By: Ben DiPietro

Five days is an eternity in the court of public opinion, especially when it involves one of the world’s most popular social media companies.

Crisis management leaders said they’re perplexed as to why it took Facebook Inc. Chief Executive Mark Zuckerberg so long to address how third parties such as Cambridge Analytics acquire and use data of Facebook users and their connections. However, the slowness of the company’s response offers a lesson to other companies facing crisis events.

The crisis hurt Facebook. Its stock fell more than 10% from last Friday through the close of trading Thursday, and continued to decline on Friday. Regulators in the U.S. and Europe are calling for greater oversight. Some users are calling for a boycott.

Mr. Zuckerberg emerged Wednesday, issuing a statement and speaking to media. He admitted Facebook made mistakes and promised to investigate further but his remarks left some people feeling he could have gone further.

Mr. Zuckerberg said in his interviews he was late in responding because the company “wanted to get it right.” But that answer is troublesome because Facebook knew about the problem for several years, said Richard Levick, founder and chief executive of crisis-management firm Levick.

Even if he didn’t have all the answers, Mr. Zuckerberg needed to “run into the fire,” he said.

Stand up, show up

“Crises do not get better with time,” said Mr. Levick. “It is never a good thing when [media outlets] are running headlines like ‘Where is Mark Zuckerberg?‘ and ‘Is It Time for More Adult Supervision at Facebook?‘”

You have to go public with what you know, when you know it, he said. “Seldom, if ever, in all our years in crisis, has a CEO been fully informed prior to the demands of media to make a statement. “We may not like everything they have to say at the time but they stand up and show up.”

Facebook didn’t respond to an emailed request for comment.

Mr. Zuckerberg’s response addressed a symptom of the problem, not the problem itself, when he chose to pin part of the blame on data-analytics firm Cambridge Analytica, said Peter LaMotte, senior vice president at crisis-management firm Chernoff Newman.

Cambridge Analytica worked with Donald Trump’s presidential campaign in 2016 and accessed and retained user data obtained from Aleksandr Kogan, a psychology professor at the University of Cambridge. Mr. Kogan followed Facebook rules in gathering the data but violated its policies by sharing it with Cambridge Analytica, Facebook said.

Cambridge Analytica has said it complied with Facebook’s rules.

“They finally got around to doing the right thing but the failure in Facebook and with Mark Zuckerberg was it took them so long,” said Mr. LaMotte. He said Facebook either spent too much time analyzing the problem or simply hoped it would fade away.

“That is the age-old failure: It always comes back to damage a corporation’s brand,” said Mr. LaMotte. “People are now talking about a post-Facebook era in a way I have never seen before simply because of this incident.”

Be prepared for a crisis

Facebook’s problems show great crisis management starts long before a crisis begins, said Jim Kaskade, chief executive of Janrain Inc., which provides customer identity and access-management services.

The use of tough external audits–including spot checks on suspicious behavior, targeted audits and random audits—would have let Facebook more quickly and effectively get to the bottom of whether users’ personal data had truly been destroyed with the required proof, he said.

“Facebook clearly didn’t have mechanisms to get to the bottom of what happened to the personal data of 50 million users,” said Mr. Kaskade. “Had Facebook had stronger policies to begin with in 2014–[like] the ones that will soon be mandated by the European Union’s General Data Protection Regulation–they would have acted much differently.”

GDPR takes effect May 25 and aims to hold accountable companies that process personal data associated with EU residents, regardless of whether those companies have a physical presence in the EU. The law will affect virtually any company in any sector around the world that processes the personal data of EU residents.

Suzanne Perez-Bernal, co-principal of crisis-management firm Ander & Co., said there is an expectation for an immediate response and companies need to be out with something within 24 hours of a crisis occurring.

Elements of crisis response

Companies looking to learn from the Facebook incident should take away the fact an initial crisis-response statement needs three elements: acknowledge the situation, express an sense of urgency to resolve it and show empathy with affected parties, she said.

“Silence breeds skepticism,” she said. “Transparency breeds trust.”

Adonis E. Hoffman, an adjunct professor at Georgetown University who teaches crisis management, said one public policy lesson other companies can learn from Facebook is to try to work with regulators and lawmakers and not wait for them to approach you, and also that there is a value to some self-regulation.

“Don’t wait for the next crisis, the next breach, get ahead of that curve,” said Mr. Hoffman.

The most important lesson, though, he said: Do what you say you are going to do.

“Facebook and other tech companies must enshrine the principles they espouse,” said Mr. Hoffman. For example. he said tech companies talk about transparency and opportunity to opt out and about consent but he’s unsure if they live up to their aspirations. “If a company puts it into a policy, a corporate brochure or in a CEO letter to investors, they’ve got to live up to those words.”

–Mara Lemos Stein contributed to this article.

Write to Ben DiPietro at ben.dipietro@wsj.com, and follow him on Twitter @BenDiPietro1.

Source