Yahoo has seen a run of bad PR strikes of late. There was the massive data breach of 500 million records that happened in 2014 but only made public recently.

And then came yesterday's report from Reuters that Yahoo Mail had been scanning all incoming mail for intelligence interests of the U.S. government. A secret government directive -- hardly a new experience for internet companies -- ordered Yahoo to search hundreds of millions of Yahoo Mail accounts for some "set of characters."

Reuters also said that that it was "the first case to surface of a U.S. Internet company agreeing to an intelligence agency's request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time." In other words, at a time when the company is selling off its most recognizable assets to Verizon because of poor overall financial performance, this is bad news for Yahoo. So you might expect them to do some crisis PR in the best way possible. Except, it already seems to be going south quickly.

Yesterday, Yahoo sent off a one-line statement in answer not only to Reuters but to others asking about the report. Here's the line: "Yahoo is a law abiding company, and complies with the laws of the United States."

But then this morning came another statement from a PR group claiming to represent Yahoo:

The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.

Huh? First day: "You know the report that supposedly spoke with three former Yahoo employees and a fourth person who had been informed of the practice? Hey, we follow the law like we have to." Second day: "We take back that we follow the law. The report is misleading. The email scanning mentioned? And we narrowly interpret every government request for data, which doesn't mean that a narrow interpretation eliminates the possibility of widely applied scanning. Plus, it doesn't exist on our systems and we know the meaning of the word 'is' and specifically didn't say it has never existed on our systems."

If the practice had never actually existed, why not just say so in the first place? When something comes out that is this explosive in a reputational sense, you don't have someone say whatever without knowing what they're saying. Get the CEO and other appropriate executives and the lawyers all on the phone because that's what they're paid to do, and make sure the story is straight. Tacit acknowledgement on day one and then a carefully constructed statement the next day makes you look like you either don't know what's going on or you do know and are trying to obfuscate.

Crisis communications is important when things go far off from what you expected. There are plenty of firms that are experienced in the area. Here's how to handle a situation:

  • Don't say anything in a knee-jerk reaction.
  • Get experienced professionals on the phone now.
  • Get top executives who know what happened and lawyers who understand the issues.
  • Figure out what you're doing to say.
  • Don't lie and don't play games, because you look even worse.

And if you have to change your story part-way through, then you screwed up in the first place and should be doing something else for a living.