A hack at Equifax exposed the data of 147 million people. Here's what businesses can learn from the company's response

Yet six years later, Equifax is still going strong. Its stock price has soared 34% above where it was just before the breach, and the company raked in $5.12 billion in revenues last year, suggesting the agency was able to place the scandal behind it. But analysts say there are still many lessons businesses can learn from Equifax’s mishandling of the situation in regaining consumer confidence.

“What other businesses can learn from Equifax’s response is if you choose to reach with truth as transparency publicly from the first moment you were alerted to the issue, you can better control the narrative. Don’t let others write your business history for you,” Ronn Torossian, founder and chairman of 5W Public Relations, previously told Forbes.

Equifax, which didn’t respond to Fortune’s request for comment on this article, was slow off its mark to respond to the crisis, waiting six weeks after discovering the breach to alert consumers. In that time, multiple senior executives sold off a total of $2 million worth of company stock. 

Equifax said the three most senior executives, including the CFO, who sold their shares days after the breach was discovered, hadn’t been made aware of the breach at that time. Two other lower-ranking managers, who sold shares roughly a month after the breach, were later found guilty of insider trading.

When Equifax finally did tell the public about the breach, it fumbled again. The company created a new website—equifaxsecurity2017.com—where customers could check whether they had been a victim of the leak. However, the site’s security protocols, Ars Technica reported that same year, were subpar, which exposed customers to another potential security threat. 

In another major slipup, Equifax’s public relations team directed users to the wrong site multiple times, instructing concerned customers to check securityequifax2017.com instead. The domain holder of securityequifax2017.com had acquired the URL to make a point of Equifax’s lax security standards. The phony site received 200,000 hits before the domain holder took it down.

Meanwhile, language on the actual crisis site implied that customers waived their right to sue by checking if they had been impacted, although that language was changed after media flagged the practice.

“It is troubling that Equifax is forcing people to waive legal rights in order to receive fraud monitoring after the company’s breach put their personal information at risk. Equifax could remove this clause so that consumers can receive this service without condition,” a statement from the Consumer Financial Protection Bureau chided at the time.

Today, companies aren’t legally able to sit on data leaks for as long as Equifax did in its 2017 case. The Securities and Exchange Commission passed a regulation this July that requires companies to declare data breaches to shareholders, consumers, and regulators within four days of discovery.

The rule also requires companies to be proactive in mitigating cybersecurity risks, demanding companies “describe their processes…for assessing, identifying, and managing material risks from cybersecurity threats.” That’s another area where, in 2017, Equifax was caught lacking.

With more companies hoovering up greater volumes of data now than six years before, data leaks are almost inevitable, so having a game plan ready for that is essential to maintaining consumer trust.

“Buckle up,” Equifax chief information security officer Jamil Farschi told industry news site SC Media in April. “The regulators are upset, and they’ve seen where this is going. This is a different game. We all have to step up.”

Eamon Barrett
eamon.barrett@fortune.com