Building Crisis Capacity: Stakeholders Forgive Data Breaches in Organizations with Good Reputations

Data security breaches are an increasingly common and costly problem for organizations, yet there are critical gaps in our understanding of the role that stakeholder relationship management and crisis communication in relation to data breaches. This research with my colleagues Amelia Symons and Cheng Zeng, which has been published in Corporate Communications: An International Journal provides important insights from a stakeholder perspective about the importance of building crisis capacity before crises occur.

In this study, we identify a ‘typical’ response strategy to data breaches and then evaluate the role of this response in comparison to situation, stakeholder demographics and relationships between stakeholders, the issue, and the organization using an experimental design. This experiment focuses on a 2 (type of organization) x 2 (prior knowledge of breach risk) with a control group design. Findings suggest that rather than employing reactive crisis response messaging the role of public relations should focus on proactive relationship building between organizations and key stakeholders.

When we put this together with the context, my core argument is that we already know – both in terms of this particular study and overall – that situation will influence stakeholder attitudes. However, we also know across the last 50 years of study in risk and crisis communication that there are a lot of factors that can affect the pathway between a situation and how stakeholders react to that situation. Our goal was to try to better understand those in the context of data security breaches.

The question is what does a ‘typical’ response to a data breach look like. Well, in the UK 27 data security breaches were analyzed between January and October 2019 and a mixed tactic approach using accommodative, framing both the situation and organization, excellence, and interorganizational collaboration typified how organizations responded to data security breaches.

The first question to ask is what factors make the ‘typical’ data breach response most effective. We found that material blame – that is an objective categorization of blame– in combination with the industry meant that a doctor’s office that had the latest technology and pre-crisis reputation accounted for about 17% of the variance alone.

In this case it suggests that it’s not only about taking preventative measures, but the effectiveness of the response will also be based on type of organization and the pre-crisis reputation.

Second, we explored the factors most influencing peoples’ intention to use the organization post-crisis accounting for about 30% of the variance with the combination of material blame and industry with pre-crisis reputation as the significant predictors.

In this case, behavioral intention was lowest when it was a bank who knew that there was a risk to the data security of customer’s account and didn’t take measures to fix the problem and the highest with it was a GP’s office that was not aware and had the latest technology that significantly affected post crisis behavioral intention. However, the pre-crisis reputation was also critical.

Third in exploring the factors influencing the reputational threat a data security breach would have on organizations, we found that that the most damage occurred when the organization was not viewed as competent to handle data security threats and especially damaging for GP surgeries that knew there was a threat and did not take preventative action. So, a doctor’s office that fails to safeguard their patients’ privacy has the most to lose in terms of reputation.

However, interestingly, reputational threat was also amplified when participants themselves had a high level of self-efficacy regarding their ability to safeguard themselves against data security breaches.

So, let’s bring this back to the big picture, but let me say first – nothing about the messaging influenced behavioral intention nor reputational threat. When all of the factors were put together, the single factor that made the most difference was pre-crisis reputation – even more than crisis response, institution type, material blame, or competence in an overall regression model.

While this is only based in the UK and relevant to data security breaches, this does force us to ask the question as to whether the field of crisis communication has put too much stock in post-crisis response and not enough in supporting risk reduction, issues management, and pre-crisis reputation building. While a post-crisis message is always going to be necessary and appropriate – it may not the most relevant actions to take in ensuring that consumers and stakeholders both like and will use the organization afterwards. This has meaningful implications on the field and the emphasis that we place on resources allocated before, during, and after crises.