Sony sought to explain to PlayStation owners why it has taken seven days to reveal the extent of last week’s PSN hack. In a post on the company’s blog, Nick Caplin, head of communications at Sony Computer Entertainment Europe, issued this statement:
“There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion 19th April and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident.
It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly yesterday evening.”
In what world is it okay to have at least a reasonable suspicion of a personal data breach and then wait for seven days to inform your customers?
Where is the harm in letting people know what’s going on? “We shut down the PSN because we suspect the Network has been hacked and we’re working with forensic analysts to identify what, if any, personal data has been exposed. We’ll keep you updated as our investigation continues.”
Seems easy, right? Seems at least better than shutting down the Network and going dark for a week.
This little lesson doesn’t do much for our traditional emergency management folks. Explosion = can’t deny it. But for executive communicators, get ahead of the story! Set the tone! If you’ve got bad news coming down the pipe, let people know about it sooner rather than later. The reason is that once you start holding off on releasing it, it becomes that much easier to continue holding off on it.
Consider Sony’s case. I’m sure the initial conversation had someone saying, wait, let’s just make sure we were hacked. Which quickly turned into, before we say anything, we should know how bad it is; and then into, I’m not breathing a word about this until we know for sure that personal data was compromised. And then–boom–it’s seven days later and the world knows you’re hiding something.
For a great example of how best to do it, check out my coverage of the WordPress.com hack.