Michael Schonheit s2135485 Master’s Thesis 02/10/2020

Effective Crisis Response Communication and Data Breaches: a comparative analysis of corporate reputational crises

Master’s Thesis Crisis and Security Management

Table of Contents


1 Introduction 2
2 Literature Review
2.1 Placing data breaches within the cybersecurity discourse 6
2.2 Paradigm Shift: From Prevention to Mitigation 10
2.3 Data Breach by Hacking: A Taxonomy of Risk Categories 12
2.4 Economic and reputational Impact on organizations 15
2.5 Theoretical and empirical communication models for data breaches 16
3 Theoretical Framework
3.1 Organizational Crises: An introduction to framing and perceived responsibility 21
3.2 Attribution Theory and SCCT 23
3.3 Crisis Types and Communication Response Strategies 24
3.4 Intensifying Factors: Crisis Severity, Crisis History, Relationship Performance 25
3.5 Communication Response Strategies 27
3.6 SCCT Recommendations and Data Breaches 30
3.7 SCCT and PR Data Breaches by Hacking 32
4 Methodology
4.1 Operationalizing SCCT in the Context of Data Breaches 35
4.2 Stock Analysis and News Tracking: Assessing cases on varying degrees of reputation recovery 36
4.3 Refining the Case Selection Framework and the Analysis Process 40
4.4 Intra-periodic Analysis and Inter-periodic Analysis 43
5 Analysis
5.1 Narrowing the Scope: Building the Comparative Case Study 44
5.2 Statistical Recovery: Stock and Revenue Analysis 49
5.3 News Media Tracking and Reputation Index Scores 58
6 Discussion
6.1 Intra-periodic Analysis: Assessing Organizational Responses 72
6.2 Inter-periodic analysis: Verifying the Initial Propositions 74
7 Conclusions 77
8 Appendix 79
9 Bibliography 79

1. Introduction


With the emergence of the digital economy, cybersecurity has rapidly become a critical aspect for organizations to thrive and maintain their core business activities. As business information and communication systems become increasingly reliant on digital technology, organizations have an imperative to protect them, and the data contained therein, against an ever-evolving landscape of cyber threats. While providing organizations with undeniable development opportunities, the unremitting trend of digitalization has concomitantly brought new risks to their survival. In tackling this so-called “dark side of digitalization”, the paramount objective of cybersecurity revolves around preserving the availability, integrity and confidentiality of online data (MERGroup, 2020). As early as 2015, IBM CEO Ginni Rometty emphatically asserted that data “is the world’s new natural resource”, consequently making cybercrime “by definition, the greatest threat to any industry” (Morgan, 2017). With the current volume of online data over 50 times larger than it was at the time, drastically increasing the magnitude of the cyber-attack surface, this statement now feels quite prophetic (ITRC, 2020; Morris, 2020).

While cyber threats at large encompass any “malicious act that seeks to damage data, steal data, or disrupt digital life”, with a 4300 percent increase in online data creation from 2019, online data breaches represent one of the most recurrent and damaging cyber incidents for organizations worldwide. The Risk Based Security year-end report (2020) estimates that in 2019 alone a total of 15.1 billion records were reportedly exposed to unauthorized use of confidential information. This figure represents an all-time high, a 284% increase compared to 2018, confirming a constant trend throughout the last decade (Sobers, 2020; Winder, 2019; Lavelle, 2020). Although information breaches in the physical world well preceded the current wave of digitalization, online data breaches nowadays are stealing the show. Strikingly, compared to their “physical” counterpart, online data breaches are highly dependent on factors endogenous to organizations, including inconsistent data retention and handling policies, internal misuse, system vulnerabilities and human error. Nevertheless, for the exposed records to be leveraged into identity theft or fraudulent abuse of confidential information, data breaches still depend on the illegitimate doings of external actors proactively exploiting unauthorized access to this data. As reported by Goddijn & Kouns (2020), “Hacking, defined as unauthorized intrusion into systems, has been the top breach type by number of incidents for every year of the past decade except for 2010”. In order to depict this pattern and narrow the scope of this research, we adopt Martin’s (2019) definition of data breach, as it well captures an element of intentionality: “A data breach occurs when there is an unauthorized entry point into a corporation’s database that allows cyber hackers to access customer information”.
Cyber-dependent methods for gaining unauthorized access to organizations’ restricted information include but are not limited to: , emails, DDoS attacks, backdoor exploitations, and Trojan horses. Looking at the statistics for these attack vectors, combined with data exposed through unintentional leakages, data breaches impose unparalleled monetary costs on organizations worldwide (MERGroup, 2020; Arghire, 2020).

In particular, the gap between the economic damages of online breaches and the security capabilities of organizations to counter this phenomenon seems to be widening. In fact, despite the steady rise in organizations’ awareness and security investments to defend against cyber incidents, the measures implemented have so far had limited effect in containing their impact. While total cybersecurity expenditures of organizations worldwide have risen from approximately 113 billion dollars in 2015 to 173 billion in 2020, in the same timeframe the costs of data breaches and cybercrime at large have doubled, reaching an astonishing total of 6 trillion dollars (Columbus, 2020). This notable disproportion can be accounted for by delving into the types of damages that businesses are confronted with. Direct costs affecting organizations suffering a data breach include business disruption and recovery, forensic investigations, legal proceedings, regulatory fines, credit monitoring for customers, and crisis management advisory. However, these constitute just the tip of the iceberg. In the aftermath of a data breach, organizations are often confronted with reputational damage and loss of consumer trust, which represent far more impactful consequences, with the potential to turn the cyber incident into a corporate reputational crisis (Kim et al., 2017; Wang et al., 2017). These indirect costs usually affect businesses in the long run, protracting damages over time and representing the greatest challenge of all for organizations undergoing a data breach.

The distinction between direct and indirect business damages produced by a data breach is particularly relevant for defining the room left to organizations to effectively reduce the impact of a data breach. While, as discussed, cyber incidents for the most part cannot be entirely prevented by establishing all-encompassing cybersecurity measures, reputational damages are largely connected to the public perception of an organization undergoing a cyber crisis, and can thus be mitigated by handling the incident response phase with effective crisis communication strategies (Kim et al., 2017; Wang et al., 2017). This reasoning is one of the core foundations of crisis management as a field. Because of the uncertainty surrounding the traits of a crisis, these events cannot be entirely anticipated ex ante, and adopting an exclusively preventive approach has proved to be widely inefficient. Rather, by emphasizing the larger impact of the indirect reputational costs produced by data breaches, this research focuses on mitigation strategies that can be applied to reduce the impact of such events on organizations. In particular, as will be discussed in the next section, dedicated to the theoretical foundations of this research, damages to a company’s reputation, and its image in general, are strictly connected to the public perception of that organization and the crisis it navigates through.


The present research aims, in fact, at studying crisis response communication strategies that organizations can employ to effectively reduce reputational damages and loss of consumer trust. As Harrison (2007) observed: “A fundamental principle in the field of crisis management is that there are vital and strategic communication methods that help deal with events that can negatively influence an organization” (41). By investigating this matter, the goal of this study is to derive, from the analysis of concrete cases of corporate reputational crises in the aftermath of data breaches, an assessment of how organizations can mitigate reputational damages through crisis response communication strategies. In doing so, this research will compare cases of corporate data breaches that vary in their degree of financial and reputational recovery from the crisis. Extrapolating communication strategies from this comparative analysis, this study aims at verifying their impact on the organizations’ recovery trends, as well as checking their validity within the body of theory on the matter. Furthermore, as discussed more in depth in the upcoming sections of this research, the vast majority of academic works that study data breaches focus on the legal and technological aspects of the phenomenon, leaving the intersection with response communication strategies as an under-researched domain. In turn, from the crisis communication academic stream, as stressed by Kim et al. (2017), “there is lack of scholarly research about data breaches in public relations and other communications-related journals”. In general, many authors have contended that the field of cyber crisis management remains vastly overlooked (Hawkins, 2017; Kim et al., 2017).

This is not to say that within the field of crisis communication at large, the effectiveness of best practices adopted in the response phase is not already a controversial matter. While several contributions have discussed communication tactics that can help contain reputational damages during a corporate crisis, only a few studies have concretely tested their effectiveness (Sandman, 2006; Coombs, 2007a; Coombs, 2010; Robertson, 2012; Avery & Park, 2014; Park, 2017; Laufer et al., 2018). As early as 2007, Coombs affirmed the need to shift attention towards validating and applying those theoretical formulations that guide crisis communication managers in their tasks. Given the severe impact that reputational crises can have on society as a whole, Coombs asserts that field operators “need recommendations that are based on scientifically tested evidence rather than speculation” (2007, p. 7). The speculative stance of most of these unverified conjectures is evident from the work of Avery & Park (2014). The authors discuss the fact that the field of crisis communication has been widely driven by the notion of self-efficacy as a predictor of behavioral responses to a crisis. Introducing the concept of crisis efficacy, Avery and Park contended the need to study the impact of communication strategies with the audience as the primary target, instead of reflecting the validity of such interventions merely towards the organization itself (2007). This contention stresses the need to test communication strategies for their effectiveness in relation to the perception of the selected audience. In this regard, this research sets up the study of corporate crisis communication by analyzing the effect of response strategies in relation to the target audience of consumers affected by the event. As, in the words of Timothy Coombs, crisis management is “a nexus of praxis where theory and application must intersect”, it seems logical to assume the marginal attention given to verifying the best ways to communicate during a crisis as the research problem of this study (2010, p. 22). As “theories and principles should help to improve crisis management rather than being academic exercises”, this research aims at contributing to verifying why and how some organizations communicate more effectively during a crisis (Coombs & Holladay, 2010, p. 21). This paper aims at contributing to the study of this phenomenon by posing the following research question: “Why do some organizations maintain their reputation with their consumers in the aftermath of a data breach, while others fail to do so?”

2. Literature review

2.1 Placing data breaches within the cybersecurity discourse.

The following chapter of this research is dedicated to identifying prominent themes emerging from the literature on data breaches, and to exploring the intersection with crisis communication as the academic vacuum that this study aims at bridging. Before delving into the state of the art by examining relevant academic sources, we need to define what a data breach means from a cybersecurity perspective. The initial definition of a data breach in terms of an “unauthorized entry point into a corporation’s database that allows cyber hackers to access customer information” is certainly instrumental for discussing these events from a corporate communication standpoint, but lacks a clear placing within the cyber world (Martin, 2019). Are data breaches in and of themselves a specific category of cybercrime? This brief excursion will try to contextualize and answer this question, with the intent of delineating more accurately the object of inquiry of this study by shedding light on the technical contours of data breaches. In the introductory section we looked at the growing occurrence of cyber data breaches, and the impactful consequences they pose, directly or indirectly, for organizations.

When it comes to appreciating the scale of an adverse phenomenon, be it the infant mortality rate in sub-Saharan Africa or the recent spread of COVID-19, nothing portrays the gravity of the situation more effectively than its incidence rate in a reference time period. A Clark School study at the University of Maryland conducted by Michel Cukier in 2007 was one of the first to quantify the number of cyberattacks that hit network-facing computers on a daily basis. By monitoring their attack surface, the researchers concluded that the tested computers were hit by a cyberattack on average every 39 seconds. This figure, later increased to approximately 1 attack every 20 seconds, can, not unlike statistics on epidemics or socio-economic disasters, lead to misinterpretations when taken out of context (,2016). In fact, not all cyberattacks carried out by hackers are successful. To be sure, only a residual minority of attempted hacks manage to reach the desired goal. In this regard, cyber risk management brings forward a critical differentiation between cyber events and cyber incidents. The first group generally refers to any “change in the normal behavior of a given system, process, environment or workflow” (Miller, 2019). Events have the potential to affect risk levels but do not necessarily bring negative consequences for the organization, something that needs to be verified by recording and analyzing the event. A suspicious email, a software download, and any unmapped activity is, therefore, a cybersecurity event. Among these changes, those that compromise the integrity, confidentiality or availability of information assets are defined as cybersecurity incidents (Danielson, 2017).

The eventual compromise of the well-known CIA triad (confidentiality, integrity, availability) of company data effectively stands, in information security, as the line of demarcation between simple events and impactful incidents (Marden, 2018; Rouse, 2020). That same suspicious email turning out to contain a malicious payload, or that software download being in fact a drive-by download unintentionally installed on the system, turns those events into cybersecurity incidents (Huq, 2015). In other words, as summarily stated by Jason Miller (2019): “All incidents are events, but not all events are incidents”. The distinction between incidents and events is a fundamental step in information security management. By collecting alerts and correlating events generated by software and network hardware, security teams complement the monitoring activity performed by Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), reviewing log data and identifying security risks. This process, which can optimally be executed through Security Information and Event Management (SIEM) technology, allows security teams to filter out false positives (simply put, events that do not qualify as incidents) and redundant data, so as to focus monitoring and remediation tasks on high-priority issues. As reported by Leal (2019), ISO 27001, the leading standard for information security management, clearly outlines the importance of discerning between these phenomena, which “can have a significant impact on the effort, and costs, of security management”.

As the main objective of cyber event examination remains the detection and management of potential incidents, the problem is not simply one of finding the most efficient allocation of security resources. Rather, security teams monitor changes in an organization’s environment to prevent adverse phenomena from escalating further and damaging company assets, a task which, as anticipated in the introduction, can prove extremely arduous (Lopes et al., 2019). Among the different types of cyber incidents that threaten organizations, data breaches stand out for being considerably hard to detect, especially in a timely manner. In dealing with security breaches the response time is a crucial element, as “the longer it (the response) takes, the more likely an attacker is to find and exfiltrate the organization's information” (Chickowski, 2013). There are several factors that hinder the identification of alerts generated by an ongoing data breach. Firstly, from a structural perspective, after the access event there is a limited amount of observable traces left by attackers until the stolen data emerges elsewhere. This limitation relates to the methodological nature of data breaches and will be discussed in detail in the upcoming section. Other factors are instead contingent on the specific cyber maturity of a given organization, including poorly implemented automated solutions for event monitoring such as a SIEM, and inefficient coordination among different security and operations team members (Lopes et al., 2019; Marden, 2018; Verizon, 2020).

While these challenges affect security response capabilities in the real world, they also influence the theoretical placing of data breaches at the intersection between events and incidents. Given the scarcity of events attributable to data breaches, even those that do not actually lead to the compromise of information assets are often regarded as security incidents. In fact, the definition of cyber incidents put forward by CERT in 2001 includes “attempts to gain unauthorized access” (Pham, 2001). In a similar fashion, the SANS guidelines reported in the publication “Information Security Reading Room” originally counted “attempts to harm” as cyber incidents (2001, 8). This reasoning, although stemming from the difficulty in discerning impactful events related to security breaches, has the indirect consequence of blurring the boundaries between events and incidents. In fact, more recent publications do not endorse this approach. Miller (2019) reinforces the difference between attempted breaches and actual breaches, claiming that:

“If you count breach attempts as incidents, you may have more incidents than what actually occurred. This mistake creates white noise and alarm fatigue. It also makes the collected incident data less valuable.”

To avoid similar repercussions, we consider as a subset of cyber incidents only those data breaches that have de facto procured unauthorized access to an organization’s system. This choice is coherent with the Data Breach Investigations Report published by Verizon (2020), which clearly conceptualizes a data breach as “An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party”. Looking back at the statistics on cyberattacks (events) presented at the beginning, we have now reduced the scope of this research to those that compromise the CIA of information assets (incidents) through unauthorized access (data breaches). Although the total count (previously attested at 1 every 20 seconds) is bound to drop significantly, it is very hard to come up with a precise estimate. In addition to the problem of detection discussed earlier, even successful data breaches often remain underreported (ITRC, 2020). Among others, Campana (2009), who analyzed information security risk patterns among different industry sectors, asserted that only around 1 in 100 data breaches is reported to the public. More importantly for the purpose of this research, even fewer data breaches, even if successful and properly reported, eventually turn into corporate reputational crises for the victim organization. Borrowing the definition of reputational crisis put forward by Zyglidopoulos and Phillips (1999), this happens when data breaches turn into “widely publicized, highly-negative events that lead important stakeholders to reevaluate their impressions” of an organization (3). Figure 1.1 outlines the conceptualization of the object of inquiry of this research, which aims at studying data breaches by interpreting these phenomena as root causes of corporate reputational crises, hereinafter referred to as “PR Data Breaches”.
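The triage described in this section and the previous one (every alert is an event; only a compromise of confidentiality, integrity or availability makes it an incident; only confirmed disclosure to an unauthorized party makes an incident a data breach; attempts must not be counted as incidents) can be expressed as a small filter over a SIEM-style alert feed. The following is an added illustration and is not part of the thesis or of any of the cited reports: the pipe-separated line format, the field names and the sample alerts are constructed for this example.

```python
"""Event / incident / confirmed-breach triage over constructed SIEM-style alert lines.

Applies three distinctions from the text:
  - every alert is an *event* (Miller, 2019);
  - an event is an *incident* only when it actually compromises the confidentiality,
    integrity or availability of an information asset (Danielson, 2017); a mere
    attempt stays an event, so it neither counts as an incident nor feeds alarm fatigue;
  - an incident is a *data breach* only on confirmed disclosure to an unauthorized
    party, not on potential exposure (Verizon, 2020).
The line format, field names and sample alerts below are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample feed. Assumed format (pipe-separated):
#   timestamp|source|description|outcome|impact|disclosure
# outcome    : attempted | succeeded
# impact     : letters from C (confidentiality), I (integrity), A (availability); "-" for none
# disclosure : confirmed | potential | none
SAMPLE_FEED = """\
2020-02-01T08:00:12Z|mailgw|suspicious email quarantined|attempted|-|none
2020-02-01T08:03:40Z|edr|macro payload executed on WS-17|succeeded|I|none
2020-02-01T08:05:02Z|idp|12 failed logins for svc-backup|attempted|-|none
2020-02-01T08:05:02Z|idp|12 failed logins for svc-backup|attempted|-|none
2020-02-01T09:10:55Z|idp|svc-backup login from unknown ASN|succeeded|C|potential
2020-02-01T09:41:19Z|proxy|2.3 GB upload from DB-02 to external host|succeeded|C|confirmed
2020-02-01T11:00:00Z|waf|volumetric flood on www|succeeded|A|none
"""


@dataclass(frozen=True)
class Event:
    timestamp: str
    source: str
    description: str
    outcome: str
    impact: frozenset  # subset of {"C", "I", "A"}
    disclosure: str

    @property
    def fingerprint(self) -> tuple:
        # An alert emitted twice carries no new information: redundant data is dropped.
        return (self.timestamp, self.source, self.description)


def parse_feed(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, desc, outcome, impact, disclosure = line.split("|")
        letters = frozenset() if impact == "-" else frozenset(impact)
        if not letters <= {"C", "I", "A"}:
            raise ValueError(f"unknown impact code in line: {line}")
        events.append(Event(ts, src, desc, outcome, letters, disclosure))
    return events


def is_incident(ev: Event) -> bool:
    # CIA compromise is the line of demarcation; an attempt alone never qualifies.
    return ev.outcome == "succeeded" and bool(ev.impact)


def is_data_breach(ev: Event) -> bool:
    # Verizon (2020): confirmed disclosure, not just potential exposure.
    return is_incident(ev) and "C" in ev.impact and ev.disclosure == "confirmed"


def triage(events: List[Event]) -> Dict[str, int]:
    """Deduplicate the feed and count events, incidents and confirmed breaches.
    The last key shows the inflation Miller (2019) warns about when attempts
    are counted as incidents."""
    seen: Set[tuple] = set()
    counts = {"events": 0, "incidents": 0, "data_breaches": 0,
              "duplicates_dropped": 0, "incidents_if_attempts_counted": 0}
    for ev in events:
        if ev.fingerprint in seen:
            counts["duplicates_dropped"] += 1
            continue
        seen.add(ev.fingerprint)
        counts["events"] += 1
        if is_incident(ev):
            counts["incidents"] += 1
        if is_data_breach(ev):
            counts["data_breaches"] += 1
        if is_incident(ev) or ev.outcome == "attempted":
            counts["incidents_if_attempts_counted"] += 1
    return counts


if __name__ == "__main__":
    for key, value in triage(parse_feed(SAMPLE_FEED)).items():
        print(f"{key:32s} {value}")
```

On the constructed feed, seven alerts reduce to six events once the repeated login alert is dropped; four of them compromise an information asset and are incidents, but only the confirmed upload from the database host is a data breach in the Verizon sense. Counting the two attempts as incidents as well would raise the incident figure from four to six, which is the distortion the text attributes to older CERT and SANS definitions.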

Figure 1.1


2.2 Paradigm Shift: From Prevention to Mitigation

Despite the contextualization carried out in the previous section, in the introduction we emphasized how cybercriminals typically find themselves ahead of the security curve. No matter how systematically and consistently organizations commit to their avoidance, data breaches are bound to happen. As stated by Todd Feinman, CEO of Identity Finder, “Organizations in all industries must stop working under the assumption of “if,” and instead, build strategies around “when” a data breach will occur” (2015). This highlights the need to abandon a purely preventive approach and complement it with mitigative measures. In itself, prevention is at times the most effective mitigative measure: to avoid contaminating public reserves of fresh water, an oil company does not build its pipelines on top of a river spring. However, as in the case of unforeseeable natural disasters such as Hurricane Katrina, which exposed the failures of the system of pumps and canals designed to protect the city of New Orleans, preventive measures are far less effective. When prevention is unattainable or too costly, the imperative is to accept the risks and mitigate the consequences (Comfort et al., 2010; Wisner et al., 2012; Sen and Borle, 2015). In the cyber world, and specifically when dealing with data breaches, where both the probability and impact of adverse events are high, it is important to complement protection with detection and recovery measures. This mixed approach, embodied in the National Institute of Standards and Technology (NIST) framework, is the fundamental pillar of cyber risk management, which constitutes the academic landscape for this research (Deloitte, 2016; Krumay et al., 2018). However, this transition from prevention to mitigation does not only exist as a problem for security teams out there in the real world, but is widely reflected in the academic field (Sen and Borle, 2015). It was anticipated in the introduction how the majority of contributions addressing data breaches tend to focus on the technical analysis of their execution and the relevant legislative context. This largely follows the traits of popular wisdom, much as it would happen in the physical world. After a crime is committed, the first questions generally posed revolve around the characteristics of the illegal act performed and the legal consequences pending on the perpetrator.

However, contextualized in the cyber world, these themes are still part of an agenda that largely prioritizes a preventive approach. Studying the attack sequence of a data breach by hacking has the ultimate goal of exposing potential vulnerabilities and improving organizations’ resilience against future events. Similarly, the system of liabilities imposed in a given legal system has the underlying intent of deterring offenders and simultaneously encouraging organizations to invest in their information security systems to prevent unintended disclosures of information. Although tackling the issue from two diametrically opposed standpoints, studies that address these dimensions reiterate the same conceptual stance, by setting as their overarching goal the avoidance of data breaches entirely. With this, we do not mean to undervalue the relevance of contributions which delve into the technological and legislative aspects of data breaches, which in fact will be discussed in the upcoming sections. The added value of these contributions is to sustain a comprehensive understanding of the phenomenon, and as such they are particularly valuable for investigating the subject. However, as argued by Kim et al. (2017), there is a substantial lack of scholarly research that deals with data breaches from a cyber crisis management standpoint, and particularly in terms of crisis communication.

By looking at the landscape of academic sources on the matter, however, it is possible to differentiate among some thematic branches that communication-related publications have previously dealt with. These streams are categorized as follows and will be covered in corresponding sub-chapters of this literature review. First, several authors have dealt with issues connected to the definition of the phenomenon and key terminology, a line of thought that was partly covered in the previous section and that will be addressed in the upcoming section dedicated to a taxonomy of data breaches as well as to their technological aspects. A second theme, which appears to be the dominant subject matter, relates to the impact of data breaches on organizations, both from an economic and a reputational perspective. Thirdly, and arguably closer to the intent of this research, several authors have dealt with the analysis of public announcements and reports in the aftermath of data breaches, which constitute rare examples of empirical research on the subject. The division between first-hand observations and theoretical contributions is a key juncture in relation to studies that deal with communication response strategies at large. The difference lies in the fact that while the majority of studies aim at creating communication models that can orient organizational responses to data breaches, applying theoretical assumptions to the general context of data breaches, only a few have gone as far as to test these projections on concrete cases of security breaches, validating or disproving such contentions. Within this third category, departing from the topic of data breaches specifically, several contributions which tested the efficacy of crisis communication responses to different types of reputational crises are consulted to strengthen the academic relevance of this research. In fact, the analysis of the aforementioned groups of academic sources will illustrate that the intersection between data breaches and crisis communication is one that emerges, reciprocally, from both sides of this academic spectrum. This is to say that while data breach research has overlooked crisis communication strategies as a domain of interest, academic works stemming from the field of crisis communication have rarely contemplated data breaches as types of reputational crises for their investigations.

2.3 Data breach by hacking: a taxonomy of risk categories.

It is not surprising that, given the novelty of the phenomenon, an extensive body of literature is centered around analyzing cyber data breaches from a taxonomic perspective (Kim et al., 2017; Khan et al., 2019). This chapter reflects this academic stream, attempting to classify data breaches from a risk management perspective. Risk and crisis management in the cyber world share the same locus and a close relation. For instance, in addition to offering a model that combines prevention and mitigation, the NIST framework includes response measures within the mitigation cycle. It follows that within the cyber environment the risk and crisis management dimensions can be de facto reconciled. This is exemplified by the practices of professional service multinationals such as Deloitte or PwC, whose cyber crisis and cyber risk management programs include both risk mitigation and crisis response products in their pipelines (Goldberg et al., 2012; Deloitte, 2016; Baskerville et al., 2014). What derives from this reasoning is that, to compose a taxonomy of data breaches, it is instrumental to categorize them within the risk management discourse at large. Following this leitmotiv, the work by Khan et al. (2019) offers a classification of data breaches based on three risk categories: data breach causes, data breach locus, and data breach impact. These categories are the result of an extensive review performed by the authors and coincide with the most recurrent threads emerging from works that deal with defining data breaches as a phenomenon. The so-called locus, as theorized by Wall and Hayes (2000), brings forward a key distinction between physical and logical data breaches, with the latter category being the one under investigation. Logical data breaches as a class encompass any undue access to sensitive data perpetrated by technological means, including anything from the exploitation of vulnerable network infrastructure that leads to man-in-the-middle attacks, to the use of malicious software spreading viruses within the system (Culnan et al., 2008; Ryan et al., 2012; Huq, 2015; Modi et al., 2013). It is by looking at the data breach causes category that we can discern further among data breaches perpetrated in a digital environment. This risk category brings forward, fundamentally, a differentiation between intentionally and unintentionally produced data breaches, the latter of which can for a large part be referred to as data leakages (Khan, 2019). Examples of data leakages are normally attributed to disclosures of information “caused by individuals or processes not acting with malicious intent” (Elifoglu et al., 2018, p. 65). Within this class we find logical data breaches that see the participation of external actors only as accessory agents, such as in the case of the unintended disclosure of confidential data online or the use of unauthorized or flawed software by the victim party, as indicated by several authors (Johnson, 2008; Modi et al., 2013; Culnan et al., 2008). Procedural errors can therefore affect the security posture of organizations, creating the opportunity for third parties to leverage access to exposed information assets, an instance that according to Bennett et al. (2010) accounts for 43% of data breaches overall. However, interestingly enough, the vast majority of sources consulted recognize hacking as the main driver of data breaches, as depicted by the trend shown in Figure 1.2 (Verizon, 2020; Huq, 2015).

Figure 1.2

Source: Verizon 2020

It is precisely this sub-category of data breaches performed by hacking that, looking at the landscape of current corporate crises in terms of rate of occurrence and economic impact, represents the biggest threat to multinational corporations (Hawkins, 2017; Kim et al., 2017; Ganev, 2018; Zhou, 2020).


If hacking by definition pertains to the logical locus dimension, there is a variety of interpretations as to whether it always represents an intentional cause of a data breach. For instance, Khan et al. (2019) place the exploitation of vulnerabilities (such as unpatched software or the use of weak passwords) within the spectrum of unintentional breaches, because they originate from conditions internal to the organization that pre-exist the attack. On the other hand, Verizon, in a report published in 2020, extends the definition of hacking to obtaining access through stolen credentials (including weak passwords) and leveraging loopholes in security systems. While data breaches carried out using backdoors and Command and Control techniques are almost universally linked to hacking, there is little agreement in the literature on whether simple actions such as accessing a website with exposed credentials fall into this category or should instead be merely considered (unintentional) leakages.

However, by looking at the attack sequence of concrete cases of cyber data breaches, such as the ones that hit or the Australian National University, it is possible to draw a baseline definition of what is meant by a data breach by hacking. The reports on each incident used the MITRE ATT&CK framework to map the tactics employed in the attack sequences (Borkar and Goel, 2019). Comparing the results, it is evident that attackers can adopt a large variety of techniques to achieve the same goal. Fundamentally, despite contextual differences, the two cases shared two important tactical traits: both breaches started by gaining a foothold at an entry point (the Initial Access tactic in MITRE ATT&CK) and at a later stage extracted confidential information assets from the organization’s systems (the Exfiltration tactic in MITRE ATT&CK) (Borkar and Goel, 2019). Notably, according to the MITRE ATT&CK knowledge base, the Initial Access tactic can be executed through a number of distinct techniques. Among these, the most common are spear-phishing, the use of stolen credentials for existing (valid) accounts, and drive-by compromise (attack.mitre.org, 2019). However, as exemplified by the cases analyzed, this tactic also includes the exploitation of flaws or weaknesses in internet-facing applications and websites (listed in ATT&CK as Exploit Public-Facing Application) to bypass security controls, de facto expanding the definition of hacking. In this light, we can resolve the disparity of interpretations that emerged in the body of literature and consider as data breaches by hacking those that feature any cyber tactic aimed at accessing, and subsequently extracting, confidential information assets, regardless of the degree of contextual advantage eventually enjoyed by the attackers. Finally, we have retraced the academic fil rouge of risk management theory in the context of data breaches, addressing two of the three risk categories identified: data breach locus and data breach cause.
Having mapped data breaches by hacking as logical and intentional risks, in the next section we address the third risk category identified, data breach impact, a controversial and topical theme in the debate on security breaches.

2.4 Economic and reputational Impact on organizations


The third risk category put forward by Khan (2019) is data breach impact, which, as argued by Sen and Borle (2015), is the most conspicuously debated theme among scholars dealing with this matter. The definition extrapolated from the work of Huang et al. (2008) refers to data breach impact as the “adverse effect a data breach incident may have on an organization.” Khan et al. (2019), proceeding in their literature review, subdivide this last risk category into breaches that affect the different dimensions of the CIA triad: confidentiality, integrity and availability of information. The working definition of data breach that we previously derived from Verizon’s 2020 investigative report, which describes a breach as “the confirmed disclosure of sensitive data to an unauthorized party”, clearly refers, at a minimum, to incidents that impair the confidentiality of sensitive data. This is because the large majority of data breaches by hacking aim at obtaining access to protected information and exfiltrating data from secured systems, thereby affecting the confidentiality of such assets. To be precise, although the availability and integrity of data are at stake in specific, less common types of data breaches, these properties can additionally be impaired as an indirect consequence of confidentiality-aimed incidents. Cyber-attacks such as DDoS are specifically designed to prevent users from accessing an organization’s resources for a certain period of time, and are thus clear examples of availability breaches (Dutta et al. 2013; Kruse et al. 2017). Similarly, data-wiper malware leads to integrity-related breaches (and, once the data are destroyed, availability-related ones) by modifying or deleting information assets, and the same holds for the tampering with or destruction of intellectual property (Biener et al. 2015; Modi et al. 2013).

However, during a data breach aimed at accessing or stealing restricted information, such as the theft of medical records from a healthcare provider’s systems, the improperly accessed dataset can eventually be rendered unavailable or erased as a result of the intrusion. In fact, the level of impact suffered by victim organizations does not necessarily depend on which element of the CIA triad is infringed, but rather on the damage the incident produces (Cavusoglu et al. 2014; Klebnikov, 2019). For this reason, in place of a CIA-triad-based classification of data breach impact, it is instrumental to analyse this risk category from the perspective of the quantifiable damages that breaches impose on organizations. In other words, how, and how much, do data breaches affect the organizations involved? A closer look at previous works that dealt with measuring the impact of data breaches on organizations reveals that the costs faced by a breached corporation take a two-dimensional shape: economic and reputational damages (Sinanaj and Zafar, 2016). The first category comprises sanctions imposed by regulatory authorities and the legal fees of any ensuing proceedings, together with the financial impact registered on the markets in terms of stock valuation and revenue stream. The second relates to future consumer behaviour towards the organization, potentially affected by the deterioration of its image due to the scandal produced by the incident. With regard to both categories, however, there is an apparent academic divide on the extent to which data breaches produce harmful consequences for victim organizations. Among others, scholars such as Garg et al. (2003), Goldberg (2013), Cavusoglu et al. (2014), Rosati et al. (2019) and Gwebu et al. (2018), who have studied the financial impact of data breaches, argue that data breaches produce visibly negative stock market reactions in the aftermath of the public announcement of the incident. On the other side of the fence, Campbell et al. (2003), Kannan et al. (2007), Chemi (2014), Sinanaj and Zafar (2016), Klebnikov (2019) and Foltyn (2019) have extensively criticized the assumption that data breaches critically hamper the financial stability of the corporations involved. Among them, Klebnikov (2019) and Foltyn (2019) go as far as to claim not only that shareholders do not react negatively to the news of a data breach, but that breached organizations perform better in terms of stock valuation six months after the breach.

This divergence can be largely attributed to the type of study conducted: although most share an event-study methodology, they differ in practice in the period analysed after the breach, the statistical methods used, and the research goal driving each study. Ultimately, two common threads can be identified from reviewing these works. First and foremost, the sources reviewed uniformly contend that to accurately capture the impact of data breaches one should consider precisely the factors that characterize each incident: the number and nature of the records disclosed, the history and size of the organization, the period of time considered, and the type of breach executed. Secondly, precisely because of the heterogeneity of approaches and case selection criteria adopted, the original empirical question of how damaging data breaches are to organizations still lacks an all-encompassing answer. An important takeaway is that to find such an answer, the contextual characteristics of the event, such as the size of the organization or the period of time considered, should be isolated and controlled as independent variables.

2.5 Theoretical and empirical communication models for data breaches

As set out in section 2.2, within the literature on data breaches there is a peripheral research stream that deals with crisis communication. This cluster can be subdivided into scholars who focus on the theoretical premises for communicating adequately with the public when navigating a cyber-induced crisis, and those who aim at testing the validity of these projections by examining concrete cases. Standing out among the theorists, Wang and Park (2017) created a public communication model to guide organizations in cyber crisis management. This model sits at the juncture between crisis communication strategies, such as Timothy Coombs’ SCCT, and the cyber incident handling guidelines established by the National Institute of Standards and Technology (NIST). The framework proposed by the authors contends that several factors strongly influence the efficacy of a corporate communication response: timely disclosure of the incident, selection of communication strategies on the basis of the organization’s perceived responsibility, the use of expressions of regret for the incident, and the added value of training the cyber workforce towards a multi-disciplinary skillset that includes crisis communication know-how (Wang and Park, 2017; Jenkins et al. 2014). These elements, which in Wang and Park’s work are posed as units of a comprehensive theoretical apparatus, are also contemplated in other studies, such as those by Brown (2016), Bachura et al. (2017), Gwebu et al. (2018) and Jenkins et al. (2014), where they are inserted within wider response strategies for handling data breaches.

Strikingly, these same indications feature in studies that do not specifically deal with data breaches, such as those by Seeger (2006), Sandman (2006) and Heath (2007), where the same elements are discussed as crisis communication best practices at large. This convergence shows that, regardless of the type of spark that ignites the crisis, these guidelines remain valid across the board. In addition to those previously mentioned, Seeger (2006) and Heath (2007) suggest that honesty and empathy in communicating during a crisis are key components of an effective response, as are promoting notions of self-efficacy and including the public in the recovery process. Sandman (2006) instead offers a critique of these two works: while endorsing most of the above contentions, the author raises some points of disagreement that complicate an otherwise well-balanced theoretical position. Sandman (2006) in fact criticizes Seeger’s (2006) and Heath’s (2007) assertion that organizations should communicate with the public by “coordinating and collaborating with credible sources” to deliver a uniform message. Sandman (2006) argues that speaking with a single voice is unattainable in the real world, simply because the parties involved naturally tend to disagree with one another to some extent. In these instances, rounding off the different opinions to convey a single message would hardly be beneficial, because such a line of communication would fall short of representing the heterogeneity of interpretations, de facto impairing the honesty and openness of the crisis response. In other words, Sandman (2006) exposes a trade-off between these two best practices by asserting that in the real world things look different. This is a pivotal recognition because it shows how remaining on the theoretical side of the spectrum, even when building on previous academic works and popular wisdom, leads to discordant and unverified projections.

As noted at the beginning, there is an even smaller group of scholars who have concretely tested the validity of these norms by analyzing practical cases of crisis communication. In this academic stream we find the works by Suhonen (2019), Xu et al. (2008), Kim et al. (2017), Wang (2018) and Ganev (2018). However, while Ganev (2018) and Kim et al. (2017) structured their research around a comparative approach among similar cases, a method that provides a systematic assessment of the response strategies used across the board, the remaining works limited their focus to a single data breach case. Xu et al. (2008) analyzed the crisis communication response adopted by TJX, Suhonen (2019) focused her efforts on the breach that occurred in 2018, and Wang studied the infamous crisis response case. These single-case studies share a rather superficial analysis of the effectiveness of the communication strategies used, tending instead to capture the overall performance of the organization through the crisis.

On the other hand, both Ganev (2018) and Kim et al. (2017) have argued that withholding information from the public, or disclosing it at a later stage, produces harsher consequences for organizations; but of these two studies, only Kim et al. (2017) actually applied theories drawn from the field of crisis communication (SCCT) to verify their validity. In assessing the response strategies used by a set of five organizations hit by a data breach, Kim et al. (2017) arrive at a number of conclusions. Importantly, the authors contend that while the organizations “used a full range of response strategies including denial, ingratiation, and regret, news media outlets assessed that the breached firms chose more advocate strategies such as scapegoat or excuse” (p. 12). This shows that there is a fundamental discrepancy between the communication strategies used by companies going through a data breach reputational crisis and those reported in the media. In light of this, the authors normatively suggest that such organizations should balance their response strategies against the crisis frame adopted by news outlets, as these play a role in influencing the overall outcome of the crisis communication. The present research aims to contribute to verifying this contention within the scope of its analysis.

Secondly, the authors observed some notable patterns in the type of responses used. While in the two data breaches with fewer records disclosed (Neiman Marcus and Michaels) the organizations adopted a defensive posture and employed deny strategies to invalidate the claims, in the two largest data breaches there is no mention of the use of more accommodative strategies such as regret and apology (Kim et al. 2017). Interestingly, these findings are not consistent with most crisis communication theories and empirical research, which would expect more severe crises to be handled with more accommodative measures, and which argue that a deny posture should be limited exclusively to cases of unfounded rumors or isolated accusations (Coombs, 2007b). These peculiarities might signify that cyber crisis communication, as a sub-domain, somewhat departs from the field of crisis communication in terms of best practices and modus operandi. However, given the scarcity of studies that empirically evaluate communication strategies in data breaches, this hypothesis lacks a definitive answer, just as the generalizability of the findings of Kim et al. (2017) cannot be corroborated by similar evidentiary works. Nevertheless, this gap paves the way for the present study to focus on empirical cases of data breaches and assess the communication response strategies used, promoting a better understanding of this academic sphere. Overall, the relevance of the study by Kim et al. (2017) lies in the positive correlation found between the foundational elements of Situational Crisis Communication Theory (SCCT), which will be at the heart of the upcoming theoretical framework chapter, and the reputational crises caused by a data breach. The study by Kim et al. (2017) ultimately shows (within its limitations) that an effective communication response is highly dependent on the level of controllability of the crisis at hand. In other words, among the data breach cases analyzed, the ones that imposed the most damaging consequences on the organization were those where the media frame attributed the most responsibility for the incident to the organization.

As was the case for works that tackled crisis communication from a theoretical standpoint, there are a number of studies that, although not focusing on data-breach-related crises, have addressed the effectiveness of crisis communication response strategies from an empirical standpoint. In this research stream we find the works by Park (2016), Robertson (2012) and Reed (2014). In introducing the relevance of his work, Robertson (2012) puts forward a line of reasoning that lies at the very heart of the present research and that was briefly contemplated in the introduction. The author poses the problem of verifying long-standing projections that have influenced the work of crisis communicators for decades but have rarely been tested academically. Robertson (2012), in particular, focuses on the “public relations maxim” that the proactive and timely release of information by organizations impacted by a crisis should reduce the reputational damage. To verify this hypothesis the author analysed news stories of nine reputational crises during the six months following the events, observing the volume and tone of media attention towards the crisis in relation to when damaging information was released. The fluctuation of the organizations’ stock value was also observed to provide an additional assessment of the public reaction to the disclosure of information. Furthermore, the author surveyed over 150 expert journalists to corroborate the results of the study, which indicated that “the consequence of withholding information will be more media coverage, keeping negative information longer in play and raising the odds of reputational damage”. As with the study of Kim et al. (2017), the present research will contribute to verifying the contention that a timely disclosure can influence the effect of the response.

The findings of this research are in line with what was discussed above about crisis communication during data breaches, both in terms of communicating transparently with the public and of doing so in a timely manner. Differently from what emerged from the study of Kim et al. (2017), in the case of Robertson (2012) we find that best practices from the general field of crisis communication and those specific to cyber crisis communication are aligned. This coherence is further supported by the works of Park (2016) and Reed (2014). The first study focuses on base response strategies, that is, the first information released by the organization during a crisis, and found that showing regret and apology produces more positive effects for a company’s reputation than not responding or reiterating an organization’s good deeds prior to the event (reinforcing strategies). Reed (2014), on the other hand, argues that defensive strategies could, in some instances, further intensify the reputational damage suffered by organizations, and that in most cases accommodative strategies produce more advantageous effects for companies navigating a reputational crisis. In both cases the crisis typology was not considered a determinant factor, but in spite of this, these findings do not particularly collide with what is discussed by research focusing specifically on data breach crisis communication.

To conclude, a limited number of studies have addressed the issue of how to communicate effectively during a data breach, both from an empirical and a theoretical standpoint. However, given the scarcity and specificity of each of these works, their value for the most part remains intrinsic, leaving open the question of how to communicate effectively during a cyber-induced reputational crisis. By taking into account studies that dealt with crisis communication best practices at large, we were able to place the distinctiveness of data breach communication precepts within the wider context of crisis communication. These preliminary insights from the literature indicate that the two dimensions share some common traits but may well differ in others. The current impossibility of drawing a definitive picture of the intersection between general crisis communication best practices and those emerging from the corresponding cyber sub-domain at a minimum reinforces the need for this research to proceed towards gathering first-hand observations from reputational crises ignited by data breaches, in order to assess which strategies are to be considered most effective in these instances.

3 Theoretical Framework

3.1 Organizational Crises: An introduction to framing and perceived responsibility

The aim of this chapter is to outline the framework of theoretical contributions that will guide the analysis of this research. Before delving into the body of crisis communication theory, it is instrumental to introduce the concept of organizational crisis, starting from a key distinction. Crises that affect organizations can be divided into two main types: operational crises and reputational crises. The first refers to adverse events that affect a company’s business flow, compromising its “ability to generate revenue” (Institute for PR, 2016). Most often this category of crisis bears hazardous consequences for stakeholders, exposing them to direct risks and endangering their safety. Given the disruptive nature of these incidents, while the main party at stake are the stakeholders involved, the primary objective for organizations faced with operational crises is to restore the functioning of their core activities so as to minimize downtime and monetary losses. An incident in a chemical processing plant can, in fact, compromise production operations as well as endanger the safety of the surrounding community should noxious substances be accidentally dispersed into the environment. Given their strong physical characterization, it is not surprising that operational crises have historically been at the top of the crisis management agenda (Carroll, 2003; Coombs, 2007a). Reputational crises, on the other hand, typically do not produce significant effects on stakeholders’ safety, and the victim is the organization itself. These crises, as the name suggests, threaten the good name of the organization as well as the esteem in which the public and stakeholders hold it. Needless to say, operational crises can negatively impact an organization’s image, just as reputational crises can escalate to the point of impacting the normal business functioning of the entity or, in certain instances, its very existence (Carroll, 2016). However, this distinction is fundamental for the purpose of this research, as it sheds light on the significant role played by public perceptions of the crisis, whether operational or reputational in nature. In fact, regardless of the type of crisis, the way a crisis is framed widely affects its impact, the response to the event, and ultimately the outcome of that response.

To highlight this pattern, it is instrumental to introduce the concepts of scandals and accidents as set out in the body of corporate crisis management literature. The first generally spring from “some action that creates public outrage because it is considered illegal or immoral” (Carroll, 2016, p. 244). Whether the conduct is in fact illegal or immoral is of relative significance, because in a scandal there is always an underlying factor of perceived intentionality. Accidents, on the other hand, are generally unexpected events that lie outside the control of the subjects that cause or endure them. Both scandals and accidents are effectively sources of trust violations towards stakeholders, consumers and the public at large. The difference lies in the perceived responsibility that interest groups attribute to the affected organizations. Scandals are defined as integrity-based violations. This presupposes an attribution of immoral conduct to the agent responsible for the scandal, a consideration strongly connected to the deliberate nature of the choice that leads to such behavior in the first place. Cases of corporate fraud are instances of illegal conduct, while a discriminatory statement by a company executive represents an example of unethical behavior. Yet in both instances the premeditation behind the action will likely be met by public outrage, because the agents will be held responsible for their course of action (Carroll, 2016). Unlike scandals, accidents do not carry the same degree of responsibility ex ante. At most, accidents can be defined as competency-based violations when the event originates from the erroneous execution of a task by a responsible staff member of the organization. However, even in these cases accidents are rarely attributed the level of responsibility generated by scandals.


Fundamentally, this paradigm holds regardless of the type of crisis at hand, whether operational or purely reputational. In corporate-fraud scandals like the one that affected Enron in 2001, we witnessed enormous backlashes of an operational nature, while in the case of the discriminatory statements made by Barilla’s majority stakeholder Guido Barilla the resulting damage remained within the reputational dimension. Barilla has since invested in significant egalitarian campaigns that had a substantial effect in restoring the company’s reputation, while Enron declared bankruptcy a few months after the scandal erupted (Toms, 2019; Segal, 2020). The Enron case generated far more impactful consequences than the Barilla case and proved much harder to manage, but the reasons are to be found in the different degree of public attention generated and the number of stakeholders involved, rather than in the crisis typology. Unlike the Enron scandal, only a limited number of stakeholders came to know about Guido Barilla’s comments on the radio, while others simply were not concerned with the issue (Toms, 2019; Segal, 2020). Ultimately, as argued by Carroll (2016), “the greater the number of stakeholders that become offended and outraged, the more threatening the crisis is to the organization’s reputation” (p. 243). As said, this largely depends on how the crisis is framed to the public, a reasoning that holds for accidents as well. An incident at a chemical facility can become a more or less serious crisis depending on the way the story is told. From purely adventitious frames, such as a pipe failure caused by rising natural gas pressure, to purely competency-based violations, such as management negligence towards safety measures, the same event can be attributed to different causes, with varying levels of crisis responsibility.
Across the typologies of corporate crises, the impact and the response to the event are ultimately dependent on the way crises are framed.

3.2 Attribution Theory and SCCT

The variability in the narrative of events shown with regard to scandals and accidents emphasizes how the crisis responsibility associated with an organization depends on the traits of the crisis as much as on the way these traits are represented and perceived. As argued by Heath and Millar (2004), crises have both a factual and a perceived dimension. Among the many authors who have addressed this dualism, Benoit (1997), who initiated the image restoration discourse, went as far as to claim that the perceived dimension of a crisis is more important than the reality from which it draws. This reasoning, together with the consequent significance of framing addressed above, further emphasizes the relevance of crisis communication within the wider scheme of crisis management as a field. This perceptual dissonance from the actual development of a crisis strongly influences its outcome, and organizations should pursue effective communication with the general public to control the narrative and minimize reputational damage. But how do organizations ensure effective crisis communication? Whether an organization has responded effectively to a crisis, specifically by employing crisis communication strategies, is inherently hard to verify given the number of concurrent factors that can influence the process. The difficulty emerges from the contextual characteristics that constitute a crisis in the first place and make it unique. For instance, the type and number of stakeholders involved, the proportions of the crisis, consumers’ reaction to the event, and the organizational framework of the company at hand are all elements that could influence the strategy, and thus the success, of the communication response at large.

This reasoning is at the basis of Timothy Coombs’ Situational Crisis Communication Theory, henceforth referred to as SCCT, a foundational contribution that represents one of the main theoretical references in the field of crisis communication (Coombs, 2004; 2007a; 2007b; 2010; 2013). Coombs’ theory, stemming from the larger domain of attribution theory, affirms that “Attributions of crisis responsibility have a significant effect on how people perceive the reputation of an organization in crisis and their affective and behavioral responses to that organization following a crisis” (Coombs and Holladay, 2010, p. 38). Introducing the notion of “attributed responsibility”, Coombs (2010) stresses a link between the inherent features of a crisis and the most compatible type of response for such an event. The most significant contribution brought by SCCT to the field of crisis communication is the provision of a comprehensive and systematic framework to reconcile response strategies with the situational elements of a crisis. Following this theoretical formulation, the author first discerns between crisis types and intensifying factors in order to assess the degree of crisis responsibility that stakeholders will attribute to the organization navigating the event.

3.3 Crisis Types and Communication Response Strategies

First, SCCT postulates a typology of crises based on incremental organizational responsibility: victim crises, accidental crises and preventable crises, and then associates with each category a predetermined cluster of communication response strategies. These strategy clusters (Deny, Diminish, Rebuilding, Reinforcing) can be effective as standalone methods or in conjunction with one another (Coombs, 2007, 2013; Amaresan, 2019). Crisis types, within the SCCT discourse, correspond to the framing of the event rather than to the nature of the crisis itself (differently from the operational and reputational categories previously addressed). Frames can be classified into communication frames, the way information is presented by communicators, and frames in thought, the cognitive structures applied by recipients to interpret the messages. Exploiting the so-called framing effect, communicators can influence the way the audience elaborates the information and subsequently shape its judgement. Therefore, according to SCCT, a crisis type is constructed by assembling the most prominent factors that constitute the narrative of the events as reported by the media and communication channels, and does not constitute a preliminary fixed category (Coombs, 2004; 2007; 2007b; 2010; 2013). These crisis types are built on different degrees of attributed responsibility and correspond to minimal crisis responsibility (victim crisis), low crisis responsibility (accidental crisis) and high crisis responsibility (preventable crisis). The underlying rationale for such a scale lies in the identification of an inverse relation between responsibility and reputation, a pattern that retraces the distinction between scandals and accidents: the more an organization is perceived to be accountable for a crisis, the more its reputation will suffer from it. Within the victim crisis type, SCCT includes situations believed to be entirely outside the control of the organization, which is de facto counted among the affected parties. Victim crises include natural disasters, the circulation of false information about the organization’s conduct, workplace violence by an employee, and product tampering by external parties. In this type of crisis, the dominant frame exempts the organization from any role in the causal process that leads to the event, consequently imposing a mild reputational threat.

In accidental crises, the organization had a role in the development of the crisis, but its course of action lacked any intentionality and it had limited control over the event (Coombs, 2004; Coombs & Holladay, 2010). This category can somewhat blur the line of demarcation between scandals and accidents, as in addition to technical errors leading to failures or to products being recalled from the market, it includes allegations of ethical misconduct on the part of the organization. What differentiates this crisis type from actual scandals is that the organizational misconduct remains a potential but not verified instance. In an accidental crisis, there is a low attribution of crisis responsibility to the organization, and such crises pose moderate reputational threats to organizations. Lastly, preventable crises (otherwise referred to as intentional) represent situations where high crisis responsibility is attributed to the organization, generating severe reputational threats (Coombs & Holladay, 2010). The crisis is perceived as purposively caused by the organization as a result of deliberate conduct. More accurately, the organization is held directly accountable for the crisis development because, while it possessed the ability to avoid its occurrence, it failed to do so. This typology consists of crises that draw both from integrity-based trust violations (scandals) such as organizational misdeeds, including legal infringements by management or stakeholders, and from competency-based trust violations (accidents) in the form of human errors knowingly causing incidents or harmful products to be recalled (Coombs, 2004; 2007a; 2007b; 2010; 2013). Human errors are inscribed within this category because, differently from technological failures, they are generally believed to be preventable, a distinction which is particularly relevant for the purpose of this study (Morris, Moore, & Sim, 1999).

3.4 Intensifying Factors: Crisis Severity, Crisis History, Relationship History:

Although posed as the central cornerstone of SCCT, crisis responsibility is not the only factor that can influence the threatening stance of a crisis, and therefore the corrective measures to rectify it. In fact, Coombs and Holladay (2010) introduced two appurtenant variables to the framework that, in the words of the authors, can be regarded as “intensifying factors”: crisis severity and performance history. Crisis severity refers to the impactful proportions of a crisis regardless of the positioning of the organization towards the event, whether its adverse consequences are of an environmental, financial or human nature. The damages produced by a crisis can in fact significantly alter the perceived responsibility attributed by the public, irrespective of the nature of the actions carried out by the organization. Contrary to expectations, as revealed by a subsequent study conducted by Park & Len Rios in 2010, the relation between crisis severity and reputational threat (although usually verified) is not necessarily a positive one. Rather, the type of “injured party” plays a significant role: when serious damages affect exclusively an organization, these could potentially spark feelings of compassion in the audience (Coombs, 1998), whereas when it is consumers who are hurt, the severity of the crisis tends to generate more harmful consequences for an organization’s reputation (Lee, 2005). This being said, while partially correlated to the type of party affected by the crisis, crisis severity should be regarded as a fundamental modifying factor for the perceived responsibility of an organization, and consequently for the reputational threat hanging over it (Coombs, 2002; 2004; 2007a; 2007b; 2013; Coombs & Holladay, 2010).

Performance history follows a similar pattern. This second intensifying factor is the sum of two intertwined but independent variables: crisis history and relationship history. Crisis history refers to previous cases of a similar nature that involved the same organization in the past. A record of previous crises can considerably change the level of attributed responsibility because it establishes a pattern of misconduct and raises suspicions of recidivism (Coombs, 2002, 2004, 2007; Coombs & Holladay, 2010). Although crisis history was regarded as an intensifying factor by several studies that focused on SCCT, Timothy Coombs in 2002 published a study that specifically tested the multiplying effect that a negative track record of crises has on the degree of responsibility connected to an organization during such events. The author found that, regardless of the typology of reputational crisis at hand, this intensifying factor proved to significantly increase the attributed responsibility across victim, accidental and preventable crises.

To understand this phenomenon, it is useful to complement the definition of crisis responsibility that we introduced in chapter 3.2 by looking at three “causal dimensions” (Coombs, 2004, p.267) that foster attributions from the public: external control, personal control (or external/internal locus) and stability. External control represents the level of controllability of the crisis event by an outside party, while personal control is the degree to which the subject entity itself is in the position of managing the situation. Internal or external locus, which often coincides with personal control, determines whether a crisis event is produced by drivers that lie within or outside the range of actions of the subject party. While these constitute the structural ingredients that create attributions of responsibility, the stability causal dimension refers directly to the concept of crisis history (Coombs, 2004). Stability, as a component of responsibility attribution, refers to the frequency with which an event manifests itself. Thus, if a crisis event is part of a series of similar occurrences, de facto creating a pattern of repeated adversities (or fallacies), it is considered to be stable, whereas if it represents an isolated eventuality it is characterized as unstable. If anything, the fact that crisis history is inextricably linked with the concept of stability, a foundational contributor to attributed responsibility, upholds the intensifying stance of crisis history on the magnitude of the reputational threat in a crisis (Coombs & Holladay, 2010).

Similarly, relationship history relates to the conduct of the organization prior to the crisis event, but differently from crisis history it does not revolve around previous incidents but around the quality of the relationship between that same organization and its public, be these its stakeholders or its consumers. As was the case with crisis history, relationship history indirectly affects the perception of the organization in the eyes of the public, depending on the nature of such rapport. When a crisis comes to light, the public acquires preliminary information that can influence their attribution of cause, which in the case of crisis history and relationship history takes the form of “causal antecedents” (Coombs, 2004). An organization that is known to have behaved unduly or inadequately in a previous instance, according to SCCT, begins its crisis response journey from a disadvantageous position, since the public is likely to associate a higher level of responsibility with it. Consequently, given a certain crisis event, the reputational threat will be higher for an organization with a poor relational state with its stakeholders than for one whose prior relationship is positive or unknown (Coombs and Holladay, 2010).

3.5 Communication Response Strategies:

At the beginning of chapter 3, it was stressed how SCCT largely stems from attribution theory, applying socio-psychological precepts to the field of crisis communication by placing the focus on the recipients’ perspective of the crisis response rather than the responders’. The introduction of this framework represented a fundamental breakthrough for a field traditionally advanced by practitioners prioritizing its applied nature. As exemplified in chapter 2.5 of the literature review, still nowadays several studies indulge in producing advice through do’s and don’ts on the basis of isolated “war cases” analyzed in a descriptive manner. This stream of research, defined as informal by Stacks (2002):

“worked through subjective methods, provided little control over variables, and was not systematic in the collection and interpretation of the data” (Coombs & Holladay, 2010, p.30).

Nevertheless, SCCT is deeply rooted in a number of contributions that pertain to this informal stream, which culminated with the introduction of numerous theoretical frameworks that provide strategic accounts on how to respond to a reputational crisis. Among these, we find the works by Dionisopolous and Vibbert (1988), who integrated the concept of corporate apologia within the realm of crisis communication, by Ulmer (2001), who introduced the rhetoric of renewal, and notably the work of Benoit (1995), who developed the Image Restoration Theory (IRT), cementing the role of communication in protecting reputations and representing, in the words of Coombs himself, “the most prolific framework for informal crisis communication research” (Coombs & Holladay, 2010, p.31). Cast in this theoretical cosmos, Coombs’ SCCT has the merit of having initiated a formal line of research in the field of crisis communication, seeking to establish systematic inferences among variables in a structured and controlled setting. The result of this modus operandi is the development of a framework that allows one to generalize and predict outcomes, anticipating patterns of dependency among the variables at play. The element of predictability is the main contributory asset brought by SCCT to the field of crisis communication. In fact, after having assessed the contingent standing of an organization navigating a crisis, considering both the crisis typology and the role played by contextual intensifying factors, SCCT postulates a framework of strategies to be correlated to the bulk of situational factors identified. This correlation between a given set of characteristics in a crisis and a corresponding array of response measures is obtained by adopting an audience-centred approach, the essence of the passing of the baton between informal and formal research (Coombs, 2002; 2007b; Coombs & Holladay, 2010).

Since the beginning, SCCT’s conceptual development has borrowed from previous academic experiences. Coombs, in fact, draws from Sturges (1994) in arguing that crisis response efforts should always begin with instructing and adjusting information, tasks aimed directly at shaping the audience’s perception of the crisis event from the outset. Instructing information serves the purpose of securing stakeholders from physical damages triggered by the crisis, shielding them from additional harm. Such information could relate to safety instructions on how to evacuate an endangered area or to the return policy of a malfunctioning product. Arguably, instructing information would have more to do with the operational dimension of a crisis if such an informative task did not have significant repercussions for the image of the organization, whose primary goal is to protect the safety of the population. On the other hand, adjusting information as a task is directed precisely at gaining control over the narrative of the events, by feeding the audience with information on the evolution of the crisis, conveying messages of concern or sympathy towards the affected parties, or applying reparatory measures to prevent the spread of the crisis. As much as instructing information operates on the material containment of the crisis impact, adjusting information speaks to the psychology of the stakeholders, promoting a dominant frame of the crisis event (Coombs, 2002, 2013; Coombs & Holladay, 2010).

Following these initial communicative tasks, which can be grouped under the definition of “base responses”, organizations move onto the corpus of the crisis response strategy by selecting among strategy clusters according to the typology of crisis to be tackled. As briefly anticipated before, these clusters, namely deny, diminish, rebuild, and reinforcing, are composed of single standalone strategies assembled according to their core functionality and applicability. While reinforcing strategies function as supplemental and supporting measures, deny, diminish and rebuild are clusters composed of primary responses that can be used as standalone methods. The primary clusters’ triad is ordered in terms of growing attributed responsibility from deny to rebuild, which, in the absence of intensifying factors (crisis severity, performance history), corresponds to the crisis typologies described above, from victim to preventable. In other words, as will be addressed in detail in 3.6, excluding external intensifying variables, victim crises should be handled with deny measures, accidental crises by using diminish strategies, and rebuild responses should be adopted to face preventable crises (Coombs, 2002, 2004, 2007, 2013; Coombs & Holladay, 2010).

Although the first elaboration of SCCT included 10 strategy units, subsequent works by Holladay (2010) and Fisher Liu (2010) have expanded the list to include 7 additional response interventions combined, broadening the alternatives included in each crisis cluster. These supplementary strategic measures partly originate from the reformulation of Coombs’ article “Choosing the right words”, published in 1995, long before these theoretical notions had been streamlined into the current version of SCCT. At the same time, these additions are the result of empirical research conducted with the intent of testing the applicability of modern SCCT in different contexts, and therefore constitute an opportunity for expanding the scope of the theoretical premises that support this investigation. The following table (1.1) presents the revised SCCT framework adopted, outlining the additions made to Coombs’ original work. As portrayed in table 1.1, the first cluster, composed of deny response strategies, includes 5 different response strategies. Among the most offensive strategies we find attacking the accuser, which refers to directly challenging those linking the organization to the crisis, scapegoat, by which the blame is instead shifted onto a third party, and denial, performed by refusing to admit any responsibility for the events. Other strategies added to this cluster are Fisher Liu’s ignore, describing organizations that implicitly deny a crisis by refraining from responding, and Holladay’s suffering, which amounts to proactively assuming the role of the victim in regard to the events of the crisis (Coombs, 2002; 2004; 2007a; 2007b; 2013; Coombs & Holladay, 2010). If deny strategies are employed to distance the organization from the crisis entirely, the diminish cluster instead aims to reduce the share of reputational involvement of the organization by lessening pressures deriving from the attribution of responsibility or from the perceived severity of the event. Organizations can utilize an excuse strategy in an attempt to refute any intention to cause harm, or deny volition, attempting to decrease the perceived level of crisis responsibility by contending lack of control over the event. Alternatively, a justification strategy is aimed at minimizing the scale of the crisis and its impact, while separation serves to sever any connection with the responsible actors within the organization.

As the term itself suggests, rebuild strategies are selected when the party acknowledges the crisis and a certain degree of responsibility for its development, and intends to remedy the potential deterioration of its image by pursuing accommodative initiatives. Differently from the clusters previously addressed, rebuilding has to do with accepting the status quo attribution of guilt and attempting to redeem the company’s reputation, regaining the trust of the public and winning their forgiveness. This agenda is pushed by formulating an apology for the misconduct that enabled the outbreak of the crisis or even by offering compensation to the victims to repair the damages inflicted. While rectification as a strategy refers to demonstrating full commitment to preventing future recurrences of the crisis, transcendence relates to inscribing the crisis within a larger and more positive context, shifting the attention to the greater picture. The last strategy, given that it is often used in combination with other measures, is at times viewed as a reinforcing strategy. However, its theoretical placement strictly depends on the nature of the case where it is applied and thus will be additionally verified within the scope of this study (Coombs, 2002; Coombs & Holladay, 2010).

Lastly, reinforcing strategies are used to accompany and supplement primary responses to strengthen the communication narrative established with the public. This secondary response cluster includes bolstering, a strategy aimed at drawing on past merits and achievements obtained by the organization to offset the negative consequences of the crisis. Alternatively, organizations can follow an ingratiation strategy by commending stakeholders on their support and loyalty, or apply Fisher Liu’s (2010) endorsement strategy to publicly make reference to a third party supporting or validating the work done by the organization. Instead of attempting to turn the tone of the narrative of the events into a positive story, organizations can resort to using victimage to reaffirm to the audience that the organization is itself a victim of the crisis (Coombs, 2002; 2007b; Coombs & Holladay, 2010).

Table 1.1

SCCT response strategy clusters

Deny                 Diminish          Rebuild           Reinforcing
Attack the accuser   Excuse            Compensation      Bolstering
Denial               Justification     Apology           Ingratiation
Scapegoat            Deny volition*    Rectification*    Victimage
Suffering*           Separation**      Transcendence**   Endorsement**
Ignore**

Source: Coombs (2002, 2004, 2007a) and Coombs & Holladay (2010)
* = addition extrapolated from: Fisher Liu (2010)
** = addition extrapolated from: Holladay (2010)

3.6 SCCT Recommendations and Data Breaches:

In line with what has been outlined so far, SCCT should be interpreted as an instructive framework to map the best-suited response strategy to a given crisis situation, but should not be understood or enacted as a perfectly anchored recipe. To deduce the degree of responsibility attributed to a certain organization is as difficult an exercise as selecting the most appropriate combination of responses to confront it. As SCCT draws from the socio-psychological premises of attribution theory, it follows that the analysis of crisis typology and intensifying factors requires significant interpretative effort in order to capture the perceptive reality that sustains a company’s public reputation. In particular, given the variety of strategies available within the same cluster, identifying the degree of attributed responsibility is a necessary but insufficient criterion for choosing the most fitting amalgam of responses. SCCT provides, nevertheless, a platform for orientating the response apparatus, carrying important lessons for organizations to follow and an array of procedural guidelines to support crisis managers in conveying the right message.

These guidelines originate from the correlation of situational elements that contribute to the attribution of responsibility, such as crisis typology, crisis severity and performance history, with the cluster of strategies designed to respond to such reputational threat. On a scale of increasing attributed responsibility, Coombs (2007b) and Coombs and Holladay (2010) have retraced a sequence of base scenarios to illustrate the variation among clusters. Starting from crises with minimal levels of attributed responsibility (victim crises), without any role played by intensifying factors, SCCT asserts that the sole use of base response strategies, such as instructing and adjusting information, should suffice for managing the event. On the other hand, if that same organization were to have experienced other similar cases (crisis history) or to have had relational problems with its stakeholders (relationship history), or if the crisis itself carried harsher consequences (crisis severity), victim crises should instead be met with diminish strategies in unison with base responses. Importantly, deny strategies should only be used to counter rumors or isolated challenges about company ethics. Similarly to victim crises, in an instance with low attributed responsibility (accidental crisis) a lot depends on the multiplying effect played by intensifying factors. In fact, in an accidental crisis whose reputational impact is not augmented by crisis severity or performance history, SCCT suggests employing diminish strategies. Alternatively, when intensifying factors are at play, accidental crises should be countered with rebuild strategies, by offering compensation or conveying an apology. In the case of crises with high attributed responsibility (preventable crises), aggravating contributors such as crisis severity or performance history do not affect the response selection, as these events are always to be managed via rebuild strategies. Whenever victims of a crisis are subject to severe harm, organizations should rely on rebuild strategies, and in particular resort to providing compensation for the costs imposed (Coombs, 2002; 2007b; Coombs & Holladay, 2010).

Figure 1.3 summarizes what has been described so far. What appears to be the minimum common denominator across crisis clusters is the use of base responses regardless of the crisis features at hand. SCCT holds in fact that “All victims or potential victims should receive instructing information, including recall information” (Coombs 2007b, p.173). Similarly, as far as adjusting information goes, expressing sympathy and conveying instructions about the corrective measures undertaken should be seen as musts in any situation that involves victims. Concerning reinforcing strategies, while bolstering and ingratiation can be paired with any response, victimage has a far more limited range and should be employed only in specific cases: “workplace violence, product tampering, natural disasters and rumors” (Coombs, 2007b, p.173). As a final recommendation, it should be noted that it is vital for the overall outcome of the response to resort to only one primary cluster, and to refrain from blending together deny, diminish or rebuild strategies, as this would likely impair the consistency of the crisis frame proposed.

Figure 1.3


Derived from: Coombs (2007b) and Coombs & Holladay (2010)

3.7 SCCT and PR data breaches by hacking

Given that the task of selecting the appropriate response is rooted in deciphering the level of attributed responsibility, for crisis communication managers the imperative is to get acquainted with the facts of a crisis by looking at its taxonomic and historical traits. A key, independent variable in determining a crisis is the typology it belongs to. From this first step, a crisis communications manager could look further into calculating the intensifying factors within the equation and embark on the arduous task of assuming the correct response posture. However, when it comes to online data breaches, partly due to their novelty and complexity, these events still lack an established place within the crisis typology spectrum. Given the limited awareness surrounding this phenomenon in terms of root causes and dynamics, as discussed in the literature review chapter, data breaches are yet to be associated with an established crisis category and to be integrated within the cogs of SCCT. Even those studies that address the topic from a taxonomic perspective (e.g. Khan et al. 2019) treat the issue as a source of risk and do not engage in defining the contours of data breaches as crises, either in operational or reputational terms. This tendency, as we described, is rooted in the academic and practical prioritization of a preventive approach over a mitigative one, overshadowing the relevance of online security breaches within the crisis management and communication discourse.

This deficiency is exacerbated by the conflicting outcomes of those few studies that are driven by the intent of exposing the level of attributed responsibility in PR data breach crises, and consequently of finding the most compelling response for handling the problem. For instance, while Kim et al. (2017) have found evidence that organizations undergoing a data breach reputational crisis tend to adopt defensive strategies, normally undertaken in cases of minimal attributed responsibility, Ramakrishna (2012) claims that data breaches are usually regarded as man-made incidents, and therefore should be dealt with using more accommodative measures in light of a higher degree of attributed responsibility. This reasoning by Ramakrishna (2012) stems from the identification of human-related drivers that can cause a data breach, such as obsolete security systems, lack of training and security policies, and poor implementation of procedures. Although this assertion is endorsed by Jenkins et al. (2014), who argued that the standard response to a data breach should involve apology and regret strategies, in light of our previous findings on the prevalence of data breaches by hacking, which assume significant participation of third-party offenders, we are not inclined to endorse this contention as universally valid. Instead, Ramakrishna’s argument can be expanded and used to understand where the actual problem of classifying data breaches in terms of crisis typologies lies.

In fact, it appears inefficient, if not impossible, to categorize data breaches as a unique phenomenon, given that, as previously discussed, these can be produced by many different causes. In other words, instead of suggesting the employment of specific strategy clusters ex-ante, it can be expected that data breaches caused by employees’ negligence and those traceable to ransomware deployed by malicious actors would be attributed different levels of responsibility and, as such, treated with different response strategies. Given the scarcity and heterogeneity of research dealing with online data breaches in crisis communication, and the specificity of the category assumed as the object of research of this study (data breaches by hacking), to formulate in advance a correct response posture when dealing with these events seems overly ambitious. Rather, it could be hypothesized that the high degree of attributed responsibility recognized by Ramakrishna (2012) and Jenkins et al. (2014) in human-assisted breaches would moderately decline in cases of breaches by hacking, due to the significant external participation of third-party offenders. This mild expectation does not warrant taking the human factor out of the responsibility equation. As argued by Jenkins et al. (2014), since organizations are entrusted as authorities in administering and retaining personal data, these could nonetheless be seen as the liable party. Retracing the definition of “causal dimensions of crisis responsibility” discussed in 3.4, it could be argued that while the crisis originates from external drivers and the locus of control can be seen as external, given the direct responsibility for consumers’ data and the possibility of implementing cybersecurity measures, organizations are still attributed a certain degree of controllability over the event (personal control) (Coombs & Holladay, 2013).

This trade-off would indicate that PR data breaches might not fit within either the victim crisis typology or the preventable crisis one. Halfway between these two extremes, accidental crises, which generally see the involvement of the organization but with low direct controllability and no intentionality over the events, might instead fit this specific type of reputational crisis. Although remaining a cautious projection, it follows that a corporate response posture to PR data breaches would resort to base responses (adjusting and instructing) coupled with either diminish or rebuild strategies, depending on the role played by intensifying factors, and eventually with reinforcing measures. Nevertheless, as discussed in the next section about the methodological trail followed by this research, while retaining this supposition, the overarching intent of this study is to obtain further evidence of the most appropriate response behavior in these instances. In fact, this study aims at comparing the effects of the response recipes chosen by each organization considered, to shed light on what should be the strategic communication approach adopted in dealing with these particular events. Although some of these hypotheses will be further clarified within the next methodology chapter (P6 and P7), this research will be driven in its analysis by a number of propositions:

▪ P1: Data breaches negatively affect corporate reputation;
▪ P2: The recovery patterns of the organizations affected by a data breach can be explained by looking at the crisis response strategies implemented;
▪ P3: The recovery patterns of the organizations can be explained by the compliance of their response with SCCT guidelines, as hypothesized by this study (Diminish/Rebuild and Reinforcing strategies);
▪ P4: A timely response significantly influenced the effect of the response strategies implemented (Robertson, 2012);
▪ P5: Response strategies implemented by organizations in reality might differ from the ones represented in the media (Kim et al. 2017);
▪ P6: Social media-related communication significantly influenced the effectiveness of the response strategies implemented;
▪ P7: Inter-periodic analysis shows that newer cases of corporate data breach performed better in terms of recovery from the crisis.

4. Methodology

4.1 Operationalizing SCCT in the context of data breaches

Departing from the long-standing tradition of abstract theorizing in the realm of crisis communication, this research aims at comparing 8 cases of corporate PR data breaches following a Most Similar System Design, to validate the applicability of SCCT’s assumptions in the context of this specific type of reputational crisis. Nevertheless, as addressed before, SCCT does not neatly encompass data breaches within its crisis typologies, encouraging the adoption of a predominantly inductive approach. This study will in fact derive an assessment of the bulk of strategies utilized directly from the observations, by looking at the outcomes of the responses implemented and confronting them with SCCT guidelines. The ultimate goal of this multi-lateral comparison is to extrapolate and analyze the factors that influenced the effectiveness of the response communication in the organizations involved. The data breaches are selected on the basis of contextual similarities, which will allow a congruent comparative approach by stabilizing the level of attributed responsibility. Additionally, these case studies will be selected to represent examples of both successful and unsuccessful recovery from data breaches. This will serve as a preliminary assessment to guide the analysis of this research, which assumes as its dependent variable the varying degree of effectiveness of the response strategy implemented in the aftermath of a given crisis.

Before delving into the core methodological contours of this study, it is instrumental to operationalize the theoretical foundations that sustain it. As discussed in the next section of this research, we will select the reputational crises from two pre-determined time frames, to isolate the impact of social media and digital communication and capture its chronological evolution. More importantly, this periodic repartition provides the chance to observe the development of crisis response practices and to test the applicability of SCCT in light of the substantial increase of new types of reputational crises, often prompted by the current wave of digitalization. In regard to this study, however, the main contribution derived from Coombs’ Situational Crisis Communication Theory is the reaffirmed importance of analyzing highly comparable types of crisis. As similar crises require similar communication response strategies, observing a convergence in the strategies implemented by such organizations, or the lack thereof, will constitute a notable indicator for the analysis (Coombs, 2004; 2007). At the same time, selecting cases to represent varying degrees of effectiveness in post-crisis communication will in turn provide a chance to verify the validity of Coombs’ SCCT in the context of data breaches, as well as to provide insights into its functioning in a particularly unexplored setting.

It was anticipated in section 3.7 that, considering previous academic accounts and the theoretical placing of PR data breaches by hacking deduced from SCCT, it is possible to cautiously foresee that these events could fall under the category of accidental crises (Coombs and Holladay, 2010; Coombs, 2013). This precursory hypothetical scenario will be verified against this set of 8 most similar cases, to understand whether the variance in response effectiveness can be explained by divergent communication strategies and to assess the most fitting posture. In fact, the relation between the recovery trends observed and the response strategies implemented in those cases will provide the chance to verify this expectation or, more generally, to understand whether similar recovery patterns are attributable to similar SCCT strategies. Alternatively, if there is no evidence that SCCT strategies have influenced the differentials in recovery among cases, this research will provide an opportunity to shed light on factors that go beyond the scope of Coombs’ theory, exploring an under-researched dimension in corporate crisis communication.

4.2 Stock analysis and news tracking: Assessing cases on varying degrees of reputation recovery

To establish a value spectrum of effectiveness in recovering from the damages inflicted by a reputational crisis is, as said, a difficult endeavor. However, by combining the conceptual formulations of effective recovery produced by previous research, this study aims at recreating a comprehensive model of measurement to depict its variance. To create this model as accurately as possible we intend to merge the statistical and purely qualitative approaches previously utilized to depict effectiveness in reputation recovery. This dual approach reflects what has been said in relation to the academic controversy over the impact of data breaches on organizations. In fact, the combined analysis of both economic and reputational repercussions following the breach, while aiming at depicting the recovery trend of the companies included in this study, will provide a chance to address the long-standing dispute over the damaging effect of PR data breaches on organizations at large.

First, the most common statistical approach to observing the economic impact of a PR data breach is to study the fluctuation of the stock market value of the organization in question in relation to the overall market trend (MacKinlay, 1997; Campbell et al., 2003; Hovav & D’Arcy, 2004; Goel et al., 2007; Vijayan, 2008; Metrica, 2011; Robertson, 2012; Reed, 2014; Bischoff, 2019). Although, as addressed in the literature review chapter dedicated to “data breach impact”, there are conflicting opinions over the extent of the indirect financial damages of data breaches on organizations, this method remains the most widely adopted to measure the consequences of adverse events in economic terms. As contended by Hovav and D’Arcy (2004), previous finance event studies have demonstrated that “Firms that experience a loss from a catastrophic event would sustain an immediate adverse effect on their stock price” (38). If publicly traded organizations are historically exposed to stock price shocks in the aftermath of abnormal events, that is because their shares’ value depends on their attractiveness to investors, which in turn is closely correlated to the companies’ reputation. This preliminary calculation will in fact reveal whether, in the period of time following the data breach, organizations were impacted by quantifiable reputational damages, registering a drop in their stock relative to market value. By observing the stock value change in the aftermath of a series of data breaches, this study will subsequently compare these stock trends to rank the organizations’ recoveries among the cases observed.

Following the steps of several authors who have dealt with finance-related event studies, the stock values will be observed at different points in time preceding and following the event in order to depict and control the trend in their price fluctuation (MacKinlay, 1997; Campbell et al., 2003; Hovav & D’Arcy, 2004; Goel et al., 2007). This process will be enacted by looking at the stock values prior to the event (1 week, 2 days and 1 day before the breach) and delineating a pattern by comparing these values with those registered in the aftermath of the breach (1 day, 1 week, 1 month, 3 months after the event announcement). These timeframes are selected in line with other event studies that observed the stock price change patterns of organizations in the aftermath of an abnormal occurrence (MacKinlay, 1997; Campbell et al., 2003; Hovav & D’Arcy, 2004; Goel et al., 2007). Looking at the initial change in value observed from the first day after the data breach announcement, and at the development pattern of the share until 3 months from the event, it will be possible to draw price fluctuation curves and determine which companies have been impacted the most.

In order to eliminate the concurrent and distorting effect potentially played by overall market performance during that same period, next to observing the specific company stock prices on the New York Stock Exchange (NYSE), these values will be compared with the NYSE Composite Index (NYA). By tracking this index, which measures the capitalization-weighted performance of the publicly traded companies considered within this research, this research aims at isolating the effects of the PR data breaches on the companies’ performances. Furthermore, in order to strengthen the significance of this statistical measurement, next to stock value evaluations, the year-on-year percentage change in revenue of the companies involved will be calculated for the fiscal quarter preceding the breach announcement and the two following it. Although changes in revenue do not necessarily depend on the public image of a company, the direct costs imposed by legal proceedings, product recalls and compensations, or by contractions in sales, all together might affect the volume of earnings. Consequently, as organizations seriously hit by a data breach might suffer a revenue fall, this will serve as a supplementary indicator in the assessment of the recovery performance.
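The event-window calculation described in the two paragraphs above, written out as an added illustration (this is not code from the thesis). It takes closing prices at the named observation points, computes the change relative to the last close before the announcement, and subtracts the NYA index change over the same window so that the overall market trend is removed, then adds the year-on-year revenue check for the three fiscal quarters. The mapping of “1 week”, “1 month” and “3 months” to 5, 21 and 63 trading days, the simple market-adjusted model, and all prices, index values and revenues below are assumptions or constructed values.

```python
"""Market-adjusted event window for a breach announcement (added example).

Not code from the thesis. Prices, index values and revenues are constructed.
"""
from dataclasses import dataclass, field

# Observation points named in the methodology, expressed as trading-day
# offsets from the announcement day (day 0). Mapping "1 week", "1 month" and
# "3 months" to 5, 21 and 63 trading days is an assumption.
OFFSETS = {"-1w": -5, "-2d": -2, "-1d": -1,
           "+1d": 1, "+1w": 5, "+1m": 21, "+3m": 63}
BASELINE = -1  # last close before the announcement


def pct_change(base, value):
    """Percentage change from base to value (multiply first to limit rounding)."""
    return (value - base) * 100.0 / base


@dataclass
class Case:
    name: str
    prices: dict                                  # offset -> company close
    index: dict                                   # offset -> NYSE Composite close
    revenue: dict = field(default_factory=dict)   # quarter -> (this year, prior year)


def event_window(case):
    """Raw and market-adjusted change at each offset, relative to the -1d close.

    Market-adjusted model: company change minus index change over the same
    window, which strips the overall NYSE trend out of the company figure.
    """
    base_p, base_i = case.prices[BASELINE], case.index[BASELINE]
    rows = {}
    for label, off in OFFSETS.items():
        raw = pct_change(base_p, case.prices[off])
        market = pct_change(base_i, case.index[off])
        rows[label] = {"raw": raw, "market": market, "adjusted": raw - market}
    return rows


def revenue_yoy(case):
    """Year-on-year revenue change for the quarters supplied (Q-1, Q+1, Q+2)."""
    return {q: pct_change(prior, current) for q, (current, prior) in case.revenue.items()}


def rank_recovery(cases, horizon="+3m"):
    """Order cases from best to worst market-adjusted change at the horizon."""
    scored = [(c.name, event_window(c)[horizon]["adjusted"]) for c in cases]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample: the index gains 3% over the window, so a share that is
# flat in absolute terms has in fact lagged the market by 3 points.
INDEX = {-5: 10000.0, -2: 10000.0, -1: 10000.0, 1: 10000.0,
         5: 10100.0, 21: 10200.0, 63: 10300.0}
CASE_A = Case("Case A (constructed)",
              {-5: 100.0, -2: 100.5, -1: 100.0, 1: 98.0, 5: 99.0, 21: 97.0, 63: 94.0},
              INDEX,
              {"Q-1": (1000.0, 900.0), "Q+1": (950.0, 1000.0), "Q+2": (1020.0, 1000.0)})
CASE_B = Case("Case B (constructed)",
              {-5: 50.0, -2: 50.0, -1: 50.0, 1: 49.0, 5: 50.5, 21: 51.0, 63: 52.0},
              INDEX)

if __name__ == "__main__":
    for case in (CASE_A, CASE_B):
        print(case.name)
        for label, row in event_window(case).items():
            print(f"  {label:>4}: raw {row['raw']:+6.2f}%  market {row['market']:+6.2f}%"
                  f"  adjusted {row['adjusted']:+6.2f}%")
        print("  revenue YoY:", revenue_yoy(case))
    print("ranking by +3m adjusted change:", rank_recovery([CASE_A, CASE_B]))
```

Both constructed cases lose 2% on the first day, but only the second one ends the 3-month window ahead of the market; ranking on the adjusted figure rather than the raw price change is what keeps a general market rally from being read as a recovery.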

On the other hand, the second case selection method focuses on media news tracking. Studies on corporate reputation recovery often promote the nexus between media coverage and public opinion as an alternative method to measure reputational damages (Wartick, 1992; Carroll & McCombs, 2003; Eisenegger, 2005; Kim et al., 2017). Robertson (2012), in his study on the effect of timely communication response during a reputational crisis, tracked and analyzed news stories concerning the organizations involved over a period of 3 years. By looking at news peaks over time, he was able to find a positive relationship between delayed disclosure of information and negative media attention. Borrowing this methodological approach, this study will therefore extract an additional indicator for our analysis. Before tracking media and press releases for the response strategy analysis, this research will pair the financial evaluation of the organizations’ recovery with a media discourse analysis of their image during the crisis.

In this phase, only news from media outlets will be considered, differently from the following discourse analysis process, which will include press releases and social media posts. Understanding whether the news coverage of the crisis conveys a positive or negative image of an organization will help gather insights into a company’s reputational performance and provide an additional instrument to verify the effectiveness of its response to a crisis. In the context of data breaches, Kim et al. (2017), suggesting the adoption of a similar method, claimed that “very little is known about media portrayal of hacking” (2). While most attempts at creating an evidence-based method for tracking media in relation to reputation lacked a systematic approach, Mark Eisenegger in 2005 introduced the Reputation Index (Cravens, 2003; Weverbergh et al., 2007). This index is a refined version of the NPS index and similarly attributes to companies a score ranging between -100 and 100, with the former indicating only negative coverage and the latter only positive media coverage. The score is attributed by excluding the neutral coverage and applying the following formula:

After having calculated the Index coefficient per organization, we will compare the results to ultimately set a range among the cases observed. After having compared the results obtained from the range in stock devaluation and negative media coverage that followed the data breach, we will have obtained an evidence-based spectrum of the effectiveness of the recovery strategy of the cases observed. This preliminary assessment of the relevant press will be conducted using ProQuest, an automated online news search platform, monitoring the media coverage during the 3 months following each crisis. In calculating the Reputation Indexes (as well as in extracting the response strategies employed by the organizations), the media outlets of reference are the 5 main US newspapers in terms of distribution and influence. These are namely: , , , and USA Today. This choice, taken in conformity with most applied studies reviewed and updated rankings, as will be discussed in the next section, follows the selection of the US as the market of reference (Coombs & Holladay, 2009; Robertson, 2012; Kim et al., 2017; CMR, 2019). In case the volume of news retrieved from these outlets is not sufficient for depicting the image of a company portrayed by the media, and thus for obtaining a statistically valid Reputation Index coefficient, this investigation will contemplate news articles from alternative authoritative sources such as Forbes and The Financial Times.

The period of 3 months for the news monitoring process is chosen in parallel with the monitoring timeframe of the stock value fluctuations in the aftermath of the event. Both choices are based on the assumption, corroborated by Bischoff (2019), that the main reputational effects impacting an organization are registered in the period immediately following the event. This approach derives from the research of Kim et al. (2017) and Robertson (2012), who both applied media tracking and content analysis in conducting their studies. Similarly to changes in stock prices, which need to be analyzed in close proximity to the event in order to isolate possible confounding factors influencing their values, this study will consider articles and press releases published immediately after the event. This will allow us to discard news that surfaced at a later stage, which could have hampered the reputational standing of the organization in a second instance. While, as discussed in the next section, news that surfaced later in time could still be relevant for the purpose of the analysis in light of Robertson’s (2012) hypothesis, during the case selection phase this research aims at matching the timeframes for the statistical and news tracking analyses. This chronological coincidence between the two case selection methods employed should guarantee a faithful holistic picture of the organizations’ recovery in such timeframes. Ultimately, thanks to the methodological elaborations provided by Robertson (2012), Eisenegger (2005), and Bischoff (2019), this study will select the 2 most and least effective cases for each of the two controlled periods, for a total of 8 most significant cases.
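The Reputation Index step described above, as an added worked example (not the thesis’s own tooling). The thesis’s formula is not reproduced on this page, so the score computed here is the NPS-style share assumed from the description: (positive − negative) / (positive + negative) × 100, with neutral articles excluded, −100 for all-negative and +100 for all-positive coverage. The example also handles the two practical cases the text raises: articles outside the 3-month window are ignored, and when coverage from the primary outlets is too thin the supplementary outlets (Forbes, The Financial Times) are added. USA Today, Forbes and The Financial Times are the outlet names given on the page; the other primary outlet names, the volume threshold, the announcement date and every article are placeholders or constructed.

```python
"""Reputation Index from tone-coded news coverage (added example).

Not the thesis's own code. The NPS-style formula, the 10-article volume
threshold and all article records below are assumptions or constructed data.
"""
from datetime import date, timedelta

# USA Today, Forbes and The Financial Times are named in the text; the other
# primary outlets are placeholders (the thesis uses five US newspapers).
PRIMARY_OUTLETS = {"USA Today", "PRIMARY-OUTLET-2", "PRIMARY-OUTLET-3"}
SUPPLEMENTARY_OUTLETS = {"Forbes", "The Financial Times"}
WINDOW_DAYS = 90     # 3-month monitoring period after the announcement
MIN_ARTICLES = 10    # minimum volume for a usable index: an assumption
TONES = ("positive", "negative", "neutral")


def in_window(article, announced, window_days=WINDOW_DAYS):
    """True when the article falls inside the monitoring window."""
    return announced <= article["date"] <= announced + timedelta(days=window_days)


def tally(articles):
    """Count articles per tone; reject codes outside the three-tone scheme."""
    counts = dict.fromkeys(TONES, 0)
    for a in articles:
        if a["tone"] not in counts:
            raise ValueError(f"unknown tone code {a['tone']!r}")
        counts[a["tone"]] += 1
    return counts


def index_score(counts):
    """NPS-style score on polarized coverage only; None when there is none."""
    polarized = counts["positive"] + counts["negative"]
    if polarized == 0:
        return None  # undefined rather than 0: no polarized coverage at all
    return (counts["positive"] - counts["negative"]) * 100.0 / polarized


def reputation_index(articles, announced, primary=PRIMARY_OUTLETS,
                     supplementary=SUPPLEMENTARY_OUTLETS, min_articles=MIN_ARTICLES):
    """Score the 3-month coverage; add supplementary outlets if the volume is thin."""
    window = [a for a in articles if in_window(a, announced)]
    used = [a for a in window if a["outlet"] in primary]
    fallback = False
    if len(used) < min_articles:
        used += [a for a in window if a["outlet"] in supplementary]
        fallback = True
    counts = tally(used)
    return {"score": index_score(counts), "counts": counts,
            "articles": len(used), "supplementary_used": fallback}


def rank_by_index(results):
    """Best (least negative) coverage first; undefined scores go last."""
    return sorted(results.items(),
                  key=lambda kv: (kv[1]["score"] is None, -(kv[1]["score"] or 0.0)))


def _art(outlet, tone, days_after, announced):
    """Build one constructed article record."""
    return {"outlet": outlet, "tone": tone, "date": announced + timedelta(days=days_after)}


ANNOUNCED = date(2016, 5, 2)  # constructed announcement date
# Case X: 12 primary-outlet articles in the window (7 neg, 3 pos, 2 neutral)
# plus one article on day 120 that must be ignored.
CASE_X = ([_art("USA Today", "negative", d, ANNOUNCED) for d in range(0, 7)]
          + [_art("PRIMARY-OUTLET-2", "positive", d, ANNOUNCED) for d in (10, 20, 40)]
          + [_art("PRIMARY-OUTLET-3", "neutral", d, ANNOUNCED) for d in (3, 50)]
          + [_art("USA Today", "negative", 120, ANNOUNCED)])
# Case Y: only 4 primary-outlet articles, so supplementary outlets are added.
CASE_Y = ([_art("USA Today", "positive", 1, ANNOUNCED),
           _art("USA Today", "negative", 2, ANNOUNCED),
           _art("PRIMARY-OUTLET-2", "negative", 5, ANNOUNCED),
           _art("PRIMARY-OUTLET-3", "neutral", 9, ANNOUNCED)]
          + [_art("Forbes", "positive", d, ANNOUNCED) for d in (4, 8, 15)]
          + [_art("The Financial Times", "negative", d, ANNOUNCED) for d in (6, 12, 30)]
          + [_art("Forbes", "neutral", d, ANNOUNCED) for d in (7, 22)])

if __name__ == "__main__":
    results = {"Case X": reputation_index(CASE_X, ANNOUNCED),
               "Case Y": reputation_index(CASE_Y, ANNOUNCED)}
    for name, score in rank_by_index(results):
        print(name, score)
```

Returning None instead of 0 when no polarized article exists keeps a case with no usable coverage from being ranked as if its coverage were balanced, which is the situation in which the text falls back to Forbes and The Financial Times.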

4.3 Refining the case selection framework and the analysis process

As anticipated earlier, this study aims at conducting a comparative analysis based on a Most Similar System Design. This entails the selection of highly comparable cases that vary on the basis of the dependent variable, identified as the variance in effectiveness of the recovery from a reputational crisis. Additionally, as SCCT is centered around linking strategies to a determined level of attributed responsibility, the cases are selected on the basis of their structural similarities to reduce this differential to the minimum. These selection criteria include the volume and sensitivity of records disclosed, the method of breaching, the organization’s stock exchange, the presence of legal proceedings, and, in parallel, the timeframe selected.


First, in order to delimit the scope of this study to highly relevant cases, we proceed with calculating the effectiveness of organizational recovery in data breaches that caused the illicit disclosure of a significant amount of consumers’ records. To set an appropriate benchmark for the volume of compromised information, we rely on Bischoff’s (2019) categorization of data breaches, based on observations gathered in relation to 33 data breaches since 2008. Following this classification, we select data breaches in which over 1 million records were compromised. This will allow us to eliminate from the effectiveness test those cases that, due to their limited relevance for the public, might not have produced sustained reputational repercussions for the subject organization. At the same time, this scope reduction allows us to control crisis severity as an intensifying factor, comparing data breaches of similar size, which, if met with a similar response strategy, are expected to produce somewhat similar repercussions. An additional reason for selecting 1 million records disclosed as the numerical benchmark for selecting data breach cases stems from the fact that most of these events remain undetected. Section 2.1 of this research defined the concept of PR data breaches as online security incidents that produce significant reputational consequences. In light of the fact that only 1 in 100 data breaches is reported to the public, as affirmed by the Identity Theft Resource Center (2014), only those causing the disclosure of over 1 million records have a concrete chance of surfacing and being addressed by the media, and thus the potential to become reputational crises (Campana, 2009).

Another criterion utilized to demarcate the field of observations is built upon the sensitivity of the data disclosed during the breach. In fact, we preliminarily classify the sensitivity of disclosed information on the basis of the impact that its leakage could produce, and the degree of difficulty faced by the organization in applying corrective measures. An important distinction to be made in the context of data breaches is that, while passwords and login details can be promptly reset in the aftermath of a leakage, information such as credit card details, US social security numbers and health records can be directly leveraged for identity theft and credit card fraud, leaving little room for reparatory fixes (Bischoff, 2019). This distinction allows us to differentiate among different types of Personally Identifiable Information (PII), and to select data that can be directly leveraged for identification crimes without the need to be associated with a second identifier, such as passport numbers, national identification numbers, driver’s licenses or equivalent. This sub-category of PII, hereby defined as Primary PII (as opposed to Secondary PII), together with PCI (Payment Card Industry) data, which includes any protected financial information including card and account numbers, and PHI (Protected Health Information), relating to any medical information linked to a subject, constitutes a newly built category of “Highly Sensitive Information” (McCallister et al., 2010; InfoSec, 2015). In other words, we will only consider data breaches that, at a minimum, disclosed over 1 million records of highly sensitive information (HSI), be it Primary PII, PCI or PHI (InfoSec, 2015). The additional indirect advantage of adopting this approach is that it spares us from restricting our scope to a sectoral analysis. By selecting data breaches on the volume and level of information sensitivity, we do not limit our investigation to a single industry sector. Rather, this study will draw its observations holistically from the landscape of multinational organizations, narrowing the sample range exclusively on the basis of data breach characteristics, which are the core independent variables chosen for this most similar system design study. Moreover, this inclusive approach will provide the chance to expand the relevance of this research, and to reach conclusions on cyber crisis communication response practices valid for organizations at large.

Nevertheless, in addition to the volume and sensitivity of records disclosed, in order to maintain a level of comparability this research limits the case selection to organizations listed on the same stock exchange, namely the New York Stock Exchange (NYSE). As evidenced by Bischoff (2019) and confirmed by Szmigiera (2020), the NYSE, being the largest stock exchange in the world and accounting for 40% of publicly listed organizations, represents the most relevant pool for retrieving corporate data breaches. Moreover, stocks of companies listed on the same stock exchange share some traits according to investors’ perceptions and market of reference. In particular, the stocks of organizations listed on the NYSE represent most of the established major-league and traditional industrial businesses, which are perceived as more stable and whose prices are less volatile (Investopedia, 2020). The fourth condition for designating suitable PR data breach cases among the ones retrieved, as drawn from the literature in section 2.3, relates to the way these are executed. In fact, only cases of breaches by hacking will be eligible for the analysis. By applying this criterion, data breaches achieved in a physical locus (paper data loss, unauthorized entry), committed unintentionally (data leakages) or explicitly caused by negligence, malicious insiders or inappropriate security measures will be rejected. This will help keep constant the level of attributed responsibility and the comparability of the events (Khan et al., 2019). Finally, in order to further stabilize the influence of the crisis severity factor, whether the organization has been subject to legal proceedings will be considered a determinant element, as in such instances the direct costs (legal fees and expenses) and indirect costs (reputational damage) imposed by the data breach are expected to be considerably higher.

Lastly, as anticipated earlier, we aim at observing cases distributed over two different timeframes. As stressed by Reed (2014), only a few studies have observed the effectiveness of crisis response communication over time, and this study begins to bridge this gap. This chronological distribution will additionally provide the opportunity to isolate the role of currently observed trends such as the progressive digitalization of media communication and the evolution of social media. With regard to the period selected, on the basis of the observations derived from Bischoff (2019), we take the year 2013 as the watershed between the two timeframes in which data breaches will be observed. In particular, we will analyze events that occurred between 2007 and 2013 in the first period block, while the second cluster will be made up of data breaches that occurred between 2014 and 2019. This repartition is motivated by two reasons. First, acknowledging the evolution of social media as a potential concurrent variable, the cases in the first cluster are contemporary to the launch phase of all the most important social media platforms, whereas the second period represents the most prolific phase in their use. Second, setting the study around the second decade of the 2000s allows us to monitor the highest number of data breaches compared to any other decade in history (Kim et al., 2017; Zhou, 2020). Additionally, we purposively excluded the cases that occurred in 2020, as these events are too recent to be properly studied over time.

As addressed before, after having obtained insights into the recovery of the organizations considered and having selected the most and least positive cases, this research will then analyze these sets of corporate PR data breaches in light of SCCT to find out what strategies have been employed and what effects these produced. The collection and analysis methods will be based on the same tooling employed to obtain the preliminary evaluation of the organizations’ response using Eisenegger’s Reputation Index, within a timeframe of 3 months. Resorting to ProQuest as a research platform, we will produce a content and discourse analysis of the news previously monitored. In addition to news articles and organizations’ press releases, in order to depict the potentially game-changing effect played by the emergence of social media, in this phase posts published on the organizations’ Facebook and accounts will additionally be tracked to evaluate their narrative and reinforce the findings obtained from press releases. By implementing a coding structure in conformity with SCCT to analyze the findings obtained, this research will look at the differentials between the cases observed to isolate the concurrent independent variables that influenced the effectiveness of the response. In doing so, this research will closely monitor the relevance of the accepted “best practices” from the field of crisis communication and verify their validity (Ogrizek et al., 1999).

4.4 Methodology: Inter-periodic analysis vs Intra-periodic analysis

As said, although there is a combination of strategies that proved to be most effective when applied to particular events, the SCCT framework, in general, does not provide ex ante an all-embracing recipe for handling data breaches specifically (Tills, 2017). Rather, as recently pointed out by several critics of SCCT, this framework needs to be adapted to emerging types of reputational crises, as these do not always follow the patterns envisioned by Coombs (Bayarong, 2015; Tills, 2017; Reed, 2014). Another significant critique levelled at Coombs’ theory in recent times revolves around the disruptive effect that the evolution of social and digital media has had on the theoretical and practical dimensions of crisis communication. Nowadays, many experts identify in the role of social media a pivotal turning-point for achieving effective response communication during a crisis (Reed, 2014; Bayarong, 2015; Valentini & Kruckeberg, 2016; Spota, 2019; Jim Preen, 2020). This is not to say that SCCT cannot account for response strategies that include social media communication, but as Jim Preen simply put it: “SCCT responses were formulated back in 2007 when social media was still a toddler” (2020). This problem relates to the means and methods of communication as much as to emerging causes of reputational crises, such as data breaches. Understanding the need to verify and adapt the SCCT framework to an emergent typology of threats and to technological developments is a key recognition that drives the present research. Additionally, by applying the SCCT model to cases distributed across different periods, we will purposively analyze its validity over time, tackling these elements of contention.

However, this is not the only limitation that adds to the complexity of this investigation. As addressed in the literature review, more than a few contributions have highlighted how, despite appearing as a logically sound assumption, the claim that data breaches cause severe economic repercussions for the victim organizations could be disputed. In the aftermath of a breach announcement, stock prices initially drop, but in some cases they soon recover the initial losses and at times even report significant gains compared to the period of time preceding the crisis. Strikingly enough, this phenomenon would manifest itself regardless of the communication response strategy adopted, but rather because of financial speculation and investment opportunities created by the stock devaluation. Investors could buy significant shares of breached organizations, betting on their recovery, and by doing so effectively sustain it. This alternative hypothesis could partly hamper the significance of our methodological framework, as the independent variables (financial impact of breaches) would not necessarily support the variation in the dependent variables (communication strategies). To obviate this limitation, this research poses an alternative hypothesis advanced by Bischoff (2019) and Klebnikov (2019). These authors have in fact observed how older cases of data breaches were met with harsher market and media reactions than newer cases. This situation, according to those contributions, could be explained by the phenomenon of “Breach Fatigue”, which implies that the market and the public at large are becoming accustomed to instances of data breaches, and do not react as strongly as they used to. An alternative explanation, which acquires legitimacy in light of the studies consulted in this research, is that organizations are learning from past crises and becoming more aware and better prepared to manage data breach reputational crises. To test this dual hypothesis, this research, in addition to comparing data breach cases varying in degree of recovery within each of the two distinct timeframes selected (intra-periodic analysis), will outline a comparison between the two periods (inter-periodic analysis).


5 Analysis

5.1 Narrowing the scope: Building the Comparative Case Study

To obtain an exhaustive list of corporate data breaches eligible for the comparative analysis, this research resorted to Bischoff’s study (2019), the Privacy Rights Clearinghouse’s database, and the Identity Theft Resource Center’s (ITRC) annual reports from 2007 to 2019. In particular, to eliminate irrelevant cases, the collection was confined to corporate data breaches associated with the compromise of at least 1 million records. We additionally discarded those events where the information disclosed did not match the degree of sensitivity set as the parameter (HSI) to control the crisis severity factor and media resonance, thus excluding breaches where PCI, PHI or Primary PII had not been exposed. In this sense, a number of milestone corporate breaches such as the 2013 Yahoo and 2018 Under Armour cases, which featured respectively 83 and 150 million compromised account details (Secondary PII), have been factored out (ITRC, 2014, 2019; PRC, 2020; NYT, 2016). This groundwork examination generated a comprehensive inventory of 64 corporate data breaches, 28 of which occurred between 2007 and 2013 and 36 in the 2014-2019 timeframe, as shown in the corresponding Excel data sheet embedded in the Appendix section. Tables 1.2 and 1.3 illustrate the two worksheets created to partition data breaches within the two timeframes, ordering them by the number of records disclosed.

Notably, next to each company name, the second column reports the date of the first announcement released about the breach, either by third parties or by the organization itself. This preliminary screening provided an advantageous position for employing the 3 remaining selection criteria: the data breach cause, the stock exchange of the organization, and the certainty of legal costs. As evidenced by tables 1.4 and 1.5, out of the 64 cases assembled, 44 proved to be the consequence of hacking performed by external threat actors, whereas 13 cases in the first period and 7 in the second were primarily driven by loss or theft of critical hardware, paper data loss, malicious insiders or poor security measures. Interestingly, methods other than hacking are twice as common in the first period, and the majority of these are attributable to loss or theft of physical media, a category entirely absent in the second timeframe. Moving on to verifying the stock market listing criterion, the reduction is far more significant, with only 26 out of the 64 organizations included in this study being listed on the New York Stock Exchange. To be sure, this still represents 40% of the total number of organizations addressed within this study, matching exactly the ratio of NYSE companies to the overall number of listed companies worldwide discussed in the methodology. Nevertheless, as 9 of the total 26 NYSE-listed organizations were not breached by hacking, by cross-checking these two selection factors the list of organizations in scope decreases to 17. From a timeframe standpoint, of these 17 organizations remaining, 6 belong to the first period and 11 to the second. In fact, looking at the organizations involved in the 15 data breaches by hacking performed between 2007 and 2013, only 6 of these are listed on the New York Stock Exchange. Proportionally even fewer organizations among the 29 hacked in the 2014-2019 timeframe are listed on the NYSE, for a total of 11. Finally, by verifying the presence of legal proceedings, we found that, out of the total 17 companies remaining, an additional 4 had to be rejected from the analysis since no investigations were launched against them (Staples from the first period; JP Morgan 2014, Community Health Systems 2014 and T-Mobile 2018 from the second).

However, a considerable fraction of the resulting 13 data breach cases, of which 5 occurred during the 2007-2013 timeframe and 8 between 2014 and 2019, despite fully satisfying the structural selection standards, had to be excluded from the analysis due to contingent improprieties. These inadmissible data breaches are the one by Heartland Payment Systems (HPY) in the first timeframe, and those relating to Neiman Marcus (2014), SONY (2014), Experian-T-Mobile (2015), and (2017) in the second period. The case of HPY could not be taken into account due to the fact that the company was subsequently acquired by its competitor Global Payments, and as a result financial information relating to its historical stock records or profit performance for the period under scrutiny cannot be retrieved from public sources (Beckerman, 2015). Similarly, the case of Uber had to be discarded because the company went public only in 2019, two years after the breach, a fact that removes altogether the possibility of retracing its stock movement (Leskin, 2019). The Experian-T-Mobile breach of 2015, instead, can hardly constitute a comparable case because it is difficult to clearly divide the responsibility between the two entities. While the subject of the hack was the card merchant leader Experian, the server targeted by the attack contained exclusively T-Mobile customer details. Even if we were to say that both companies could have been hit by reputational damages for the event, it is impossible to discern ex ante their expected accountability, anticipating the reaction of the public. The blame chain is arguably affected by their co-participation in the event, thus contaminating the comparability of the breach with cases involving a single entity. As far as SONY and Neiman Marcus are concerned, the problem lies instead in the inherent limitations that arise from studying the data breach phenomenon. These events, as discussed in section 2.1, most of the time remain undetected because of the cybersecurity capacity gap constraining organizations’ defense efforts.

What is more, as argued by Campana (2009) and the ITRC (2020), even when recognized, these events are systemically underreported by organizations and media outlets. The SONY and Neiman Marcus cases are affected by this tendency most of all. In both cases, despite the meticulous efforts made by ITRC and PRC and the technical investigations conducted by KrebsOnSecurity, there is no definitive agreement over the exact number of records disclosed and, more importantly, over the date of the first public announcement. The absence of a clear-cut date for the public release of the data breach would intuitively impair the possibility of tracking the stocks or news in a precise control period. Notably, after having verified the comparability of the cases collected and reduced the scope to the ones that satisfy the selection requirements, the final dataset is composed of 8 corporate data breaches, distributed equally across the periods. Namely, the designated organizations breached between 2007 and 2013 are: SONY, Target, TJX and Global Payments. Those pertaining to the 2014-2019 timeframe are: , , Capital One Financial Corp, and Equifax. Each period features specialized retail companies, such as Target, The Home Depot and TJX, credit reporting and payment services companies such as Global Payments and Equifax, and insurance and financial service providers such as Anthem and Capital One Financial Corp. Lastly, the technology and electronics manufacturing giant SONY completes the list of cases constituting this comparative analysis.


Table 1.2: Period 1 2007-2013

Table 1.3: Period 2 2014-2019


Table 1.4

Table 1.5


5.2 Statistical recovery: stock and revenue analysis

As discussed earlier, the core objective of the following statistical analysis is to study the stock price movement of the selected organizations over a period of 3 months after the event, as derived from standard event study guidelines (MacKinlay,1997;Campbell et al. 2003;Hovav & D’Arcy,2004;Goel et al.2007). The price curves observed are expected to portray the trend of the financial and reputational recovery experienced by each organization through a statistical approach. For this purpose, the historical stock records have been extracted from Trading View, Yahoo Finance, Investopedia and MarketWatch. The first, a dynamic subscription-based platform for tracking share prices, by design offered the opportunity to compare the selected stock range directly against the NYSE Composite Index (NYA). In doing so, the values registered in the 3-month window have been checked against the overall performance of the market of reference, to isolate the influence of concurrent variables that could hamper the representativeness of the observations. Based on data accumulated on MacroTrends.com, the year-on-year revenues of each of the companies involved were additionally observed, providing a supplemental instrument for capturing the impact of the breach on the organizations’ economic performance. This measurement was applied to the fiscal quarter preceding the event and the two following it. By observing the stock trends of the companies breached between 2007 and 2013, as outlined in table 1.6, it is evident that none of these entities came out of the breach event unscathed. While their stock prices appear to remain practically stable during the pre-crisis phase, the impact of the breach on their share price is immediately visible from the very next day.

All the organizations included in the first period have in fact suffered a drop in their stock value during the 24 hours following the breach. More importantly, after the initial shock, none of the organizations was able to recover its stock price loss in the long term, as evidenced by the negative patterns recorded in the following months. In fact, the value of the shares of all the organizations further decreased during the 3-month window following the event. Target’s share price initially dropped from 63.93 to 62.73 (USD), registering a -1.9% in the first 24 hours after the event; while it gained ground a week after the breach announcement, it fell to 59.61 on the 90th day. Target’s stock price curve, portrayed in figure 1.4, while remaining undoubtedly negative in absolute terms, shows that after a drastic decline suffered within 2 months of the breach the company recovered most of the value lost. The retail giant ended up losing approximately 7% of its original stock value, but looking at its stock chart things could have gone a lot worse. TJX’s stock movement followed a similar pattern, illustrated in figure 1.5. The company stock dropped by 1% the day after the breach, decreasing from 7.46 to 7.38 USD, but continued its fall over the course of the following 3 months, reaching its lowest point at 7.08 on the 90th day. The accumulated loss of -5.1% over its original price, however, is the result of a positive comeback from a steady decline registered 2 months into the crisis, a trend closely resembling Target’s stock movement. Both companies, in fact, seemed to have contained the adverse effects of the crisis during the first weeks, but underwent a steep fall during the central weeks of the period observed and only partially recovered their losses towards the end. On the other hand, SONY and Global Payments’ stock price changes followed a far more linear path. While Global Payments’ stock price shifted from 26.29 USD to 23.75, losing 9.06% overnight, SONY’s shares only fell by 1.6%, from 28.44 to 27.98 USD. Although the two companies’ stocks had a different initial reaction to the breach, they behaved very similarly thereafter. Global Payments’ share value, after a drastic drop, continued to decline at a slower pace with short-lived improvements, eventually doubling its losses over the ensuing months. SONY’s stock, on the other hand, decreased marginally but steadily throughout the 3-month window.

The two trends, portrayed in figures 1.6 and 1.7, have nevertheless produced an astonishing value loss of -17.7% for Global Payments and -19% for SONY, between 3 and 4 times more than Target and TJX. To check the validity of these findings, the following table 1.7 contains the NYSE Composite Index (NYA) values corresponding to the timeframes observed. By assembling this dataset, it can be noted how the overall NYSE market capitalization remained quite stable during the timeframes of the Target and SONY data breaches, while being subject to more significant oscillations during the TJX and Global Payments windows. The NYA index increased by 5% during the development of the TJX breach, possibly making the percentage loss of -5.1% an overly optimistic projection and ultimately attenuating the apparent impact of the breach on the company’s financial performance. On the contrary, during the Global Payments data breach crisis the NYSE aggregated capitalization decreased sharply, potentially aggravating the negative momentum the company was navigating through. These imbalances, while relevant for the purpose of this investigation, should not be interpreted as confounding variables drastically altering the nature of the patterns observed, but rather as notable indicators for rounding off the final assessment at the end. As for the effect of the data breach on the companies’ revenue stream, addressed by table 1.8, a comparison between the year-on-year returns of the fiscal quarter preceding and the two following the announcement date seems to confirm the tendency observed in the stock analysis. With the exception of Global Payments, which does not publish revenue stream data for the spring quarter, the results emerging from Target and SONY outline a strong contraction in sales. While the YOY balance sheet turned negative for those organizations, TJX still seems to have seen its momentum affected.
All in all, the evaluation of the stock market performance and YOY revenue changes seems to reveal a negative relation between the data breach and the organization’s performance. While Target and TJX have shown modest signs of recovery from a certainly impactful event, Global Payments and SONY were drastically affected from a share value perspective.

Table 1.6

Table 1.7

Table 1.8


Figure 1.4 Source: Trading View

Figure 1.5 Source: Trading View


Figure 1.6 Source: Trading View

Figure 1.7 Source: Trading View


Shifting our focus to the second group of cases, which occurred between 2014 and 2019, the general performance trend seems to go in the opposite direction. Strikingly, two of the breached organizations, Anthem and The Home Depot, registered a substantial increase in their stock value during the timeframe observed (Figures 1.8 and 1.9). As illustrated in table 1.9, Anthem’s stock price rose by just 0.2% one day after the breach, but it grew steadily over the course of three months, reaching a price of 155.84 USD, 13.4% over its original one. The Home Depot’s stock value behaved almost identically, increasing by 1.2% 24 hours after the breach, and by 13.4% 3 months later. However, the other organizations did not share in this rosy picture (Figures 1.10 and 1.11). Capital One Financial Corp. lost over 6% of its stock value initially, but after enduring an even larger drop during the first 40 days, it embarked on a recovery that reduced the gap to just -2.9%. The same cannot be said for Equifax. The impact of the breach on the consumer reporting giant caused the organization to lose a disastrous 12.9% of its stock price right after the incident came up in the news. Equifax’s recovery trend has clearly failed to alleviate the effects of the shock: after hitting rock bottom at 66% of its original value on day 7, it stabilized at 116.83 USD, 16.4% less than its price 3 months before.

Considering the aggregated market capitalization flow in the corresponding timeframes, in comparison with the previous case group, the NYA Index maintained a stable gain throughout the windows analysed (Table 1.10). As for the recovery patterns observed, the only significant exception to this state of affairs is the Equifax case. In spite of the ravaging fall registered by Equifax’s stock price, the rest of the accumulated NYSE market base grew moderately in the same period, possibly hiding even more serious consequences for the organization’s share value. As was the case for the 2007-2013 group, the year-on-year periodic revenue data sustains what has been discussed so far (Table 1.11). None of the companies included in this segment reported negative growth compared to the same quarter of the year before. While Capital One saw its marginal improvement reduced in comparison to the previous quarter, and Equifax’s revenue trend remained surprisingly unscathed, these findings de facto confirm the results of the stock performance analysis.


Table 1.9

Table 1.10

Table 1.11


Figure 1.8 Source: Trading View

Figure 1.9 Source: Trading View


Figure 1.10 Source: Trading View

Figure 1.11 Source: Trading View


5.3 News Media tracking and Reputation Index scores

After having evaluated their financial performance in the aftermath of the breach, this investigation moves on to assessing the reputational stance of the breached organizations as depicted by the media. To do so, this research calculates the Reputation Index coefficient on the basis of the type of narrative frame adopted by media articles in describing the events to their audience (Eiseggher,2005). The news sources have been collected through ProQuest, searching the selected media outlets’ archives for publications related to the crisis event within a 3-month window in the aftermath of the breach. As anticipated in the methodology section, the media outlets of reference are The New York Times, The Washington Post, The Wall Street Journal, and USA Today. Completing the source list as needed with articles published by The Financial Times and Forbes, an inventory of 78 news articles was assembled, setting the bar at a minimum of 6 articles per case. 47 news stories were retrieved for the first period and 31 for the second.

The qualitative evaluation of the news content is based around the notion of attributed responsibility, which according to the SCCT guidelines is the foundational element for determining the nature and the stance of a reputational crisis. The assessment scale at the basis of the Reputation Index, in fact, is built upon the extent to which the information released relates the responsibility for the crisis to organizational misconduct. As a consequence, in this study, the attribution of the nominal values “positive”, “neutral” or “negative” to the news tenor was subordinated to the degree of attributed responsibility and to the presence of derogatory statements and inflammatory remarks undermining the image of a company, both in terms of cybersecurity posture and crisis response efforts. Furthermore, given the specific nature of the topic addressed in the articles, the value scale is naturally tipped towards a negative tone, rendering any positive statements detaching the company from the crisis (transcendence) or praising its past and present behavior (bolstering) particularly significant factors from a weighting perspective.

5.3.1 Period 1

The TJX Data Breach

The earliest data breach case treated in this research is the TJX case, which broke the record for the number of records disclosed and soon became the base case study on data security handling for years to come. The chronicle of the events reports that a group of hackers known as the “Gonzalez gang” intruded into the company’s systems, leveraging in-house computer stations as entry points, and then stole unencrypted data in transit containing the details of more than 45 million credit cards, a number later increased to 94 million (Vennanameni,2016). The case, over the years, sparked several criticisms targeting the cybersecurity posture of the organization, from failing to implement PCI protection requirements, to outdated methodologies, to a lack of vigilant access controls. At the time, however, the data breach phenomenon had yet to become the routine occurrence it currently is, an element that influenced the development of the crisis in every aspect. From a vague state-based regulatory regime to widespread cyber illiteracy, the TJX data breach was treated as an unprecedented phenomenon by every actor involved, including from a journalistic perspective (Chickowski,2008).

Starting from the 17th of January 2007, the search yielded 7 articles addressing the matter. Of these 7 news stories, 3 were published immediately after the event. These early news reports, released by the New York Times (NYT), refrain from directly pointing fingers at TJX, but demonstrate a tendency to address the event as one episode of an emerging, wider problem. These articles, in addition to reporting instructing information from the company’s press release, tended to downplay the significance of the event, claiming that ongoing investigations had yet to dig up evidence of fact and that projections made around the number of records might have been too pessimistic (Dash,2007a,2007b;Stone & Dash,2007). Notably, one news story by the NYT, addressing the fact that the regulatory requirements were not being adequately enforced and claiming that TJX should not be seen as the only responsible party, asserted that "It's a collective problem with collective responsibility” (Nakashima,2007). Moreover, along with reporting the concerns expressed by TJX management, this article reduced the size of the disclosed records to “substantially less than millions” (Dash,2007). While we marked the latter news report as positive, as it entirely shifted the blame away from TJX, later news surfacing in the Wall Street Journal (3) (WSJ) and the Washington Post (1) somewhat reversed the verdict. In the months following the breach, this set of news started to address the impressive proportions of the data breach and to write about serious concerns arising from the banking sector, along with declarations from victims reporting fraudulent activities on their accounts.

The crisis became real, and TJX, in the eyes of the public, appeared to be on the defensive, dismissing inflammatory claims: “We're not commenting about what others are saying about the situation” (Pereira,2007a). A month into the crisis, a WP news story set the timeline straight by asserting that the breach had started at least 18 months before and that TJX simply had “no idea what was going on” (Pereira,2007b). By this point, TJX’s cybersecurity failures were widely discussed in the media, which repeatedly referred to sources inside the company to ridicule its security posture: “It was as easy as breaking into a house through a side window that was wide open” (Sidel,2007). The first references to apology statements are mentioned at the end of the 3-month window, indicating that the crisis was hardly treated for its level of attributed responsibility. While one article assumed a particularly soft stance in treating TJX’s role in the crisis, and two did not express elements significantly impacting TJX’s reputational image, 4 news stories, published from one week to three months after the event, painted a significantly worse picture. The Reputation Index is calculated by subtracting the negative (4) coverage from the positive (1), multiplying by 100 and dividing by the total number of articles (7) retrieved. It follows that TJX’s Reputation Index score equals -43, a result obtained by applying the following formula: (1-4)x100/7.
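The market-adjustment check of section 5.2 and the Reputation Index formula above, combined in an added Python example that is not part of the thesis. Share prices and article counts are the ones quoted in the text; the NYA index levels are constructed placeholders chosen only to reproduce the "+5%" (TJX) and "stable" (Target) index movements the text describes.

```python
from dataclasses import dataclass


@dataclass
class StockWindow:
    """Share price and NYSE Composite (NYA) levels over a 3-month breach window."""
    name: str
    price_before: float   # closing share price (USD) the day before the announcement
    price_day1: float     # closing price one trading day after
    price_day90: float    # closing price on the 90th day of the window
    nya_before: float     # NYA level at the start of the window
    nya_day90: float      # NYA level at the end of the window


def pct_change(start: float, end: float) -> float:
    """Percentage change from start to end, e.g. 63.93 -> 62.73 gives about -1.9."""
    if start <= 0:
        raise ValueError("start value must be positive")
    return (end - start) / start * 100.0


def raw_return(w: StockWindow, day: int = 90) -> float:
    """Unadjusted share price change after 1 or 90 days, the figure quoted in table 1.6."""
    if day not in (1, 90):
        raise ValueError("only day 1 and day 90 are tabulated")
    end = w.price_day1 if day == 1 else w.price_day90
    return pct_change(w.price_before, end)


def market_return(w: StockWindow) -> float:
    """Movement of the NYA over the same window (the comparison made in table 1.7)."""
    return pct_change(w.nya_before, w.nya_day90)


def market_adjusted_return(w: StockWindow) -> float:
    """Share return minus the index return: the breach effect net of the market trend.

    A rising index makes the raw loss look milder than it is (the TJX situation);
    a falling index makes it look worse (the Global Payments situation).
    """
    return raw_return(w) - market_return(w)


def market_effect(w: StockWindow) -> str:
    """How the market backdrop distorts the raw figure, in the wording of section 5.2."""
    m = market_return(w)
    if m > 0:
        return "attenuated"   # raw loss understates the damage
    if m < 0:
        return "aggravated"   # raw loss overstates the damage
    return "neutral"


def reputation_index(positive: int, neutral: int, negative: int) -> float:
    """(positive - negative) x 100 / total articles; the text rounds the result."""
    total = positive + neutral + negative
    if total == 0:
        raise ValueError("no articles coded for this case")
    return (positive - negative) * 100.0 / total


# Share prices are the ones quoted in section 5.2; the NYA levels are constructed
# placeholders chosen only to reproduce the "+5%" (TJX) and "stable" (Target)
# index movements the text describes.
TJX = StockWindow("TJX", 7.46, 7.38, 7.08, nya_before=9000.0, nya_day90=9450.0)
TARGET = StockWindow("Target", 63.93, 62.73, 59.61, nya_before=9000.0, nya_day90=9000.0)

# Article counts (positive, neutral, negative) as coded in section 5.3.
COVERAGE = {
    "TJX": (1, 2, 4),
    "SONY": (0, 1, 9),
    "Target": (6, 6, 12),
    "Global Payments": (1, 2, 3),
}

if __name__ == "__main__":
    for w in (TJX, TARGET):
        print(f"{w.name}: day1 {raw_return(w, 1):+.1f}%  day90 {raw_return(w):+.1f}%  "
              f"market-adjusted {market_adjusted_return(w):+.1f}% ({market_effect(w)})")
    for name, (p, n, neg) in COVERAGE.items():
        print(f"{name}: Reputation Index {reputation_index(p, n, neg):.1f}")
```

With the constructed +5% index move, TJX's -5.1% raw loss becomes roughly -10.1% once the market trend is subtracted, which is the "overly optimistic" point the text makes.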

The SONY Data Breach

The data breach that struck SONY began on the 17th of April 2011 and caused the compromise of 77 million records and a PlayStation Network outage of over 20 days. Given that the attack was initiated through a DDoS campaign, consequently disrupting the online functionality of the gaming platform, users directly experienced the consequences of the hack long before the company made its first public statement about it. In fact, according to the press, SONY realized that the attack was not merely directed at taking its systems down, but also at exfiltrating sensitive data, only thanks to a notification from an external security company one week after the event. The organization started its communication response playing catch-up, and its lack of preparedness was harshly met by the press from the beginning. Of the 10 news stories retrieved for this case, only 1 did not directly accuse the company of wrongdoing: a single article published by the Washington Post on April 27 tackled the crisis from an operational standpoint and provided the audience with guidelines on how to protect themselves (Tsukayama,2011a).

Instead, the main narrative held by the 6 articles published in the first week after the breach announcement (26th of April) and the 3 written in the following months was centered around SONY’s shortcomings in dealing with the crisis. Various critics blamed the company for delivering late and inadequate information (through sporadic PlayStation blog entries), for initially dismissing the event as a routine incident, for the failed attempt at scapegoating the hacktivist group , and ultimately for its “lack of transparency and their seeming inability to issue clear, unambiguous instructions to their (former) customers” (Noer,2011). The tone of these news stories could not have been worse, as they directly contrasted SONY’s ineptitude with its better equipped competitors (’s XBOX among others), claiming that SONY in comparison “has failed the internet” and that without completing a transformation process “it will be a fallen giant indeed.” (Brown,2011;Schiesel,2011). While the Japanese conglomerate was firmly denying that hackers could have been in possession of credit card information, card frauds linked to the breach began to feature in the press, together with mentions of several class action lawsuits being launched against the organization for encryption security failures and violations of consumer laws (Menn,2011;Bilton & Stelter,2011). For instance, drawing on several accounts claiming that the company was known to be extremely vulnerable in cyber security terms, one article by the Financial Times retraced SONY’s IT security shortcomings, claiming that it “failed to encrypt data and establish adequate firewalls to handle a server intrusion contingency, failed to provide prompt and adequate warnings of security breaches, and unreasonably delayed in bringing the PSN service back on line” (Palmer,2011).

While this media crusade continued with titles containing expressions such as “abysmal response”, “SONY faces fury” and “A test for consumer trust”, the media began to report on ongoing FBI investigations and to reference directly the words of political figures, such as US Senator Richard Blumenthal, who commented: “The facts show SONY purposefully deceived people and misled them before, it has now finally begun coming clean” (Menn,2011; Noer,2011; Schiesel,2011; Tsukayama,2011b,2011c). In sum, it was not possible to retrieve a single positive or ambiguous comment concerning SONY’s performance throughout the crisis. With the exception of a neutral instructive media article, 9 out of the 10 sources analyzed carried strong attributions of responsibility and very definite negative connotations, which, following the Reputation Index formula (0-9)x100/10, assigns the SONY security breach a score of -90.

The Target Data Breach

To this day, the corporate crisis that affected Target in December 2013 remains one of the most publicized data breach incidents. The hackers exfiltrated a final count of 110 million records, penetrating the company’s server environment by leveraging third-party vendor credentials into poorly segmented POS systems. Although the company had already been investigating the case, the incident was first reported by KrebsOnSecurity, which immediately put Target on the defensive (Davidoff, 2019; Srinivasan et al. 2016). In analyzing the media coverage of the case, we retrieved a total of 24 news stories dedicated to it, which surfaced at different times throughout the crisis. From a thematic perspective, the press flow can be divided into 3 different stages. Articles published during the first week (4), although not addressing the actual scale of the incident, were already able to anticipate the gravity of the reputation risk faced by Target. These news stories referred to the fact that Target was not being transparent, declining to comment on the details of the breach, and anticipated the risk of fines and profit losses during a critical time of year for the retail corporation (the Christmas holidays). These media reports raised the question of whether the attack was, in fact, sophisticated, as argued by the company, or instead driven by the exploitation of existing vulnerabilities (Timberg et al.2013;Snider,2013;Eversley & Hjelmgaard,2013).

However, in the early phases of the crisis, 2 sources remained cautious regarding the role of Target in the data breach, claiming that such instances are common across sectors and that the role of states in preserving data security should be enhanced (Prah,2014; Tsukayama,2013). Surprisingly, after the breach was announced, the number of news stories increased sharply (15), and in particular, the tone of the news was fragmented between accusatory and accommodative stances. 5 of these news pieces negatively outlined Target’s role in the crisis, focusing on the size of the breach, which shifted from the initially announced 40 million to a total of 110 million, and on the economic and legal repercussions suffered by the company, including a 46% drop in quarterly sales, the closing of 8 store facilities and more than 50 incoming class actions. However, the most common angle taken by these sources was centered around the insufficient cybersecurity preparedness of Target, demonstrated before and during the event (Malcom,2014;NYT 2014;Harris et al.2014, Kratsas,2014). Reported statements from security experts widely addressed the fact that Target had been warned before about its insecure systems, but de facto ignored the issue, deciding to keep updating its payment terminals.

The wording chosen for describing the cybersecurity state at Target in itself helped to convey a negative image of the company, with one source describing Target’s systems as “astonishingly open” and another claiming that Target “foolishly resisted” the introduction of more secure chip-based cards because they were deemed too expensive. Additionally, Target’s response was described as evasive and superficial by most of these accounts, as its executives initially refused to disclose details of the crisis, declaring themselves to be in compliance with regulations and limiting their comments to effusive apologies (Yang & Jayakumar,2014; Jayakumar & Tsukayama,2014;Tsukayama,2014a). Nevertheless, as news that the hackers had penetrated the systems through third-party vendors was starting to come up, a series of articles by the Washington Post and Wall Street Journal (6), 45 days into the crisis, started to paint a more lenient picture of Target’s response efforts, including reporting comments from crisis managers praising the organization for its compensation commitments and the CEO’s communication response efforts through interviews, emails and videos. It was reported how CEO Gregg Steinhafel was using these communication channels to convey instructing information, apologies and compensation plans, which according to the news authors were helping to reassure the public, consequently preventing stock prices from falling further. At the same time, according to these articles, the company was retaining customers and shareholders by adopting communication strategies by the “playbook” (McGregor,2014).

Finally, this stream of coverage that adopted more positive frames presented an alternative narrative of the events, addressing the issue of contractor relationships as a source of cyber vulnerability, de facto shifting the blame onto insecure smaller companies paving the way for hackers to breach major corporations (Langley,2014;Tsukayama,2014b;Jayakumar,2014a,2014b; Douglas & Timberg,2014). In between these two opposed blocks of media coverage, 4 news stories provided instructing and contextual information about the crisis, or addressed the issue in general terms, neutrally balancing attributions of responsibility with vague comments such as “it happens every day, everywhere” (Eversley & Hjelmgaard,2014; Ziobro,2014a; Harris,2014a, Perlroth,2014). Thirdly, during the last stage of the monitored timeframe, 5 articles strongly reinforced attributions of responsibility. Between the end of February and the beginning of March, new facts were coming to light, including the resignations of Target’s senior technology executives, and congressional hearings had begun, initiating a new phase of the crisis. In addition to what was previously discussed, this fraction of slanderous press addressed Target’s image recovery difficulties, portraying internal divisions among executives, overwhelmed call centers, CEO communication struggles, costs in the order of 1 billion dollars and insufficient compensation efforts leading to contractions in Target’s consumer base (Jayakumar,2014b;Harris & Perloth,2014;Harris,2014b;Malcolm,2014b;Ziobro,2014b). Overall, the impressive amount of coverage produced around the Target breach case can be divided as follows: 6 positive, 6 neutral and 12 negative news stories. Therefore, the cumulative score attributed to Target through the Reputation Index formula equals -25 [(6-12)x100/24].

The Global Payments Data Breach

In comparison with the previously discussed corporate crises, the one navigated by Global Payments attracted far less media coverage, and most importantly all 6 articles retrieved were published in the first week of the crisis. The hack, initially brought up by KrebsOnSecurity, caused the alleged compromise of 10 million payment card accounts by exfiltrating company databases during transaction times. Two media reports published by the WP and the WSJ introduced the news by downplaying the proportions of the breach, drawing a direct comparison with previous cases featuring more records disclosed. These reports included dismissive statements referring to Global Payments as a “little known company” or asserting that hackers got their hands only on a portion of the server (Tsukayama,2012; Sidel & Johnson). Similarly, these articles related the issue to structural vulnerabilities that were currently affecting payment service merchants at large, excluding Global Payments as the only party at fault, and used their platform to provide operational information such as emergency contacts made available by the company.

While these news stories still outlined worrisome consequences that the breach could have caused, one article published by Forbes on the 3rd of April described the issue by detaching Global Payments from the responsibility for the event, asserting that the company “merely passes on transaction details to card networks like Visa and MasterCard” and that it had already taken the necessary measures to contain the leakage (Trefis Team,2012). In a paragraph titled “Global Payments: Your Money is Safe”, this source went further in reassuring the public by claiming: “don’t worry too much if you are a debit or credit card user. The breach has only exposed a small fraction of the total cards in use. Even if you are among the unlucky few, remember that you wouldn’t be liable for any unauthorized transactions on your card” (Trefis Team,2012). On the other side of the spectrum, 3 articles published around the same dates addressed the crisis by restoring the central role played by Global Payments in it. These news stories, published by Forbes and the New York Times, reported the incident by centering the news on the decision by Visa to remove Global Payments from its list of “compliant service providers” (Kosner,2012; Silver-Greenberg,2012a,2012b).

This negative coverage, along with reporting that card service providers are the weakest link in the payment chain in terms of cybersecurity, redirected the responsibility for the event towards Global Payments, claiming that this was not the first security incident involving the organization. One source in particular, which defined the breach as “massive” in its title, closed its piece by capturing the gravity of the incident in terms of damages suffered by consumers: “Even if they (consumers) are not actually liable for any fraudulent charges, their lives can be disrupted significantly at any moment—and nobody gets reimbursed for that” (Kosner,2012). In regard to this breach case, together with 2 accounts treating the event neutrally, we have thus retrieved 1 news story positively painting the role of Global Payments in the crisis, and 3 which instead directly tainted its image by placing the company at the source of the crisis. The calculated Reputation Index, therefore, amounts to -33.3 [(1-3)x100/6].

5.3.2 Period 2

The Home Depot data breach

The Home Depot corporate crisis followed the Target case in a long list of data breaches affecting retail corporations. As in the case of Target, the first to bring the case to light was Brian Krebs, but unlike the former, The Home Depot corporate breach was far less advertised in the media. The comparison between the two cases was a central and recurrent theme among the sources consulted (Siedel,2014). The search yielded 6 media stories during a window of 3 months, divided into a first series published in the days after the announcement, and a second wave around the first half of November, 45 days into the crisis. However, apart from an article published in the NYT the day after Krebs’ announcement, the rest of the media coverage did not feature noteworthy negative connotations, with 3 stories even distancing the company from the event. A testimony to that is the fact that the hack was immediately described as a highly sophisticated attack executed through “custom-built malware”, a reasoning paired with repeated speculation over the involvement of Russian criminals (Peterson,2014;Creswell & Perlroth,2014;Winter,2014).

These common references to external attackers and unprecedented techniques shifted the focus away from The Home Depot’s vulnerabilities. More specifically, the news articles reported comments from various industry experts voicing reassurance over the security posture of the organization, which had reportedly already implemented chip and PIN based card technologies, and developed a “major security project that fully encrypts its payment data at its point-of-sale terminals in U.S. stores” before the attack was carried out. These advancements were discussed in terms of lessons learned from previous corporate breaches of the same kind, in particular Target’s case: “After the Target theft (..) the company started introducing in some of its stores enhanced encryption that scrambled payment information the moment a card was swiped.” (Winter,2014;Banjo,2014) This portrayal was accompanied, in the vast majority of sources encountered, by a very consistent reporting of company updates over the results of the investigation and detailed expressions of apology, which dominated the narrative from the beginning. For instance, a WP article published the day after the breach was announced reported in its introductory lines that the malware “has been eliminated from the company’s systems” rather than questioning how it was dropped in the first place. In particular, all sources consulted extensively addressed the company’s compensation scheme, consisting of free credit monitoring and gift cards, from the beginning.

Once again, direct references to the company’s updates allowed The Home Depot to be quoted directly across the sources consulted, in particular to convey rectification messages about commitments to prevent similar occurrences. For instance, as reported by Vinton (2014) on Forbes: “The Home Depot says it plans to have EMV “Chip and PIN” technology in all stores in the United States by the end of the year, ahead of the retail industry’s 2015 deadline”. While two articles placed the crisis in connection with The Home Depot, they did so by reporting the organization’s admission of guilt, contextualized in the larger scheme of cyber incidents affecting the retail sector: “Thefts like the one that hit The Home Depot — and an ever-growing list of merchants including Albertsons, UPS, Goodwill Industries and Neiman Marcus — are the “new normal,” according to security experts” (Banjo,2014). One of these two articles, marked as neutral, despite comparing it to the Target case, claimed that the data breach affecting The Home Depot was going to be less expensive (Vinton,2014). On the other side, confirming how much the frames adopted can change the reality conveyed to the public, one article reported several statements placing the responsibility for the crisis back in the hands of The Home Depot. Creswell and Perlroth (2014) wrote in the NYT that a number of The Home Depot’s employees had stated that the organization’s responsible parties were well aware of existing vulnerabilities and that the management dismissed the concerns voiced by internal IT teams. By reporting internal staff comments, this media story conveyed that The Home Depot had relied for years on outdated security controls and rarely performed maintenance checks on its systems. Despite confirming the high level of sophistication of the attack carried out against The Home Depot, this source eventually asserted that “despite alarms as far back as 2008, The Home Depot was slow to raise its defenses”. 
To summarize the observations made, 3 sources discussed the participation of The Home Depot in positive terms, 2 in a neutral way and finally 1 recognized the company’s negative handling of the problem. As a result of the Reputation Index formula, the coefficient is equal to +33.3 [(3-1)x100/6].

The Anthem data breach

The largest health care-related data breach to this day is the one that impacted the private insurer Anthem around December 2014, but, unlike most data breaches treated so far, it was disclosed by the company itself on February 4th 2015. News items surrounding this event retrieved in this research amount to a total of 8, and with the exception of 1 news story, they were all published in the first week after the breach was announced. The breach, initially put at 37.5 million records and later revised to 80 million records of PII including social security numbers, did not lead to the compromise of medical records (PHI). Nevertheless, the fact that the company self-detected and announced the issue autonomously, besides becoming a recurrent theme in the media coverage, arguably placed the organization in an advantageous position. Of the 8 media articles retrieved, 6 discuss Anthem’s handling and response performance with clearly positive connotations.

First and foremost, the company was widely praised for its timely and proactive notification of the breach. Several references across these sources were made to the fact that the healthcare insurer disclosed the hack only days after spotting the intrusion within its systems, which, as reported by the Wall Street Journal on February 4, “may signal a changing attitude among corporate executives about rapid disclosures in the wake of breaches of companies including Target Corp. , The Home Depot Inc. and Entertainment Inc” (Mathews,2015;Yadron,2015). This paradigm shift was a key factor in captivating the media narrative of the events. Various references were made to cybersecurity experts (such as a FireEye managing director or Indiana University professor Fred Cate) and FBI officials endorsing Anthem’s response approach in direct contrast with the usual modus operandi: “organizations don’t typically provide notification this early on” (Abelson & Goldstein,2015a,2015b;Mathews,Yadron,2015). In addition, several reports indicated that the attack was highly sophisticated and pointed the finger at Chinese criminal groups (scapegoat), as well as informing the audience about consistent investments made by Anthem prior to the breach and its commitment to improving its cybersecurity stance by upgrading encryption standards on its database (bolstering and rectification). While one article focused on providing instructive information to the public on the steps to be taken (neutral), the vast majority of these media stories addressed the issue from a general perspective, indicating how healthcare insurers are increasingly becoming a target of malicious attackers because of custom vulnerabilities, thus contextualizing Anthem’s liability in the wider picture (Bernard,2015; Abelson2015,Creswel,2015;Weise,2015a).


While describing this new trend in cyber-attacks, these media stories specified that the attackers did not exfiltrate medical records, reducing the gravity of the fact and lifting Anthem from additional responsibilities. In fact, as reported in USA Today on February 5, “the breach would not come under HIPAA rules, the 1996 Health Insurance Portability and Accountability Act, which governs the confidentiality and security of medical information” (News Source,2015). Together with commending Anthem’s collaborative efforts with law enforcement and the relevant authorities, these articles extensively reported the company’s updates on the investigation, apology statements and operational information about the emergency contacts made available. On the other hand, an article published on February 7, the last in chronological order, addressed the topic of 4 lawsuits being launched against Anthem for suspected misconduct related to the protection of its database, which allegedly hosted all patients’ details in one location. As this news story reports the comments of FBI officials investigating the matter, it represents the only voice out of the chorus concerning Anthem’s stance in the crisis (Weise,2015b). The final reputational score counts 6 positive stories and only 1 negative out of the 8 retrieved, adding up to a coefficient of +62.5 derived from the formula (6-1)x100/8.

The Equifax data breach

The cyber-attack that gained access to Equifax databases between March and July 2017, exfiltrating around 143 million consumers’ PII from the credit reporting agency’s systems, is the largest data breach considered within this study. Equifax announced the breach on September 7, but this did not spare the organization from significantly negative coverage of the event, and in particular of its corporate image. The entire body of press news retrieved (10), despite the attempt made by the agency to be upfront about the crisis, turned out to be an inventory of Equifax’s mistakes committed before, during and after the event. From the beginning, the news associated the event with allegations of insider trading by 3 company executives who sold Equifax stock for the amount of 2 million before the breach was announced, and with accusations concerning the significant delay in the disclosure of the fact.

This narrative was further exacerbated by the evasive and dismissive comments reportedly made by the organization’s executives, both in regard to the details of the breach and to the stock sale scandal (Dastagir,2017;Mccoy,2017;Andriotis et al.2017;Weise et al.2017;Weise,2017;Bernard,2017;Merle,2017). Equifax’s handling of the situation proved wildly inefficient, prompting an article written 4 days after the agency’s announcement to provide customers with information on how to freeze their credit accounts. The crisis response framework set up by Equifax was regarded as a disaster by multiple sources, which reported consumers’ outrage in relation to malfunctioning websites, a non-responsive Twitter account and unreachable call centers.


Equifax’s failure to cope with the crisis soon became the crisis itself. One media story described how “Equifax's struggle to deal with the fallout from a massive security breach is growing as lawmakers are asking questions about what happened and more consumers are lawyering up” (Weise et al.2017). From a cybersecurity perspective, later news provided more ground for criticism, revealing that the company was using flawed software and had failed to patch well-known vulnerabilities for over a year, despite the fact that Equifax executives had themselves stated in the annual report to have been a “regular target” for years (Andriotis et al,2017). In particular, according to an article published on October 6 by the WSJ, the MSCI index had in 2016 removed Equifax from its listing of businesses deemed sustainable, after flagging its security issues to the organization and assessing that Equifax “was ill-prepared to face the “increasing frequency and sophistication of data breaches” (Loder,2017).

As if the situation was not serious enough, 30 days into the crisis, two media stories reported that Equifax customers had been redirected to a new company webpage where hackers had installed malware, which in turn provided Equifax spokespersons with another opportunity to reportedly deny the fact and scapegoat third-party contractors (Rapoport et al.2017). As reported by a USA Today article published on October 12, the company stated that those additional 2.5 million customers affected were simply victims not counted in the previous incident, which led the source to comment that “The breach and, even more so, Equifax’s handling of it angered lawmakers” (Guynn,2017). In light of these facts, the totality of media articles consulted was assigned a negative value, consequently adding up to a Reputation score of -100, the lowest possible coefficient [(0-10)x100/10].

The Capital One Financial Corp. data breach

The most recent data breach case among the ones discussed in this research, which put at risk around 100 million Capital One consumers’ PCI information, is also the only case where the hacker responsible for the attack was caught within the window of 3 months in which the crisis was monitored. The fintech bank retrieved evidence of the hack by performing a routine scan of its systems, after being pointed to a potential vulnerability in its database. Paige Thompson, later arrested for computer fraud and abuse, allegedly penetrated the cloud-based storage of the fintech company through a firewall misconfiguration, harvesting customer data in the millions. As it turns out, the narrative adopted by the news coverage assembled, containing 7 news stories, demonstrated a somewhat indulgent stance towards the organization, primarily on the basis of two parallel themes. First, given that the media had already been presented with a responsible party for the event, none of the news retrieved explicitly linked the crisis to Capital One’s responsibility (Hong et al.2017;Baig et al2017;Telford et al,2017;Siegel,2017;Tiko,2017). Secondly, the good reputation surrounding Capital One as one of the most technologically advanced enterprises in the market significantly softened the tone of the media coverage, by putting the case in contrast with an otherwise consistently good reputation. In fact, even the 4 sources (marked as neutral) which negatively associated the data breach with the organization did so by concentrating the focus of the story on Capital One’s leadership and pioneering role in guiding financial services towards innovative digital solutions, as the WSJ headlined on July 31: “hack hits reputation of the tech-savvy bank” (Rudegeair et al. 2019). This stream of the press, while outlining how Capital One missed the firewall misconfiguration prior to the event, failing to pre-emptively stop the intrusion, asserted that the organization “immediately fixed” the gap, quickly spotting the vulnerability following a lead on a GitHub post, and that there was no evidence of data being sold or distributed (Siegel,2017). In addition to praising the organization for the timely disclosure and response to the breach, and to extensively outlining the revolutionary stance of cloud-based solutions advocated by Capital One, a group of 3 news stories dedicated a lot of space to the company’s statements of regret and apology.

These company statements were abundantly reported in these articles and, although the perfect scapegoat was already in the picture, seemed to convey appropriately emphatic messages to the public. For instance, the WSJ, directly quoting the words of Capital One’s chief executive, reported a promising message from the organization: “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right” (Hong et al. 2017;Telford & Denham,2017). In particular, these sources treated the issue as a problem much larger than Capital One, underlining how the organization is at the heart of fintech innovation programmes, while competitors are struggling to catch up (Rudegeair et al.2017; Hong et al.2017;Baig et al.2017). Committing the thematic scope of these articles to informing the audience about previous upstanding performances of the organization effectively drew the attention away from the crisis (bolstering). Given the absence of proportionally negative accounts of Capital One’s involvement in the breach, the Reputation Index score, based on 4 neutral and 3 positive media reports, equals +42.85 [(3-0)x100/7].

6. Discussion

In this section, this research aims to explain the patterns observed during the stock performance and media tracking analyses and to correlate them with the SCCT strategic stance of the organizations involved. In the following table 1.12 the outcome of the first two steps of the analysis has been complemented with the analysis of the response strategies utilized by the organizations during their crisis communication process. To assess the SCCT response posture of the organizations, this study has analyzed their press releases in unison with media sources and, when possible, with social media communications. In the Intra-periodic section this research analyzes and compares the organizations’ communication response strategies within each timeframe, while the following Inter-periodic analysis addresses the connection between SCCT and the recovery performance of the organizations across the two periods, attempting to draw a conclusive holistic picture.

Table 1.12

6.1 Intra-periodic analysis: Assessing Organizational Responses

6.1.1 Period 1


As portrayed in table 1.12, the entire set of cases observed has, to different extents, experienced a negative recovery trend. Within this negative group performance, SONY and Global Payments stand out for the worst aggregated recovery overall. The common negative trend emerging from this group is reflected in the SCCT framework by the widespread adoption of overlapping strategies from different primary clusters. In fact, while SCCT theory prescribes selecting strategies from only one primary cluster and complementing them by drawing from the Reinforcing set, not one organization abided by this rule. Aside from base responses (more or less equally adopted throughout the dataset), by digging into the characteristics of the organizations’ communication narratives some differences nonetheless emerge. Global Payments, responding in a timely manner, adopted a primary justification approach in its first 2 announcements after the breach (30 March and 1 April), claiming that only a segment (track 2) of its processing system had been compromised, and asserting that the incident had been contained and that it did “not involve our merchants or their relationships with their customers” (Global Payments,2012a,2012b). In addition, the company coupled this response with a bolstering stance at the opening of its release, reminding the audience that Global Payments is “a leader in payment processing services” (GlobalPayments,2012a). However, on June 12th Global Payments radically changed its approach by informing the public of plans involving free credit monitoring and insurance protection, and timidly apologizing for the event. Not only had these compensatory measures not yet been implemented 3 months into the crisis, but they were also quite limited in scope: “unrelated to cardholder data and pertain to individuals associated with a subset of the Company's U.S. merchant applicants” (GlobalPayments,2012c).

A different response structure was followed by TJX, which, responding with 2 press releases (January 17 and February 20), moved its strategic positioning across the entire range of the 3 response clusters. First, the company chose a Deny posture by repeatedly ignoring questions concerning the timing and proportions of the incident, with statements like “We're not commenting about what others are saying about the situation” (Pereira,2007). Secondly, TJX employed justification and deny volition responses from the Diminish cluster. It first minimized the number of records disclosed to “significantly less than millions”, and then justified the length of its response efforts by claiming to have little control over the event: “given the nature of the breach, the size and international scope of our operations, and the complexity of the way credit card transactions are processed, [The response] is, by necessity, taking time” (TJX2007a,2007b; Dash,2007a). Lastly, the organization eventually apologized one month after the crisis but simultaneously denied compensation, claiming that it was not necessary. TJX, alone among the organizations analyzed, reportedly shifted the responsibility of checking for fraudulent activities to consumers, suggesting that they should “carefully review their account statements and immediately notify their credit or debit card company or bank if they suspect fraudulent use” (TJX,2007b). SONY’s recovery struggle is immediately evident from its response communication. First, the company updated consumers with brief and insufficiently developed posts on its PlayStation Blog, starting from the 26th of April, 2 weeks after the users of the console noticed the network outage. It then drew primarily from the Deny cluster, both to (inaccurately) accuse Anonymous of the fact (scapegoat), claiming that “Hackers, after all, do their best to cover their tracks”, and to play the victim role by going absurdly off-topic: “In the last few months, SONY has faced a terrible earthquake and tsunami in Japan. But now we are facing a very man-made event – a criminal attack on us” (SONY,2011a,2011b).

At the same time, SONY used ingratiation as a reinforcing strategy, thanking its customers for their “patience, understanding and goodwill”, and tried to underplay the impact of the breach by claiming that there was no evidence of credit card data being accessed (SONY2011b,SONY2011d). In its final post, nevertheless, the organization promised a “welcome back” package with an identity theft insurance policy, without adding further information regarding its delivery. Target, within this period, appears to be the only organization that implemented apology and compensation measures right from the start, coupling these, nonetheless, with an inconsistent variety of other approaches. In fact, the enormous number of media articles retrieved in the first analysis is reflected by an extensive series of 8 press releases, which allowed the organization to start its PR campaign with suffering statements such as “It was a crime against Target, our team members, and most importantly, our guests” while simultaneously questioning the impact of the breach in light of “very few reports of actual fraud” (justification). Using a justification, the company also invited its guests back to its stores, underplaying the risks by stating that “In fact, in other similar situations, there are typically low levels of actual fraud” (Target,2013a,2013b,2013c,2013d). From the Diminish cluster, the company continuously stated that the development of the incident lay outside of its control (deny volition), up until its December 27 release, where Target distanced itself from responsibility for the potential theft of PCI information. It did so with this confusing statement: “the “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident. The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken.” (Target2013f,2013g).

As said, although Target assumed a progressively more accommodative stance towards the end, it continuously reiterated its compensation efforts and conveyed apologies. In addition, in its last communications the company used a rectification strategy, informing the public of a $100 million investment to accelerate the introduction of chip-based processing systems and claiming that: “While we are disappointed in our 2013 performance, we continue efforts to reinvest in multichannel initiatives that generate long-term value for our shareholders” (Target,2013f,2013g).


6.1.2 Period 2

In the second timeframe observed, organizations overall seemed to have had more beneficial recovery trends. With the exception of Equifax, whose aggregated recovery trend was the worst among all corporate crises observed, the remaining companies enjoyed an upward recovery trend since the breach or suffered minimal financial backlash. As clearly depicted in table 1.12, the companies that were hit the least from a reputational and financial standpoint are The Home Depot and Anthem. Notably, from an SCCT perspective, these companies relied more consistently on response strategies belonging to one strategy cluster, pairing them at most with Reinforcing strategies. That said, two organizations, namely Equifax and The Home Depot, mixed their consistent adoption of Bolstering strategies with Diminish ones. Equifax, whose crisis communication efforts are contained in two press releases dated September 7 and October 10, while introducing an otherwise detailed and thorough technical analysis of the breach, reiterated multiple times how no evidence was found indicating the compromise of “Core Consumer or Commercial Credit Reporting Databases” (justification) (Equifax,2017a). The Home Depot used a deny volition approach in stating that the malware used in the attack was particularly sophisticated and had “not been seen in any prior attacks”.

While Anthem did not clearly refer to rectification commitments, Equifax, The Home Depot and Capital One all drew from the entire set of Bolstering strategies. More importantly, apart from Equifax, which was repeatedly accused of having kept the news of the breach away from the public, the other entities promptly informed the audience of the problem after they discovered it. Such a straightforward approach was paired with extensive technical explanations concerning attack methodologies and the cybersecurity improvements planned by the companies. For instance, The Home Depot dedicated an entire section of the first of its two press releases to “Cyber Security Enhancements”, and Capital One titled an analogous section “Answers to questions related to the cybersecurity incident” (The Home Depot,2014b; CapitalOne,2019a). These detailed narratives of the events helped to convey a transparent message to the public, often even proactively admitting and contextualizing the presence of the system vulnerabilities that facilitated the attack, as in the case of Capital One (CapitalOne,2019b). While Anthem issued 3 press releases between the 5th and 13th of February, apologizing and updating customers on the evolution of the case, the main focus was given to instructing the public on the procedure required for accessing a compensation package consisting of 3 different branches: “Identity Theft Repair Assistance, Credit Monitoring and Child Identity Protection” (Anthem,2015b,2015c). Similar consumer-attentive behavior was undertaken by The Home Depot, which, next to providing an apology for the fact, extended the use of free compensatory measures to anyone who “used a payment card at a The Home Depot store in 2014” (The Home Depot,2014a). Bolstering strategies were also commonly found in these press releases. For instance, while Equifax stated “We pride ourselves on being a leader in managing and protecting data”, Capital One, in the first of two press releases, inserted a bolstering approach within the following rectification statement: “Safeguarding our customers' information is essential to our mission as a financial institution. We have invested heavily in cybersecurity and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber defenses” (CapitalOne,2019a;Equifax,2017a,2017b).

A notably similar mix of bolstering and rectification is inferable from The Home Depot’s statement announcing that an advanced encryption project had been launched prior to the attack and completed during the event, eventually leading to a better security posture in the future. Additionally, while The Home Depot aimed to strengthen its apology with an ingratiation strategy in both press releases, showing regret and thanking its consumers for their patience, Capital One’s CEO released a profuse apology, notably refusing to simply scapegoat a third-party actor for the company’s own responsibility: "While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened, I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right" (CapitalOne,2019a,2019b).

6.2 Inter-periodic analysis: verifying the initial propositions

By comparing the trends of the statistical and reputation recovery analyses, this study shows a common development pattern between the financial performance of an organization and its reputational image during a PR data breach crisis, finding a non-proportional but valid correlation between the two. Moreover, looking at the results obtained, it can be argued that there is a sustained divergence in terms of recovery between the periods. With the exception of Equifax, 3 out of the 4 cases analyzed between 2014 and 2019 performed significantly better than the ones within the first timeframe, both in terms of financial (stock and revenue performance) and media reputation recovery, de facto positively verifying proposition 7 (P7). On the other hand, this notable fracture between periods cannot sustain a full verification of the first proposition of this research (P1), which stated that PR data breaches have an overall negative impact on organizational reputation. While in most instances this was in fact true, the cases of The Home Depot, Anthem, and partly Capital One, do not allow this study to unequivocally assert the validity of such a contention. Rather, moving on to assess propositions 2 and 3 (P2 and P3), the impact of a PR data breach was found to be moderately dependent on the set of communication strategies implemented by the organization. More importantly, the hypothetical response stance preliminarily envisioned for organizations navigating this typology of corporate crisis was corroborated by the fact that the better performing organizations complied with such a prediction. The entire set of organizations breached between 2014 and 2019, recognizing a strong level of attributed responsibility, resorted in fact to Rebuild strategies in unison with Reinforcing measures to contain the crisis. However, while in section 3.6 this research suggested that PR data breaches could fall under the accidental crisis category, anticipating that the use of Diminish or Rebuild strategies would depend on intensifying factors, it can arguably be contended that, in light of the strong degree of crisis severity imposed on the organizations involved in this study, resorting exclusively to Rebuild strategies turned out to be the best recipe for confronting the crisis.

Nevertheless, given that the disparity in recovery trends observed between the two timeframes appears to be moderately correlated to the adoption of a specific and exclusive set of response strategies in compliance with SCCT guidelines (Rebuild), propositions P2 and P3 hold true in light of the results of this research. In particular, consolidating the influence of the SCCT framework on the outcome of the recovery trends observed, organizations that exclusively or primarily relied on one primary strategy cluster performed better than those that blended different primary clusters together. This reasoning further highlights the opposite trends experienced by organizations between the two periods. In the period between 2007 and 2013, 3 out of 4 organizations adopted response strategies inconsistently, switching among the entire set of primary clusters during the crisis response phase. This tendency, and specifically the resort to Deny strategies, seems to have ultimately contributed to their downward recovery trend. As for the role of intensifying factors, since this study stabilized the crisis severity factor ex ante by selecting corporate crises with highly comparable impacts, the performance history (crisis history and relationship history) factor predictably did not significantly influence the outcome of the analysis, because the circumstances already sustained a strong attribution of responsibility. Additionally, while a number of organizations (SONY, TJX, Global Payments, Anthem and Capital One) did experience similar incidents in the past, these rarely featured in the media coverage of their cases. On the contrary, the only case where performance history played a relevant role was that of Capital One, which was praised in the media for its previous successful technological advancements, despite having been involved in cyber security issues before. 
Within the scope of SCCT, we observed that base response strategies (adjusting and instructing) were uniformly used across the board. However, in more recent cases, including Equifax, these communication strategies improved significantly in quality, conveying much more detailed explanations about the incident and providing more comprehensive and exhaustive guidelines to consumers.

However, SCCT could not account for every element that influenced the recovery and response performance trends. One of the most significant differences dividing the communication responses of the first and second timeframe was the ability of the organization to control the narrative of the events.


In this light, the proactive disclosure of the incident helped several organizations convey their message to the public without significant distortions from the press. Secondly, the fact that certain organizations, such as Anthem, The Home Depot and Capital One, were capable of discovering the breach autonomously in many cases positively influenced the media narrative of the event. Similarly, by providing detailed and exhaustive explanations of the technical contours of the hack, many organizations in the 2014-2019 period fed the press with their own storyline, which the media reflected by publishing compatible versions. In fact, the most recurrent discriminant between a positive or a negative version of the fact reported by the media was what could be defined as the sophistication-vulnerabilities axis. Whether the news coverage defined the hacking attack as “highly sophisticated” or “unprecedented”, as opposed to relating it to vulnerabilities inherent in the organization’s security system, made a significant difference for the image of the organization. Companies had the chance to control the sequence of the events rendered to the public by coming forward with their own version, thus owning the narrative about the incident.

This approach was all the more effective when paired with a timely disclosure of the incident. By combining the results of the media tracking analysis with the analysis of the responses used by the organizations, this study fully confirms the fourth proposition (P4), based on Robertson’s (2012) work. The timing of the PR data breach disclosure proved to be one of the most relevant factors dividing the positive and negative performances of the organizations. While organizations that waited to disclose the incident, or to implement apology or compensation strategies (Equifax, TJX, SONY, Global Payments), were met with harsh criticism from media and consumers, others overcompensated for the initial delay in announcing the breach by flooding the press with crisis updates, generating an immense amount of coverage that hampered their image in the long run (Target). On the other hand, organizations that came forward transparently and proactively about the data breach were either praised in the news for their approach (Anthem) or managed to limit the attention of the media, which covered their story only for the first two days of the crisis (Capital One, The Home Depot). As reported by Robertson (2012) and Davidoff (2019), the key lesson learnt is to “Reduce interest into your data breach story by publishing information all at once” (367).

Owning the narrative did not imply that media sources would reflect the exact response posture assumed by the organizations. For instance, while many organizations resorted to bolstering strategies, informing the audience about their previous achievements, many news articles instead reported the use of transcendence as a reinforcing strategy. Incorporated within the narrative of sophistication, used to deny controllability over the events (deny volition), especially in the second timeframe considered, many data breaches were reported by the news as single episodes of a widespread trend, thus contextualizing the event in the bigger picture of cyber security failures and exonerating the company from direct responsibility. At the same time, none of the media sources reported the use of bolstering as a strategy, with the exception of Capital One. This shows that the fifth proposition (P5), derived from Kim et al. (2017), was positively verified. Lastly, although social media communication was expected to have played a significant role in influencing the response capacity of the organizations involved, especially in light of the different timeframes selected for the analysis, this projection was not supported by the facts. Only two of the eight companies included in this study used their Twitter accounts to provide updates on the crisis, namely Equifax and Capital One (Equifax, CapitalOne). Strikingly, the remaining companies did not have a social media account at the time of the breach. At the same time, the fact that social media was used to convey crisis updates in the two most recent data breach cases might signify that the trend is gaining ground. Nevertheless, given the scarce use of social media as a crisis response platform, and the opposite recovery trends shown by the two companies that used it, it is hard to assess what influence this factor might have had on the response and recovery performance of the organizations. Therefore, proposition 6 (P6) cannot be confirmed within the scope of this research.

7. Conclusions:

This research, addressing data breaches as corporate reputational crises, has approached this phenomenon from a crisis communication standpoint in an attempt to explore an under-researched dimension of an increasingly common threat to organizations worldwide. The question driving this investigation, formulated through a set of propositions, asked why some organizations maintain their reputation with their consumers in the aftermath of a data breach while others fail to do so. Answering this question requires acknowledging that Situational Crisis Communication Theory, the guiding theoretical pillar of this study, like any theory ever developed, does not exist in a sealed compartment. Any application of such a theory in the real world will eventually lead to exceptions and potentially contrasting conclusions. Therefore, before interpreting the results and risking possible misinterpretations, it is worth retracing the range of internal and external validity of the findings. In this study, a set of most-comparable cases was built specifically to control the level of attributed responsibility, which stands at the heart of SCCT. This implies that, in terms of generalizability, these results might be inextricably linked to the specific nature of the cases (see chapter 4.3). Furthermore, given the insufficient amount of preliminary insight on crisis communication in the context of data breaches, this research might pave the way for further academic attempts at clarifying aspects of the matter that were not exhaustively defined, such as the role of social media or a holistic categorization of data breaches within SCCT. In fact, while this study aimed at contributing to the integration of data breaches within SCCT, future research efforts should be dedicated to formulating an exhaustive crisis communication framework for responding to these emerging events, and in particular to fully identifying what crisis typology they fall under. On the other hand, the very category of corporate crisis chosen as the object of inquiry complicated the case selection process, limiting the research scope to only 64 retrieved cases and subsequently providing only 8 cases suitable for the analysis. While thousands of data breaches happen every year, the fact that most of these cases remain undisclosed and underreported posed serious problems for the realization of this research.

Nevertheless, by testing the validity of 7 propositions, this research reached the conclusion that communication strategies chosen in compliance with SCCT, and in particular the exclusive and timely adoption of compensation, apology and rectification strategies, are (non-proportionally) correlated with a positive reputational recovery from the crisis. However, this recipe needs to be complemented by a series of concurrent factors, which have the potential to reverse the outcome and depend strictly on the contextual features of the cases at hand. Maintaining a sound cyber security posture, including monitoring capacity and incident handling; providing detailed and exhaustive technical information about the incident; responding to the event in a timely manner; owning the narrative of the events with transparency; and attentive, customer-focused behavior all represent necessary ingredients for enhancing the role of SCCT strategies in the context of PR data breaches. Lastly, we have observed that the more recent corporate data breach cases were better managed by organizations, allowing them to recover from the crisis. Bischoff (2019) and Klebnikov (2019) have argued that this depends on a phenomenon defined as “breach fatigue”, whereby the public is becoming accustomed to these issues and does not react as harshly as in the past. This research nevertheless observed that organizations overall have improved their response apparatus over time, applying the right strategies more consistently. At the same time, the legal and corporate environment around them is rapidly changing, requiring companies to comply with more stringent requirements: of the organizations breached in the 2007-2013 timeframe, 12 were not involved in legal proceedings, against only 6 in the second timeframe.
The progressive institutionalization of the cyber dimension may in fact have contributed to fostering a paradigm shift in data breach response practices, together with previous failures and lessons learned. What is certain is that data breaches are becoming the new normal, and organizations had better be prepared: safe rather than sorry.

8. Appendix:

PR Data Breaches DataSet.xlsx

9. Bibliography:

9.1 Authors

▪ Amaresan, S. (2019) “Situational Crisis Communication Theory and How It Helps a Business”, HubSpot
▪ Arghire, J. (2020) “Over 15.1 Billion Records Exposed in Data Breaches in 2019”, Security Week
▪ Avery, E. & Park, S. (2014) “Effects of crisis efficacy on intentions to follow directives during crisis”, pp. 72-86
▪ Bachura, E., Valecha, R. & Chen, R. (2017) “Modeling Public Response to Data Breaches”, Completed Research
▪ Baskerville, R., Spagnoletti, P. & Kim, J. (2014) “Incident-Centered Information Security: Managing a Strategic Balance between Prevention and Response”, Information & Management 51(1), pp. 138-151
▪ Bayarong, J. (2015) “Situational Crisis Communication Theory (SCCT) Review”, COMM 310, FMA-2, November 05, 2015, Department of Communication Studies, Eastern Illinois University
▪ Beckerman, J. (2015) “Global Payments to Buy Heartland Payment Systems for $3.8 Billion. Deal would expand the payment company’s reach among midsize and small merchants”, The Wall Street Journal
▪ Benoit, W.L. (1995) Accounts, excuses, and apologies: A theory of image restoration strategies. Albany: State University of New York Press
▪ Bischoff, P. (2019) “How data breaches affect stock market share prices”, Comparitech
▪ Borkar, P. & Goel, S. (2019) “A Look at the Capital One Data Breach Through the Lens of MITRE ATT&CK”, Exabeam
▪ Campana, J. (2009) “Consumer Data Losses 100 Times Worse Than Thought: Report”, Dark Reading

▪ Biener, C., Eling, M. & Wirfs, J.H. (2015) “Insurability of Cyber Risk: An Empirical Analysis”, The Geneva Papers 40(1), pp. 131-158
▪ Campbell, K., Gordon, L.A., Loeb, M.P. & Zhou, L. (2003) “The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market”, Journal of , Vol. 11, No. 3
▪ Carroll, R.E. & McCombs, M. (2003) “Agenda-Setting Effects of Business News on the Public’s Image and Opinions About Major Corporations”, Corporate Reputation Review 6(1), pp. 36-46
▪ Cavusoglu, H., Mishra, B. & Raghunathan, S. (2004) “The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers”, International Journal of Electronic Commerce 9(1), pp. 69-104
▪ Chemi, E. (2014) “Investors Couldn’t Care Less About Data Breaches”, Cybersecurity, Bloomberg
▪ Chickowski, E. (2008) “TJX: Anatomy of a Massive Breach”, Baseline
▪ Chickowski, E. (2013) “Why Are We So Slow To Detect Data Breaches?”, Dark Reading, Attacks/Breaches
▪ Cravens, K., Goad Oliver, E. & Ramamoorti, S. (2003) “The Reputation Index: Measuring and Managing Corporate Reputation”, European Management Journal 21(2), pp. 201-212
▪ Columbus, L. (2020) “2020 Roundup Of Cybersecurity Forecasts And Market Estimates”, Forbes
▪ Comfort, L.K., Boin, A. & Demchak, C. (2010) Designing Resilience: Preparing for Extreme Events. Pittsburgh: University of Pittsburgh Press. Chapter 2, “Resilience: Exploring the Concept”
▪ Coombs, W.T. & Holladay, S.J. (2002) “Helping Crisis Managers Protect Reputational Assets: Initial Tests of the Situational Crisis Communication Theory”, Sage Journals
▪ Coombs, W.T. (2004) “Impact of Past Crises on Current Crisis Communication: Insights From Situational Crisis Communication Theory”, Sage Journals
▪ Coombs, W.T. (2007a) “Attribution Theory as a guide for post-crisis communication research”, Public Relations Review 33(2), pp. 135-139
▪ Coombs, W.T. (2007b) “Protecting organization reputations during a crisis: The development and application of situational crisis communication theory”, Corporate Reputation Review 10(3), pp. 163-176
▪ Coombs, W.T. & Holladay, S.J. (2010) “Parameters for Crisis Communication”, in The Handbook of Crisis Communication, Wiley-Blackwell Handbooks in Communication and Media, pp. 17-47
▪ Coombs, W.T. (2013) “Situational theory of crisis: Situational crisis communication theory and corporate reputation”, in C.E. Carroll (Ed.), The handbook of communication and corporate reputation (pp. 262-278). Oxford, UK: Wiley-Blackwell
▪ Culnan, M.J. & Williams, C.C. (2009) “How Ethics Can Enhance Organizational Privacy: Lessons from the Choicepoint and TJX Data Breaches”, MIS Quarterly 33(4), pp. 673-687

▪ Danielson, L. (2017) “What is the difference between a cyber security incident and an event”, Corsica Technologies
▪ Davidoff, S. (2019) Data Breaches: Crisis and Opportunity, Addison-Wesley, Chapter 7
▪ Dutta, A., Peng, G.C.A. & Choudhary, A. (2013) “Risks in Enterprise Cloud Computing: The Perspective of IT Experts”, Journal of Computer Information Systems 53(4), pp. 39-48
▪ Eisenegger, M. (2005) Reputation in der Mediengesellschaft: Konstitution, Issues Monitoring, Issues Management
▪ Elifoglu, I.H., Abel, I. & Taşseven, Ö. (2018) “Minimizing Insider Threat Risk with Behavioral Monitoring”, Review of Business 38(2), pp. 61-73
▪ Feinman, T. (2015) “Companies Need to Take Responsibility for Protecting Sensitive User Data”, Entrepreneur Europe
▪ Fisher Liu, B. (2010) “Effective Public Relations in Racially Charged Crises: Not Black or White”, in The Handbook of Crisis Communication, pp. 335-358
▪ Garg, A., Curtis, J. & Halper, H. (2003) “Quantifying the financial impact of IT security breaches”, Information Management & Computer Security 11, pp. 74-83, doi:10.1108/09685220310468646
▪ Ganev, D. (2018) “Crisis PR After a Hack: Case Studies”, Commetric
▪ Goddijn, I. & Kouns, J. (2020) “2020 Q1 Data Breach Report”, Risk Based Security, Cyber Risk Analytics
▪ Goel, S., Brown, C. & Shawky, H. (2007) “Measuring the Impact of Security Breaches on Stock Valuations of Firms”, 6th Annual Security Conference, Las Vegas, NV, April 11-12, 2007
▪ Goel, V. & Perlroth, N. (2016) “Yahoo Says 1 Billion User Accounts Were Hacked”, The New York Times, December 14
▪ Goldberg, G. & McNamara, M. (2012) “Effective Enterprise Risk Management and Crisis Management”, Dentons
▪ Grobauer, B., Walloschek, T. & Stocker, E. (2011) “Understanding Cloud Computing Vulnerabilities”, IEEE Security & Privacy 9(2), pp. 50-57
▪ Gwebu, K.L., Wang, J. & Wang, L. (2018) “The Role of Corporate Reputation and Crisis Response Strategies in Data Breach Management”, Journal of Management Information Systems 35(2), pp. 683-714, doi:10.1080/07421222.2018.1451962
▪ Foltyn, T. (2019) “Data breaches can haunt firms for years”, WeLiveSecurity
▪ Heath, R.L. (2006) “Best Practices in Crisis Communication: Evolution of Practice through Research”, Journal of Applied Communication Research 34(3)
▪ Harrison, G.A. (2007) “Communication Strategies as a Basis for Crisis Management Including Use of the Internet as a Delivery Platform”, Dissertation, Georgia State University
▪ Hawkins, N. (2017) “Why communication is vital during a cyber-attack”, Everbridge EMEA, PrivSec Report

▪ Heath, R.L. & Coombs, W.T. (2006) Today’s public relations: An introduction. Thousand Oaks, CA: Sage
▪ Holladay, S.J. (2010) “Are They Practicing What We Are Preaching? An Investigation of Crisis Communication Strategies in the Media Coverage of Chemical Accidents”, in The Handbook of Crisis Communication, pp. 159-180
▪ Hovav, A. & D’Arcy, J. (2004) “The Impact of Virus Attack Announcements on the Market Value of Firms”, Information Systems Security 13(3), pp. 32-40
▪ Huang, C.D., Behara, R.S. & Hu, Q. (2008) “Managing Risk Propagation in Extended Enterprise Networks”, IT Professional (July/August), pp. 14-19
▪ Huq, N. (2015) “Follow the Data: Dissecting Data Breaches and Debunking Myths”, Trend Micro analysis of Privacy Rights Clearinghouse 2005-2015 data breach records
▪ Infosec (2015) “Where do PCI-DSS and PII Intersect?”, August 19
▪ Investopedia (2020) “The NYSE and NASDAQ: How They Work”, Stock Markets
▪ ITRC (2008) Breach Report 2007, Identity Theft Resource Center, https://www.idtheftcenter.org/images/breach/Breach_Report_2007.pdf
▪ ITRC (2009) Breach Report 2008, Identity Theft Resource Center, https://www.idtheftcenter.org/images/breach/Breach_Report_2008.pdf
▪ ITRC (2010) Breach Report 2009, Identity Theft Resource Center, https://www.idtheftcenter.org/images/breach/Breach_Report_2009.pdf
▪ ITRC (2011) Breach Report 2010, Identity Theft Resource Center, https://www.idtheftcenter.org/images/breach/Breach_Report_2010.pdf
▪ ITRC (2012) Breach Report 2011, Identity Theft Resource Center, https://www.idtheftcenter.org/images/breach/Breach_Report_2011.pdf
▪ ITRC (2013) Breach Report 2012, Identity Theft Resource Center, https://www.idtheftcenter.org/images/breach/Breach_Report_2012.pdf
▪ ITRC (2014) Breach Report 2013, Identity Theft Resource Center, https://www.idtheftcenter.org/images/breach/Breach_Report_2013.pdf
▪ ITRC (2015) Breach Report 2014, Identity Theft Resource Center, https://www.idtheftcenter.org/images/breach/Breach_Report_2014.pdf
▪ ITRC (2016) Breach Report 2015, Identity Theft Resource Center, https://www.idtheftcenter.org/images/breach/Breach_Report_2015.pdf
▪ ITRC (2017) Breach Report 2016, Identity Theft Resource Center, https://www.idtheftcenter.org/images/breach/Breach_Report_2016.pdf
▪ ITRC (2018) Breach Report 2017, Identity Theft Resource Center, https://www.idtheftcenter.org/images/breach/Breach_Report_2017.pdf

▪ ITRC (2019) Breach Report 2018, Identity Theft Resource Center, https://www.idtheftcenter.org/images/breach/Breach_Report_2018.pdf
▪ ITRC (2020) Breach Report 2019, Identity Theft Resource Center, https://www.idtheftcenter.org/images/breach/Breach_Report_2019.pdf
▪ Jenkins, A., Anandarajan, M. & D’Ovidio, R. (2014) “All that glitters is not gold: The role of impression management in data breach notification”, Western Journal of Communication 78, pp. 337-357
▪ Johnson, M.E. (2008) “Information Risk of Inadvertent Disclosure: An Analysis of File-Sharing Risk in the Financial Supply Chain”, Journal of Management Information Systems 25(2), pp. 97-123
▪ Kannan, K., Ulmer, J. & Sridhar, S. (2007) “Market Reactions to Information Security Breach Announcements: An Empirical Analysis”, International Journal of Electronic Commerce 12(1), pp. 69-91, doi:10.2753/JEC1086-4415120103
▪ Khan, F.S., Kim, J.H., Moore, R.L. & Mathiassen, L. (2019) “Data Breach Risks and Resolutions: A Literature Synthesis”, AMCIS 2019
▪ Kim, B., Johnson, K. & Park, S. (2017) “Lessons from the five data breaches: Analyzing framed crisis response strategies and crisis severity”, Cogent Business & Management 4(1)
▪ Kitten, T. (2014) “When Did Neiman Marcus Breach Start?”, BankInfoSecurity, January 23
▪ Klebnikov, S. (2019) “Companies With Security Fails Don’t See Their Stocks Drop As Much, According To Report”, Forbes, Markets
▪ Krumay, B., Bernroider, E.W.N. & Walser, R. (2018) “Evaluation of Cybersecurity Management Controls and Metrics of Critical Infrastructures: A Literature Review Considering the NIST Cybersecurity Framework”, in Gruschka, N. (ed.) Secure IT Systems, NordSec 2018, Lecture Notes in Computer Science vol. 11252, Springer, Cham
▪ Kruse, C.S., Frederick, B., Jacobson, T. & Monticone, D.K. (2017) “Cybersecurity in Healthcare: A Systematic Review of Modern Threats and Trends”, Technology and Health Care 25(1), pp. 1-10
▪ Laufer, D. & Coombs, W.T. (2018) “Global Crisis Management: Current Research and Future Directions”, Journal of International Management 24(3), pp. 199-203
▪ Lavelle, J. (2020) “Gartner Says Data and Cyber-Related Risks Remain Top Worries for Audit Executives”, Gartner, press release
▪ Leskin, P. (2019) “Uber is going public in one of the biggest IPOs of all time as all its execs swarm the NYSE”, Business Insider, May 10
▪ Lopes, I., Guarda, T. & Oliveira, P. (2019) “Implementation of ISO 27001 Standards as GDPR Compliance Facilitator”, Journal of Information Systems Engineering & Management 4
▪ MacKinlay, A.C. (1997) “Event Studies in Economics and Finance”, Journal of Economic Literature 35, pp. 13-39

▪ Martin, N. (2019) “What is a Data Breach”, AI & Big Data, Forbes
▪ McCallister, E., Grance, T. & Scarfone, K. (2010) “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)”, NIST Special Publication 800-122
▪ Marden, T. (2018) “3 Ways SIEM Tools Can Let You Down”, Cygilant blog
▪ Mer Group (2020) “The dark side of digitalization”, Cybersecurity
▪ Miller, J. (2019) “Cybersecurity Event/Incident: What is the difference”, BitLyft Cybersecurity
▪ Modi, C., Patel, D., Borisaniya, B., Patel, A. & Rajarajan, M. (2013) “A Survey on Security Issues and Solutions at Different Layers of Cloud Computing”, Journal of Supercomputing 63(2), pp. 561-592
▪ Morgan, S. (2017) “Is cybercrime the greatest threat to every company in the world?”, Cyber Security Business Report
▪ Morris, C. (2020) “Hackers had a banner year in 2019”, Tech/Data Breaches, Fortune
▪ Morris, M.W., Moore, P. & Sim, D. (1999) “Choosing remedies after accidents: Counterfactual thoughts and the focus on fixing ‘human error’”, Psychonomic Bulletin & Review 6, pp. 579-585
▪ Ogrizek, M. & Guillery, J. (1999) Communicating in Crisis: A Theoretical and Practical Guide to Crisis Management, Aldine de Gruyter, Hawthorne, NY
▪ Oxford Metrica (2011) Reputation Review 2011, Aon
▪ Privacy Rights Clearinghouse (2020) Data Breaches Chronology Database, PRC
▪ Reed, R. (2014) “Recovering corporate consumer trust: A study of crisis response strategies and repairing damaged trust”, ProQuest Dissertations Publishing
▪ Robertson (2012) “Tell It All?”, Public Relations Journal 6(1)
▪ Rosati, P., Deeney, P., Cummins, M., Van der Werff, L. & Lynn, T. (2019) “Social Media and Stock Price Reaction to Data Breach Announcements: Evidence from US Listed Companies”, Research in International Business and Finance 47, pp. 458-469, doi:10.1016/j.ribaf.2018.09.007
▪ Rouse, M. (2020) “Security information and event management (SIEM)”, SearchSecurity
▪ Park, H. (2016) “Exploring effective crisis response strategies”, Public Relations Review 43(1), pp. 190-192
▪ Pham, C. (2001) “From Events to Incidents”, SANS
▪ Preen, J. (2020) “The Case Against Situational Crisis Communication Theory”, BC Trading
▪ Reynolds, B. & Seeger, M.W. (2007) “Crisis and Emergency Risk Communication as an Integrative Model”, pp. 43-55
▪ Ryan, J.J., Mazzuchi, T.A., Ryan, D.J., De la Cruz, J.L. & Cooke, R. (2012) “Quantifying Information Security Risks Using Expert Judgment Elicitation”, Computers & Operations Research 39(4), pp. 774-784

▪ Sandman, P. (2006) “Crisis Communication Best Practices: Some Quibbles and Additions”, Journal of Applied Communication Research 34(3), pp. 257-262
▪ SANS (2008) Information Security Reading Room 8
▪ Sen, R. & Borle, S. (2015) “Estimating the Contextual Risk of Data Breach: An Empirical Approach”, Journal of Management Information Systems 32(2), pp. 314-341
▪ Seeger, M.W. (2006) “Best Practices in Crisis Communication: An Expert Panel Process”, Journal of Applied Communication Research
▪ Segal, T. (2020) “Enron Scandal: The Fall of a Wall Street Darling”, Investopedia
▪ Sinanaj, G. & Zafar, H. (2016) “Who Wins in a Data Breach? A Comparative Study on the Intangible Costs of Data Breach Incidents”, PACIS 2016 Proceedings, 60
▪ Sobers, R. (2020) “107 Must-Know Data Breach Statistics for 2020”, Data Security, Varonis
▪ Sohn, Y.J. & Lariscy, R.W. (2014) “Understanding Reputational Crisis: Definition, Properties, and Consequences”, Journal of Public Relations Research
▪ Spota (2019) “How Has Crisis Communication Evolved in the 21st Century?”, Qrius
▪ Suhonen, S. (2019) “Crisis Communication in Organizational Data Breach Situations: Facebook Data Breach 2018”, Aalto University School of Business
▪ Szmigiera, M. (2020) “Largest stock exchange operators worldwide as of Mar 2020, by market capitalization of listed companies”, Statista, May 20
▪ Toms, S. (2019) “Financial scandals: A historical overview”, Accounting and Business Research 49
▪ Valentini, C. & Kruckeberg, D. (2016) “The future role of social media in International Crisis Communication”, in The Handbook of International Crisis Communication Research, pp. 478-488
▪ Vennanameni, M. (2016) “Security Breach at TJX, Analysis”, Medium
▪ Verizon (2020) “2020 Data Breach Investigations Report”, Verizon
▪ Vijayan, J. (2008) “One year later: Five takeaways from the TJX breach. The retailer has survived the massive data theft, but the card industry remains unsettled”, Computerworld
▪ Wall, T.N. & Hayes, J.A. (2000) “Depressed Clients’ Attributions of Responsibility for the Causes of and Solutions to Their Problems”, Journal of Counseling & Development 78(1), pp. 81-86
▪ Wang, P. & Johnson, C. (2018) “Cybersecurity Incident Handling: A Case Study of the Equifax Data Breach”, Issues in Information Systems 19(3), pp. 150-159, Robert Morris University
▪ Wang, P. & Park, S.A. (2017) “Communication in Cybersecurity: A Public Communication Model for Business Data Breach Incident Handling”, Issues in Information Systems 18(2), pp. 136-147
▪ Wartick, S.L. (1992) “The Relationship Between Intense Media Exposure and Change in Corporate Reputation”, Business and Society 31, pp. 33-49

▪ Weverbergh, R. & Vermoesen, K. “Measuring PR: the (Media) Reputation Index”, FINN
▪ Winder, D. (2020) “ Gives Away 386 Million Stolen Records On Dark Web—What You Need To Do Now”, Forbes
▪ Wisner, B., Gaillard, J.C. & Kelman, I. (2012) “Framing Disaster: Theories and Stories Seeking to Understand Hazards, Vulnerability and Risk”, in Handbook of Hazards and Disaster Risk Reduction and Management, London: Routledge
▪ Xu, W., Grant, G., Nguyen, H. & Dai, X. (2008) “Security Breach: The Case of TJX Companies, Inc.”, Communications of the Association for Information Systems 23(31), pp. 575-590
▪ Yung-Yee, L. (2011) “Application of situational crisis communication theory: case study of TJX leak of customers’ information”, Ball State University, Department of Journalism
▪ Zetter, K. (2014) “SONY Got Hacked Hard: What We Know and Don’t Know So Far”, Wired, December 3
▪ Zhou, Y. (2020) Analyzing Historical Data Breaches to Improve Public Cloud Security Postures, The George Washington University, ProQuest Dissertations Publishing, 27664530
▪ Zyglidopoulos, S. & Phillips, N. (1999) “Responding to Reputational Crises: A Stakeholder Perspective”, Corporate Reputation Review 2, pp. 333-350, doi:10.1057/palgrave.crr.1540090

9.2 Press Releases

▪ Anthem (2015a) 05/02/2015 https://www.anthem.com/press/wisconsin/statement-regarding-cyber-attack-against-anthem/

▪ Anthem (2015b) 06/02/2015 https://ir.antheminc.com/news-releases/news-release-details/anthem-alerts-consumers-protect-themselves-scam-email-campaigns?field_nir_news_date_value[min]=

▪ Anthem (2015c) 13/02/2015 https://ir.antheminc.com/news-releases/news-release-details/how-those-affected-cyber-attack-anthem-can-get-identity-theft?field_nir_news_date_value[min]=

▪ Capital One (2019a) 29/07/2019 https://www.capitalone.com/about/newsroom/capital-one-announces-data-security-incident/

▪ Capital One (2019b) 23/09/2019 https://www.capitalone.com/facts2019/

▪ Equifax (2017a) 07/09/2017 https://investor.equifax.com/news-and-events/press-releases/2017/09-07-2017-213000628

▪ Equifax (2017b) 02/10/2017 https://investor.equifax.com/news-and-events/press-releases/2017/10-02-2017-213238821

▪ The Home Depot (2014a) 18/09/2014 https://ir.homedepot.com/news-releases/2014/09-18-2014-014517752

▪ The Home Depot (2014b) 06/11/2014 https://ir.homedepot.com/news-releases/2014/11-06-2014-014517315

▪ Global Payments (2012a) 30/03/2012 https://investors.globalpaymentsinc.com/news-and-events/press-releases/press-release-details/2012/Global-Payments-Identifies-and-Self-Reports-Unauthorized-Access-into-a-Portion-of-Its-Processing-System/default.aspx
▪ Global Payments (2012b) 01/04/2012 https://investors.globalpaymentsinc.com/news-and-events/press-releases/press-release-details/2012/Global-Payments-Provides-Updated-Information-Regarding-Unauthorized-System-Access/default.aspx
▪ Global Payments (2012c) 12/06/2012 https://investors.globalpaymentsinc.com/news-and-events/press-releases/press-release-details/2012/Global-Payments-Reports-Progress-of-Continuing-Investigation/default.aspx
▪ Target (2013a) 19/12/2013 https://corporate.target.com/press/releases/2013/12/target-confirms-unauthorized-access-to-payment-car
▪ Target (2013b) 20/12/2013 https://corporate.target.com/press/releases/2013/12/target-data-security-media-update
▪ Target (2013c) 20/12/2013 https://corporate.target.com/press/releases/2013/12/a-message-from-ceo-gregg-steinhafel-about-targets
▪ Target (2013d) 21/12/2013 https://corporate.target.com/press/releases/2013/12/target-data-security-update-tips-for-consumers
▪ Target (2013e) 23/12/2013 https://corporate.target.com/press/releases/2013/12/target-data-security-media-update-2
▪ Target (2013f) 24/12/2013 https://corporate.target.com/press/releases/2013/12/target-data-security-media-update-3
▪ Target (2013g) 27/12/2013 https://corporate.target.com/press/releases/2013/12/target-data-security-media-update-4

▪ Target (2013h) 10/01/2014 https://corporate.target.com/press/releases/2014/01/target-provides-update-on-data-breach-and-financia
▪ Target (2013i) 03/02/2014 https://corporate.target.com/press/releases/2014/02/time-for-smartcards-an-op-ed-by-john-mulligan-exec
▪ TJX (2007a) 17/01/2007 https://www.businesswire.com/news/home/20070117005971/en/The-TJX-Companies-Inc.-Victimized-by-Computer-Systems-Intrusion-Provides-Information-to-Help-Protect-Customers
▪ TJX (2007b) 21/02/2007 https://investor.tjx.com/static-files/977cc027-4a2b-47cc-8dac-be86638793d2
▪ SONY (2011a) 26/04/2011 https://blog.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/
▪ SONY (2011b) 03/05/2011 https://www.flickr.com/photos/playstationblog/5686965323/in/set-72157626521862165/
▪ SONY (2011c) 04/05/2011 https://blog.playstation.com/2011/05/04/SONYs-response-to-the-u-s-house-of-representatives/
▪ SONY (2011d) 05/05/2011 http://blog.us.playstation.com/2011/05/05/a-letter-from-howard-stringer/ (late CEO apology)

9.3 Media Sources by Case

Target

▪ Timberg, C., Yang, J.L. & Tsukayama, H. (2013) “Target says 40 million credit, debit cards may have been compromised in security breach”, The Washington Post, December 19
▪ Tsukayama, H. (2013) “Target data breach: what you should know”, The Washington Post, December 19
▪ Yang, J.L. & Jayakumar, A. (2014) “Target says up to 70 million more customers were hit by December data breach”, The Washington Post, January 10
▪ Jayakumar, A. & Tsukayama, H. (2014) “Target breach: What you need to know”, The Washington Post, January 10
▪ Tsukayama, H. (2014) “Target says customers signing up for free credit monitoring after data breach”, The Washington Post, January 13
▪ Jayakumar, A. (2014a) “Target tries to reassure customers after data breach revelations”, The Washington Post, January 13
▪ McGregor, J. (2014) “Target CEO opens up about data breach”, The Washington Post, January 13
▪ Douglas, D. & Timberg, C. (2014) “Target breach could represent leading edge of wave of serious cybercrime”, The Washington Post, February 9
▪ Jayakumar, A. (2014b) “Data breach hits Target’s profits, but that’s only the tip of the iceberg”, The Washington Post, February 26

▪ Harris, E.A., Perlroth, N., Popper, N. & Stout, H. (2014) “A Sneaky Path Into Target Customers’ Wallets”, The New York Times, January 17
▪ The Editorial Board (2014) “Preventing the Next Data Breach”, The New York Times, January 25
▪ Perlroth, N. (2014) “Heat System Called Door to Target for Hackers”, The New York Times, February 5
▪ Harris, E.A. & Perlroth, N. (2014) “Target Missed Signs of a Data Breach”, The New York Times, March 13
▪ Harris, E.A. (2014) “Target Had Chance to Stop Breach, Senators Say”, The New York Times, March 26
▪ Eversley, M. & Hjelmgaard, K. (2013) “Target confirms massive credit-card data breach”, USA Today, December 18
▪ Snider, M. (2013) “Target data breach spurs lawsuits, investigations”, USA Today, December 22
▪ Malcolm, H. (2014a) “Target: Data stolen from up to 70 million customers”, USA Today, January 10
▪ Prah, P.H. (2014) “Target’s data breach highlights state role in privacy”, USA Today, January 16
▪ Kratsas, G. (2014) “Reports: Target warned before data breach”, USA Today, February 14
▪ Malcolm, H. (2014b) “Target sees drop in customer visits after breach”, USA Today, March 11
▪ Sidel, R., Yadron, D. & Germano, S. (2013) “Target Hit by Credit-Card Breach”, The Wall Street Journal, December 19
▪ Ziobro, P. (2014a) “Target Breach Began With Contractor’s Electronic Billing Link”, The Wall Street Journal, February 6
▪ Langley, M. (2014) “Inside Target, CEO Gregg Steinhafel Struggles to Contain Giant Cybertheft”, The Wall Street Journal, February 18
▪ Ziobro, P. (2014b) “Target Earnings Slide 46% After Data Breach”, The Wall Street Journal, February 26

SONY

▪ Tsukayama, H. (2011a), “SONY got hacked; what should I do?”, The Washington Post, April 27
▪ Palmer, M. (2011), “SONY faces lawsuit over PlayStation hack”, Financial Times, April 28
▪ Tsukayama, H. (2011b), “FBI looks into SONY’s PlayStation security breach”, The Washington Post, April 29
▪ Brown, K. (2011), “SONY scrambles to limit hacking scandal”, Financial Times, May 3
▪ Tsukayama, H. (2011c), “Cyber attack was large-scale, SONY says”, The Washington Post, May 4
▪ Schiesel, S. (2011), “PlayStation Security Breach a Test of Consumers’ Trust”, The New York Times, April 27
▪ Noer, M. (2011), “SONY Response to PlayStation Security Breach Abysmal”, Forbes, May 4
▪ Bilton, N. & Stelter, B. (2011), “SONY Says PlayStation Hacker Got Personal Data”, The New York Times, April 26
▪ Menn, J. & Palmer, M. (2011), “SONY faces fury over data delay”, Financial Times, April 27
▪ Bradshaw, T. (2011), “SONY chief in PlayStation hack apology”, Financial Times, May 6


TJX

▪ Nakashima, H. (2007), “Customer Data Breach began in May 2005, TJX says”, The Washington Post, February 22
▪ Dash, E. (2007a), “Data Breach Could Affect Millions of TJX Shoppers”, The New York Times, January 19
▪ Dash, E. (2007b), “Retail security breach may be biggest in U.S.”, International Herald Tribune / The New York Times, January 19
▪ Stone, B. & Dash, E. (2007), “TJX Says Customer Data Was Stolen”, The New York Times, January 18
▪ Sidel, R. (2007), “TJX Data breach poses woe for bank”, The Wall Street Journal, January 19
▪ Pereira (2007a), “Wide Credit-Card Fraud Surfaces in TJX Hacking”, The Wall Street Journal, February 25
▪ Pereira (2007b), “How Credit Card Data Went out wireless door”, The Wall Street Journal, May 4

Global Payments

▪ Sidel & Johnson (2012), “Data Breach Sparks Worry: Hack Attack at Card Processor Compromises Potentially Thousands of Accounts”, March 29
▪ Kosner, A. W. (2012), “Massive Credit Card Breach of Estimated 10 Million Accounts: Where Are Those Smart Cards?”, Forbes, March 31
▪ Trefis Team (2012), “Global Payments Data Breach Exposes Card Payments Vulnerability”, Forbes, April 3
▪ Tsukayama, H. (2012), “FAQ: The Global Payments hack”, The Washington Post, April 2
▪ Silver-Greenberg, J. & Schwartz, N. D. (2012), “MasterCard and Visa Investigate Data Breach”, The New York Times, April 1
▪ Silver-Greenberg, J. (2012), “After a Data Breach, Visa Removes a Service Provider”, The New York Times, April 1

The Home Depot

▪ Peterson, A. (2014), “The Home Depot breach put 56 million payment cards at risk”, The Washington Post, September 18
▪ Creswell, J. & Perlroth, N. (2014), “Ex-Employees Say The Home Depot Left Data Vulnerable”, The New York Times, September 19
▪ Vinton, A. (2014), “With 56 Million Cards Compromised, The Home Depot's Breach Is Bigger Than Target's”, Forbes, September 18
▪ Winter, M. (2014), “The Home Depot hackers used vendor log-on to steal data, e-mails”, USA Today, November 6


▪ Sidel, R. (2014), “The Home Depot's 56 Million Card Breach Bigger Than Target's: ‘Unique, Custom-Built Malware’ Eliminated From Retailer's Systems After Five-Month Attack on Terminals”, The Wall Street Journal, September 18
▪ Banjo, S. (2014), “The Home Depot Hackers Exposed 53 Million Email Addresses: Hackers Used Password Stolen From Vendor to Gain Access to Retailer’s Systems”, The Wall Street Journal, November 6

Anthem

▪ Mathews, A. W. & Yadron, D. (2015), “Health Insurer Anthem Hit by Hackers: Breach Gets Away With Names, Social Security Numbers of Customers, Employees”, The Wall Street Journal, February 4
▪ Abelson, R. & Goldstein, M. (2015a), “Millions of Anthem Customers Targeted in Cyberattack”, The New York Times, February 5
▪ Abelson, R. & Goldstein, M. (2015b), “Anthem Hacking Points to Security Vulnerability of Health Care Industry”, The New York Times, February 6
▪ Bernard, S. T. (2015), “Protecting Yourself From the Consequences of Anthem’s Data Breach”, The New York Times, February 5
▪ Abelson, R. & Creswell, J. (2015), “Data Breach at Anthem May Forecast a Trend”, The New York Times, February 6
▪ Weise, E. (2015a), “Millions of Anthem customers alerted to hack”, USA Today, February 5
▪ News Source (2015), “Anthem/Blue Cross-Blue Shield hit with cyber-attack”, USA Today, February 5
▪ Weise, E. (2015b), “First lawsuits launched in Anthem hack”, USA Today, February 7

Equifax

▪ Bernard, S., Hsu, T., Perlroth, T. & Lieber, N. R. (2017), “Equifax Says Cyberattack May Have Affected 143 Million in the U.S.”, The New York Times, September 7
▪ Merle, R. (2017), “Outrage builds after Equifax executives banked $2 million in stock sales following data breach”, The Washington Post, September 8
▪ Weise, E. (2017), “Equifax web snafu another reminder to protect your credit info”, USA Today, September 8
▪ Guynn, J. (2017), “Equifax says it was not breached again, but vendor on site served 'malicious content'”, USA Today, December 12
▪ McCoy, K. & Shell, A. (2017), “Equifax CEO retires amid cyberbreach fallout”, USA Today, September 26
▪ Dastagir, A. (2017), “Equifax data breach: How to freeze your credit”, USA Today, September 9
▪ Weise, E. & McCoy, K. (2017), “Equifax's struggle after massive security breach deepens”, USA Today, September 11
▪ Andriotis, A. M., Rapoport, M. & McMillan, R. (2017), “‘We’ve Been Breached’: Inside the Equifax Hack. The crisis has sent shock waves through the industry, spooked consumers and sparked investigations”, The Wall Street Journal, September 18
▪ Rapoport, M. & Andriotis, A. M. (2017), “States Push Equifax to Explain Why It Took 6 Weeks to Disclose Hack. Equifax faced a patchwork of state requirements about how quickly a company must disclose a data breach and to whom”, The Wall Street Journal, October 28
▪ Loder, A. (2017), “A Warning Shot on Equifax: Index Provider Flagged Security Issues Last Year. MSCI cautioned in an August 2016 report that Equifax was ill-prepared to face the ‘increasing frequency and sophistication of data breaches’”, The Wall Street Journal, October 6


Capital One

▪ Tyko, K. (2019), “Capital One suspect indicted by federal grand jury on wire fraud and data theft charges”, USA Today, August 28
▪ NYT (2019), “Capital One Data Breach Compromises Data of Over 100 Million”, The New York Times, July 29
▪ Hong, N., Hoffman, L. & Andriotis, A. M. (2019), “Capital One Reports Data Breach Affecting 100 Million Customers. Alleged hacker, a former employee of Web Services, arrested by federal agents in Seattle”, The Wall Street Journal, July 30
▪ Baig, E., Bomey, N. & Herron, J. (2019), “Capital One data breach: What's the cost of data hacks for customers and businesses?”, USA Today, July 30
▪ Telford, T. & Denham, H. (2019), “Here’s how to make sure you’re safe after the Capital One hack. The personal information of about 100 million U.S. customers was compromised. What steps should you take to protect yourself?”, The Washington Post, July 30
▪ Siegel, R. (2019), “Capital One looked to the cloud for security. But its own firewall couldn’t stop a hacker”, The Washington Post, July 30
▪ Rudegeair, P., Andriotis, A. M. & Benoit, D. (2019), “Capital One Hack Hits the Reputation of a Tech-Savvy Bank. The lender is known for diving into new technology ahead of its peers. But that could become a liability”, The Wall Street Journal, July 31
