I don't want to hop on the meme-train here but the saga of Trevor gave me some ideas so here they are. Humor is rare in crisis communication but it's not unheard of. Rumor, on the other hand, is common. People seek information and explanation in a crisis and aren't as critical of the information they receive - scarcity lowers standards. Rumor has impacted the infosec community in a lot of situations so talking about how to counteract it is important.
Trevor wasn’t really a rumor. It actually happened. I’m talking about rumors because the story of Trevor spread with the same virality as a rumor in other crises. Remember this image?
It pops up basically every time there's a hurricane or major coastal flooding. People don’t even change the image, they just recycle, and it still makes the rounds on social media and frequently gets covered by local news (calling out as a fake image, but still talking about it). Most people know that it’s fake at this point but many don’t. Rumors take time and resources to address. They make it harder for people to find accurate information and take proper protective action. FEMA has actually started a “rumor control” program to go along with major events like Harvey and Irma. They set up special Snopes-like websites to address rumors related to the incidents.
Rumors can also be the direct cause of a crisis. SCCT (the standard approach to crisis communication based on responsibility) categorizes rumor as a victim type of crisis. The organization is supposed to respond to rumors by denying anything has happened; attacking the accuser; or pointing to a scapegoat. All of the language used in those descriptions has negative connotations and I don’t like them but that’s how SCCT describes them. The gist of it is that a rumor is a victim crisis because the organization doesn’t have any responsibility for what is happening and they need to highlight evidence of that in their communication. The problem is getting people to see and absorb the evidence if the rumor is juicy and getting a lot of attention.
This is where #trevorforget splits from rumor. The organization does have responsibility for what happened. This was a preventable crisis, not a rumor. The appropriate response here is apology, compensation, and corrective action. “We are sorry, we are changing our policy, here is a voucher.” Very standard response – companies do it all of the time. Except this happened on infosec Twitter during a major conference. Things escalated, to say the least. There was a trending hashtag, a memorial, even songs I think.
Usually with a crisis like Trevor, the organization wants to handle things quickly and privately. Usually when you complain about a company on Twitter, they respond asking you to DM or email them information and take the anger out of the public sphere. Unfortunately for smashburger, this crisis became a meme with the full power of Derbycon behind it. Infosec breaks the rules again. There are two key ways this situation broke the norms for crisis response that we can learn from.
Levity instead of outrage?
This isn't the only time a crisis will be ridiculous and public response will focus more on the humor than the outrage. Organizations aren't prepared for this. They aren't great at sounding casual in a normal situation let alone navigating humor during a reputational crisis. It's nearly impossible for someone in corporate communication to know when it is or isn't appropriate to get in on the humor on a smaller level. Maybe it will defuse the situation, maybe it'll escalate it. You never know how a person's going to respond.
Once a situation reaches Trevor levels though, I think joining the levity a little is worth considering. I would keep it very light "Trevor and his roach family are in our thoughts. We're working to ensure all roaches remain in appropriate living situations - outside our restaurants." It shows corrective action to the public while engaging with the tone of the conversation. One common critique of crisis communication is that it's tone-deaf. Usually that means missing the remorseful, apologetic tone. In this case, it was missing the tone of sarcasm and hilarity infosec can be so good at.
Being heard over the meme
With smaller customer-service crises, the goal is to keep it small and quiet. Major crises attract more attention because more people need the information. When a crisis goes viral, the small one-on-one interactions of a typical customer-service issue get the attention of a major incident, usually with lower stakes. In that sort of situation, it's hard to get you standard communication through to the people you want to see it because the other communication out there is louder.
Once a situation goes viral, it builds its own steam separate from the reality of the situation. The truth is almost always less interesting than the meme. There are more stories written about the rumors than about the rumor control websites. I was excited to hear about FEMA's program and then I thought - how many people will actually check that before sharing something on social media? I don't have an answer to this issue. It mostly comes down to pre-crisis efforts, I think. If you build strong networks - have people on your side who will share your communication - and have a good reputation, your crisis messages might rise above the noise. I think matching the tone of the conversation could also help. If your response complements the narrative, it's more likely to get shared. Speed is also a key component, if you can catch it before it becomes a total monster, it's easier to defuse a rumor and be heard - the rumor hasn't quite taken on a life of its own. This requires monitoring channels closely which can be a hefty use of resources for some.
Rumor and premature opinions are common in infosec. Establishing an effective way to address rumor might end up being a critical component of incident response communication. Unless it's a major incident, you won't need a website like FEMA's but even small incidents can trigger rumor-mills. Rumors can create a crisis out of nothing. Viral stories can turn a commonplace incident into a serious crisis.
Now, Trevor was a very special situation but it did highlight a few things infosec communication - and communication in general - needs to consider more. Humor is difficult for corporations and is usually too risky to try but being more empathetic in communication can make a difference. Matching your audience's tone and language use shows that you're listening and can do a lot to build trust. Infosec communicators need to think about how they'll address rumors.