Equifax interim CEO Paulino do Rego Barros Jr. published a piece in the Wall Street Journal about his company’s response to its data breach. The tone and substance are ideal. Why does it always take at least 3 tries for a company to get its apology and reaction right?
The Barros Op-ed works because it’s sincere, specific, and not overblown
Here’s what Barros wrote. My commentary added.
On Behalf of Equifax, I’m Sorry
A new free service will let consumers lock or unlock access to their credit data any time they like.
On behalf of Equifax , I want to express my sincere and total apology to every consumer affected by our recent data breach. People across the country and around the world, including our friends and family members, put their trust in our company. We didn’t live up to expectations.
Commentary: Start with an apology directly to the the affected party (in this case, consumers). Check. Don’t overdo it (“sincere and total” is sufficient.) Don’t add “shareholders” and “businesses.” Also, notably, the title and lead here are factual and describe the most important elements, although the Wall Street Journal probably deserves some credit for that.
We were hacked. That’s the simple fact. But we compounded the problem with insufficient support for consumers. Our website did not function as it should have, and our call center couldn’t manage the volume of calls we received. Answers to key consumer questions were too often delayed, incomplete or both. We know it’s our job to earn back your trust.
Commentary: Describe in simple detail and active voice what you did wrong. Check. “We were hacked” and “Answers . . . were too often delayed” are passive, but overall, this paragraph uses “we” to effectively take full responsibility. It’s hard to write “we screwed up” sentences, but it’s easier than dealing with the fallout from weaseling out of them.
We will act quickly and forcefully to correct our mistakes, while simultaneously developing a new approach to protecting consumer data. In the near term, our responsibility is to provide timely, reassuring support to every affected consumer. Our longer-term plan is to give consumers the power to protect and control access to their personal credit data.
Commentary: This is vague, including the weasel words “quickly,” “forcefully,” and “timely.” And “Our long term-plan” isn’t specific enough. But at this point in the recovery, these promises appear to be in the right direction. They are sufficiently specific to allow us to check later if the company is living up to them.
I was appointed Equifax’s interim chief executive officer on Tuesday. I won’t pretend to have figured out all the answers in two days. But I have been listening carefully to consumers and critics. I have heard the frustration and fear. I know we have to do a better job of helping you.
Although we have made mistakes, we have successfully managed a tremendous volume of calls and clicks. And we’re getting better each day. But it’s not enough. I’ve told our team we have to do whatever it takes to upgrade the website and improve the call centers.
We have started work on our website, and I see significant signs of progress. I won’t accept anything less than a superior process for consumers. We will make this site right or we will build another one from scratch. You have my word.
The same goes for the call centers. There is no excuse for delayed calls or agents who can’t answer key questions. We will add agents and expand training until calls are answered promptly and knowledgeably. I will personally review a daily report on their operations.
Commentary: While some of these descriptions are vague, Barros has introduced a new word, “I.” This changes the tone, because he is now taking personal responsibility. He narrates this from a personal perspective and makes a some specific promises. You get the sense that unlike previous managers, Barros is applying the correct degree of focus to what is now an existential problem.
We will also extend the services we are offering consumers. We have heard your concern that the window to sign up for free credit freezes with Equifax is too brief, so we are extending the deadline to the end of January. Likewise, we are extending the sign-up period for TrustedID Premier, the complimentary package we are offering all U.S. consumers, through the end of January.
We hope these immediate actions will go a long way toward addressing the concerns we are hearing from consumers. We know they won’t solve the larger problem. We have to see this breach as a turning point—not just for Equifax, but for everyone interested in protecting personal data. Consumers need the power to control access to personal data.
Critics will say we are late to the party. But we have been studying and developing a potential solution for some time, as have others. Now it is time to act.
So here is our commitment: By Jan. 31, Equifax will offer a new service allowing all consumers the option of controlling access to their personal credit data. The service we are developing will let consumers easily lock and unlock access to their Equifax credit files. You will be able to do this at will. It will be reliable, safe and simple. Most significantly, the service will be offered free, for life.
With the extension of the complimentary TrustedID package and free credit freezes into the new year, combined with the introduction of this new service by the end of January, we will be able to offer consumers both short- and long-term support for their personal data security.
Commentary: This is clear, specific, and new. Customers are not Equifax’s customer; businesses are. For the first time, Equifax is acknowledging its responsibility to consumers with this free service to monitor and freeze their accounts. This could create pressure for other credit bureaus and businesses that hold consumer data to do the same. It is the first credible statement of the form “things are different, so we have to behave differently.”
There is no magic cure for data breaches. As we all know, every organization is at risk. When consumers have access to our new service, however, the cybercrime business will become a lot more difficult, and we are committed to doing what we can to help millions of consumers rest easier.
Commentary: A vague tacked-on conclusion.
Your response to a crisis should be quick, personal, and powerful
If Equifax had released this statement on the first day of the breach, 6 days ago, this story would have inflicted far less damage on the company and the industry of which it is a part, and the previous CEO would still have his job. The lesson is clear: playing defense, squirming away from responsibility, reassuring shareholders and employees, and failing to take clear, personal responsibility with statements that begin with “I” is a losing strategy. Not only does it fail; it wastes time and digs the hole deeper.
A crisis demands a statement just like this one: personal, clear, taking full responsibility, and with specific apologies and promises to the damaged parties (in this case, consumers). If you can do it on the first day, rather than two CEOs and six days later, you’ll save yourself a whole lot of pain.