Mathias Trier Mortensen 201209790 Total Characters: 54.975 Excl. Blanks
Total Page:16
File Type:pdf, Size:1020Kb
Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
OBLIGATORISK FORSIDE Prescribed front page
HJEMMEOPGAVER, PROJEKTER, SYNOPSER U/ MUNDTLIGT FORSVAR Home Assignments, Project Reports, Synopses without oral defence
INSTITUT FOR ERHVERVSKOMMUNIKATION Department of Business Communication
STUDIENUMMER 201209790 Student No. HOLD NR.: H03 Class No. Ex.: U02
FAGETS NAVN: Bachelor project Course/Exam Title
VEJLEDER: Silvia Ravazzani Name of Supervisor
ANTAL 54975 (2434 for Summary) TYPEENHEDER I DIN BESVARELSE (ekskl. blanktegn): Number of Characters in your Assignment (exclusive of blanks):
Page 1 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
Crisis communication An investigation of crisis response strategies for data breaches
BA in Marketing and Management Communication Supervisor: Silvia Ravazzani, Aarhus BSS Department of Business Communication Student number: 201209790 / Exam number: 528461 Total number of characters excl. blanks: 54974 (thesis) / 2434 (summary)
Page 2 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
Summary This BA thesis, titled “Crisis Communication: An investigation of crisis response strategies for data breaches”, employs social constructionism in an empirical research to characterise data breaches in a corporate context and expand the theory of crisis communication. Crisis communication efforts through crisis response strategies should serve to reduce the reputational threat of a crisis. Yet, it is vital for organisations to navigate in the different crisis response strategies to avoid pitfalls and optimise corporate reputation based on the perception from stakeholders. Therefore, the topic of this thesis is of high interest for managers responsible for corporate communication prior to, during and following a crisis, in order to apply effective crisis communication in their practices. Specifically, the concept of data breaching is in interest due to the recent series of IT crises in the corporate world, wherein payment systems have exposed consumers’ credit card information
The need for an adaption of contemporary theory on crisis response strategies to the practice of crisis communication in the event of a data breach is therefore a key to respond immediately and thereby protect the corporate reputation. To acquire empirical data for analysis, the thesis investigates two cases of data breach, from 2011 and 2013, in which Sony and Target had to respond, respectively. The case studies will serve to answer the following questions:
1. How should communication practitioners contemplate data breaching as a crisis?
a. Which type of crisis is a data breach?
b. How can communication practitioners plan crisis response strategies for data breaches?
c. Which pitfalls do crisis response strategies and discourses following a data breach present?
Based on the discussed findings of the analysis, this thesis concludes that data breaching is an IT crisis associated with the victim cluster as malevolence. Hence, the communication practitioners should employ victimage to reduce the reputational threat initially as well as corrective actions to retain a positive corporate reputation by stakeholders. Organisations should be wary of misleading stakeholders by minimisation as legitimisation of the crisis response. The strategy can be applied, but can quickly backfire if stakeholders perceive they have been misled by the organisation. In events with high reputational threat, the organisation should aim to rebuild their corporate reputation, for instance through compensation to the involved stakeholders. Lastly, it is important to be coherent in the application of crisis response strategies and respond immediately and decisively.
Key words: Crisis Communication; Corporate reputation; Reputational threat; Crisis response strategies; data breach; Image Restoration Theory; Situational Crisis Communication Theory.
Page 3 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
Table of content
1. Introduction Crises in a corporate context have established a necessity amongst communication practitioners to master crisis commmunication. Thus, the theoretical framework of crisis communication has become extensive within the existing paradigm with regards to crisis management (e.g. Hearit 1994, 1999; Coombs 2006, 2007).
However, the digitalisation and globalisation of society including organisations present new crises that have not previously been addressed within the area of crisis communication. First, the emergence of social media platforms empowers the rapidity of information sharing amongst consumers, which “more than previously are conversing online about organisations” (Li and Bernoff 2011) and corporate reputation can thus be affected by the conversation. This notion becomes critical in the event of a crisis as consumers can make the crisis escalade quickly if a negative perception is advocated in conversation – therefore organisations must respond immediately after a crisis (Cornelissen 2011) to assess the crisis before it escalades. Secondly, the digitalised customer data in information technology (IT) can be exposed and exploited by IT criminals, especially in features of online credit payment systems that contain consumer credit card information. Thus, consumers with credit card information stored online have a financial stake, in the organisation that maintains the payment system, which can be deprived. Therefore, the consumers as a stakeholder group are key contributors to the development of corporate reputation that can quickly act as a catalyst in the development of a crisis likewise.
Organisations maintaining online payment systems thus have to respond to a new form of crisis, namely data breaching. In 2006-2007 hackers pioneered IT crime during the TJX data breach crisis in which supposedly credit card information for up to 95million credit cards had been compromised (Shurman 2007). Since then, other companies, such as Heartland Payments Systems and most recently the insurance company, Anthem, have been victims on a large scale of the same category of IT crime (Palermo 2015). The strategic management of crisis communication in cases of IT crises, thus, has to be prepared in advance of a potential reputational threat to manage the situation optimally.
The concept of crisis communication needs to evolve in order to adapt to the added practice of IT crises and accommodate the apparent pitfalls. Hence, it will be beneficial to critically analyse the crisis communication
Page 4 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks of previous occurrences of data breaches. A comparative analysis of two recent data breach crises can determine whether the communication practice of crisis management has changed.
The two companies in question of this research are Target, the retailing company, and Sony, the electronics conglomerate. Both have experienced data breach crises in recent years and thus present updated cases eligible for analysis. The analysis will investigate the following articles for both companies: press release, CEO statement and annual reports, as the official sender of the articles are the organisations and they can be accessed easily online for consumers to converse about. Thus they present discourse and crisis responses meant for stakeholders as the intended receiver of these articles is stakeholders to protect the corporate reputation.
1.1 Problem statement As a mean to structure this research paper, the following questions will be answered in the course of the thesis through a case study of Sony’s and Target’s data breaches:
1. How should communication practitioners contemplate data breaching as a crisis?
a. Which type of crisis is a data breach?
b. How can communication practitioners plan crisis response strategies for data breaches?
c. Which pitfalls do crisis response strategies and discourses following a data breach present?
1.2 Structure of thesis The structure of this thesis can be divided into three main parts: framing, analysis and discussion of findings.
Initially, the scientific framework of the analysis will be presented in order to contemplate on the effect of the scientific position, in which the analysis is framed. A delimitation of the thesis will frame the analysis and, thus, impose a cohesive thesis. Thirdly, the literature review forms the theory background for the analysis and discussion of the problem statement with a description of each theoretical field. Theories applied to the analysis include Coombs’ Situational Crisis Communication Theory (2007), Benoit’s Image Restoration Theory (1997) and Van Leeuwen’s Legitimation in Discourse Analysis (2007.) The theories will be reviewed in terms of relevance to the formulated problem statement. Subsequently, the methods and methodology in relation to the scientific framework will be accounted for prior to the empirical analysis. The initial fragment of the analysis will briefly introduce the two case crises for Sony and Target and their articles as crisis communication materials (Sony 2011a, 2011b, 2011c; Target 2013a, 2013b, 2013c). The findings identified in the analysis will be discussed in the succeeding discussion paragraph to interpret the ramifications of those findings. Lastly, the conclusion and
Page 5 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks implications paragraph will offer insight on the future perspective on crisis communication for data breaches.
1.3 Scientific Framework The scientific perspective on this research paper is of social constructionist character. Burr (2001) defines social constructionism with four premises to describe the ontological and epistemological level of social constructionism. The first premise is that it takes “[…] a critical stance towards taken-for-granted knowledge” (2001: 3) in the sense of being open to find new perceptions and of reality in order to understand the socially constructed nature of science. Therefore, social constructionists should be able to apprehend observations to find a deeper meaning. The second premise dictates that data and observations are “historical and cultural specific” (2001: 3) with regards to the position of the observer and previous findings, their position in the historical and cultural continuum. Hence, it becomes necessary for a social constructionist to comprehend the relevance of historical and cultural background of the research in question. Thirdly, the researcher should recognise that “knowledge is sustained by social processes” (2001: 4), and thus, that it is socially constructed between human beings rather than through a universal true reality. Therefore, knowledge is both sender and receiver oriented. The fourth and final premise for social constructionism is the notion; that “knowledge and social actions go together” (2001: 5) in terms of the engagements incited in human beings derived from knowledge constructed by social interactions.
From the four premises a postulation about the ontological, epistemological and methodological levels of social constructionism can be made. Thus, the ontological level is based on the notion that knowledge is socially constructed between human beings in relation to the history as well as culture with a critical stance towards taken-for-granted knowledge. On an epistemological level social constructionists believe that knowledge is best developed through a broad understanding of the interrelation between human beings and their perception of reality constructed by their previous knowledge. Accordingly, it becomes necessary for researchers to contextualise their analyses to fully adapt the notion of knowledge from a social constructionist’ perspective. The ontological and epistemological level thus constructs an understanding of how knowledge is acquired through methods during the analysis. The prerequisite of knowledge through broad understanding of human beings and the perception of reality invites researchers to analyse the discourse in which the research takes place. Additionally, it becomes necessary to analyse findings with an acknowledgement of their in correlation with the historical and cultural context.
Page 6 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
The manner in which the analysis questions the discursive elements in the crisis communication, suggests that societal elements affect the background and application of theories due to the exhaustive relevance of events in society. This notion follows that of Burr (2003) as she stresses that discourse analysis is now referred to as social constructionism “due to the conception that humans are social animals [and] the construction of different aspect of human nature and society,” [such as] philosophy, sociology and linguistics, serve as influencers in the scientific spectrum (2003: 1-2). Critics in form of realists would argue that the constitution of the different aspect is contemplative rather than real (Searle 1995). But it can be argued from an anti-realist’s perspective that the philosophy of science is immense and thus is constituted of our socially constructed knowledge (Potter 1998 in Nightingale and Cromby 2002). As such, it is the socially constructed knowledge that produces whole articles in an analysis.
1.4 Delimitation For the purpose of critically reviewing the scientific perspective applied in the thesis, social constructionism entails certain rationalisations of the chosen area of focus. So, the thesis follows the essential parts of social constructionism described in the previous paragraph, explicitly discourse analysis. While knowledge is gained via receiver as well as sender, this thesis is sender-oriented to analyse in-depth with that emphasis. Therefore, the focus will be on the data collected from articles within the cultural and historical context of the crisis that forms the two discourses. In connection, the two cases presented revolve around the niche part of IT crises, data breaching, to offer relevant implications to the specific niche fragment of crisis communication.
2. Literature review The following sections will conceptualise crisis communication by definition through crisis, crisis types and crisis response strategies in order to characterise the rationale of the analysis and embedded assumptions in IT crises. Thus, the literature review serves to discuss the findings well along within the existing research field of crisis communication. Originally, the term crisis stems from the “Greek word krisis [that] implies a pulling apart, a separating” (Ciborra 1998: 7). The notion can be applied to different types of crisis in the separation between two or more parties. However, in a corporate context and for this thesis, the concept of crisis is defined as “an untimely but predictable event that has actual or potential consequences for stakeholders’ interests as well as the reputation of the organisation suffering the crisis” (Heath and Millar 2003: 2). Additionally, Gamble (2009) argues that “a crisis is not a natural event, but a social event and, therefore, is always socially constructed […]” (cited in Laffan 2014: 267). Hence, the crisis can hurt an organisation through stakeholders due to the stakeholders’ socially constructed reactions to the crisis. A crisis should then induce a response, which should be “decisive and immediate [,] from the organisation” (Cornelissen 2011: 200) in order to accommodate and diminish the crisis’ effect on
Page 7 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
the corporate reputation. However, a crisis can occur as different crisis types determined by the cause for the crisis, which is identified by Coombs (2007: 168):
Victim Cluster The organisation is a victim of the crisis
Natural disaster - Acts of nature damage an organisation Rumour - False and damaging information about the organisation is circulated Workplace violence - Employee attacks emplooyes onsite Product tampering/Malevolence - External agent causes damage to organisation
Accidental cluster Unintentional crisis caused by organisation’s action
Challenges Stakeholders critic the manner of organisational operation - Technical-error accidents Technology failure causes accident - Technical-error product harm Technology failure causes product recall -
Preventable cluster Hazardous actions done by organization
Human-error accidents Human error caused accident - Human-error product harm Human error caused product recall - Organisational misdeed with no Stakeholders are deceived without injuries injuries - Organisational misdeed Legislations are violated by management management misconduct - Organisational misdeed with Stakeholders are at risk and injuries occur injuries Table 1: Overview of crisis types by clusters in accordance with Situational Crisis Communication Theory (Coombs 2007)
As Coombs (2007: 167) argues, “it does matter if stakeholders view the event as an accident, sabotage or criminal negligence [, hence] how much stakeholders attribute responsibility for the crisis to the organisation”. He divides the crisis types into three identified clusters as declared previously; 1) the victim cluster, in which the organization is the victim of the crisis; 2) the accidental cluster, in which the crisis in unintentional or uncontrollable; and 3) the preventable cluster, wherein the crisis is purposeful (2007: 167). The first two have weak attributions of crisis responsibility, to which degree the organization is considered accountable, whereas the preventable cluster has strong attributions of crisis responsibility (Coombs 2007). Additionally, the reputational threat increases ranging from 1) the victim cluster – mild reputational threat to 3) the intentional cluster – severe reputational threat (2007: 168).
Page 8 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
In the modern business world, new potential crises can arise through the application of information technology. Following the emergence of online data collection, “companies are busy seeking strategic applications of information technology (IT), savouring the delights and pitfalls of more and more sophisticated networks” (Ciborra 1998: 6). IT does therefore not only provide opportunities to businesses but also challenges that can potentially evolve into crises, which can thus be defined as IT crises. An example of such an IT crisis is the “Heartland Payment System data breach” in which credit card information was stolen by hackers to access customers’ credit card accounts and thus their personal assets. The IT crisis eventually cost Heartland “50 percent of its market capitalization and, as of August 2009, had spent more than $32 million on legal fees, forensic costs, reserves for potential card brand fines, and other related settlement costs” (Cheney 2010: 18). Therefore, management should serve to employ “efforts aimed at improving information sharing and data security within the consumer payments industry” (2010: 1) to avoid such crises.
So, for this thesis, an IT crisis takes point of departure in an untimely, but predictable event related to the implementation or utilisation of information technology. The crisis carries potential consequences for stakeholders’ interests as well as the reputation of the organisation suffering from the crisis. The characteristics of an IT crisis correspond with the accidental cluster of Coombs’ (2007: 168) crisis types by cluster due to the technological aspect and potential failure to correctly manage that technology.
However, in the case of the Heartland data breach the intrusion of the IT systems was done by an external agent who deliberately breached the system and stole personal payment data intentionally. Hence, the organisation becomes the victim in the crisis as the intrusion constitutes malevolence. The Heartland data breach will thus establish a general definition of data breaching in a crisis context. Thus, a data breach will be defined as a crisis with an illegal act of information theft done by an external agent. Additionally, it is assumed that the stakeholders hold the organisation less responsible due to the external agent’s wrongdoing.
It is thus essential for organisations to be able to convey the crisis to the stakeholders in an appropriate manner. Kim et al. (2009: 86) argue that “[stakeholders] make sense of the crisis based on not only the objective facts regarding the crisis, but also on the aspects of reassurance emphasized by the company in the media or news releases”. This argument is backed by Benoit’s statement that the conveyed message is crucial as “perceptions are more important than reality” (Benoit 1997: 178). The application of communication in crises can therefore diminish the criticism by stakeholders towards an organisation.
2.1 Defining Crisis Communication The field of crisis communication is a subcategory of crisis management with “[…] objective to exert control [and] reassure stakeholders […]” (Cornelissen 2011: 199). The emphasis on the communication aspect of crises is due to the assumption that “a crises response […] is essentially communicative” (Coombs 2010:
Page 9 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
337). Crisis communication can thus be summarized as the visual, textual and/or verbal interaction by the company and its stakeholders, whether it is before, during or following a crisis (Fearn-Banks 2001: 480). Hence, organisations should serve the interests of their stakeholders in order to uphold a certain level of corporate reputation, as Coombs (2010) state that “once [stakeholder] safety is addressed, the crisis response shifts to reputational repair” (: 338). To apply the term “safety” in this context, it is viewed as safety of the stakeholder’s investment in the organisation rather than physical safety, which is unlikely in the event of a crisis through information technology. In the event of a data breach the stakeholder safety is thus entrenched in their credit card information. The corporate reputation is here defined as “[…]a perceptual representation of a company’s past actions and future prospects that describes the firm’s overall appeal to all of its key constituents[…]” (Fombrun 1996 cited in Wartick 2002: 374). This signifies an emphasis on the perception of the stakeholders, the need to be wary of the impact it has on an organisation and the need to apply assets of reputational character in the crisis management.
The crisis response strategies to repair corporate reputation are comprehensive and it is thus essential to be able to navigate in the countless theories within the field. Therefore, two main principle of crisis communication are presented below for adaption to highlight the cases in nuances.
Previously stated, crises can damage the corporate reputation and affect how stakeholders interact with the organisation in a negative manner (Barton 2001, Dowling 2002 in Coombs 2007: 163). According to Rousseau (2006), the approach to counter the crisis and thus protect the corporate reputation is “through evidence-based guidance […] supported by scientific evidence rather than personal preference and unscientific experience” (cited in Coombs 2007: 163). This notion should however still be seen in the light of social constructionism that acknowledges that scientific evidence is founded in social interactions.
So, the Situational Crisis Communication Theory developed by Coombs (2007), serves the apparent need for evidence-based guidance in a scientific matter. Throughout the thesis, Situational Crisis Communication Theory will be referred to as SCCT in short on Coombs’ own invitation (2007). SCCT can be applied as a strategic tool to 1) determine the crisis type, 2) identify possible crisis response strategies and 3) evaluate the strategies through guidelines for crisis responses (Coombs 2007). However, for the identification of possible crisis responses, the Image Restoration Theory (Benoit 1997) will interchange Coombs’ own crisis response strategies through primary and secondary crisis response strategies (Coombs 2007). This is due to the augmented variety of strategies, in which, for instance, the possibility of corrective action is possible in Benoit’s theory (1997) and not in Coombs’ (2007). Coombs (2007: 171) argues that “Image Restoration Theory offers no conceptual links between the crisis response strategies and elements of the crisis situation”. Yet, an adaptation of the Image Restoration Theory to Coombs’ terminology, through the three general crisis
Page 10 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks response strategies; Deny, Deminish, Rebuild and Victimage (Coombs 2006), allows the application of Coombs’ crisis response strategy guidelines of SCCT (Coombs 2007) specified subsequently.
SCCT assesses the reputational threat of a crisis situation via three main points 1) initial crisis responsibility, 2) crisis history and 3) prior relational reputation (Coombs 2007: 166). The initial crisis responsibility is defined as “[…] how much stakeholders believe organisational actions caused the crisis” (Coombs 1995 cited in Coombs 2007: 166). Thus, it is important to determine to which level the crisis is perceived as self-induced. The crisis history and prior relational reputation of an organisation can further enhance that perception, as “either a history of crises or an unfavourable prior relational reputation intensifies attributions of crisis responsibility thereby indirectly affecting the reputational threat” (Coombs 2007: 167)
In relation to the three main points of reputational threat, it is necessary for managers to determine the crisis type to find the initial cause or offender in the crisis situation. The crisis type has previously been elaborated in the 3 crisis types by clusters: victim, accidental and preventable cluster (Coombs 2007: 167)
Coombs’ SCCT (2007)emphasises swift assessment of the situation at the point of crisis, however, the crisis history and prior relational reputation indicates the manner in which a crisis can be alleviated or aggravated dependant on the two attributes.
Following the crisis types, the crisis response strategies, which previously stated will be presented in Benoit’s (1997) terminology offer initiatives for communication practitioners to apply in crises. The strategies will 1) shape attributions, 2) change perceptions and 3) reduce reputational threat (Coombs 1995 in Coombs 2007). Benoit emphasises that “perceptions are more important than reality [and] as long as the audience thinks the firm at fault, the image is at risk” (1997: 178). Benoit’s concept of image can thus be related to Coombs’ corporate reputation, as they describe the perception of the stakeholders. Henceforth, the term corporate reputation will be applied throughout the thesis. The augmented variety of crisis response strategies includes five general message options with subordinate description within the first three. Image Restoration Theory‘s descriptions are briefly described below (Benoit 1997: 179-181): 1) Denial, wherein the organisation applies either simple denial or shifts the blame to deny its responsibility;
2) Evasion of responsibility that is in form of provocation, defeasibility, accidents or good intentions. Thus the crisis was provoked by another event, due to poor information, an accident or based on good intentions;
Page 11 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
3) Reducing offensiveness of event that is either based on bolstering of the organisation, minimisation of the crisis, differentiation from other similar crises, the means for transcendence , attack(ing) the accuser or compensation to the victims of the crisis;
4) Corrective action, wherein the organisation will assure stakeholders that the problem will be corrected or prevent the reoccurrence that problem; 5) Mortification that implies the organisation confesses to stakeholders and takes responsibility for the crisis. This strategy can, however, be hazardous as “[…] it might invite lawsuits from victims” (1997: 181).
Benoit’s Image Restoration Theory (1997) has theoretical connections to Frandsen and Johansen’s crisis communication and apologetic ethics (2010) through the emphasis on crisis communication through apologies, which can be applied to some cases of 3) reducing offensiveness of event, 4) corrective action and especially 5) mortification. However, the apologetic approach does not apply well with 1) Denial or 2) Evasion of responsibility. A more suitable notion of apologia by Hearit (1994: 115) is, however, more differentiated as it does not necessarily carry an apology to right the wrongdoings of an organisation. He argues it to be “[…] a defense that seeks to present a compelling, counter description of organizational actions […] in a more favourable context than the initial charges suggest” (Hearit 1994: 115). As such, the apologia is applied to a discourse by the organisation to minimise reputational threats. The concept of apologia thus translates well into the SCCT (Coombs 2007) and Image Restoration Theory (Benoit 1997) without providing an extensive strategic tool compared to SCCT.
Lastly, Coombs offers a set of recommendations for the use of crisis response strategies through the crisis response strategy guidelines (Coombs 2007). For the scope of this thesis the response guidelines included will concern the premises of data breaching, defined previously as an illegal act of information theft done by an external agent. The definition stresses minimal attributions of crisis responsibility by the organisation. Hence, only the following guidelines concerning minimal attributions of crisis responsibility and a singular guideline concerning strong attributions of crisis responsibilities, in case of organisational misdeed with no injuries (Coombs 2007), will be applied to this thesis.
The guidelines suggest that “informing and adjusting information alone can be enough” when the reputational threat is low (2007: 173), but as the reputational threat growths the crisis response should move towards diminish responses onwards to rebuild responses in pari passu with the growth. Also, “victimage can be used as part of the response for […] malevolence […]” (2007: 173). Lastly, the guidelines suggest that consistency in the application of response strategies should be in place to avoid erosion of effectiveness (2007: 173-174).
Page 12 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
Crisis response strategies can thus provide an overview for communication practitioners to apply in crisis communication. Overall, the two theories, SCCT (Coombs 2007) and Image Restoration Theory (Benoit 1997) supplement the other in terms of application and conceptualisation. An adaption of the two in unison is thus applied to this thesis with emphasis on crisis response strategies:
Crisis response strategies Denial - Deny doing the act Simple Denial - Blame another for act Deny Shift the blame Evasion of responsibility - Claim that something else caused it Provocation - Blame lack of information Defeasibility - Claim that act was a mishap Accident - Claim that act was meant for the best Good intentions Reduce offensiveness of Event Diminish Bolstering - Stress good traits Minimisation - Claim that act was not serious Differentiation - Claim that act was less offensive Transcendence - Claim that the end justifies the means Attack accuser - Reduce attacker’s credibility Compensation - Reimburse victim Rebuild Corrective action - Prevent/solve problem Mortification - Apologise and take blame
Adapted from Benoit (1997)
Victimage - Reemphasise the role as a victim Adapted from Coombs (2007) Table 2: Adaptation of Image Restoration Theory (Benoit 1997) and SCCT (Coombs 2007)
3. Method Subsequent to the methodology of the scientific position of this analysis, the methods will have focus on the socially constructed knowledge presented in the collected data. Additionally, social constructionism is the rationale for the chosen methods with historical and cultural context in mind. In the following two sections the data collection and data analysis will be presented.
3.1 Data collection The social constructionist perspective on this thesis entails the premise that knowledge is socially constructed and that the discourse in a given context is constituted by multiple perceptions. Hence, in order to gain knowledge, a “holistic examination – using multiple sources of evidence […] of a single phenomenon ([for example] an event) within its social context” (Daymon and Holloway 2011: 115) can determine the key points of crisis communication in the presented cases.
Page 13 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
The data collection of this analysis is reliant on articles in form of annual reports, CEO statements and press releases as qualitative empirical data in the case study of Sony and Target’s respective IT crises, specifically data breaching. Sony has made the following articles official in a chronological order: a two-page press release at May 3 2011 (Sony 2011a), CEO statement May 5 2011 (Sony 2011b) and annual report July 6 2011 (Sony 2011c). Subsequently, Target released a press release December 19 2013 (Target 2013a), a CEO statement December 20 2013 (Target 2013b) and an annual report March 14 2014 (Target 2013c). Collection of data from the annual reports will exclusively target the paragraphs explicitly addressing the data breach of the respective companies. That is page 8 from Sony’s annual report (Sony 2011c) and pages 17-18 from Target’s annual report (Target 2013c: 1-2). The articles can be viewed in Appendix A to F, however throughout the analysis; they will be referred to the sender and year of publication.
A noteworthy distinction between the companies’ articles is time, as Sony’s crisis material stems from 2011, whereas Target’s is more recent, from 2013. The parameter of time can thus play a role on the crisis communication efforts when the two cases are compared to each other, as new understanding of the subject after Sony’s crisis in 2011 can have aided Target in their crisis communication. The rationale for three different communication channels is a holistic perception of the crisis communication embedded in instant communication, press releases; reactionary communication, CEO statements and finally the settled communication integrated in the annual reports and more explicit in certain paragraphs of that article. Thus, the articles present more than one aspect to the same challenge of successfully communicating within a crisis discourse.
3.2 Data analysis As determined previously, social constructionism is the foundation of this thesis, which is reflected in the chosen theories for analysis of the crisis communication by Sony and Target. An adaptation of Coombs’ SCCT (2007) and Benoit’s Image Restoration Theory (1997) will investigate the setting for the crisis communication for each company qualitatively through an analysis of responses and discourses. These adaptations of crisis response strategies from existing theory can be viewed in Table 2. In supplement to the adaptation, Van Leeuwen’s Legitimisation in discourse analysis (2007) serves as an expansion of the analytic approach to crisis communication in a rhetoric perspective that can illustrate the intention to affect stakeholders’ perception of the organisations.
Fairclough (1992: 225) defines discourse as the “[…] practice of signifying a domain of knowledge or experience from a particular perspective”. To paraphrase that definition, a discourse analysis is thus an analysis of the signals used to describe a field of study or involvement from a particular perspective. Thus, the discourse analysis identifies elements of rationale from the provided perspective.
Page 14 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
Van Leeuwen (2007) developed the legitimisation in discourse analysis theory to effectively interpret and analyse discourses in question through legitimisations applied in the communication material. He defines legitimisations as “the answer […] to the question ‘Why’ – ‘Why should we do this?’ and ‘Why should we do this in this way?’ (2007: 93).
The legitimisation in discourse analysis is divided into four major categories of legitimacy: 1) authorisation, 2) moral evaluation, 3) rationalisation and 4) mythopoesis (2007: 92-111).
The 1) authorisation in legitimisation employs either personal authority, expert authority, role model authority, impersonal authority, authority of tradition or authority of conformity. Personal authority implies the authority embedded in the status of the sender. Contrary, through expert authorisation, legitimacy is delivered via expertise rather than. Hence, the legitimacy becomes empowered via an expert role. Role model authority relies on the sender’s role as an opinion leader or role model within the context. Impersonal authority is present in legislations and is, thus, impersonal due to the prohibitions of the law. Authority of tradition relies on “[…] what we have always done” (2007: 96). Lastly, authority of conformity applies the legitimisation by stating that “most people are doing it, and so should you” (2007: 97).
2) Moral evaluation legitimises via values. IT can be subdivided into evaluation, in which evaluative adjectives are used to legitimise; abstraction, wherein the abstract references form the legitimisation, and lastly analogies that imply the use of comparisons as legitimisation (97-100).
3) Rationalisation applies the use of logic to rationalise the legitimisation. It can be subdivided into instrumental rationalisation and theoretical rationalisation (2007: 101-105). Instrumental rationalisation emphasises the purpose legitimised through means, effect or goal, whereas theoretical rationalisation emphasises the nature of circumstances by definition, explanation or prediction.
Lastly, 4) mythopoesis applies legitimisation through storytelling. Mythopoesis can be either positively, moral tales, or negatively, cautionary tales, influencing as the legitimisation (2007: 105-107).
Kress’ analysis shows “that a single text can invoke many different, sometimes even contradictory, discourses” (1985 in Van Leeuwen 2007: 108). Hence, it is necessary to attempt to view the legitimisations from different perspectives to avoid misinterpretation. This notion is supported by Van Leeuwen’s statement “[we] need to consider not just legitimation, but also and especially the intricate interconnections between social practices and the discourses that legitimize them” (2007: 111). Thus, to support the crisis communication analysis, an in-depth discourse analysis through legitimisations in
Page 15 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks discourse analysis by Van Leeuwen (2007) will provide an understanding of the discourse in which the crisis communication operates.
Thus, the crisis communication and discourse analyses take the context of the crises into account. However, while the analyses emphasise the socially constructed discourses there is little or no emphasis on the stakeholders and their perception prior to, during and post crisis. Hence, this thesis will provide insight in the rationale of the chosen crisis communication strategies; however it will not examine the effect on stakeholder perception.
4. Background information A brief description of the two data breach crises will provide the analysis with a context in which the communication transpires. Thus, the background information will precede the analysis to make grounds for the value and corporate reputation of the two.
4.1 Crisis: Sony Online Entertainment’s data breach One of Sony’s most salient product groups is PlayStation, a series of video gaming consoles and software. The entertainment service network developed for the consoles, PlayStation Network, had 75million users in March 2011 and 150million in September 2013 (Statista 2015). In the registration process of PlayStation Network consumers state data collection of private personal details, such as credit card information to purchase content through the network.
In April 2011, Sony’s first major crisis occurred after the hacktivist group, Anonymous, allegedly hacked the PlayStation Network and Qriocity servers and thus compromised 12,3million registered users’ credit card information at April 3 (VentureBeat 2011). The hack attack was rumoured to be an act of retaliation of the lawsuit against George “GeoHot” Hotz at January 11 2011 due to his distribution of “jailbreaking” tools to PlayStation users, thus circumventing Sony’s security system against unauthorised software. The hack
attack, thus, created a sudden technological crisis (Tench and Yeomans 2009: 386‐837) that happened expeditious. Therefore, the crisis communication had to be swift in order to react timely to the hacking.
However, according to VentureBeat (2011), Sony noticed the intrusion on the servers at April 20, 17 days later after the intrusion occurred, and decided to shut the system down in order to investigate the attack. The users were given the following statement: “[…] we are aware certain functions of PlayStation Network are down. We will report back here as soon as we [have] more information” (PC World 2011).
Page 16 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
Furthermore, they did not publicise a press release until May 3 2011 (Sony Online Entertainment 2011), which had left users without a legitimate reason for the shutdown of servers for almost two weeks. Two days later CEO, Howard Stringer, released a statement on the crisis (PlayStation Blog 2011), in which he apologised for any inconvenience caused by the crisis.
Following the shutdown, Sony strived to accommodate the affected users of PlayStation Network by the “welcome back” programme that included free games and premium access to PlayStation Plus for the users as compensation for the time excluded from the Network (Huffington Post 2011). During the span from April 20 to May 20, Sony’s stock price went down ≈10% from 30,14US$ to 27,05$US, which indicated a loss of confidence in Sony as a public limited company (Yahoo! Finance 2015).
4.2 Crisis: Target’s data breach In 1995 Target introduced their credit card solution for customers, Target Guest Card, which was later renamed to REDcards in 2004 (Corporate Target 2015). Customers can apply for a REDcard with their personal information in order to receive the credit card that ensures exclusive discounts and advantages for the cardholder (Target 2015).
In the winter 2013, Target’s first corporate crisis hit as hackers were able to steal 40 million customer’s; names, credit or debit card numbers, expiration dates and three-digit security codes from November 27 to December 15 (New York Times 2013). Initially, Target claimed that “to date, there is no evidence that unencrypted PIN data has been compromised” (TIME Business 2013). However, at December 19 2013, Target released a press release, wherein they confirmed “unauthorised access to payment card data in US stores […] that may have impacted certain guests” (Target 2013a). Thus, within the few days, Target switched deposition from disregarding the crisis to an acknowledgement that it “may have” happened. The stolen PIN data could then be used by “cybercriminals [to] make withdrawals from a customer’s account through an ATM” or it can even be sold on cyber black markets for others to mismanage (New York Times 2013).
In the wake of the discovery of the crisis at December 21 2013, the bank, JP Morgan Chase, announced to “debit card customers affected by the Target breach that it [would] place daily limits on spending and withdrawals as it works to reissue cards in the following two weeks” (Wall Street Journal 2014). Hence, the statement by JP Morgan Chase further strengthened the distrust in Target. In order to regain some of the trust and thereby repair the corporate reputation, Target offered customers, an additional 10 percent off their purchases, whether they were victims of the crisis or not (NewsCred n.d.). Target eventually announced at January 10 2014 that “70 million customers had their personal information stolen during the holiday data breach” (Wall Street Journal 2014).
Page 17 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
5. Findings In this section the case material of Sony and Target will be analysed to identify key findings that can substantiate the impact of crisis communication in cases of data breaching. The two company cases will be analysed separately under each theoretical section to form a foundation for a comparative analysis in the end of each section.
5.1 Crisis communication The crisis response strategies relevant for the adaptation of Coombs’ SCCT (2007) and Benoit’s Image Restoration Theory (1997) will be scrutinised. Firstly, the crisis types by clusters adapted from SCCT will be identified, then, crisis response strategies adapted from Image Restoration Theory.
Despite the emphasis of crisis history and prior relational reputation of reputational threats, the two factors will be omitted as there has been no prior crisis in the companies’ history, which is evident in the background information. The study of prior relational reputation carries ample research question on its own beyond the scope of this analysis and will therefore not by investigated.
5.1.1 Sony Sony denotes that the crisis is due to external agent’s malevolence on the company as “hackers may have stolen SOE customer information” and “SOE accounts may have been stolen [which were][…] illegally obtained” (Sony 2011a: 1). The bias towards this crisis type continues in the CEO Statement (Sony 2011b) with the comprehensive exert of the word, attack, thus connotes that Sony is a victim in the crisis; “[…] caused by this attack”, “If attacks like this happen again” and “a criminal attack on us”. Similarly, in the annual report (Sony 2011c) the “cyber-attack launched against the PlayStation Network and Qriocity […] forced [Sony] to temporarily shut down all of these services” connotes the victimage of Sony in this crisis as they have fallen victim to “sophisticated criminal intrusions”.
The press release (Sony 2011a) introduces the crisis via a shift of blame interconnected to the malevolence described above, as “hackers may have stolen SOE customer information on April 16th and 17th, 2011” (: 1) and “hackers […] do their best to cover their tracks” stated in the CEO statement (Sony 2011b). However, the predominant response strategy applied is corrective action. This is evident from reaction in which, “upon discovery […], the company promptly shut down all servers related to SOE services” also “the company is working with the FBI and continuing its own full investigation while working to restore all services”(Sony 2011a: 1). By responding immediately, Sony denotes a corrective action has been done. The “$1 million identity theft insurance policy” will in the future protect the interests of the customers to prevent the problem from reoccurring (Sony 2011b). Compensation is briefly managed by “rewarding [customers] for [their] patience” (Sony 2011b) with the “30 days of additional time on [customers] subscription” (Sony 2011a: 2)
Page 18 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
The annual report (Sony 2011c) only has few traits of crisis response strategies in form of shifting the blame, “cyber-attack launched against PlayStation Network […], which forced [them] to temporarily shut down all of these services”. The other strategy evident is corrective action, as“[they] have worked around the clock to strengthen [their] information security systems” and eventually “all serviced territories have been restored”.
5.1.2 Target The crisis type of Target’s data breach is characterised via the victim cluster in form of malevolence. It is evident from the press release (Target 2013a), wherein Target “confirmed [it is] aware of unauthorised access to payment card data”. Additionally, the “unauthorised access to payment card data” is succeeded by a statement that “[the data breach] was a crime against Target, [their] team members and [their] valued guest” (Target 2013b). The recurrence of “unauthorised access” denotes that it was an external agent. Which is explicitly stated in the annual report; as “an intruder stole certain payment card and other guest information from our network” and that the intruder accessed “[…] approximately 40 million credit and debit card accounts” (Target 2013c: 1).
The crisis is minimised through the ambiguity of the statement that “card accounts” and “card data may have been impacted” (Target 2013a) and still customers “can shop with confidence at target” as “there are typically low levels of actual fraud” (Target 2013b) . It thus remains unresolved in the press release and CEO statement, whether there really was cause for consumers’ concern over their credit card information. Hence, the crisis threat is minimised due to the low risk of affecting customers and they should therefore disregard the threat and purchase unaffectedly.
However, corrective actions are applied as Target has “resolved the issue” and are “working with law enforcement to bring those responsible to justice” to correct the crisis (Target 2013b). Target ”removed the malware from virtually all registers” (Target 2013c: 1) and ”committed to restore [customer] confidence (: 2). Conclusively in the annual report, it is stated that Target “are committed to […] activities to restore [customers’] confidence” (: 3). These examples connote actions initiated to protect consumers and prevent a similar crisis.
The compensation is explicit in the CEO statement (Target 2013b) as Target “will offer free credit monitoring services”. Moreover, the “issue has been addressed” connotes a corrective action to illustrate that actions have been taken to resolve the crisis. There is no evident minimisation in the annual report contrary to the press release and the CEO statement. Instead, the annual report shifts the blame to “the intruder [who] accessed and stole payment card data” and
Page 19 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
“the intruder stole certain guest information […] for up to 70 million individuals” (Target 2013c: 1). In correlation, minor traits of mortification are evident as “it is probable [Target] would be found liable on these claims were they to be litigated” and thus “may be subject to fines or other obligations” (Target 2013c: 2). Thus, the organisation takes partial blame for the crisis and addresses the risk of litigations.
Victimage is identified with emphasis on the financial aspect of the crisis. Target addresses the “more than 80 actions filed in court […] may be asserted against [them] on behalf of guests[…]” (Target 2013c: 2). Thus, the crisis has caused liabilities that can be referred to the “$61 million of pretax data breach-related expenses” (: 1).
5.1.3 Comparison A similar strategy applied by both organisations is the malevolence as part of the victim cluster, wherein Sony as well as Target claims that an external agent caused the crisis rather than the organisations themselves. Additionally, response through compensation is identified in both cases. However, Sony is fairly consistent in the application of the crisis response strategies with traits of shift the blame and corrective action across the three Sony articles. Contrary, Target is inconsistent in the crisis response strategies applied as the first two articles contain minimisation, which is abandoned in favour of shift the blame and minor traits of mortification in the third article. Conclusively, both organisations apply victimage to denote their role as victims in the crisis.
5.2 Discourse analysis The articles will be analysed for legitimisations applied in discourse of the communication. However, due to the prosperity of legitimisation traits, the predominant legitimisations will be highlighted to indicate the trending practice of the two organisations in the articles and thus not misconceive the rationale of the strategy overall.
5.2.1 Sony Sony’s application of authority in the legitimisation is primarily in form of impersonal authority, evident in the press release by the “illegal intrusions” and the work with “the FBI” to recover the “illegally obtained” personal information (Sony 2011a: 1). The emphasis is, thus, put on what is dictated by legislation as illegal and upheld by the governmental FBI.
The phrase “under the leadership of Kazuo Hirai” (Sony 2011b)” forms an analogy of moral evaluation through a military comparison with reference to a military status, to make “[their] defences […] even stronger” against the “cyber-attacks”.
The annual report (Sony 2011c) contains a trait of instrumental rationalisation as the effect of “a cyber- attack […] forced [them] to temporarily shut down all of these services”. Thus, the shutdown was an effect of
Page 20 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks the data breach. Additionally, a legitimisation by moral evaluation is applied by evaluation as the evaluative adjectives, “new and rich user experiences” and “a serious challenge”; legitimise the quality of products and the degree of crisis.
The evaluation is predominant throughout in the moral evaluation of legitimisation through the use of evaluative adjectives: “as quickly as possible” (Sony 2011a) and “full and safe service” (Sony 2011b). The adjectives legitimise the efficiency of the process. The instrumental rationalisation is evident in the press release; “the company is committed to helping customers” and “complimentary offering to assist users”, goal and means respectively (Sony 2011a). Hence, Sony emphasises the support to customers as a goal and the offering as a mean towards that goal. Additionally, Sony wants to “[get] back what [customers] signed up for” (Sony 2011b) and “further reinforce [their] security” (Sony 2011c). Thus, the goals, which were customer satisfaction and IT security, are set for Sony.
5.2.2 Target Likewise, Target’s reference to “law enforcement”, “financial institutions” and “authorities” (Target 2013a) form authority of impersonal character, as the examples denote authority in legislative form.
The legitimisation by authority in the CEO statement (Target 2013b) is still present, but, instead of impersonal authority the application of authority of tradition becomes evident as “[Target] has been built on a 50-year foundation of trust” and “[their] guests are always first priority”. Thus, the lineage is included to legitimise trust and customer service.
Instrumental rationalisation is evident in the first two articles through goal-orientation towards customer trust in the organisation, “Target’s first priority is preserving the trust of [their] guests” (Target 2013a), and means-orientation through “free credit monitoring services [to get] extra assurance” (Target 2013b).
Rationalisation is also featured in the annual report (Target 2013a), but is of theoretical character through prediction as, “[they] expect the forensic investigator […] to claim […]” and explanation of the “yearend incremental counterfeit fraud losses […] because [they] have not yet received third-party fraud reporting”. The rationalisation is thus based on the nature of the organisation’s circumstances rather than the purpose. Conclusively, authority is primarily of impersonal character with emphasis on “state and federal agencies” and the support to “law enforcement” (2013c: 2).
Evaluation is evident in the article by the wording “appropriate resources” and “thorough investigation” to legitimise the expenditure and quality of research (Target 2013a) and the normality of the crisis is legitimised by “other similar situations” (Target 2013b). Furthermore, Evaluation legitimises the righteousness of the “significant investigation” and the inaccessibility of the “broad array of […] factors” as “infeasible” (Target 2013c: 2, 3).
Page 21 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
5.2.3 Comparison The application of impersonal authority in the articles is similar for both organisations. Though, Target shifts from impersonal authority to authority of tradition back to impersonal authority. Target applies evaluation across their three articles, whereas Sony applies it to the press release and annual report, but analogies in the CEO statement through a military comparison. On the other hand, Sony applies instrumental rationalisation across the three articles and Target does in the press release and CEO statement as well, but applies theoretical rationalisation in the annual report.
6. Discussion A discussion based on the contemporary theoretical contribution to crisis communication, background information and analysis findings will identify key takeaways for communication practitioners to apply in the event of data breaching going forward. This discussion takes point of departure in Coombs’ (2007) crisis response strategy guidelines that can help protect the corporate reputation “through evidence-based guidance […] supported by scientific evidence rather than personal preference and unscientific experience” (Rousseau 2006 cited in Coombs 2007: 163).
The premise of a data breach involves an external agent in form of a hacker, which constitutes the primary guilty party in the crisis, in contrast to other crisis types. Thus, it is natural for organisations to recede from responsibility and introduce the crisis as malevolence by victimage with the organisation as a victim in order to reduce the reputational threat (Coombs 2007). This claim is denoted by the practice performed by Sony and Target’s crisis communication, implying a consensus within the niche area of the crisis communication that follows the guidelines of victimage in cases of malevolence. The organisations’ insufficiency within IT security could constitute reputational threat if stakeholders perceive that as an attribution of crisis responsibility. Thus, the level of attribution of crisis responsibility would be higher than, if it is perceived that nothing could have been done to prevent the data breaches. Therefore, it is possible that stakeholders in reality perceive low attribution of crisis responsibility to the organisation rather than minimal attributions in cases of data breaches based on the importance of sufficient IT security to prevent the crisis.
Cornelissen’s (2011: 200) premise for optimal crisis communication state that it has to be “decisive and immediate [,] from the organisation” and Coombs’ (2010) priority on stakeholder safety, in this thesis credit card information, is a point of critique for Sony’s crisis response. Sony’s announcement of the failing functions of PlayStation Network without much information does not denote decisiveness or immediacy in terms of crisis response strategies, nor does it accommodate a potential threat to the credit card information of PSN users. The initial poor response with no information may even have devalued Sony’s stock indirectly.
Page 22 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
However, overall the effectiveness of the crisis response strategies was maintained by consistency (Coombs 2007: 173) across the three articles in form of shift the blame and corrective action (Benoit 1997) mainly. The shift of blame works in the case of malevolence with the denial of responsibility of wrongdoing shifted to the intruders, but with reassurance that Sony will take appropriate corrective actions to prevent the crisis from occurring again.
Coombs (2007) argues that rebuild strategies accommodate stakeholders best, but that the high cost of compensation can make the strategy too expensive. The compensation given by Sony in form of the “30 days of additional time on [customers] subscription” holds low level of accommodation, as the compensation is an opportunity cost rather than a variable cost that can still accommodate customers’ questions towards PlayStation Network’s credibility as a secure network provider. However, the compensation provides Sony with a tool to regain their damaged corporate reputation evident in the negative stock development following the crisis. Contrary to Sony’s consistent crisis response strategies, Target has inconsistent application of crisis response strategies in the articles through minimisation in the first two articles and replaced with shift the blame and mortification in the third. As Coombs (2007) argues in his guidelines, the inconsistent application of crisis response strategies will erode the effectiveness of the overall response. This is evident in the Target case as the minimisation applied through reassurance that the crisis likely will have no effect on the customers’ confidence in shopping at Target and that they therefore should refrain from alarm. But, following JP Morgan Chase’s corrective action targeted at debit card customers affected by the Target breach (Wall Street Journal 2014) the notion of minimisation applied by Target loses credibility and thus the corporate reputation is tarnished. Target thus responded immediately, but not decisively to accommodate such a development of the crisis. The loss of credibility creates a new crisis that can be accounted to organisational misdeed with no injuries, as Target has deceived stakeholders’ perception of the crisis implications. Therefore, Target becomes exposed to potential litigations that can affect the financial circumstances of the organisation. In order to rebuild the corporation reputation, Target offers compensation through free credit monitoring services and corrective actions to prevent a similar crisis in the future. The supplementary response to the mishap by minimisation of the data is thus in line with Coombs’ guidelines expression that rebuild strategies should be applied in cases of preventable crises. It is argued that the offspring crisis is preventable as Target could have minimised the crisis but still be resolute in their reaction to the crisis. Meanwhile, Target could assure stakeholders that the organisation would take the crisis seriously in terms of corrective actions. Benoit (1997: 178) noted: “perceptions are more important than reality”. But even if the crisis response strategy through minimisation makes stakeholders perceive the crisis as a minor threat the perception is altered
Page 23 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks negatively when the reality is uncovered from a third-party. This would cause the crisis response strategy to backfire as the initial perception was misleading. Consequently, consumers would question whether or not their credit card information is safe due to the misleading communication on the issue by Target and on that rationale stop shopping at the stores.
The legitimisations with moral evaluative features serve to induce a set of values towards the crisis framed by the organisations. The evaluations most evident in the articles induce the values through evaluative adjectives. However, Sony’s CEO statement employs analogies in form of military comparisons of the crisis that persuades the stakeholders in the PlayStation Network to perceive the hackers as enemies and they should endorse Sony as the defender of the people against that enemy. That specific approach of legitimisation can be argued to function well in a patriotic country, such as USA, due to the national pride and the general endorsement on military in USA. But, this sort of legitimisation can induce strong emotions of negative character in the receiver dependant on the values in the individual and the cultural influence that can be difficult to control in connection the socially constructed reality of the receiver. Likewise, an abundance of evaluative adjectives can become overly identifiable for the receiver and the persuasive elements of the legitimisation will thus loose effect as receiver would questions the legitimacy of the evaluations.
The legitimisation through authority, namely impersonal authority, legitimises the crisis as severe through the inclusion of FBI and other federal agencies in the investigation. However, this form of legitimisation conflicts the rationale behind minimisation as a crisis response strategy per classification, while interference by FBI is not deemed minimal attribution to a perception of a crisis. In the case of data breaches, it can however also signify that the worst-case-scenario of a data breach is severe, while in reality the impending crisis may not have be severe to accommodate stakeholders’ concerns. Additionally, the authority of tradition translates well into crises with no crisis history or negative prior relational reputation as organisations can further reduce reputational threat thereby due to their legitimised credibility through corporate history.
Lastly, the application of instrumental rationalisation denotes a purpose in the legitimisation that translates well into corrective actions through emphasis on the organisation’s ability to respond to the crisis and prevent it in the future. Whereas, the theoretical rationalisation connotes a reaction to a crisis as “the way things are” (Van Leeuwen 2007: 103). That reflection denotes a reaction and acceptance of a contemporary situation rather than a proactive prevention of future potential crises, which is identifiable in the mortification crisis response strategy. It should be applied to a case of high reputational threat as rebuild crisis response strategies. Hence, in cases with either minimal attribution of crisis responsibility, no history of crises or negative prior relationship reputation the mortification vaguely embedded in the application of theoretical rationalisation is ill-advised.
Page 24 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
In summary, the opportune crisis response strategy for data breaching immediately determines the crisis as malevolence providing minimal attributes of initial crisis responsibility and assesses the reputational threat in order to determine the crisis history and prior relational reputation .The level of reputational threat thus regulates to which extent the organisation should deny, diminish or rebuild with regards to Coombs’ SCCT (2007). Importantly, the reputational threat can increase if the legitimised response is deemed misleading, exemplified in the case of Target. Finally, the communication practitioner should recognise that the discourse can be interpreted differently by each individual stakeholder and the reaction to the crisis response can thus differ depending on the perception affected by culture and history.
7. Conclusion and implications The final section of this thesis will conclude on the identified critical features to the contribution of crisis communication specifically in the event of a data breach. Thus it provides cohesion in the assessment of contemporary theory with an interpretation targeted towards this niche segment of crisis communication. Suggestions for future research within this niche segment will be presented to scrutinise further.
This thesis has analysed two cases of data breaching against Sony and Target and identified characteristics of such a crisis in connection to opportune strategies and pitfalls. The analysis of crisis response strategies and discourse in the two cases has determined data breaching as an IT crisis with evident traits of malevolence that encourages communication practitioners to employ victimage as a crisis response strategy. Both cases initially had minimal attributions of crisis responsibility, however due to poor crisis communication the reputational threat overall increased as the organisations were unable to respond optimally to the data breaches. Therefore, it is important to learn from the cases, so the poor crisis communication will not occur again.
Organisations should prioritise the protection of credit card information as stakeholder safety in their crisis response strategies to avoid misleading stakeholders. If they refrain from this notion, the strategy can backfire through lost credibility leading to a weakened corporate reputation that will amplify the reputational threat in the future. The reputational threat can translate to financial expenses through either litigations or negative stock development. Hence, it is advised to emphasise a respect for potential crises, even though an organisation legitimises it as minimal. However with this mix of crisis strategy response, organisations can connote responsibility, if a crisis should occur in reality.
If a supplementary preventable crisis through organisational misdeed ensues the organisation should exercise rebuilding to adjust to the stronger attribution of crisis responsibility following the weakened corporate
Page 25 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks reputation. Otherwise, the opportune strategy should be coherent in the crisis communication to avoid erosion of the effectiveness of crisis responses. Corporate reputation can become damaged if the stakeholders begin to question the incoherence of applied crisis response strategies. Therefore, it is vital for organisations to be immediate as well as decisive, when responding to a crisis.
To broaden the contemplation of crisis communication following data breaches, it can beneficial for researchers to investigate the cases from a receiver-oriented perspective. Thus, the corporate reputation and reputational threat regulated by stakeholders can evaluate the crisis response strategies in-depth in different segments. Alternately, the development of crisis communication following data breaches can be analysed in recent instances, thus further elevating theory to aid communication practitioners in their efforts.
8. References Burr, V. (2003) Social constructionism. London: Routledge.
Ciborra, C. (1998) Crisis and foundations: an inquiry into the nature and limits of models and methods in the information systems discipline. The Journal of Strategic Information Systems, 7(1), pp.5-16.
Cheney, J. (2010) Heartland Payment Systems: Lessons Learned from a Data Breach. SSRN Journal.
Coombs, W. (2006) The Protective Powers of Crisis Response Strategies. Journal of Promotion Management, 12(3-4), pp.241-260.
Coombs, W. (2007) Protecting Organization Reputations During a Crisis: The Development and Application of Situational Crisis Communication Theory. Corporate Reputation Review, 10(3), pp.163-176.
Timothy Coombs, W., Frandsen, F., Holladay, S. and Johansen, W. (2010) Why a concern for apologia and crisis communication?. Corp Comm: An Int Jnl, 15(4), pp.337-349.
Cornelissen, J. (2011) Corporate communication: A guide to theory and practice. Thousand Oaks, CA: SAGE Publications.
Page 26 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
Corporate Target (2015) Target through the years. [Online]Available at: https://corporate.target.com/about/history/Target-through-the-years [Accessed 4 May 2015].
Daymon, C., & Holloway, I. (2011) Qualitative Research Methods in Public Relations and Marketing Communications (2 ed.).New York, NY, USA:Routledge.
Fairclough, N. (1992) Discourse and Text: Linguistic and Intertextual Analysis within Discourse Analysis. Discourse & Society, 3(2), pp.193-217.
Frandsen, F. and Johansen, W. (2010) Apologizing in a globalizing world: crisis communication and apologetic ethics. Corp Comm: An Int Jnl, 15(4), pp.350-364.
Hearit, K. (1994) Apologies and public relations crises at Chrysler, Toshiba, and Volvo. Public Relations Review, 20(2), pp.113-125.
Hearit, K. (1999) Newsgroups, activist publics, and corporate apologia: The case of Intel and its Pentium chip. Public Relations Review, 25(3), pp.291-308.
Heath, R. L. and Millar, D. P. (2003) Responding to Crisis: A Rhetorical Approach to Crisis Communication. Lawrence Erlbaum Associates: New Jersey
The Huffington Post, (2015) 'Welcome Back': Sony's Make-Up Package For PSN Hack. [Online] Available at: http://www.huffingtonpost.com/2011/06/03/welcome-back-sony-playstation-network- program_n_871167.html [Accessed 4 May 2015].
Kim, J., Kim, H. and Cameron, G. (2009) Making nice may not matter: The interplay of crisis type, response type and crisis issue on perceived organizational responsibility. Public Relations Review, 35(1), pp.86-88.
Li, C. and Bernoff, J. (2011) Groundswell: Winning in a world transformed by social technologies. United States of America: Harvard Business Press.
New York Times (2013) Target Struck in the Cat-and-Mouse Game of Credit Theft. [online] Available at: http://www.nytimes.com/2013/12/20/technology/target-stolen-shopperdata.html? src=me&ref=general&_r=0 [Accessed 4 May 2015]
NewsCred (n.d.) Social Media Crisis Communication: Lessons From Target’s Data Breach. [online] Available at: http://blog.newscred.com/article/social-media-crisis-communication-lessons-from-targets-data- breach/f3568a27345ecac5ea5154da86d90343 [Accessed 4 May 2015].
Nightingale, D. and Cromby, J. (2002) Social Constructionism as Ontology: Exposition and Example. Theory & Psychology, 12(5), pp.701-713.
Palermo, E. (2015). 10 Worst Data Breaches of All Time. [online] Tom's Guide. Available at: http://www.tomsguide.com/us/biggest-data-breaches,news-19083.html [Accessed 4 May 2015].
PC World (2011) PlayStation Network Hack Timeline. [online] Available at: http://www.pcworld.com/article/226802/playstation_network_hack_timeline.html [Accessed 4 May 2015].
Schuman E. (2007) The TJX Data loss and security breach case. The Case.
Searle, J. R. (1995) The construction of social reality. London: Penguin
Statista, (2015) PlayStation Network: number of accounts 2013 | Statistic. [online] Available at: http://www.statista.com/statistics/272639/number-of-registered-accounts-of-playstation- network/ [Accessed 4 May 2015].
Page 27 of 28 Bachelor thesis in Marketing and Management Communication May 2015 Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks
Target (2015) Target : REDcard. [online] Available at: http://www.target.com/redcard/main [Accessed 4 May 2015].
Tench, R. and Yeomans, L. (2009) Exploring public relations. Harlow, England: FT Prentice Hall.
Van Leeuwen, T. (2007) Legitimation in discourse and communication. Discourse & Communication, 1(1), pp.91-112.
Venturebeat (2011) Chronology of the attack on Sony’s PlayStation Network. [online] Available at: http://venturebeat.com/2011/05/04/chronology-of-the-attack-on-sonys-playstation-network/ [Accessed 4 May 2015].
Yahoo! Finance (2015) SNE Historical Prices | Sony Corporation Common Stock Stock - Yahoo! Finance. [online] Available at: http://finance.yahoo.com/q/hp? s=SNE&a=03&b=20&c=2011&d=04&e=20&f=2011&g=d [Accessed 4 May 2015].
Wartick, S. (2002) Measuring Corporate Reputation: Definition and Data. Business & Society, 41(4), pp.371- 392.
Wall Street Journal (2013). Target’s Data-Breach Timeline. [online] Available at: http://blogs.wsj.com/corporate-intelligence/2013/12/27/targets-data-breach-timeline/ [Accessed 4 May 2015].
Page 28 of 28