Everything about Equifax’s inept handling of its massive data breach in September suggested that the credit bureau had put no time or effort into planning for how to respond to such an incident. From accidentally publicising a phishing website aimed at affected consumers to forcing people who used the company’s credit monitoring service to waive their rights to sue it for failing to protect their information, Equifax gave the impression it had no plan in place for dealing with a major security breach. But in one respect the company was prepared: it had insurance.