By: Laurie Griffin
Here’s a riddle:
What is the worst possible sound to come from a company following a tweet like this:
“We are looking into the claims about reports of attacks on Sony Pictures websites. Please follow us for latest updates.”
The answer is: crickets. And in most crisis communications case studies, the sound of crickets coming from your company is like the siren call for trouble.
The tweet came from Sony’s @Sony, @SonyPictures and @PlayStation accounts, literally a day after Sony Computer Entertainment’s PlayStation officially recovered its Network and Qriocity services from the April 20th security breach which saw tens of millions of PlayStation accounts jeopardized.
Recent reports from PC World and hacker group LulzSec claim that one million users of SonyPictures.com may have been exposed to personal information theft, including email addresses and passwords, mailing addresses, birthdates and more.
As we write this post, the last tweet about the potential hack was issued 18 hours ago from the @SonyPictures account (as of 5:00 p.m. MST). Since then there has been nothing. Just crickets.
It’s a one-two punch for the tech juggernaut which recently came under fire for their slow crisis communications response effort in April and May. Not only did the company take nearly a week to fully disclose the reality that a breach to account users’ personal information had taken place, but nobody heard from their CEO until over two weeks later when the company issued an apology from him in the Sony PlayStation blog.
Winston Churchill once said, “All men make mistakes, but only wise men learn from their mistakes.” In the case of Sony, it would appear there were a few missteps the first time around. We’re still holding our breath to see how many of them will be repeated. The first mistake has already been made – failing to keep customers in the loop about what had happened, how it was affecting their accounts and why it was taking so long to restore the servers (in the second hacking case they have failed to provide a timely follow-up on their original tweet).
In the weeks following the CEO’s May 5th apology, there were few if any updates on what was happening with its Network and Qriocity services: why they were taking so long to restore and how that was going to affect individual customers. Granted, there were probably a lot of unanswered questions within the company, in addition to some legal sensitivities and security concerns that took priority over transparency.
In crisis communications and issues management, we learn that full transparency does not mean full disclosure. In the case of Sony PlayStation, the technical specifics of how people’s personal information was being restored and accounts protected were not what the public needed to hear. What the public needed was: a) frequent assurances from the company that the security holes were being plugged and b) two-way communication channels for customers who were experiencing difficulties as a result of the service disruption.
As we wrap up this post, numerous tweets and Facebook posts from concerned customers are piling up. Their voices are being met with crickets. But from a critical communications perspective, what is happening is more than a mere case study in crisis communications and the importance of early and frequent communications.
This is but one example of a larger issues management case study – how security threats, which come with a range of motivations, are potentially impacting the larger tech industry. In the last few months, security breaches with NASDAQ, Google, and Epsilon revealed that the issue of security is growing in volume and frequency. The stakes are also getting much higher. Just yesterday, The House Subcommittee on Commerce, Manufacturing and Trade met to examine the risks of unprecedented data breaches and to begin the process of crafting new data breach legislation.
Just a few months ago, the news of Wikileaks taught us that no organization is safe when it comes to security threats. But there are proactive measures companies can be taking, both in terms of communications and operations. Most importantly, companies need to take proactive measures to ensure they are doing everything they can to protect sensitive information. Numerous sources show Sony has been ignoring compliance requirements and basic security best practices, such as encrypting basic information.
So the final lesson to be learned here is that the best crisis communications plan and response effort is no substitute for sound and ethical day-to-day business practices. Going forward, the industry may have to pull together to collaborate on long-term solutions as threats become more sophisticated and more widespread. From a communications point of view, the tech industry needs to respond better to customer concerns on a day-to-day basis and also increase channels for two-way communication, especially when things go sideways. It’s a different world, one in which the sound of crickets can immediately be overwhelmed by echoes of outrage, concern and misinformation reverberating across social media.