Missouri governor Mike Parsons threatened criminal prosecution against a reporter for the St. Louis Post-Dispatch after the newspaper reported on a security error that made the Social Security numbers of 100,000 schoolteachers and educational staff available online. That threat--which legal and technology experts say may be difficult or impossible to carry out--has turned an embarrassing state incident into a national news story. It showed a deep lack of emotional intelligence and a profound misunderstanding of how to deal with the press, or just about anyone else. It's a story that offers several important lessons for every leader in how not to respond to a crisis.
1. When crisis strikes, don't respond with empty threats.
The trouble began with a state website intended to let parents and others review the credentials of Missouri's elementary school teachers. Although the site showed only the staff members' credentials, their Social Security numbers were contained within the page's HTML code. As you may know, most web browsers make it extremely easy to see the HTML code of any page you're looking at. (You can try it right now by right-clicking on a blank part of the page and choosing "View page source" from the drop-down menu that will appear in most browsers.)
Josh Renaud, a news designer and developer for the Post-Dispatch, broke the story last week. As is customary when a serious security flaw is found, the newspaper alerted both the teachers' union and state officials, and waited for the page to be taken down before publishing a story about it.
To most observers, it was clear that Renaud and the newspaper did their best to avoid harming any teachers or letting sensitive information fall into the wrong hands while also doing their job or reporting the news and alerting the public to serious shortcomings in the state's technology management. Nonetheless, Parsons's first move was to call a news conference, vowing that the reporter and the paper would be punished. "Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them," he said.
The governor claims the reporter is guilty of having "converted" or "decoded" the information on the website, which he says "was clearly a hack." It's not entirely clear what Renaud did beyond viewing the page's source code, but Kelli Jones, communications director for Parsons told Inc.com that there was more to it, and that eight separate steps were required to find an individual's Social Security number. Whatever steps he took, it's likely that someone with identity theft in mind could have done them as well.
Whatever he did, some legal experts doubt that there's much there to prosecute. University of Missouri Law School professor Frank Bowman told the New York Times that the odds of the state prosecuting Renaud or the Post-Dispatch are "between zero and zero."
Cole County prosecuting attorney Locke Thompson told the Times that he's awaiting the completion of an investigation by the State Highway Patrol before deciding whether to prosecute. Since the reporter has already shared his findings with the state and published them in an article, it's not entirely clear what the State Highway Patrol is investigating and Jones said she could not comment on that.
2. When you get bad news, don't punish the messenger.
According to Plutarch, when a messenger told Tigranes, the king of Armenia, that the enemy was drawing near, Tigranes was so displeased that he had the messenger beheaded. After that, everyone around Tigranes was terrified of telling him bad news and so no one did. "Without any intelligence at all, Tigranes sat while war was already blazing around him, giving ear only to those who flattered him," Plutarch wrote.
Parsons is in danger of becoming a modern version of Tigranes because, as The Verge pointed out, companies and other organizations usually give rewards--not punishments--to those who identify their security vulnerabilities so that those vulnerabilities can be fixed. Most organizations definitely want to know those security flaws are there. State of Missouri officials just threatened to punish someone who alerted them to a security flaw, though. So the next person who finds one is unlikely to tell them.
3. Take a look at your own source code.
If you learn nothing else from these events, make sure you remember this: The source code of every page on your website can easily be viewed by anyone and everyone who visits that page. Is there anything in that source code you wouldn't want the real hackers out there to see? Now might be a good time to check.