Does the MBTA Need a Lesson in 21st Century PR?
Boston’s old world attitude may attract tourism dollars, but it isn’t likely to win it fans when it comes to IT security or public relations strategy. The MBTA’s decision to file a lawsuit to stop three MIT students from presenting CharlieCard security flaws was a giant misstep given this is the Internet age and not the Middle Ages.
For the MBTA, this was a case of winning the battle but losing the war. Within hours of the restraining order being filed, tech journalists and bloggers alike hit their keyboards. The result: the presentation, which had been distributed to attendees days before the restraining order was issued, was all over the web. A quick Google search today found more than 300 news articles and nearly 400 blog posts on the subject, many of which contained links to the presentation.
While it’s absolutely reasonable for the MBTA to want to protect its data as well as the data of its riders, it’s the method that I question. Having many security clients here at the agency, we are in the business of helping those clients publicize research, much of which concerns newly discovered vulnerabilities. Most clients follow a loose industry guideline for disclosing vulnerabilities. It can be argued that the MIT students did not follow protocol, but the CharlieCard security issue is not really new. Back in March, Hiawatha Bray of the Boston Globe, as well as a slew of reporters nationwide, wrote about a different, but similar flaw.
The problem with the MBTA’s gag method is that it just doesn’t work. Companies today must have an aggressive and proactive strategy for dealing with negative information since not only are print and broadcast journalists likely to run with negative news, but the army of citizen journalists is too.
In addition to assembling a better strategy, that strategy needs to be communicated to and understood by all departments within an organization because most business decisions ultimately have some level of public impact. In the case of the MBTA, previous stories indicated security flaws existed with the CharlieCard and similar wireless cards used by transit agencies around the globe. But the MBTA most likely arrived at a cost/risk analysis conclusion similar to the one researchers did: the low probability of profit from a hack made this a low risk. And when the MBTA’s legal team decided to file for an injunction, it too made a decision that has PR repercussions. In this case, the choice to file suit made the very documents they were trying to conceal a matter of public record.
Posted by Kristin Amico on August 12, 2008 at 3:38 PM



