ABSTRACT:
Companies adopt response strategies to mitigate the negative consequences of data breaches. While prior research has examined the efficacy of these strategies, it is unclear whether companies must employ the same strategy for all breaches. Given that each response strategy demands varying levels of resources, optimizing resource allocation is crucial for companies to adopt costly strategies only when necessary. Utilizing situational crisis communication theory, we investigate how stakeholders assign different levels of responsibility to companies based on the specific attributes of each data breach and assess the severity of these events. Additionally, we discuss the critical role of effective communication post-data breaches and utilize social-mediated crisis communication to examine how organizations effectively communicate with their stakeholders. We conduct a multi-method study to investigate two primary stakeholders, namely customers and investors, with respect to organizational responsibility and communication. Study 1 employs a factorial survey (n = 849) with a 2 x 2 x 2 experimental design to analyze customer behavior. For Studies 2 and 3, we collect official data breach response letters to analyze 307 data breaches from 2006 to 2022. Study 2 investigates company sales data to understand customer behavior further. In Study 3, we conduct an event study and analyze stock market data to examine investor behavior. We find that stakeholders react to data breaches based on specific characteristics that reflect the organization’s responsibility and how incidents are communicated. Furthermore, customers and investors interpret the same data breaches differently. For example, locus of causality and controllability matter only to customers, and only investors turn to social media platforms (e.g., Twitter) to gather additional information about data breaches alongside company announcements. For research and practice, the findings of three studies collectively suggest a data breach-response match, highlighting the importance of situationally appropriate responses rather than always adopting costly, superior strategies (e.g., compensation). The findings also emphasize the need for companies to strategically plan their post-breach communication, as the source and form of data breach announcements affect stakeholders.
Key words and phrases: Data breaches, stakeholder communication, crisis management, multi-method research, data breach response