Last week, I went through the findings from my textual analysis of the Sony hack in 2014. I originally planned on covering the entire Sony case study in one post but that first post got away from me a little. Today, I’ll get into the implications of my findings, what it all means.
Why didn't the media adopt Sony's narrative?
The last post ended by highlighting the role news media played in countering Sony’s narratives of the hack. Media outlets consistently contradicted Sony’s characterization of the incident and promoted narratives from other entities. There are a lot of factors that could have led to this: the narratives from Sony weren’t as factually accurate as the others; Sony’s methods for promoting its narratives weren’t effective; Sony's reputation made reporters suspicious of the narratives; just to name a few. From my perspective, this was a failure of media relations (among other failures). I can’t say to what extent (if at all) Sony was open to media inquiries but, based on its handling of internal communication, I can guess not very open.
“We got more information from blogs and websites than we did from Michael [Lynton, CEO of SPE] and Amy [Pascal, co-chair of SPE]” (Corona v. Sony Pictures Entm't, Inc., 2015).
I can’t imagine what it was like inside of Sony’s communication operation, I don’t want to, but media relations is the cornerstone of any crisis communication (or strategic communication, or public relations, whatever you call it) effort. A measure of successful PR is if the organization’s frames are adopted by the media (Schultz et al.). If you aren’t working with the media effectively, they won’t adopt your frames and you’re not going to succeed.
Another reason Sony’s framing of the crisis was not adopted by the media was that there were so many other parties jumping in to offer their perspectives. This isn’t unique to infosec crises. Crises frequently have multiple interpretations. What makes infosec crises unique is the lack of knowledge the public has about them. Most of the public has some level of comfort attributing responsibility in more traditional crises: natural disasters, product tampering, defective products, etc. but infosec crises are new enough to the public that they rely more heavily on the media to drive their attributions.
Don't assume yours is the only narrative
Sony seems to have taken this lack of knowledge for granted. Its behavior indicates it assumed the public would accept its narrative because it was the only one available. This was not the case and that bit them right on the assumption. Particularly when it came to the unavoidable/unprecedented frame, several other entities came forward to offer counterframes, different characterizations of the situations to compete with Sony's. I touched on it briefly in my last post but the unavoidable/unprecedented frame was vehemently rejected by the media. Most importantly, these pieces included quotes from both experts and internal employees which are particularly convincing to a public looking for reliable information. Sony’s failure to adapt to this competition made them look completely out of touch.
There are likely a myriad of reasons Sony did not or could not come out and say “maybe it wasn’t unprecedented” but not even addressing the counterframes gave the perception that Sony was putting out announcements and walking away. Set it and forget it, not a good look. As I said in the last post, Sony did attack some entities accusing it of responsibility, it even went after the media in the form of a cease and desist letter. That wasn’t an effective way to defend against these accusations. Silencing detractors isn’t an advisable way to drive the narrative in any direction. A more effective way is to work with the media to reinforce organizational frames with evidence and statements. Instead of advocating its own narrative, its own framing of reality, it tried to shut the narrative down entirely and did more harm to its reputation in the process.
A data breach isn’t just about data
Even more now, the “not if, when” understanding of breaches and hacks is permeating the general public and the idea that a company was absolutely powerless to protect PII isn’t going to fly. Particularly when it came to former employees, the question was “why do you still have these records?! If you can’t protect my personal information, you shouldn’t keep it.” University of Maryland faced similar questions after it’s breach in 2013. Individuals are understandably protective of their PII and breaches like Sony and UMD makes people think that the entities collecting their PII aren’t as protective of it as they should be.
[Plaintiffs] accepted SPE’s employment offer and provided the PII SPE required, expecting that SPE would exercise reasonable care to safeguard and maintain the confidentiality of his PII
People feel unsafe when their PII is lost. They’re afraid of identity theft and, in the Sony case, the hackers made direct threats. Situational Crisis Communication Theory is meant to be used for reputational threats and its application is predicated on the fact that the public safety threats have been addressed. Do not try to salvage your reputation while people are still at risk.
This distinction is easier to make with some crises than others; it is particularly slippery with a crisis like this. Communication from organizations like Sony doesn’t treat the loss of PII as a safety threat. The individuals’ whose PII is published online see it differently.
SPE has focused on its own remediation efforts, not on protecting its employees’ sensitive records or minimizing the harm to its employees and their families. Rather, SPE has focused on securing its own intellectual property from pirates and a public relations campaign directed at controlling the damage to SPE associated with the release of embarrassing internal emails (Corona v. Sony Pictures Entm't, Inc., 2015).
When Sony, or any other organization, responds to a loss of PII by trying to protect its reputation and not the people whose PII was compromised, it’s seen as uncaring and irresponsible.
Why are breaches worse for some companies than others?
An important factor in the success of crisis responses is an organization’s previous experiences with crisis and its reputation before the crisis. If the organization has mishandled a similar crisis before (*cough* Yahoo) the public will be more critical and prior, successful, response leads to more goodwill. Prior reputation interacts similarly. Companies with reputations for being trustworthy, open, treating employees well, good customer service, etc. are given more leeway in a crisis and vice-versa. On both of these fronts, Sony wasn’t on the best footing. When an organization is facing a crisis, telling them they should have been more careful about their reputation is less than helpful. However, knowing the organization's prior reputation and past experience with crises makes it easier to strategize effective responses. If the organization has a bad reputation, you know it’s going to be more of an uphill battle.
These represent major themes and implications from my Sony case study: the neglect of media relations; being unresponsive to the important challengers; and the importance of prior experience and reputation. Other findings were interesting to me but these were the most general. I’ll probably come back to this case later, specifically to explore the difference in how the data lost in the hack was perceived by different parties - employees seeing it as a threat to their safety versus organizations seeing it as a threat to their reputations.
The Sony case is the incident that pulled me into information security communication which is why I wanted to cover it first. Now that it’s out of the way, I want to move on and discuss how communication theories and principles can be used in non-crisis situations. I’ll be bringing in areas like risk communication and privacy management to explore how communication can be used more generally to improve security in a variety of settings.
Entman, R. M. (2003). Cascading activation: Contesting the White House's frame after 9/11. Political Communication,, 20(4), 415-432.DOI: 10.1080/10584600390244176
Fisher Liu, B. (2009). An analysis of US government and media disaster frames. Journal of Communication Management, 13(3), 268–283. https://doi.org/10.1108/13632540910976707
Schultz, F., Kleinnijenhuis, J., Oegema, D., Utz, S., & Van Atteveldt, W. (2012). Strategic framing in the BP crisis: A semantic network analysis of associative frames. Public Relations Review, 38(1), 97-107.