Whether you're interested in information security or tabloid gossip, you're likely to have heard about the recent Sony hack. Hacker group Guardians Of Peace (GOP) have revelled in taking responsibility for the hack, which has uncovered personal details of clients and staff, internal email communications and financial details galore. The revelations have been making daily news for nearly three weeks now; and it doesn't look like it's going to stop any time soon, with Sony cancelling The Interview and GOP warning Sony that there will be more leaks in time for Christmas.
The technical details of the hack are still unclear, as is the attribution of and reasoning behind the attack, despite a lot of accusations. As a reader though, the news is in the leaks. Internal emails slating very high profile stars, the wage discrepancies between male and female actors and even some casual racism are just a few of the surprises the GOP have served up for us to feast our eyes on.
It has already been said that this hack makes for a PR disaster for Sony. As with any high profile hack, the element of trust in said company's systems and operations is left in the balance. In this case, as a production company with relatively limited direct customer-interaction, you could argue that this could be overcome in time. However, the seemingly never ending list of moral wrong-doings are tough to shake off. Sony has quite a list going so far -- an internal culture of racism, sexism and downright rudeness are claims that can be leveled against the organization with some conviction.
Whilst no one can (or should) blame a company for being hacked and humiliated as a result, they can comment on the actions they choose to take afterwards. Sony had kept a relatively consistent line of 'no comment' besides from the odd apology and a statement from Kevin Mandia, who is now looking after their security systems. Other than that, things had been kept rather quiet from the Sony side.
This was until December 15, when Brian Krebs detailed a letter he received from Sony lawyers demanding that he "cease publishing detailed stories about the company's recent hacking and delete any company data collected in the process of reporting on the breach." Analysis of the legal implications of this from Krebs' own blog and The Washington Post suggest that publication of very specific data from the Sony hack might lead to a successful lawsuit; but really, the company doesn't have a leg to stand on in demanding that reporters do not report on the hack.
It is an interesting approach to take, not least because it is the most literal interpretation of 'shoot the messenger' that I have ever seen. Aggressive threats to reporters doesn't sound comfortable even when it is 100 percent legally sound. As this has come from their legal team, one can only assume (and hope) that the PR team had no say in this latest development.
There are a few good reasons as to why this violates traditional rules of crisis communications, with the obvious few being:
1. Journalists are not your enemy or your colleague. As the company that is sometimes centre to the content of their stories, you are there to be an informative, open and reliable source of information, from a safe distance. There needs to be acceptance that journalists have ultimate editorial control and you are there simply to supply content that helps them create the most informative and balanced version of that story as much as you possibly can. The more closed off and aggressive you are, the more creative license you give them. In this case, sticking to Freedom of Press rules and regulations is the job of the reporter, their editors and publishers - not Sony.
2. Don't try to deny or hide what cannot be denied or hidden. This mistake can sometimes be made as a pre-emptive action (as in this case with Sony) but it will not work. Being honest will avoid future crisis because the truth always comes out eventually. Acknowledging your mistakes and faults will increase trust and respect in your company and brand. People are generally more willing to forgive and forget an error in judgement or action, than they are to forgive a lie.
3. Consider all your audiences in your line of communication. Any statement or treatment you make to press, you are also making to your enemies, employees and customers. Does an aggressive statement threatening legal action increase trust and respect from any of the three parties mentioned? I'm not so sure.
It is hard to say what the best line of practice would be for a company like Sony in its current situation. The revelations have crossed a line from corporate to very personal and these require different managerial tactics. However, basic rules of acknowledgment, honesty and information-sharing could still be applied. Whilst these disclosures are potentially damaging and certainly interesting, they are not all-too surprising. Wage discrepancies between men and women is a well-known fact by now and the film industry has been revealed before to be brutal and superficial. Maybe a well thought out piece from someone at Sony addressing these issues that exist within their own industry could be a considered next step. Once they're readily available, more information on how this happened to them could remove some of the question marks that still exist.
Of course Sony is angry and embarrassed that this has happened and it is unforgiveable that the hackers have leaked private information on employees and actors. But the press are not the villain here. Though they might report on the fact that it has happened, they are yet to report any specific details that might endanger those individuals. Instead, Sony is opting to shoot the messenger in a weak attempt to save face. As more revelations appear, it will certainly be interesting not only to see the contents of the hack but also to see how Sony continues to handle it from a technical, business and PR perspective.