The past few weeks have been a distressing time for those in the business of data security – and equally testing for those in the business of convincing consumers that their data is in safe hands. But with Lulzsec, unofficial symbol of the hackstravaganza, disbanded and drawing an at least conceptual line beneath the recent spate of data breaches and security hacks, can we condemn the experience of the last few weeks as yet another brief blip in internet history? Or do we have to come to terms with the simple fact that our identity and details are not secure and in fact may never be?
Web evangelists tell us that our very self-definition is radically altered by the internet. We’ve already started to wake up in a world in which the majority of our interactions with other human beings are mediated by data, and in which our personalities and preferences are preserved in digital amber and displayed in a public gallery in perpetuity. In this new world order, the notion of privacy is rendered into quaint superstition.
The PSN hacking episode and following spate of attacks attributed to Lulzsec constitute only the most recent events in a much broader narrative of traumas that remind us we do not have control over the data that defines us and that the companies which purport to protect our data are as vulnerable as we are. At least in the UK, they probably hit their apex during the spree of public sector data breaches towards the end of the 00s. Stories of public servants misplacing memory sticks on trains or between the seats in cabs seem to have desensitised us – the same sort of tabloid outrage that was so fashionable at the time doesn’t really seem to wash today.
After all, most consumers’ pragmatic response is: “Yes, you’ve lost my password and what else? Tell me so I can fix it.” To cancel your credit card and change all your passwords is inconvenient today, a stressful process that challenges your faith in the people that hold your data. But, as insecurity becomes a more routine part of life, managing it will surely get easier. This places new demands on the organisations under attack who have the job of protecting fragile consumer confidence in them.
Crisis management for companies always used to be about two things: owning up to mistakes to appear honest and righting wrongs to compensate the victims of your errors. It’s a balancing act between trust and a perceived level of incompetence. The PSN hacking episode particularly seems to have introduced a critical third dimension into the equation: whether the organisation can keep up with the speed of information.
Sony made two mistakes that exacerbated the damage to its brand during the breach on PSN. It took a week to announce that there had been a breach and then only made ambiguous declarations on the critical matter of whether credit card details were stolen in the attack. What’s so interesting about the public reaction is that instead of being focused on the breach itself, the point of contention was Sony’s response.
To reiterate, this new attitude isn’t shocked by the loss of private data. In fact, it almost expects it. What it does want, when the inevitable happens, is the swift movement of information so it can assess the damage and take action. Any amount of mollycoddling and corporate condescension is offensive.
The challenge here is how do organisations tool up to keep up with the speed of information, which is to say, be faster than the whirlwind of destructive rumour and hearsay that is kicked up in response to a crisis? The Sony case is here particularly interesting because, despite its earlier dithering, Sony quickly made significant efforts to catch up with the speed of information. Other companies which have found themselves in comparable situations have typically fallen into either traditional or more progressive camps.
The traditional response to a crisis of this nature is through one big official statement mediated by the press, a route that Sony initially took. I’ve labelled this response “traditional” because it assumes a world view in which information is transmitted through a mediating party (the press) rather than directly to consumers. In spite, of course, of the fact that consumers were rattling the gates, demanding answers through social media. This is not to say these organisations are ignorant, rather that bureaucracies tend to prevent the two-way interaction afforded by more direct communication. It is also not to say the role of the press is anything less than critical when it comes to talking to the public at large when the message needs to be extended beyond worried consumers.
The more progressive response that Sony eventually began to lean towards was to use the much more dynamic system of real-time, direct-to-consumer media that most brands today have built around them. Over time, its PlayStation blog (US/European) became a far more crucial tool than any number of press releases. Press releases are cold and distancing; they expect consumers to get information thirdhand and, especially when something as valuable and sensitive as data is at stake, can be pretty condescending.
When Bethesda suffered its own breach a couple of weeks ago it got this point right from the off, speaking direct to affected users through a channel it knew would reach them – its blog. It did so in words Bethesda wanted them to read, which were unmolested by journalists – who would then go on to find the story and propagate it wider without any pointers.
From social media to plain old email, the opportunities to respond directly to distressed consumers in times of crisis – and do it quickly – are enormous today. There is no single approach that can be prescribed for every problem, but any organisation worth its salt should always take its lead from the behaviour and demands of the people to whom it owes the most, its customers.