When Sony's PlayStation Network was taken down by hackers last spring, spilling some 77 million customers' records, the electronics giant responded by doing just about everything wrong, says Christopher Budd, a former member of Microsoft's worldwide crisis response communications team.
After the network went offline last April, Sony failed to acknowledge or explain the cause of the outage. For a week the company provided virtually no information -- allowing the press and blogosphere to fill the gap with speculation and misinformation, says Budd, who now runs his own crisis communications company.
The reason? Sony lacked an effective incident response process for online security and privacy issues, something even smaller organizations need to implement. "Any organization that's a custodian of customer data needs to spend time figuring out what it's going to do if something happens to that data," he says. "Besides avoiding damage to their reputations, they also need to protect themselves against legal and regulatory risks."
Nearly every state has laws requiring organizations to notify customers in the event of a data breach. Publicly traded companies must also worry about the impact of security and privacy incidents on their share price.
Building an emergency response team means marshaling resources across the organization -- legal, communications, and technical. It also requires a mandate from top management that empowers the team to do what needs to be done, swiftly and without interference, Budd adds.
"You need to get out there as quickly as possible and be as transparent as you can be," he says. "You need to say what has happened, and also what hasn't happened. Because one way or another, the story will get out. You want to be the one to step out onto the stage, grab the microphone, and take charge of the situation."
Because it bungled its initial response, by the time Sony finally did something right -- shutting down the network for a month and rebuilding it piece by piece, taking a huge financial hit in the process -- it got almost no credit for it, says Budd.
However, Sony may have learned its lesson, he adds. After thwarting attempts by hackers to access nearly 100,000 PSN accounts earlier this month, Sony got ahead of the crisis by reporting it quickly and in detail, minimizing further damage to its reputation.
So, if this is such a great idea, why isn't everyone doing it? Most organizations are focused on generating revenues, not on the bad things that might happen to them, says Budd. Crisis response can be expensive, and many companies simply lack the expertise.
"When people get in trouble, a lot of them automatically start acting like five-year-olds," he adds. "Their first response is to cover it up. It takes a certain amount of courage to go out on stage in front of a hostile audience and say, 'Here's the bad thing that's going on now.' It's easier to adopt a bunker mentality."