The Sony PlayStation Network Breach – Yet Another Lesson in Crisis Communication
C. Edward Brice - June 13th, 2011
Ah, another day, another dollar marketing misstep in the unfortunate context of a crisis communications. Actually, ‘misstep’ for many companies in the age of social communications is far too lighthearted a term to use. Consider the news headlines devoted to the Sony data breach of 100 million user records. This seemingly never-ending saga is yet another reminder that in today’s networked world, there is an increased demand for open, honest, rapid and ongoing communication. Failure to do so will result in lost brand equity and customers.
As Senator Richard Blumenthal put it in his scathing letter to the chairman and CEO of Sony, these actions (or more appropriately, inactions) are “simply unconscionable and unacceptable.” And while Sony is a perfect example of what not to do when it comes to crisis communication in the age of social media, they certainly aren’t the first. Does the recent Toyota recall debacle ring any bells? According to Gene Grabowski, a world authority on litigation and crisis communications, the Toyota recall of 2010 was “the worst handled auto recall in history.” Even companies with social DNA at their core still miss common principles of communication during a crisis. Look at the recent story of Facebook and Burson-Marsteller, which turned into an ugly finger pointing match from which neither company emerged unscathed.
A crisis can serve as a stage to either show the world that your company is either unorganized and uncaring or responsible and human, as noted from the still considered best practice playbook of effective crisis communication, Johnson & Johnson’s handling of the Tylenol poisoning of 1982. Clearly, Sony should have taken a page from their playbook.
In this day and age the chances are pretty good that your company will need some form of crisis communication, particularly in the areas of information security and data loss. Information is now the new currency of the 21st century. Your data in its entirety – from intellectual property, to customer databases, patient records, and even facility blue prints are extremely valuable. In many cases (think banking, healthcare, aerospace etc.) data protection is tied inextricably to your brand equity. Securing that data is obviously critical on many fronts. Today a severe data loss could be a going-out-of-business event for many companies.
In this regard, your marketing and communications teams play two important roles. First, know that the marketing department often serves as the Achilles heel of information security. With the increasing advent of cloud-based marketing automation, your customer data is now sent to third party companies who may not be as security conscious as you. Note the recent breaches suffered by major brands due to their marketing vendors’ security missteps. Also be aware that your marketing department often handles some of the most sensitive documents in your company – from RFP’s to blueprints and of course your customer and prospect database. Conversely, the marketing team is often the least likely to be trained in any form of IT security preparedness or processes.
Second, it’s important to note that in the event of a major data loss (especially if you are a larger organization) there will be powerful interests at play that could in fact harm your company more than the breach itself. In a data breach, legal and corporate communications teams will often be at odds with each other. Legal seeks to stop all communications and reduce liability while communications teams end to get overly aggressive and spin all communications in the most positive light they can. These different points of view often cause delay, confusion and often contrite, invaluable messaging at the worst possible time. Case in point – Sony waited a full six days before alerting Playstation users of the data breach which infuriated not only customers, but legislators as well.
When managing a data breach crisis, here are some general guidelines that may help:
1. Expect to have a crisis event. It’s less about if you will have a crisis and more about when, which is especially true in today’s networking age, where there is no such thing as a 100% secure networking environment. Chances are good that you will have a data loss or breach event especially if you’re in a targeted industry like consumer, hi-tech, banking, and aerospace and defense, healthcare, etc.
2. Have a predefined crisis communication plan in place. This plan at a minimum should be a framework of how to handle a breach and guiding principles for communications. For those companies that have identified some specific risks, like stolen customer data, the plan can have one or several scenarios charted out. For example, what does the plan look like if credit card numbers were stolen? Your plan should also detail the members of the crisis team, the guiding principles of your communication (open, honest, factual etc), designated spokespeople, and even templated communications pre-reviewed by legal. Review this plan from time to time to ensure it stays fresh in everyone’s mind.
3. Acknowledge the problem immediately. Take a lesson learned from the Sony saga; this is not the time to circle the wagons. According to Jonathan Bernstein, president of Southern California-based Bernstein Crisis Management and author of Keeping the Wolves at Bay: A Media Training Manual, “you can’t hide anymore.” Bernstein says that now “if a crisis occurs in Biloxi, Miss., or Muskoka, Iowa, if it appears in the local paper, it is an international situation instantly because of the Internet.” Thus, any communication professional who thinks they can just shove an incident under the rug is grossly mistaken. The longer you wait to disclose the issue and its potential risks to customers or stakeholders the worse off you will be.
4. Become the News breaker. Where companies lose it today is they do not become the news breakers, but instead remain the newsmaker. It’s your crisis so use that to turn the tide and start becoming the irrefutable source of accurate and timely news.
5. Leverage social media. As we learned with the recent revolution in Egypt, Twitter is often the first place news breaks. As Fast Company blogger (and principal analyst at Altimeter Group) Brian Solis recently wrote, “News no longer breaks, it tweets.” Understand that in the era of socially enabled communication, you’re no longer in control. At the same time, also understand the new and more powerful tools you have to help you turn the tide from newsmaker to news-breaker.
Consider how this was recently done during another crisis – SeaWorld tragically lost a trainer last year due to an accident with one of their animals. SeaWorld is a powerful brand in the area of entertainment parks but SeaWorld has also been at the center of a long-stringing controversy – should they keep these animals in captivity? When the news initially broke, they risked a huge loss in business and brand equity as well as fueling the debate of their detractors. A few interesting things they did:
a) Upon releasing the initial news via press release, they stopped tweeting from their Shamu account, and directed everything to their corporate website for more information.
b) They used their blog, and live streaming communications of their CEO to release news as they had it and planned next steps.
c) They monitored their social channels (i.e. Facebook, Twitter ) and only removed posts that were considered derogatory or disrespectful to the trainer’s family. They let comments ride that were critical of their position on animals and captivity, and responded to many questions from both reporters and customers.
d) Most of these actions happened within the first day of the event.
In effect, they used their social media platforms very effectively to become the sole source of news about the event and in managing their crisis. They did so in a transparent, open and honest way.
6. Be accountable. Once the news about the crisis is out in the open, people will automatically begin to question who is at fault. Respectfully, the answer, from one communication professional to another, is you. I know, I know, you probably had absolutely nothing to do with it. It may have been Bob in IT, evil hackers, or some third party you worked with two years ago, but your customer could care less. As a member of the marketing and communications team, you are ultimately responsible for communicating to not only your customers, but the general public. Own the issue and identify what you’re doing to resolve it. If you don’t know the full details say so, but give a timeline and series of steps your taking to shed light on what you’re going to do next. Be honest, open and transparent. The public and your customers will respect you more and your brand will face less scrutiny in the end. The moment that doubt of transparency or honesty has been seeded you will be behind the 8 ball in managing the crisis.
7. Make it right. And by that I don’t mean offer your affected customers (or whomever) free movies or other ridiculously inadequate consolation prize as we have seen far too often. Even if you can’t make it right instantly, as Sony was clearly unable to do given the fact that the PlayStation Network was down for weeks, tell those affected what you will do. And do it quickly. This should be enumerated upon in step one - you need to figure out what the best resolution will be ahead of time, even if it is impossible to resolve the problem right away.
Sony did attempt to make amends by offering U.S. users a year of free identity-theft protection, backed by a $1 million insurance policy, along with a package of free games and movie services as compensation. However, Sony waited weeks to present users with what ended up being little more than a peace offering. Once again, we can learn from Johnson & Johnson here because they recalled everything and they did it immediately. The first Tylenol-related death was discovered on September 29th and on October 5th, Johnson & Johnson recalled all 31 million bottles of Tylenol in circulation in the U.S. they moved at internet speed even though there was no internet at the time.
These steps, while a good start, are by no means comprehensive. Every brand and situation is different and your communication team may have anywhere from these basic four to 25 steps. Regardless, the point is, to think ahead and expect the unexpected! Given the fact that Sony is a multibillion dollar corporation, I’d venture a bold guess that they actually had a crisis communication plan stored away, collecting virtual dust on a server somewhere. And I’m certain that remaining silent was not part of it.
Don’t just have a plan, but make sure your team knows the plan and is able to implement it when necessary. After all, you don’t want to become another “lesson learned” in the marketing annals. Security breaches will happen, they always do, and in the instance that you fall victim, you want to become a shining example of “how it’s done.”