How to Respond (and Not) to a Public Relations Incident
There have been a number of significant data breach and service outage incidents lately. The difference in how organizations respond illustrates both good ways and bad ways to handle a public relations crisis.
First, we have Apple. After the revelation that iPhones and iPads are storing time-stamped location information, and that the data is in an unencrypted file that is also backed up to the PC when the iOS device is synced with iTunes, the Apple response was essentially "it wasn't me". Apple often handles public relations incidents by simply pretending they don't exist, and working hard to convince customers they don't exist as well.
Then, you have companies like Sony and Verizon. Sony is in the midst of a public relations firestorm over the PlayStation Network outage, which then turned out to be a data breach, which then may--or may not--have exposed all 77 million credit cards on file. And, you have Verizon, which is still recovering from a massive outage of its 4G wireless services.
Both Sony and Verizon are ahead of Apple in that they at least acknowledge the issue exists. But, Verizon did the bare minimum--essentially acknowledging that it is experiencing an outage, and then (much) later communicating that service was being restored. Meanwhile, Sony goes one step farther and issues the semi-obligatory communication letting customers know how much Sony values their privacy, and truly appreciates them as customers.
Technologizer's Harry McCracken recently broke down exactly how such a message should look. I agree. Telling me you value the privacy you just allowed to be breached, and how much you appreciate my business just seems like a veiled plea for me not to leave. Quit whining, own responsibility for what happened, and apologize.
The Texas State Comptroller, Susan Combs, got it right. Following the discovery that sensitive information on millions of Texas had been left exposed on the public Web, Combs took swift action, but most importantly she took responsibility, and she apologized to the affected individuals and the state of Texas as a whole.
Yes, customers want the company to acknowledge that an incident occurred, or is still occurring. And, yes, customers want the company to be as open as possible about what caused the incident, how the incident is being resolved, and what is being done to prevent similar incidents in the future. But, the most important part of incident response from a customer service perspective is to take responsibility and apologize.
In Sony's defense, it did finally apologize, and it seems to be providing more details about the incident. It is understandably difficult for a company to be forthcoming with information while it is still trying to understand what happened itself. But, the apology should come sooner--like first.
Don't try to pretend the problem doesn't exist. Don't try to play the victim card--like it just happened to you and there was nothing that could be done--even if that is true. Put a little more 'mea culpa' in your response. As the company entrusted with sensitive information, or relied upon to deliver a service, you have a responsibility to guard that information or provide that service, and at the very least when you fail to do so you must take responsibility and tell customers you're sorry.