Crisis Communication in the Face of Data Breaches

TL;DR

This paper analyzes strategies for crisis communication during data breaches, emphasizing early communication, responsibility, and compliance with regulations, based on qualitative case studies from Finland.

Contribution

It provides a focused examination of data breach crisis communication, highlighting specific practices and regulatory considerations often overlooked in existing research.

Findings

Successful cases involve early communication and responsibility

Unsuccessful cases include blame shifting and lack of authority notification

European regulations are crucial in managing data breach crises

Abstract

Data breaches refer to unauthorized accesses to data. Typically but not always, data breaches are about cyber crime. An organization facing such a crime is often also in a crisis situation. Therefore, organizations should prepare also for data breaches in their crisis management procedures. These procedures should include also crisis communication plans. To this end, this paper examines data breach crisis communication strategies and their practical executions. The background comes from the vibrant crisis communication research domain. According to a few qualitative case studies from Finland, the conventional wisdom holds well; the successful cases indicate communicating early, taking responsibility, offering an apology, and notifying public authorities. The unsuccessful cases show varying degrees of the reverse, including shifting of blame, positioning of an organization as a victim, and failing to notify public authorities. With these qualitative insights, the paper contributes to the research domain by focusing specifically on data breach crises, their peculiarities, and their management, including with respect to European regulations that have been neglected in existing crisis communication research.