Sony's hack response: Too pushy or not aggressive enough?

The cyberattack against Sony Pictures Entertainment will go down as a landmark event in IT security and email etiquette. But will the studio's response be remembered as a step too far or not strong enough?

James Franco and Seth Rogen. Photo from The Interview's Facebook page.
James Franco and Seth Rogen. Photo from The Interview's Facebook page.

Sony Pictures Entertainment came out aggressively this week in its communications response to a cyberattack that has leaked embarrassing emails and confidential employee information – and resulted in it shelving a highly anticipated film.

Some crisis communications pros say the strategy shift was overdue, but others question the merits of the position.

All agree Sony is in a tough spot. The company seemed defenseless to prevent the leaks, which have exposed everything from intellectual property to disparate compensation between male and female executives to racially insensitive comments made by top brass.

On Wednesday, Sony said it was cancelling the Christmas Day release of The Interview, which features a fictional plot to assassinate North Korean leader Kim Jong-un. The studio cited a "decision by the majority of our exhibitors not to show the film" due to threats issued by the hackers, who call themselves the Guardians of Peace.

The company reiterated, "we stand by our filmmakers and their right to free expression and are extremely disappointed by this outcome."

Communications executives gave the studio’s strategy mixed reviews.

Even after the company pulled the flick, "Sony has had to take some steps to look like they’re actually trying to gain some command of the situation," explains Scott Monty, EVP of strategy at Shift Communications and previously Ford Motor Company’s global digital comms leader. "But the moment they put David Boies on the case as their corporate lawyer with this heavy-handed approach threatening the media is when I think they lost some public sympathy."

He reiterates that strategy may have cost the company in the court of public opinion.

"The leak is so deep and comprehensive that at a certain point the public did feel something akin to sympathy," Monty says. "Now Sony just seems like this big corporation with the high-powered lawyer."

Boies sent a letter to media outlets such as The New York Times and Wall Street Journal demanding they destroy any data obtained after the cyberattack and cease reporting on their contents. In the three-page letter, he wrote, "If you do not comply with this request, and the stolen information is used or disseminated by you in any manner, Sony Pictures Entertainment will have no choice but to hold you responsible for any damage or loss arising from such use or dissemination by you."

Monty also notes that even if the strategy is successful in getting most media outlets to stop disseminating leaked information – Reddit, for one, has already banned the documents – the result will only heighten interest in the hacked documents.

"The content then becomes even more valuable because of the rarity and exclusivity of it. Sony is actually stirring the water a little bit and ironically creating more interest rather than letting it die down," he explains. "What is also ironic is they are trying to use ethics as a lever with the media when all these Sony emails expose how unethical certain individuals within the company were."

Instead, the studio could have been more targeted in what it asked from media outlets.

"They could have requested news companies stop publishing any documents or data that contains personally identifiable information such as Social Security numbers, email addresses, and phone numbers, which would have perhaps led the public sympathy to extend even more," Monty explains.

Other PR pros generally agree that Sony has focused too much on media coverage of the salacious email contents and the reputation of Sony Pictures co-chairman Amy Pascal, who apologized for snide comments she made in some messages. Instead, Sony should concentrate more messaging on how the breach has affected everyday employees and what it is doing to prevent that data from being used for identity theft.

To that end, Amy Pascal did reportedly tell employees on the studio’s movie lot in Culver City, California, that "it devastates me that something I did or said in a second would hurt any one of you and for that I am profoundly sorry," according to audio obtained by Good Moring America.

But Pascal could have made those statements more publicly, contend crisis communications experts.

"Sony should have humanized themselves a little more at the start by showing genuine concern for those people because they came off like a big corporate target," says Mitzi Emrich, chief social media strategist at MWW. "They also could have put out more credible spokespeople – someone new within the organization who has some authority to make changes and can speak to this from a personal perspective."

Emrich adds that Sony could help itself by engaging key influencers on social media about how it is moving forward.

"It seems Sony didn’t have a lot of friends in the media. I don’t see a lot of media coming to their defense or talking about how Sony gave them a peek behind the curtain to see how they are updating their technology and security to make sure their information isn’t leaked again," she explains. "And the worst time to call on someone for a favor is in the middle of a crisis."

Sony also needs to take more responsibility for its Internet security practices, given there were warnings that North Korea would retaliate against the film. US government sources have told various media outlets that they have determined the country is in fact responsible for the hack.

Two former Sony employees also filed a lawsuit against Sony Pictures earlier this week for failing to protect their private information and putting them at risk by greenlighting the film.

"What Sony did was the equivalent of waltzing into a bad neighborhood with a pocketful of cash hanging out when it named [Kim Jong-un] as the target of its new film," says Jonathan Bernstein, president of Bernstein Crisis Management. "What the people there should be saying is: ‘We take responsibility for this, we used poor judgment, and here’s how we’re going to fix it and cop a better attitude in terms of the two executives steeped in it.’"

Rubenstein Communications, which is aiding Sony with its response to the crisis, and Sony Pictures Entertainment did not respond to requests for comment.  

Others counter that a more aggressive stance was overdue to mitigate the damage of the leaks.

Juda Engelmayer, SVP at 5W Public Relations, says that "Sony has the right to demand that it is wrong for media to lay it out. How many of the media who wrote about the leaks have similar skeletons in their emails about people they’ve interviewed and covered regularly?"

"[Sony] should have done this sooner while also being cognizant of the fact that some of what was exposed can be construed as racism, hatred, or animosity," he contends. "Sony should apologize for its people seeming inconsiderate and mindless in certain comments. They shouldn’t dwell on it, but take responsibility."

Like others interviewed for this article, Engelmayer believes Sony is a prime example of why many companies need stronger policies about communications via email and text message.

"[They should] either have a daily delete policy or try to enforce a realistic set of rules about how we speak to one another about our clients, staff, and even friends," he says. "Eventually people will get to a point where they police themselves and not write what can be a regretful comment later if ever found out."

The letter from Boies, who represented former Vice President Al Gore in the landmark 2000 case Bush v. Gore, "was smart even if the legal argument is tenuous," agrees Ross Johnson, founder of Los Angeles-based Johnson Public Relations. Johnson is the former head of the strategic communications arm of entertainment PR firm PMK-BNC and former executive editor of The Hollywood Reporter.

"It sends a strong signal to publications that they are taking this seriously," he adds. "They are also probably playing hardball in other ways. My guess is they’re threatening to pull their ads [including for their Oscar campaigns] from publications who fail to cooperate with them as much as they might not want to do that."

The case should be a wake-up call for the entertainment industry, which he says has been arrogant about its chances of being the victim of a cyberattack.

"In other businesses, you just don’t put negative stuff in an email," he says. "I don’t think these people have really been held accountable for what they’ve put in an email until now."

Have you registered with us yet?

Register now to enjoy more articles and free email bulletins

Already registered?
Sign in