Much is being written about the Equifax data breach, even speculation that it will spell the end of using Social Security numbers as identifiers (something that many say is long overdue).
What I want to focus on from a reputational standpoint, though, is the challenge of countering an entrenched narrative, particularly the one surrounding allegations that some Equifax senior executives, including their CFO, sold Equifax stock during the time between July 29, the date the company says it became aware of the breach, July 29, and Sept. 7, when it was announced.
As this article from the L.A. Times explains, there are a number of legal hurdles that would have to be overcome before the government could establish whether the sales constituted illegal insider trading under the federal securities laws. But in the court of public opinion, the company is already in trouble, and Capitol Hill is already demanding answers.
A congressional hearing may not be the equivalent of a criminal trial, but it can be devastating both for a company and for its CEO if not adequately prepared. Just ask any number of CEOs who have lost their jobs following major crises.
The challenge in situations like this is twofold. One, the individual involved faces potentially serious criminal charges. As a result, public relations and reputational considerations may have to be sacrificed to avoid saying things that will land him in jail. The second is that, from the public’s standpoint, the narrative is already entrenched: “The greedy bastards screwed the little guy and then dumped stock to avoid taking a loss when it got found out.” In the Equifax case, we know there was a 30-day delay in revealing the breach to the public, and we know the stock was sold – so it is all too easy for members of the public, members of Congress, and the media, to fill in the blanks in a way that follows that pre-set narrative.
So, if you’re advising executives in that situation, what can you do to change the narrative? Of course, there are the various legal defenses to an insider trading charge, and indeed Equifax has emphatically stated that the executives “had no knowledge” of the breach at the time they sold their shares.
But more broadly, you need to remember that every story has a villain. Right now, the villains are Equifax and the executives. And there are a variety of reasons for this. Consumers aren’t really “customers” of credit reporting agencies; they have no emotional ties to them, and if anything credit agencies are perceived as obstacles to consumers getting the credit they want. Beyond that, Equifax was widely reported to be charging people to “freeze” their credit after the breach, essentially making money off the event, until it was pressured to offer the service for free (the other major reporting agencies are continuing to charge). And, of course, the executives are reported to have dumped stock.
But here’s what’s at least as important: as in most major breaches, the real criminal – whoever it was who actually committed the breach, is not the villain in the popular narrative. It’s difficult to portray a faceless entity as a villain, but the effort must be made. When we recently advised a company that had been the victim of a ransomware attack, we missed no opportunity to remind customers and others that the company as much as anyone had been the victim of a criminal act. Fortunately, we were not also dealing with questions about executive stock sales (the company is privately held), but nevertheless, the importance of identifying the true villain cannot be overstated.
Sometimes, though, the only way to counter an entrenched narrative is a high-profile change in leadership. Equifax has already forced its chief information officer and its chief security officer into retirement. It would not be shocking if others followed them out the door.