Opinion: Equifax CEO: What I’ve learned in three weeks

September 15, 2017 Atlanta - Exterior of Equifax Corporate Headquarters on Peachtree Street NE in Atlanta on Friday, September 15, 2017. Because of lax laws and loopholes, businesses may be able to escape severe penalties for putting sensitive consumer information at risk, as Atlanta-based Equifax is accused of doing with the massive hack revealed this month. HYOSUB SHIN / HSHIN@AJC.COM

Credit: HYOSUB SHIN / AJC


Since Equifax announced a data breach affecting more than 145 million consumers in September, the public scrutiny on us has been enormous, and the criticism of the company’s response has been extreme. Days after I was appointed interim CEO, I apologized to the public in a column in The Wall Street Journal. I do so again now. We had a massive breach, and we failed to support consumers as well as we should have. Acknowledging these facts is painful, but I believe the road forward for Equifax begins with candor.

Although the investigations of this incident by regulators, Congress, an independent law firm retained by the Equifax Board of Directors and others, are continuing, I want to offer a few thoughts on the lessons I have learned so far.

First, this breach was a clear reminder that even though our customers are, primarily, other businesses, we are also a consumer company. This point may sound simple and self-evident, but it is critically important. We are not a consumer business like Coca-Cola or Apple or Toyota. We do not generate a large percentage of our revenues through the direct sale of services and products to individual consumers.

Yet it is through the collection and analysis of consumer data that Equifax creates value for its customers. As interim CEO, my most important job is to make sure that the best interests of consumers are protected in every aspect of our operations. I expect every one of our 10,000 employees to bring this mindset to every meeting and every decision, every day.

Second, it is our responsibility to fix the breach, but the implications of the incident go far beyond our company and our industry. Social Security numbers, driver’s license data and home addresses are no defense to seasoned, determined cyber thieves. We need a better defense.

Also, we need to consider consumers’ desire to control their personal financial data. No one thinks it makes sense for individuals to have to rely on a business – any business – to control access to their information. As part of our commitment to support consumers, we have announced that by January 31st we will offer consumers a new service that will allow them to control access to their personal credit data. The service will be easy to use and available for free, for life. We hope our competitors will join us to give consumers the power to protect their credit data.

Third, Equifax has to do a better job of explaining the value we offer to consumers and the economy as a whole. Historically, we have not placed a high priority on communicating our purpose. But each day our data and analytics help millions of people get car loans, mortgages and other forms of credit. We owe it to the thousands of businesses and hundreds of millions of consumers we serve to explain our business in a more understandable and forthright manner.

Fourth, it is time for business and government to come together to confront the massive economic and national security threats represented by cyber criminals. I repeat, it is our responsibility to address the breach. Any comment about a larger societal problem is not an attempt to minimize our issues or deflect responsibility. I have made it clear that strengthened security must be, and will be, a daily priority for Equifax. I pledge that we will engage the best minds, utilize the best resources, and spend the necessary dollars to make our company as secure as we know how.

But an improved Equifax does not answer the larger problem. Since our cybersecurity incident was announced on September 7th, there have been other major breach announcements involving government agencies and private companies. As Treasury Secretary Steven Mnuchin recently said, “I think public/private partnerships on cyber is critical, as this is not something that the private sector can do alone, and it’s not something the government can do alone.”

Protecting data is becoming more important and more difficult. For a company like Equifax, the attempted cyberattacks number in the millions in any given year. Sometimes hackers are lone wolves and relatively unsophisticated. Many other times, the would-be thieves are extremely well organized and technically advanced. No matter who they are, or the nature of their support, our job is to stop them – 100 percent of the time.

The entire Equifax team has been humbled by this incident. We are also highly motivated and extremely determined. We will get through this by doing the right things for consumers. And we will be an eager and devoted partner with other businesses and government to help build stronger cybersecurity defenses. We are proud to call Atlanta home. We want Atlanta to be proud of the work we do.