Via The Guardian: PlayStation Network Hack Headsmack

Sony sought to explain to PlayStation owners why it has taken seven days to reveal the extent of last week’s PSN hack. In a post on the company’s blog, Nick Caplin, head of communications at Sony Computer Entertainment Europe issued this statement:

“There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion 19th April and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident.

It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly yesterday evening.”

In what world is it okay to have at least a reasonable suspicion of a personal data breach and then wait for seven days to inform your customers?

Where is the harm in letting people know what’s going on? “We shut down the PSN because we suspect the Network has been hacked and we’re working with forensic analysts to identify what, if any, personal data has been exposed. We’ll keep you updated as our investigation continues.”

Seems easy, right? Seems at least better than shutting down the Network and going dark for a week.

This little lesson doesn’t do much for our traditional emergency management folks. Explosion = can’t deny it. But for executive communicators, get ahead of the story! Set the tone! If you’ve got bad news coming down the pipe, let people know about it sooner rather than later. The reason why is because once you start holding off on releasing it, it becomes that much easier to continue holding off on it.

Consider Sony’s case. I’m sure the initial conversation had someone saying, wait, let’s just make sure we were hacked. Which quickly turned into, before we say anything, we should know how bad it is; and then into, I’m not breathing a word about this until we know for sure that personal data was compromised. And then–boom–it’s seven days later and the world knows you’re hiding something.

For a great example of how best to do it, check out my coverage of the hack.


There Are No Crisis Communications Rules

There was an article that’s been sitting in my queue for a while now about the so-called “rules” of crisis communications. Gerald Baron’s latest post on Taco Bell’s recent troubles has caused me to resurrect this post and confirm that my original feelings were correct.

An article from March in The Globe and Mail’s The Manager blog relayed an article from the Harvard Business Review that examined Apple’s so-called AntennaGate. You remember AntennaGate, right? After the release of the iPhone 4, there were complaints from across the country that if you held the phone just so, one’s connection to the network would be significantly degraded. The media, at the time, was full of stories about refunds and recalls and free cases and Apple being in turmoil. Less than a month after the launch, Apple held a press conference to address the situation.

Crisis communications experts around the globe all finished watching/reading/hearing about the press conference with their jaws on the floor. The response broke every one of their sacred rules for how to address calls for one’s company’s head. Within weeks, the issue was gone. Not in the media, not online, nowhere in any force.

Most PR folks were quickly engrossed in the next meltdown and moved on. (Experts and gurus and ninjas, hmph.) Until HBR came out with a review in mid-February, it was pretty much out of the public’s eye. And what they found was that Apple broke all the rules, and survived. And that there’s something we can learn from that.

Amongst the rules broken:

  1. Apologize and take full responsibility.
  2. Don’t create expectations with a media event.
  3. Announce the give away first.
  4. Avoid specific comparisons with competitors.
  5. Don’t air your industry’s dark secrets.

I advise you to visit the HBR or Globe and Mail pieces for the full breakdown, but the bit that I found interesting wasn’t how they broke the rules, but instead why. Plain and simple, they broke the rules because the rules didn’t satisfy their needs. They’re Apple and they’re disliked by their industry and are widely considered to be the premier cellular phone manufacturer in the world. Cowing and and bowing and scraping doesn’t do them any good—so they didn’t do it. They maintained throughout the situation that this was not their fault and not unique to their handsets. And then proved it.

This applies to all of us in PR and emergency public information not because it means we can throw away the rulebook, but because we should understand why the rules are what they are. What are you trying to accomplish by apologizing right off the bat? Does that set you up poorly for future problems? What are you saying when you minimize the problem and why are you saying it that way? If the problem has always been around, say so.

This applies to the Taco Bell piece because they did something similar. Instead of cowering when accused of having not enough “meat” in their meat, Taco Bell grabbed the offensive. Not only did they use the crisis as an opportunity to educate the public about their product (Geez, how many times can I push the whole “take advantage of the media attention” bit?), but they fought back because they were right.

What I’ve learned from all of this? There are no crisis communications rules. There is only your response to your crisis. And that should change according to the situation, the players and the world around you. In emergency planning, they say the first casualty of a situation is the plan. Why do we feel that communicating in a crisis should be any different?

Quick Response Bar Codes for Emergency Preparedness

Do you want to know what I consider a missed opportunity? All of the great work that folks in public health and emergency management put into poster development. See Something, Say Something. Get Yourself Tested. Be Ready. The Flu Ends with U. Great slogans each of them. And frankly, they look great on posters. Edgy images, bright (or dark) coloring, extreme close-ups, all caps san serif fonts; they can be really well done.

The problem is that the messages above are all that really fits on these posters. And I don’t think anyone would believe that these messages are the full amount of what we need to tell our publics about them. Get Yourself Tested is, as an example, pleading for more information to be included: tested for what, is it safe, is it private, I don’t sleep around, etc., etc., etc. See Something, Say Something? Say what, about what, to whom, is it wasting time, what if the police are the ones that are doing something weird, and on and on.

Our normal reaction to this obvious shortcoming (besides minuscule text at the bottom of the poster) is to print a website address on the poster and direct people for more information. For people with so-called “dumbphones” this is completely unhelpful unless they take out a pad and paper and jot the information down and hope to get it to later. Double-u, double-u, double-u, dot, pea, aitch, eye, el, ay… People with smartphones, though, have it a bit easier. All they have to do is type the address into their phone’s browser and get instant access to all of the relevant information when they need it most. Double-u, double-u, double-u, dot, pea, aitch, eye, el, ay…

There is another way to do it, though. So-called Quick Response Bar Codes, or QR codes, are increasingly finding their way into recent ad campaigns. They are being included for the same reasons I complain about above. Signs about, “Big Sale!” don’t really give all of the necessary details, and rather than refer people to some website or handout with all of the rules and regulations of the sale, stores have been including QR codes as a way to get deeper response from their customers. Special deals, the latest styles and more information is right at your fingertips.

How do QR codes work? Well, they’re just like the barcodes you see on every product you buy. But instead of some fifteen- or twenty-digit number identifying the product, they can hold oodles of information, like a website address or really anything else (What if it held an entire offline website accessible only by those who scan the code? I totally believe that QR codes are going to explode in use as coders continue to learn how best to use them). Using any of dozens of QR code readers freely downloadable to smartphones, the phone’s camera “scans” the QR code and “does” whatever the code says to. For the most part right now, they instruct the phone to open a browser and head to a particular website. Even with that rudimentary level of interaction, it is miles better than our current efforts. Couple that with it being free to create QR codes, essentially free to include on our posters and free to download QR code readers and this should be a no-brainer.

The End of Crisis Communications

About a month ago, there were a couple of posts that I came across that really resonated with me. I know that the majority of my posts here deal with crisis communications and emergency public information, but this post kind of turns that whole thread on its head. Or reinforces my thinking. It’s not very straightforward, which is why this post has sat so long without being published.

On March 8th, Gerald Baron asked his readers if they thought crisis communication was, “going the way of the dodo.” Was it becoming obsolete? A quick scan of the internet shows that as a career, there are few specialties as hot as crisis communication right now. And there are a million people (myself included) who spout off on who did what right and (more likely of the two) wrong in response to a crisis. Self-proclaimed “experts” and “gurus” and even “ninjas.” So, one has to wonder, why the disconnect? Why does someone whose made a sawbuck or two in this field think it might be over?

Gerald says:

Because as companies and organizations shift from a mass mediated engagement with their audiences, to a far more direct engagement, crisis communication becomes simply a part of the on-going, direct conversation that they have established with the people important to them.


Organizational communication is becoming more and more like an on-going conversation. In a crisis, the event that occurs becomes the dominant topic of conversation. But it is just seen as a continuation of the conversation—faster, more intense, more important—but not substantially different from the day to day conversation you have been having.

The thing is, I think I agree with him. Granted, this is a ways down the road. Crisis communication will continue to be a hot thing to have on your resume or LinkedIn profile. But as day-to-day communication gets better and easier (see the slowly blossoming field of Community Managers) and the public begins to realize, en masse, that communicating directly with companies and agencies is more effective than anything else out there, the need for crisis communicators will start to fade away.

The biggest reason that I think this might be happening is because of single, disparate tests and efforts and beta tests and rogue bloggers (points at self) trying this stuff out. Take, for example, the work done by the Walsall Council, a dot in the middle of the English island. (West Midlands? Apologies for my poor understanding of English geography, but I’m on a bus here.) They recently held an event dubbed, “Walsall24.” The idea was that local government employees would take 24 hours, beginning at 6am March 4th, and tweet everything they did. And they did, 1,400 times. On police deployments, on noise complaint investigation, on classes being held, on meetings, on materials being made available to the public, on what’s going right (and I hope what could be done better), you name it, they tweeted it.

The idea behind the effort was to give the folks who live in Walsall an idea of what local government does for them. (On a side note, I LOVE this project for that single reason. The vast, vast majority of people have no clue what their government does for them. They think we just sit around and play Solitaire all day, when the truth is that we work harder and do more to protect and support them than they could possibly imagine. We should all strive to tell those good stories about the great work we do.) They’ve established that local government can be open as possible and still get stuff done. The next time something like this happens, perhaps the tweeters will be allowed to engage in discussions with the public. Why they’re doing something, why they’re not doing it differently, what can be done better or faster or cheaper, and on and on. (We’re already seeing some of that in Cory Booker’s snowstorm tweets.) Combine Walsall24 with Mayor Booker, and well, you can see where things are heading in government. It’ll take a while, no doubt, but I totally see the dodo-esque nature of what we’re all doing.

Via National Clearinghouse on Families & Youth: A Media Emergency Plan Can Help You Survive a Crisis

Form Alliances

One thing that saved Family Youth Interventions from greater public misunderstanding was their long-established relationship with local media, specifically the Detroit Free Press. In a situation like theirs—which quickly escalated into a public disagreement with the Sheriff about the proper response to runaway youth—it helped to have reporters who knew how seriously the FYI staff took their work and their youths’ safety. “There’s a reporter there who knows to contact us when writing about the area’s runaway population,” claims Baarck, and that trust carried over to the coverage of this delicate situation.

Moreover, your program can approach an unexpected media crisis as an opportunity to publicly share the work you do. Baarck, acknowledging that most nonprofit agencies lack a means of mass communication, says that “any time the media wants to talk with you, it can be a good thing. We took the opportunity to tell our local media and police what exactly we do. And we got quite a bit of support from the community. People came out of nowhere, saying, ‘We had no idea that you were doing that kind of work.’”

Few programs would choose to be thrust into the media spotlight during a moment of such turmoil, but with preparation, you can spring into action with a plan—and maybe even turn a moment of crisis into a moment to shine. By showcasing your organization’s competence and core mission, you can publicly assert your program’s strength and commitment to helping local youth.

This is a great article about how a runaway shelter dealt with a situation involving the sheriff, a runaway and the media. I’m sure your first thought when reading that sentence is that’s a recipe for disaster, but they handled it with aplomb.

The reason /why/ they were able to is the cool part. Relationships, relationships, relationships. Based almost solely on their relationship with a local reporter, they were able to clarify the situation in the print media the first time. It really would’ve been impressive if everyone knew what the agency’s role was beforehand, but one reporter is better than none. Especially when your “internal” disagreement is with the police.

Via Security Incident

Security Incident

by Matt

Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.

Now for some good stories.

This is my favorite, favorite, favorite crisis communication study this week. On the morning of Wednesday, April 13th, the blogging software company Automattic discovered a break-in on several of their servers. Potentially sensitive information may have been exposed and copied.

First step, be first. This blog post is the first mention I could find on the subject anywhere, on the web, on Twitter, you name it. They’ve immediately become the go-to place and have set the tone.

Second, be honest. The post, while short and not altogether technical, describes what happened and what they’re doing and have already done to correct the situation and make sure that it doesn’t happen again. Furthermore, the author acknowledges that this situation may take some time to resolve as opposed to saying something like, “Yep, we fixed it, all done. Pat, pat, pat on your head.”

Third, be clear. There is only one really jargon-y part of the post, and the author attempted to clarify it (see the parenthetical “root” used to differentiate low-level not that bad from low-level very serious). The rest of the post is written at around an eighth-grade reading level with short sentences, lots of paragraphs and bullet points.

Fourth, tell what it means. My biggest complaint with the radiation situation in Japan is the frustrating INES scale. It tells me nothing about what I, as someone affected by the disaster, should do. Should I worry more because it moved from a six to a seven? How to counteract the danger? The Automattic post gives three great bullet points on how to stay protected AND information on how best to manage the new behavior.

Finally, be available. Comments are open on the post and a direct link to Support is given in the body of the post.

This type of response is EXACTLY what I want to see from my internet host (and that’s one of the reasons I hosted my old BreakGlass blog and my personal family blog on Truly a model of crisis communication. Full round of applause for the folks at Automattic and keep up the great work.

Radioactive Water and Crisis Communications

Note: I know about some of the subjects in this article, and know some of the people. My discussion of this topic is informed solely from the content of the linked article and should not be construed as the official policy or stance of my Department. In addition, because I know some of the people whose actions are presented, I feel confident in saying that each is acting in the very best interest of the people of Philadelphia and working as hard as possible to remediate the situation. I present this article solely to illustrate a point about the difficulty in speaking about difficult situations and believe that I would write the same thing about any spokespeople in this situation.

And now onto the meat.

In the aftermath of the unfolding disaster in Japan, the US EPA has been testing drinking water supplies for radioactivity. One of the treatment plants in Philadelphia was identified as having the highest concentration of Iodine-131 of the 23 sites in 13 states where particles were found. Finding radioactivity is to be expected as radioactive particles are known to spread on prevailing winds, and it was further expected that they would fall out into communities around the globe. The real problem, though, is that the EPA released to the local newspaper that the levels collected after the earthquake are just about half of what were collected in August of last year. The full article that I’m referring to can be found here.

This obviously raises a ton of questions. How safe is it, where is it coming from, what’s being done to stop it, who is at risk, and on and on.

“At this point, that is not really know,” said EPA spokesman David Sternberg. “We’re investigating.”

The thing I wanted to talk about is two comments made to the paper by two different spokespeople at the local Water Department. Neither are wrong, neither are egregious mistakes. Both actually speak to good crisis communications concepts. But the messages, when presented together, show the thin line between coordinated communication and mixed messages.

“This is just unacceptable that this stuff is showing up.” “We’re not happy about this. To find that this stuff showed up in the river before [the Fukushima emissions] means that something is coming from somewhere that is not Japan and we need to track that down and stop it.”


“The water is safe. We were all drinking it today.”

Again, neither is incorrect. In fact, both are valid statements that speak to different parts of an agency’s response. And maybe the statements are intended for wholly different audiences. One is, we’re going to figure this out and fix it. The second is, but in the meantime, we’re all perfectly safe.

I see two problems. The first is, why are you fixing something that’s not a problem? The second is, they’ve assigned a level of acceptable risk to the public (read: it’s good enough for me, so it must be good enough for you).

Be careful with assigning levels of acceptable risk. What’s acceptable to people who have studied radiation in drinking water and seen all the studies is much different than people who only know the scary myths (and realities, in some cases) of radioactivity. Instead of dismissing their fears, use this as a teaching opportunity. It is scary, even if there’s nothing to be afraid of.

I do, however, like the statement about how they are doing something to fix this. “We’re working to figure out the problem, and in the meantime, this is what we’re doing to fix it until something more permanent is identified.” It didn’t come across in the article, but I would’ve loved to have seen an announcement of how they’ll keep the public up-to-date on the situation.

All in all, I think that the Water folks did a good job with their crisis communications. Not perfect, but which crisis comms effort ever is. Both statements attributed to the agency were positive and showed effort. I think this is a great time to take this situation to another level and become a leader on the topic by making public as much information as they can about the situation, as often as it becomes available and publicly announcing what’s being done and what the public can do to feel safer. Maybe that’s in the works, but in the meantime, I think they’re doing a great job.