that Gamble did so based on insider information, the optics are troubling – and require a close review of internal communications practices at the very least.

With legislation already making its way through Congress that would reform the consumer credit industry, Equifax may still be in the early stages of pain. And while the crisis could have been mitigated to some extent by more empathetically managing the immediate aftermath, the truth is that this incident was decades in the making. In a 24/7 world, companies must invest as much in long-term crisis inoculation as they do in crisis response.