Let’s look at the Equifax breach as a teachable moment
Raise your hand if you believe Equifax!
Raise your hand if you like Equifax!
Equifax has made billions of dollars aggregating your personal and business financial data, packaging it and reselling it to others without your knowledge. And you didn’t make a buck on the deal.
Whether it’s done so with your consent – express or implied – is speculative. Certainly, when you use the service personally or for your business, or even when you buy financial services, you are asked to authorize data-sharing with the three major credit-evaluation agencies.
When Equifax designs a data security system that allows you to become a victim of a hack of your personal and business data, what’s your role?
Does it bother you that, after Equifax detected the hack on July 29, Equifax withheld publicly announcing it until Sept 7, leaving you vulnerable to scammers and the bad guys for weeks?
Does it bother you that Equifax executives sold more than $2 million of Equifax stock in the weeks before the public disclosure that caused Equifax stock to tank?
Did it bother you that total gross incompetence marked Equifax’s crisis management, sending victims of the hack to a bogus website that shared a similar address to its intended destination?
Did the bureaucracy-speak – “mistakes were made” -from now former CEO Richard Smith to a Congressional committee on Oct. 3 offend you?
This really is becoming a bigger and bigger issue for large businesses, like Equifax and Wells Fargo and Chipotle, as well as small to midsized. It’s my view that smaller businesses, e.g., less than $5 million in revenue, won’t have the capacity, capital and endgame to fight and manage a crisis, and they’ll simply disappear from sight, failing as businesses.
Situations like what happened to Equifax are often self-inflicted sins of omission or commission.
Handling them is not rocket science, but it’s a skill set that many businesses either don’t have, or, even when they have it, they don’t deploy it.
Frankly, part of it is simply delusional: “Oh, this can’t happen on my watch!!”
Steps in a crisis are obvious:
“¢ “Stop the bleeding.” Identify the crisis as a crisis
and deal with it.
“¢ Restore the organization and its stakeholders to normal operations
“¢ Assess the longer-term damage. Go back and repair it. Rebuild reputation, credibility and relationships.
One difficulty for senior leadership is that, because a crisis requires navigation where few if any navigational markers exist, they sometimes move into denial.
Another problem is that when someone – a customer, an employee, the public, other stakeholders – often feels a sense of injury, it becomes tough for leadership to say “I’m sorry.” Regret and apologies signal ownership, and few senior leaders want to own a bad day or a bad incident. Their aversion to that often is reinforced by their attorneys, who counsel them to give no comment.
Frankly, I always encourage people to assess their weakness in advance of a crisis, because crises can be predicted, almost with the accuracy of hurricanes. A good issues-and-crisis audit can identify and uncover strategic weaknesses, which, in turn, allows management to develop strategies to mitigate them.
I always tell leaders that an organizational or business crisis stems from one of four likely sources:
“¢ Mission failure – the hospital that kills a patient admitted for a relatively minor issue.
“¢ Management failure – leaders are not doing their job with regard to stewardship. Examples are Sears, a chronic underperformer, and Wells Fargo with its bogus accounts.
“¢ Human failure, – the Howard Weinstein scenario where human weakness damages the organization.
“¢ Acts of God – a lightning strike that sparks a fire at a manufacturing plant.
Now, you have no excuse for not preparing your organization.