Games and Online Harassment Hotline

The Games Hotline closed in October 2023. Read more →

Online Safety Policy Recommendations for Game Studios

Anita • 12/15/2022

Online harassment is an all-too-common strategy used by bad actors online to silence and dehumanize people online. In the games industry, we often see online abuse tactics used against employees at studios and companies when some parts of their audience or player base are upset about an aspect of a game or other communications from the company. They find one or more employees to target and funnel their anger and rage into. These kinds of cyber mobs and harassment campaigns are all too common and can be incredibly traumatic and isolating for the person targeted as well as causing secondary harm to their co-workers or other bystanders. Especially for employees with more public-facing roles, this harassment also feels impossible to walk away from, since they are logging into it every day for work.

Game companies have a responsibility to anticipate harassment affecting their employees and build-in comprehensive ways to support and protect them. When crisis happens, it’s important to have a comprehensive studio-wide policy and a transparent plan of action.

We’ve gathered some light guidelines for companies to build their own internal policy. These policies should be regularly revisited and updated to integrate new forms of threats that arise.

The Games Hotline also offers customized and integrated support for building harassment response policies. Reach out to us via our contact form.

Understanding Online Abuse

Online abuse has many names such as online harassment, cyberstalking, cyberbullying, and trolling. It is when an individual or a group of individuals uses online tools to attack a target. It can take many forms such as a massive hate campaign launched targeting an individual or a smaller-scale attack from one individual such as digital or physical stalking. Targeted harassment campaigns can vary in length anywhere from a few days to years.

In addition to attacks on a target, many campaigns also target a victim’s friends, families, children, and employers. These satellite attacks work to isolate, silence, and shame the original target and do as much damage as possible.

Just because an employee may have said something inappropriate does not mean they deserve to be attacked or doxxed for it. No one deserves to be harassed or abused online. If an employee says something offensive or oppressive and is receiving pushback from the community that was harmed, this might not be harassment as much as an expression that the community was harmed by the words and actions of the employee. In this case, it is recommended to create a policy for how to repair harm and be accountable when an employee has caused harm. 

You never know who will be targeted or when. However, employees in higher profile or more public facing positions such as communications are often more likely to be targeted, as well as employees with marginalized identities.

What Should Employers Expect?

  • It is common to bombard a target’s place of work with messages, false complaints, and threats. These are often coordinated attempts to overwhelm the employer with the hopes of getting the employee fired. They often pressure the employer to feel that the targeted employee is too much of a risk to their business, even if the threats are empty and the complaints are without merit.
  • Physical threats to the employee such as death threats, rape threats, as well as bomb and shooting threats to the individual, to the company office, or at conventions and public events.
  • Commercial threats are also common such as canceling orders, demanding returns, negative reviews, and slandering the company.
  • For larger-scale attacks, harassers often attempt to inflate their numbers by recruiting more people or by creating many fake accounts to seem like a more significant threat or that they embody a legitimate public outcry.

Consider Before You React:

  • Capitulating to empty threats or baseless accusations from an attacker often encourages them to continue these tactics.
  • The public perception that a company has responded inappropriately to hoaxes or abuse is often far more damaging than any fleeting, small-scale positive attention from the instigators.
  • Respectable publications and news outlets rarely investigate unfounded or transparently meritless outrage at a company. However, they are quicker to report on a company inadvertently siding with someone’s attackers out of risk-aversion.

What Can Employers Do When An Employee Is Facing Online Abuse?

An employer’s response during online attacks can make a world of difference to the employee being targeted. We’ve gathered some example protocols employers could put into place to set up a best-case-scenario of support for these moments of worst-case-scenario harassment. 

Before

We start by rewinding to some building blocks to prepare.

  • Create a robust policy and protocol that is clearly communicated to all employees
    • Create a resource hub that includes information for employees to understand what tools are available to them to protect themselves online and during an incident of online harassment. This resource can also include generalized material for all employees to support and educate bystanders and managers.
    • Create a peer support space to offset how isolating online harassment can be. Offering an ongoing peer support space for employees to be validated and in communication with one another can help offset the isolation. This also has the added benefit of providing space for bystanders to support targets and each other since bystander secondary trauma can also create feelings of helplessness in the face of hate. This space should be carefully moderated and monitored to make sure it remains a supportive space. It is highly recommended that moderators be trained in trauma-informed communication such as Take This’ Crisis Listening for Managers or a Psychological First Aid Program
    • Create a secure reporting form that employees can use to report incidents of online harassment. This form should be short and simple but also provide enough information to begin the support and investigation processes. A unified form for all employees can help if an employee doesn’t feel comfortable reporting directly to their supervisor. Since these are often high-stress and high trauma situations encourage employees who might need extra support to seek aid from a colleague to help fill out the form. Be sure the questions are not written in a way that might feel like they are being blamed for the incident. The form should be monitored and responded by a specifically trained task force (not default to HR). 
    • Create an internal task force that is empowered to handle reporting, investigation, and target support. The task force should be made up of a diverse set of people from different identity backgrounds as well as different levels of team members (i.e. managers, employees, leadership). Keep in mind that even witnessing online abuse as a bystander can be a traumatic experience so having a range of people with different skillsets can not only create a stronger support process but also can help relieve the burden on one or two individual members of the task force. Be clear on the responsibilities of the task force such as being offered adequate training, how to monitor the reporting form, what rapid response looks like in terms of immediate care of the person harmed, investigation and documentation of the incident, and communication with all necessary parties, as well as follow up and care after the incident.
  • Create an environment where employees feel comfortable talking to managers if something occurs or if they fear something occurring.
    • Clearly communicate that you prioritize the online safety of your employees and that you take online harassment and the targeting of employees seriously as an organization.
  • Provide specific trainings to employees and managers before an incident occurs
    • Support the digital health of all employees via digital safety workshops including Tall Poppy online safety software.
    • Train your managers in crisis communication and mental health support. Review Tall Poppy’s Manager Guide for digital safety.
    • Provide paid access to apps like Optery or Kanary that identify and scrub an individual’s personal information off people finder websites. At a minimum, this should be provided to any public-facing employees. Providing it company-wide would be even better.
  • Have a discussion with all external partners and internal teams about your protocols so everyone can hit the ground running in case an incident happens. This can be publishing companies, gaming platforms, social media companies, legal teams, PR teams, security experts, counseling and therapy support.  

During

  • Prioritize the needs and wellbeing of the employee: how the employee feels and what they need to be okay.
    • Have a conversation with the employee about how involved they’d like to be in incident response. While being very hands-on and informed might help make them feel more in control, sometimes it can end up as a kind of “poke the bruise” situation. Understand that a targeted employee might change their mind as to how involved they would like to be throughout the process.
    • There is a lot of shame and embarrassment attached to being targeted, especially if the attacks are intimate in nature. Often this leads to feelings of helplessness and a loss of agency. In the immediate aftermath, sometimes just having something to do helps targets feel more in control of their situation. This can take the form of locking down online safety, documenting the abuse, or taking personal time for activities away from the internet and work.
    • Work with the employee to understand the employee’s specific situation. Be sure to work with them rather than punish, terminate, or silence them. Ask how they’d like to see this managed in a best-case scenario from you as the employer.
    • Offer immediate time off (this should be emergency PTO not just the standard time off all employees have access to — you don’t want to punish the employee for what is happening to them).
    • Remind the employee what resources are available to them, for example does your company have paid, confidential, third-party emotional support resources with therapists knowledgeable and experienced in issues around online harassment and gaming culture.
      • Be mindful that managers or the task force are not dismissing their responsibilities of care and support to the employee by only offering resources. Be sure to offer check-ins, support, and contact info as appropriate, and open avenues of communication in a non-judgmental way.
    • Pay for temporary relocation if threats include their home address or if they feel unsafe.
    • Allow for temporary work from home if threats include the physical office address.
    • Extend safety support to family and loved ones who are also targeted via doxxing and other invasive abuse.
    • Do not give out any personal information of the employees without asking for consent first.
  • Assess The Threat And Investigate
    • Investigate: Create a risk assessment and learn what is happening. What are the immediate safety needs, and what partners need to be involved immediately (security experts, PR team, legal, external platforms, etc.)? We recommend working with a security expert to do this assessment. Review this document from OnlineSOS to learn more about threat modeling. Remember attacks are often highly personal, complex, and difficult to understand or evaluate at first glance.
    • Aid in Documenting and recording the harassment. Learn more about documenting abuse in our Safety Guide.
    • Carefully investigate the merit of claims or threats. Once this has occurred then you can decide, together with the employee on what actions should take place, sometimes not engaging with the attacks is the best course of action, and keep your focus on the wellbeing of your employee.
    • Collectively if you decide to take action publicly, use caution when engaging with attackers, even from a distance. Often, acknowledging the harassment and abuse can encourage ramping up and an increase in the abuse. However, in some instances, an official company statement supporting the employee can be powerful. Since all incidents of harassment are unique, public statements should be treated on a case by case basis. The best statements are short and concise with clear support for the person targeted and unequivocal condemnation of abuse and harassment. Include the targeted employee in this process since it could cause more harm to them.
  • A note about Law Enforcement – do not engage law enforcement without the explicit consent of the employee. Law enforcement can make situations worse, and often do not understand online harassment. Learn more about engaging with law enforcement in our Safety Guide.

After

  • Check-in at a frequency that feels good to the targeted employee.
    • Make sure they feel safe – whatever that might mean for them.
    • Overwhelming support can be suffocating so be mindful not to overload them with support from too many people, or too frequently. Bystanders who reach out because of their own anxiety can place victims in the position of managing bystander emotions in addition to their primary trauma.
    • Recommend ongoing therapeutic support after the crisis phase has ended.
  • Ask if they feel like they have adequate support and resources for what they need to feel safe moving forward.
  • Be mindful of not punishing the employee upon return for unfinished work or missed deadlines due to emergency time off. At the same time, don’t dance around the issue or pretend like nothing happened. Instead, acknowledge that the harassment happened, and it understandably impacted their life and work in a terrible and unfair way, and let them know that you’re here to work through the aftermath of it with them, even if you don’t have all the answers.
  • Reiterate educational components for managers such as with training like Take This’ Crisis Listening for Managers.

Of course, although these cover a lot of the common threads of harassment experience, every case is different, and also every person’s response and needs will be different. While these protocols are a solid place to start, we also recommend digging in deeper (perhaps with the task force you’ve formed) and creating action plans for various angles of harassment. What should be done if it’s on social media versus threatening an in-person event versus private blackmail or revenge porn? 

For more specific and customized guidance, the Games and Online Harassment Hotline provides safety consulting. Inquire through our contact form.

Considerations

LAW ENFORCEMENT & LEGAL ACTION

Choosing to seek support from law enforcement can be a fraught decision. For many, especially people of color and trans folks, law enforcement may bring more harm rather than more safety. US law enforcement is still woefully behind in their understanding and sympathy when it comes to online harassment. There are still very few jurisdictions that have laws supporting victims of online harassment, and police often won’t engage in prevention of harm. They typically will only act after a crime (in the legal sense) has been committed. For all of these reasons, we do not tend to recommend law enforcement or legal action in most instances of online harassment. 

If you would like to reach out to law enforcement, officials recommend that targets report online harassment that directly threatens you to law enforcement immediately and with as much documentation as you can. This ensures that there is a timely, documented record of the abuse on file.

In some instances, such as bomb and shooting threats at physical locations such as events or company offices law enforcement engagement may become mandatory or imposed. If this is the case, be sure to have a knowledgeable company representative take point of these communications. Commonly in the United States, law enforcement will file a report and those reports become public record (often within days). Be sure you do NOT include the target’s personal information such as phone number or home address. Use company information when possible. Officers will push back on this but it’s imperative that you do all you can to support the safety and privacy of your employee.

Similar to considering whether to seek out law enforcement, legal action can be an extremely fraught process in the United States. There are some laws, state by state, that protect against particular aspects of online harassment but overwhelmingly the legal system does not understand or fully respect the seriousness of online abuse. Additionally, the legal process can be extremely lengthy, costly, and taxing on the individual.

To learn more about online harassment laws in the United States please reference PEN America’s Online Harassment Field Manual.

Recommendations

We highly recommend creating or reviewing and updating the existing a Social Media Policy, Comment Moderation Policy, and Community Guidelines with issues of online harassment in mind.

We also recommend creating a policy for what to do when an employee causes harm to another employee or to a community (we can help with this!).