Bachelor thesis
in
May 2015
201209790
Mathias Trier Mortensen
Marketing and Management Communication
Total characters: 54.975 excl. blanks
OBLIGATORISK FORSIDE
Prescribed front page
HJEMMEOPGAVER, PROJEKTER, SYNOPSER U/ MUNDTLIGT
FORSVAR
Home Assignments, Project Reports, Synopses without oral defence
INSTITUT FOR ERHVERVSKOMMUNIKATION
Department of Business Communication
STUDIENUMMER
Student No.
HOLD NR.:
Class No.
Ex.: U02
201209790
FAGETS NAVN:
Course/Exam Title
Bachelor project
VEJLEDER:
Name of Supervisor
Silvia Ravazzani
ANTAL
TYPEENHEDER I DIN
BESVARELSE
54975 (2434 for Summary)
H03
(ekskl. blanktegn):
Number of Characters in
your Assignment
(exclusive of blanks):
Page 1 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
Crisis communication
An investigation of crisis response strategies
for data breaches
BA in Marketing and Management Communication
Supervisor: Silvia Ravazzani, Aarhus BSS
Department of Business Communication
Student number: 201209790 / Exam number: 528461
Total number of characters excl. blanks: 54974 (thesis) / 2434 (summary)
Page 2 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
Summary
This BA thesis, titled “Crisis Communication: An investigation of crisis response strategies for data
breaches”, employs social constructionism in an empirical research to characterise data breaches in a
corporate context and expand the theory of crisis communication. Crisis communication efforts through
crisis response strategies should serve to reduce the reputational threat of a crisis. Yet, it is vital for
organisations to navigate in the different crisis response strategies to avoid pitfalls and optimise corporate
reputation based on the perception from stakeholders.
Therefore, the topic of this thesis is of high interest for managers responsible for corporate communication
prior to, during and following a crisis, in order to apply effective crisis communication in their practices.
Specifically, the concept of data breaching is in interest due to the recent series of IT crises in the corporate
world, wherein payment systems have exposed consumers’ credit card information
The need for an adaption of contemporary theory on crisis response strategies to the practice of crisis
communication in the event of a data breach is therefore a key to respond immediately and thereby protect
the corporate reputation. To acquire empirical data for analysis, the thesis investigates two cases of data
breach, from 2011 and 2013, in which Sony and Target had to respond, respectively. The case studies will
serve to answer the following questions:
1. How should communication practitioners contemplate data breaching as a crisis?
a. Which type of crisis is a data breach?
b. How can communication practitioners plan crisis response strategies for data breaches?
c. Which pitfalls do crisis response strategies and discourses following a data breach present?
Based on the discussed findings of the analysis, this thesis concludes that data breaching is an IT crisis
associated with the victim cluster as malevolence. Hence, the communication practitioners should employ
victimage to reduce the reputational threat initially as well as corrective actions to retain a positive
corporate reputation by stakeholders. Organisations should be wary of misleading stakeholders by
minimisation as legitimisation of the crisis response. The strategy can be applied, but can quickly backfire if
stakeholders perceive they have been misled by the organisation.
In events with high reputational threat, the organisation should aim to rebuild their corporate reputation, for
instance through compensation to the involved stakeholders. Lastly, it is important to be coherent in the
application of crisis response strategies and respond immediately and decisively.
Key words: Crisis Communication; Corporate reputation; Reputational threat; Crisis response strategies;
data breach; Image Restoration Theory; Situational Crisis Communication Theory.
Page 3 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
Table of content
1. Introduction ................................................................................................................................................... 5
1.1 Problem statement ................................................................................................................................... 6
1.2 Structure of thesis .................................................................................................................................... 6
1.3 Scientific Framework .............................................................................................................................. 6
1.4 Delimitation ............................................................................................................................................. 8
2. Literature review ........................................................................................................................................... 8
2.1 Defining Crisis Communication ............................................................................................................ 10
3. Method......................................................................................................................................................... 14
3.1 Data collection ................................................................................................................................... 14
3.2 Data analysis ...................................................................................................................................... 15
4. Background information .............................................................................................................................. 17
5. Findings ....................................................................................................................................................... 19
5.1 Crisis communication ............................................................................................................................ 19
5.1.1 Sony ................................................................................................................................................ 19
5.1.2 Target .............................................................................................................................................. 20
5.1.3 Comparison..................................................................................................................................... 21
5.2 Discourse analysis ................................................................................................................................. 21
5.2.1 Sony ................................................................................................................................................ 21
5.2.2 Target .............................................................................................................................................. 22
5.2.3 Comparison..................................................................................................................................... 23
6. Discussion.................................................................................................................................................... 23
7. Conclusion and implications ....................................................................................................................... 26
8. References ................................................................................................................................................... 28
9. Appendices ................................................................................................... Error! Bookmark not defined.
Appendix A: Sony 2011a ............................................................................. Error! Bookmark not defined.
Appendix B: Sony 2011b ............................................................................. Error! Bookmark not defined.
Appendix C: Sony 2011c.............................................................................. Error! Bookmark not defined.
Appendix D: Target 2013a ........................................................................... Error! Bookmark not defined.
Appendix E: Target 2013b ........................................................................... Error! Bookmark not defined.
Appendix F: Target 2013c ............................................................................ Error! Bookmark not defined.
Page 4 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
1. Introduction
Crises in a corporate context have established a necessity amongst communication practitioners to master
crisis commmunication. Thus, the theoretical framework of crisis communication has become extensive
within the existing paradigm with regards to crisis management (e.g. Hearit 1994, 1999; Coombs 2006,
2007).
However, the digitalisation and globalisation of society including organisations present new crises that have
not previously been addressed within the area of crisis communication.
First, the emergence of social media platforms empowers the rapidity of information sharing amongst
consumers, which “more than previously are conversing online about organisations” (Li and Bernoff 2011)
and corporate reputation can thus be affected by the conversation. This notion becomes critical in the event
of a crisis as consumers can make the crisis escalade quickly if a negative perception is advocated in
conversation – therefore organisations must respond immediately after a crisis (Cornelissen 2011) to assess
the crisis before it escalades.
Secondly, the digitalised customer data in information technology (IT) can be exposed and exploited by IT
criminals, especially in features of online credit payment systems that contain consumer credit card
information. Thus, consumers with credit card information stored online have a financial stake, in the
organisation that maintains the payment system, which can be deprived.
Therefore, the consumers as a stakeholder group are key contributors to the development of corporate
reputation that can quickly act as a catalyst in the development of a crisis likewise.
Organisations maintaining online payment systems thus have to respond to a new form of crisis, namely data
breaching. In 2006-2007 hackers pioneered IT crime during the TJX data breach crisis in which supposedly
credit card information for up to 95million credit cards had been compromised (Shurman 2007). Since then,
other companies, such as Heartland Payments Systems and most recently the insurance company, Anthem,
have been victims on a large scale of the same category of IT crime (Palermo 2015).
The strategic management of crisis communication in cases of IT crises, thus, has to be prepared in advance
of a potential reputational threat to manage the situation optimally.
The concept of crisis communication needs to evolve in order to adapt to the added practice of IT crises and
accommodate the apparent pitfalls. Hence, it will be beneficial to critically analyse the crisis communication
of previous occurrences of data breaches. A comparative analysis of two recent data breach crises can
determine whether the communication practice of crisis management has changed.
The two companies in question of this research are Target, the retailing company, and Sony, the electronics
conglomerate. Both have experienced data breach crises in recent years and thus present updated cases
Page 5 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
eligible for analysis.
The analysis will investigate the following articles for both companies: press release, CEO statement and
annual reports, as the official sender of the articles are the organisations and they can be accessed easily
online for consumers to converse about. Thus they present discourse and crisis responses meant for
stakeholders as the intended receiver of these articles is stakeholders to protect the corporate reputation.
1.1 Problem statement
As a mean to structure this research paper, the following questions will be answered in the course of the
thesis through a case study of Sony’s and Target’s data breaches:
1. How should communication practitioners contemplate data breaching as a crisis?
a. Which type of crisis is a data breach?
b. How can communication practitioners plan crisis response strategies for data breaches?
c. Which pitfalls do crisis response strategies and discourses following a data breach present?
1.2 Structure of thesis
The structure of this thesis can be divided into three main parts: framing, analysis and discussion of findings.
Initially, the scientific framework of the analysis will be presented in order to contemplate on the effect of
the scientific position, in which the analysis is framed.
A delimitation of the thesis will frame the analysis and, thus, impose a cohesive thesis. Thirdly, the literature
review forms the theory background for the analysis and discussion of the problem statement with a
description of each theoretical field. Theories applied to the analysis include Coombs’ Situational Crisis
Communication Theory (2007), Benoit’s Image Restoration Theory (1997) and Van Leeuwen’s Legitimation
in Discourse Analysis (2007.) The theories will be reviewed in terms of relevance to the formulated problem
statement. Subsequently, the methods and methodology in relation to the scientific framework will be
accounted for prior to the empirical analysis. The initial fragment of the analysis will briefly introduce the
two case crises for Sony and Target and their articles as crisis communication materials (Sony 2011a, 2011b,
2011c; Target 2013a, 2013b, 2013c). The findings identified in the analysis will be discussed in the
succeeding discussion paragraph to interpret the ramifications of those findings. Lastly, the conclusion and
implications paragraph will offer insight on the future perspective on crisis communication for data breaches.
1.3 Scientific Framework
The scientific perspective on this research paper is of social constructionist character. Burr (2001) defines
social constructionism with four premises to describe the ontological and epistemological level of social
constructionism.
Page 6 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
The first premise is that it takes “[…] a critical stance towards taken-for-granted knowledge” (2001: 3) in the
sense of being open to find new perceptions and of reality in order to understand the socially constructed
nature of science. Therefore, social constructionists should be able to apprehend observations to find a
deeper meaning.
The second premise dictates that data and observations are “historical and cultural specific” (2001: 3) with
regards to the position of the observer and previous findings, their position in the historical and cultural
continuum. Hence, it becomes necessary for a social constructionist to comprehend the relevance of
historical and cultural background of the research in question.
Thirdly, the researcher should recognise that “knowledge is sustained by social processes” (2001: 4), and
thus, that it is socially constructed between human beings rather than through a universal true reality.
Therefore, knowledge is both sender and receiver oriented.
The fourth and final premise for social constructionism is the notion; that “knowledge and social actions go
together” (2001: 5) in terms of the engagements incited in human beings derived from knowledge
constructed by social interactions.
From the four premises a postulation about the ontological, epistemological and methodological levels of
social constructionism can be made. Thus, the ontological level is based on the notion that knowledge is
socially constructed between human beings in relation to the history as well as culture with a critical stance
towards taken-for-granted knowledge.
On an epistemological level social constructionists believe that knowledge is best developed through a broad
understanding of the interrelation between human beings and their perception of reality constructed by their
previous knowledge. Accordingly, it becomes necessary for researchers to contextualise their analyses to
fully adapt the notion of knowledge from a social constructionist’ perspective.
The ontological and epistemological level thus constructs an understanding of how knowledge is acquired
through methods during the analysis. The prerequisite of knowledge through broad understanding of human
beings and the perception of reality invites researchers to analyse the discourse in which the research takes
place. Additionally, it becomes necessary to analyse findings with an acknowledgement of their in
correlation with the historical and cultural context.
The manner in which the analysis questions the discursive elements in the crisis communication, suggests
that societal elements affect the background and application of theories due to the exhaustive relevance of
events in society. This notion follows that of Burr (2003) as she stresses that discourse analysis is now
referred to as social constructionism “due to the conception that humans are social animals [and] the
construction of different aspect of human nature and society,” [such as] philosophy, sociology and
linguistics, serve as influencers in the scientific spectrum (2003: 1-2).
Page 7 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
Critics in form of realists would argue that the constitution of the different aspect is contemplative rather
than real (Searle 1995). But it can be argued from an anti-realist’s perspective that the philosophy of science
is immense and thus is constituted of our socially constructed knowledge (Potter 1998 in Nightingale and
Cromby 2002). As such, it is the socially constructed knowledge that produces whole articles in an analysis.
1.4 Delimitation
For the purpose of critically reviewing the scientific perspective applied in the thesis, social constructionism
entails certain rationalisations of the chosen area of focus. So, the thesis follows the essential parts of social
constructionism described in the previous paragraph, explicitly discourse analysis. While knowledge is
gained via receiver as well as sender, this thesis is sender-oriented to analyse in-depth with that emphasis.
Therefore, the focus will be on the data collected from articles within the cultural and historical context of
the crisis that forms the two discourses. In connection, the two cases presented revolve around the niche part
of IT crises, data breaching, to offer relevant implications to the specific niche fragment of crisis
communication.
2. Literature review
The following sections will conceptualise crisis communication by definition through crisis, crisis types and
crisis response strategies in order to characterise the rationale of the analysis and embedded assumptions in
IT crises. Thus, the literature review serves to discuss the findings well along within the existing research
field of crisis communication. Originally, the term crisis stems from the “Greek word krisis [that] implies a
pulling apart, a separating” (Ciborra 1998: 7). The notion can be applied to different types of crisis in the
separation between two or more parties.
However, in a corporate context and for this thesis, the concept of crisis is defined as “an untimely but
predictable event that has actual or potential consequences for stakeholders’ interests as well as the
reputation of the organisation suffering the crisis” (Heath and Millar 2003: 2). Additionally, Gamble (2009)
argues that “a crisis is not a natural event, but a social event and, therefore, is always socially constructed
[…]” (cited in Laffan 2014: 267).
Hence, the crisis can hurt an organisation through stakeholders due to the stakeholders’ socially constructed
reactions to the crisis. A crisis should then induce a response, which should be “decisive and immediate [,]
from the organisation” (Cornelissen 2011: 200) in order to accommodate and diminish the crisis’ effect on
the corporate reputation.
However, a crisis can occur as different crisis types determined by the cause for the crisis, which is identified
by Coombs (2007: 168):
Page 8 of 29
Bachelor thesis
in
May 2015
201209790
Mathias Trier Mortensen
Victim Cluster
-
Workplace violence
Product tampering/Malevolence
-
Acts of nature damage an organisation
False and damaging information about the organisation is
circulated
Employee attacks emplooyes onsite
External agent causes damage to organisation
Unintentional crisis caused by organisation’s action
Accidental cluster
-
Preventable cluster
Human-error accidents
Human-error product harm
Organisational misdeed with no
injuries
Organisational misdeed
management misconduct
Organisational misdeed with
injuries
Total characters: 54.975 excl. blanks
The organisation is a victim of the crisis
Natural disaster
Rumour
Challenges
Technical-error accidents
Technical-error product harm
Marketing and Management Communication
Stakeholders critic the manner of organisational operation
Technology failure causes accident
Technology failure causes product recall
Hazardous actions done by organization
-
Human error caused accident
Human error caused product recall
Stakeholders are deceived without injuries
-
Legislations are violated by management
Stakeholders are at risk and injuries occur
Table 1: Overview of crisis types by clusters in accordance with Situational Crisis Communication Theory (Coombs 2007)
As Coombs (2007: 167) argues, “it does matter if stakeholders view the event as an accident, sabotage or
criminal negligence [, hence] how much stakeholders attribute responsibility for the crisis to the
organisation”. He divides the crisis types into three identified clusters as declared previously; 1) the victim
cluster, in which the organization is the victim of the crisis; 2) the accidental cluster, in which the crisis in
unintentional or uncontrollable; and 3) the preventable cluster, wherein the crisis is purposeful (2007: 167).
The first two have weak attributions of crisis responsibility, to which degree the organization is considered
accountable, whereas the preventable cluster has strong attributions of crisis responsibility (Coombs 2007).
Additionally, the reputational threat increases ranging from 1) the victim cluster – mild reputational threat to
3) the intentional cluster – severe reputational threat (2007: 168).
In the modern business world, new potential crises can arise through the application of information
technology. Following the emergence of online data collection, “companies are busy seeking strategic
applications of information technology (IT), savouring the delights and pitfalls of more and more
sophisticated networks” (Ciborra 1998: 6). IT does therefore not only provide opportunities to businesses but
also challenges that can potentially evolve into crises, which can thus be defined as IT crises. An example of
such an IT crisis is the “Heartland Payment System data breach” in which credit card information was stolen
by hackers to access customers’ credit card accounts and thus their personal assets. The IT crisis eventually
Page 9 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
cost Heartland “50 percent of its market capitalization and, as of August 2009, had spent more than $32
million on legal fees, forensic costs, reserves for potential card brand fines, and other related settlement
costs” (Cheney 2010: 18). Therefore, management should serve to employ “efforts aimed at improving
information sharing and data security within the consumer payments industry” (2010: 1) to avoid such crises.
So, for this thesis, an IT crisis takes point of departure in an untimely, but predictable event related to the
implementation or utilisation of information technology. The crisis carries potential consequences for
stakeholders’ interests as well as the reputation of the organisation suffering from the crisis.
The characteristics of an IT crisis correspond with the accidental cluster of Coombs’ (2007: 168) crisis types
by cluster due to the technological aspect and potential failure to correctly manage that technology.
However, in the case of the Heartland data breach the intrusion of the IT systems was done by an external
agent who deliberately breached the system and stole personal payment data intentionally. Hence, the
organisation becomes the victim in the crisis as the intrusion constitutes malevolence. The Heartland data
breach will thus establish a general definition of data breaching in a crisis context. Thus, a data breach will
be defined as a crisis with an illegal act of information theft done by an external agent.
Additionally, it is assumed that the stakeholders hold the organisation less responsible due to the external
agent’s wrongdoing.
It is thus essential for organisations to be able to convey the crisis to the stakeholders in an appropriate
manner. Kim et al. (2009: 86) argue that “[stakeholders] make sense of the crisis based on not only the
objective facts regarding the crisis, but also on the aspects of reassurance emphasized by the company in the
media or news releases”. This argument is backed by Benoit’s statement that the conveyed message is
crucial as “perceptions are more important than reality” (Benoit 1997: 178). The application of
communication in crises can therefore diminish the criticism by stakeholders towards an organisation.
2.1 Defining Crisis Communication
The field of crisis communication is a subcategory of crisis management with “[…] objective to exert control
[and] reassure stakeholders […]” (Cornelissen 2011: 199). The emphasis on the communication aspect of
crises is due to the assumption that “a crises response […] is essentially communicative” (Coombs 2010:
337). Crisis communication can thus be summarized as the visual, textual and/or verbal interaction by the
company and its stakeholders, whether it is before, during or following a crisis (Fearn-Banks 2001: 480).
Hence, organisations should serve the interests of their stakeholders in order to uphold a certain level of
corporate reputation, as Coombs (2010) state that “once [stakeholder] safety is addressed, the crisis response
shifts to reputational repair” (: 338). To apply the term “safety” in this context, it is viewed as safety of the
stakeholder’s investment in the organisation rather than physical safety, which is unlikely in the event of a
Page 10 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
crisis through information technology. In the event of a data breach the stakeholder safety is thus entrenched
in their credit card information.
The corporate reputation is here defined as “[…]a perceptual representation of a company’s past actions and
future prospects that describes the firm’s overall appeal to all of its key constituents[…]” (Fombrun 1996
cited in Wartick 2002: 374). This signifies an emphasis on the perception of the stakeholders, the need to be
wary of the impact it has on an organisation and the need to apply assets of reputational character in the
crisis management.
The crisis response strategies to repair corporate reputation are comprehensive and it is thus essential to be
able to navigate in the countless theories within the field. Therefore, two main principle of crisis
communication are presented below for adaption to highlight the cases in nuances.
Previously stated, crises can damage the corporate reputation and affect how stakeholders interact with the
organisation in a negative manner (Barton 2001, Dowling 2002 in Coombs 2007: 163). According to
Rousseau (2006), the approach to counter the crisis and thus protect the corporate reputation is “through
evidence-based guidance […] supported by scientific evidence rather than personal preference and
unscientific experience” (cited in Coombs 2007: 163). This notion should however still be seen in the light of
social constructionism that acknowledges that scientific evidence is founded in social interactions.
So, the Situational Crisis Communication Theory developed by Coombs (2007), serves the apparent need for
evidence-based guidance in a scientific matter. Throughout the thesis, Situational Crisis Communication
Theory will be referred to as SCCT in short on Coombs’ own invitation (2007).
SCCT can be applied as a strategic tool to 1) determine the crisis type, 2) identify possible crisis response
strategies and 3) evaluate the strategies through guidelines for crisis responses (Coombs 2007).
However, for the identification of possible crisis responses, the Image Restoration Theory (Benoit 1997) will
interchange Coombs’ own crisis response strategies through primary and secondary crisis response
strategies (Coombs 2007). This is due to the augmented variety of strategies, in which, for instance, the
possibility of corrective action is possible in Benoit’s theory (1997) and not in Coombs’ (2007). Coombs
(2007: 171) argues that “Image Restoration Theory offers no conceptual links between the crisis response
strategies and elements of the crisis situation”.
Yet, an adaptation of the Image Restoration Theory to Coombs’ terminology, through the three general crisis
response strategies; Deny, Deminish, Rebuild and Victimage (Coombs 2006), allows the application of
Coombs’ crisis response strategy guidelines of SCCT (Coombs 2007) specified subsequently.
SCCT assesses the reputational threat of a crisis situation via three main points 1) initial crisis
responsibility, 2) crisis history and 3) prior relational reputation (Coombs 2007: 166). The initial crisis
Page 11 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
responsibility is defined as “[…] how much stakeholders believe organisational actions caused the crisis”
(Coombs 1995 cited in Coombs 2007: 166). Thus, it is important to determine to which level the crisis is
perceived as self-induced. The crisis history and prior relational reputation of an organisation can further
enhance that perception, as “either a history of crises or an unfavourable prior relational reputation
intensifies attributions of crisis responsibility thereby indirectly affecting the reputational threat” (Coombs
2007: 167)
In relation to the three main points of reputational threat, it is necessary for managers to determine the crisis
type to find the initial cause or offender in the crisis situation. The crisis type has previously been elaborated
in the 3 crisis types by clusters: victim, accidental and preventable cluster (Coombs 2007: 167)
Coombs’ SCCT (2007)emphasises swift assessment of the situation at the point of crisis, however, the crisis
history and prior relational reputation indicates the manner in which a crisis can be alleviated or aggravated
dependant on the two attributes.
Following the crisis types, the crisis response strategies, which previously stated will be presented in
Benoit’s (1997) terminology offer initiatives for communication practitioners to apply in crises. The
strategies will 1) shape attributions, 2) change perceptions and 3) reduce reputational threat (Coombs 1995 in
Coombs 2007).
Benoit emphasises that “perceptions are more important than reality [and] as long as the audience thinks the
firm at fault, the image is at risk” (1997: 178). Benoit’s concept of image can thus be related to Coombs’
corporate reputation, as they describe the perception of the stakeholders. Henceforth, the term corporate
reputation will be applied throughout the thesis.
The augmented variety of crisis response strategies includes five general message options with subordinate
description within the first three. Image Restoration Theory‘s descriptions are briefly described below
(Benoit 1997: 179-181):
1) Denial, wherein the organisation applies either simple denial or shifts the blame to deny its responsibility;
2) Evasion of responsibility that is in form of provocation, defeasibility, accidents or good intentions. Thus
the crisis was provoked by another event, due to poor information, an accident or based on good intentions;
3) Reducing offensiveness of event that is either based on bolstering of the organisation, minimisation of the
crisis, differentiation from other similar crises, the means for transcendence , attack(ing) the accuser or
compensation to the victims of the crisis;
4) Corrective action, wherein the organisation will assure stakeholders that the problem will be corrected or
prevent the reoccurrence that problem;
Page 12 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
5) Mortification that implies the organisation confesses to stakeholders and takes responsibility for the crisis.
This strategy can, however, be hazardous as “[…] it might invite lawsuits from victims” (1997: 181).
Benoit’s Image Restoration Theory (1997) has theoretical connections to Frandsen and Johansen’s crisis
communication and apologetic ethics (2010) through the emphasis on crisis communication through
apologies, which can be applied to some cases of 3) reducing offensiveness of event, 4) corrective action and
especially 5) mortification. However, the apologetic approach does not apply well with 1) Denial or 2)
Evasion of responsibility.
A more suitable notion of apologia by Hearit (1994: 115) is, however, more differentiated as it does not
necessarily carry an apology to right the wrongdoings of an organisation. He argues it to be “[…] a defense
that seeks to present a compelling, counter description of organizational actions […] in a more favourable
context than the initial charges suggest” (Hearit 1994: 115). As such, the apologia is applied to a discourse
by the organisation to minimise reputational threats. The concept of apologia thus translates well into the
SCCT (Coombs 2007) and Image Restoration Theory (Benoit 1997) without providing an extensive strategic
tool compared to SCCT.
Lastly, Coombs offers a set of recommendations for the use of crisis response strategies through the crisis
response strategy guidelines (Coombs 2007). For the scope of this thesis the response guidelines included
will concern the premises of data breaching, defined previously as an illegal act of information theft done by
an external agent. The definition stresses minimal attributions of crisis responsibility by the organisation.
Hence, only the following guidelines concerning minimal attributions of crisis responsibility and a singular
guideline concerning strong attributions of crisis responsibilities, in case of organisational misdeed with no
injuries (Coombs 2007), will be applied to this thesis.
The guidelines suggest that “informing and adjusting information alone can be enough” when the
reputational threat is low (2007: 173), but as the reputational threat growths the crisis response should move
towards diminish responses onwards to rebuild responses in pari passu with the growth. Also, “victimage can
be used as part of the response for […] malevolence […]” (2007: 173).
Lastly, the guidelines suggest that consistency in the application of response strategies should be in place to
avoid erosion of effectiveness (2007: 173-174).
Crisis response strategies can thus provide an overview for communication practitioners to apply in crisis
communication. Overall, the two theories, SCCT (Coombs 2007) and Image Restoration Theory (Benoit
1997) supplement the other in terms of application and conceptualisation. An adaption of the two in unison is
thus applied to this thesis with emphasis on crisis response strategies:
Page 13 of 29
Bachelor thesis
in
May 2015
201209790
Mathias Trier Mortensen
Marketing and Management Communication
Total characters: 54.975 excl. blanks
Crisis response strategies
Denial
Simple Denial
Shift the blame
Evasion of responsibility
Provocation
Defeasibility
Accident
Good intentions
Reduce offensiveness of Event
Bolstering
Minimisation
Differentiation
Transcendence
Attack accuser
Compensation
-
Deny doing the act
Blame another for act
-
Claim that something else caused it
Blame lack of information
Claim that act was a mishap
Claim that act was meant for the best
-
Stress good traits
Claim that act was not serious
Claim that act was less offensive
Claim that the end justifies the means
Reduce attacker’s credibility
Reimburse victim
Corrective action
Mortification
-
Prevent/solve problem
Apologise and take blame
-
Reemphasise the role as a victim
Deny
Diminish
Rebuild
Adapted from Benoit (1997)
Victimage
Adapted from
Coombs (2007)
Table 2: Adaptation of Image Restoration Theory (Benoit 1997) and SCCT (Coombs 2007)
3. Method
Subsequent to the methodology of the scientific position of this analysis, the methods will have focus on the
socially constructed knowledge presented in the collected data. Additionally, social constructionism is the
rationale for the chosen methods with historical and cultural context in mind. In the following two sections
the data collection and data analysis will be presented.
3.1 Data collection
The social constructionist perspective on this thesis entails the premise that knowledge is socially
constructed and that the discourse in a given context is constituted by multiple perceptions. Hence, in order
to gain knowledge, a “holistic examination – using multiple sources of evidence […] of a single phenomenon
([for example] an event) within its social context” (Daymon and Holloway 2011: 115) can determine the key
points of crisis communication in the presented cases.
The data collection of this analysis is reliant on articles in form of annual reports, CEO statements and press
releases as qualitative empirical data in the case study of Sony and Target’s respective IT crises, specifically
data breaching. Sony has made the following articles official in a chronological order: a two-page press
release at May 3 2011 (Sony 2011a), CEO statement May 5 2011 (Sony 2011b) and annual report July 6
Page 14 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
2011 (Sony 2011c). Subsequently, Target released a press release December 19 2013 (Target 2013a), a CEO
statement December 20 2013 (Target 2013b) and an annual report March 14 2014 (Target 2013c). Collection
of data from the annual reports will exclusively target the paragraphs explicitly addressing the data breach of
the respective companies. That is page 8 from Sony’s annual report (Sony 2011c) and pages 17-18 from
Target’s annual report (Target 2013c: 1-2).
The articles can be viewed in Appendix A to F, however throughout the analysis; they will be referred to the
sender and year of publication.
A noteworthy distinction between the companies’ articles is time, as Sony’s crisis material stems from 2011,
whereas Target’s is more recent, from 2013. The parameter of time can thus play a role on the crisis
communication efforts when the two cases are compared to each other, as new understanding of the subject
after Sony’s crisis in 2011 can have aided Target in their crisis communication.
The rationale for three different communication channels is a holistic perception of the crisis communication
embedded in instant communication, press releases; reactionary communication, CEO statements and finally
the settled communication integrated in the annual reports and more explicit in certain paragraphs of that
article.
Thus, the articles present more than one aspect to the same challenge of successfully communicating within a
crisis discourse.
3.2 Data analysis
As determined previously, social constructionism is the foundation of this thesis, which is reflected in the
chosen theories for analysis of the crisis communication by Sony and Target. An adaptation of Coombs’
SCCT (2007) and Benoit’s Image Restoration Theory (1997) will investigate the setting for the crisis
communication for each company qualitatively through an analysis of responses and discourses. These
adaptations of crisis response strategies from existing theory can be viewed in Table 2. In supplement to the
adaptation, Van Leeuwen’s Legitimisation in discourse analysis (2007) serves as an expansion of the
analytic approach to crisis communication in a rhetoric perspective that can illustrate the intention to affect
stakeholders’ perception of the organisations.
Fairclough (1992: 225) defines discourse as the “[…] practice of signifying a domain of knowledge or
experience from a particular perspective”. To paraphrase that definition, a discourse analysis is thus an
analysis of the signals used to describe a field of study or involvement from a particular perspective. Thus,
the discourse analysis identifies elements of rationale from the provided perspective.
Van Leeuwen (2007) developed the legitimisation in discourse analysis theory to effectively interpret and
analyse discourses in question through legitimisations applied in the communication material. He defines
Page 15 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
legitimisations as “the answer […] to the question ‘Why’ – ‘Why should we do this?’ and ‘Why should we
do this in this way?’ (2007: 93).
The legitimisation in discourse analysis is divided into four major categories of legitimacy: 1) authorisation,
2) moral evaluation, 3) rationalisation and 4) mythopoesis (2007: 92-111).
The 1) authorisation in legitimisation employs either personal authority, expert authority, role model
authority, impersonal authority, authority of tradition or authority of conformity. Personal authority implies
the authority embedded in the status of the sender.
Contrary, through expert authorisation, legitimacy is delivered via expertise rather than. Hence, the
legitimacy becomes empowered via an expert role.
Role model authority relies on the sender’s role as an opinion leader or role model within the context.
Impersonal authority is present in legislations and is, thus, impersonal due to the prohibitions of the law.
Authority of tradition relies on “[…] what we have always done” (2007: 96).
Lastly, authority of conformity applies the legitimisation by stating that “most people are doing it, and so
should you” (2007: 97).
2) Moral evaluation legitimises via values. IT can be subdivided into evaluation, in which evaluative
adjectives are used to legitimise; abstraction, wherein the abstract references form the legitimisation, and
lastly analogies that imply the use of comparisons as legitimisation (97-100).
3) Rationalisation applies the use of logic to rationalise the legitimisation. It can be subdivided into
instrumental rationalisation and theoretical rationalisation (2007: 101-105).
Instrumental rationalisation emphasises the purpose legitimised through means, effect or goal, whereas
theoretical rationalisation emphasises the nature of circumstances by definition, explanation or prediction.
Lastly, 4) mythopoesis applies legitimisation through storytelling. Mythopoesis can be either positively,
moral tales, or negatively, cautionary tales, influencing as the legitimisation (2007: 105-107).
Kress’ analysis shows “that a single text can invoke many different, sometimes even contradictory,
discourses” (1985 in Van Leeuwen 2007: 108). Hence, it is necessary to attempt to view the legitimisations
from different perspectives to avoid misinterpretation. This notion is supported by Van Leeuwen’s statement
“[we] need to consider not just legitimation, but also and especially the intricate interconnections between
social practices and the discourses that legitimize them” (2007: 111).
Thus, to support the crisis communication analysis, an in-depth discourse analysis through legitimisations in
Page 16 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
discourse analysis by Van Leeuwen (2007) will provide an understanding of the discourse in which the crisis
communication operates.
Thus, the crisis communication and discourse analyses take the context of the crises into account. However,
while the analyses emphasise the socially constructed discourses there is little or no emphasis on the
stakeholders and their perception prior to, during and post crisis. Hence, this thesis will provide insight in the
rationale of the chosen crisis communication strategies; however it will not examine the effect on stakeholder
perception.
4. Background information
A brief description of the two data breach crises will provide the analysis with a context in which the
communication transpires. Thus, the background information will precede the analysis to make grounds for
the value and corporate reputation of the two.
4.1 Crisis: Sony Online Entertainment’s data breach
One of Sony’s most salient product groups is PlayStation, a series of video gaming consoles and software.
The entertainment service network developed for the consoles, PlayStation Network, had 75million users in
March 2011 and 150million in September 2013 (Statista 2015). In the registration process of PlayStation
Network consumers state data collection of private personal details, such as credit card information to
purchase content through the network.
In April 2011, Sony’s first major crisis occurred after the hacktivist group, Anonymous, allegedly hacked the
PlayStation Network and Qriocity servers and thus compromised 12,3million registered users’ credit card
information at April 3 (VentureBeat 2011). The hack attack was rumoured to be an act of retaliation of the
lawsuit against George “GeoHot” Hotz at January 11 2011 due to his distribution of “jailbreaking” tools to
PlayStation users, thus circumventing Sony’s security system against unauthorised software. The hack
attack, thus, created a sudden technological crisis (Tench and Yeomans 2009: 386‐837) that happened
expeditious. Therefore, the crisis communication had to be swift in order to react timely to the hacking.
However, according to VentureBeat (2011), Sony noticed the intrusion on the servers at April 20, 17 days
later after the intrusion occurred, and decided to shut the system down in order to investigate the attack. The
users were given the following statement: “[…] we are aware certain functions of PlayStation Network are
down. We will report back here as soon as we [have] more information” (PC World 2011).
Furthermore, they did not publicise a press release until May 3 2011 (Sony Online Entertainment 2011),
which had left users without a legitimate reason for the shutdown of servers for almost two weeks. Two
Page 17 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
days later CEO, Howard Stringer, released a statement on the crisis (PlayStation Blog 2011), in which he
apologised for any inconvenience caused by the crisis.
Following the shutdown, Sony strived to accommodate the affected users of PlayStation Network by the
“welcome back” programme that included free games and premium access to PlayStation Plus for the users
as compensation for the time excluded from the Network (Huffington Post 2011).
During the span from April 20 to May 20, Sony’s stock price went down ≈10% from 30,14US$ to 27,05$US,
which indicated a loss of confidence in Sony as a public limited company (Yahoo! Finance 2015).
4.2 Crisis: Target’s data breach
In 1995 Target introduced their credit card solution for customers, Target Guest Card, which was later
renamed to REDcards in 2004 (Corporate Target 2015). Customers can apply for a REDcard with their
personal information in order to receive the credit card that ensures exclusive discounts and advantages for
the cardholder (Target 2015).
In the winter 2013, Target’s first corporate crisis hit as hackers were able to steal 40 million customer’s;
names, credit or debit card numbers, expiration dates and three-digit security codes from November 27 to
December 15 (New York Times 2013).
Initially, Target claimed that “to date, there is no evidence that unencrypted PIN data has been
compromised” (TIME Business 2013). However, at December 19 2013, Target released a press release,
wherein they confirmed “unauthorised access to payment card data in US stores […] that may have impacted
certain guests” (Target 2013a). Thus, within the few days, Target switched deposition from disregarding the
crisis to an acknowledgement that it “may have” happened. The stolen PIN data could then be used by
“cybercriminals [to] make withdrawals from a customer’s account through an ATM” or it can even be sold
on cyber black markets for others to mismanage (New York Times 2013).
In the wake of the discovery of the crisis at December 21 2013, the bank, JP Morgan Chase, announced to
“debit card customers affected by the Target breach that it [would] place daily limits on spending and
withdrawals as it works to reissue cards in the following two weeks” (Wall Street Journal 2014). Hence, the
statement by JP Morgan Chase further strengthened the distrust in Target.
In order to regain some of the trust and thereby repair the corporate reputation, Target offered customers, an
additional 10 percent off their purchases, whether they were victims of the crisis or not (NewsCred n.d.).
Target eventually announced at January 10 2014 that “70 million customers had their personal information
stolen during the holiday data breach” (Wall Street Journal 2014).
Page 18 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
5. Findings
In this section the case material of Sony and Target will be analysed to identify key findings that can
substantiate the impact of crisis communication in cases of data breaching.
The two company cases will be analysed separately under each theoretical section to form a foundation for a
comparative analysis in the end of each section.
5.1 Crisis communication
The crisis response strategies relevant for the adaptation of Coombs’ SCCT (2007) and Benoit’s Image
Restoration Theory (1997) will be scrutinised. Firstly, the crisis types by clusters adapted from SCCT will be
identified, then, crisis response strategies adapted from Image Restoration Theory.
Despite the emphasis of crisis history and prior relational reputation of reputational threats, the two factors
will be omitted as there has been no prior crisis in the companies’ history, which is evident in the
background information. The study of prior relational reputation carries ample research question on its own
beyond the scope of this analysis and will therefore not by investigated.
5.1.1 Sony
Sony denotes that the crisis is due to external agent’s malevolence on the company as “hackers may have
stolen SOE customer information” and “SOE accounts may have been stolen [which were][…] illegally
obtained” (Sony 2011a: 1).
The bias towards this crisis type continues in the CEO Statement (Sony 2011b) with the comprehensive exert
of the word, attack, thus connotes that Sony is a victim in the crisis; “[…] caused by this attack”, “If attacks
like this happen again” and “a criminal attack on us”.
Similarly, in the annual report (Sony 2011c) the “cyber-attack launched against the PlayStation Network and
Qriocity […] forced [Sony] to temporarily shut down all of these services” connotes the victimage of Sony in
this crisis as they have fallen victim to “sophisticated criminal intrusions”.
The press release (Sony 2011a) introduces the crisis via a shift of blame interconnected to the malevolence
described above, as “hackers may have stolen SOE customer information on April 16th and 17th, 2011” (: 1)
and “hackers […] do their best to cover their tracks” stated in the CEO statement (Sony 2011b).
However, the predominant response strategy applied is corrective action. This is evident from reaction in
which, “upon discovery […], the company promptly shut down all servers related to SOE services” also “the
company is working with the FBI and continuing its own full investigation while working to restore all
services”(Sony 2011a: 1). By responding immediately, Sony denotes a corrective action has been done. The
“$1 million identity theft insurance policy” will in the future protect the interests of the customers to prevent
the problem from reoccurring (Sony 2011b).
Page 19 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
Compensation is briefly managed by “rewarding [customers] for [their] patience” (Sony 2011b) with the “30
days of additional time on [customers] subscription” (Sony 2011a: 2)
The annual report (Sony 2011c) only has few traits of crisis response strategies in form of shifting the blame,
“cyber-attack launched against PlayStation Network […], which forced [them] to temporarily shut down all
of these services”. The other strategy evident is corrective action, as“[they] have worked around the clock to
strengthen [their] information security systems” and eventually “all serviced territories have been restored”.
5.1.2 Target
The crisis type of Target’s data breach is characterised via the victim cluster in form of malevolence. It is
evident from the press release (Target 2013a), wherein Target “confirmed [it is] aware of unauthorised
access to payment card data”.
Additionally, the “unauthorised access to payment card data” is succeeded by a statement that “[the data
breach] was a crime against Target, [their] team members and [their] valued guest” (Target 2013b).
The recurrence of “unauthorised access” denotes that it was an external agent. Which is explicitly stated in
the annual report; as “an intruder stole certain payment card and other guest information from our network”
and that the intruder accessed “[…] approximately 40 million credit and debit card accounts” (Target 2013c:
1).
The crisis is minimised through the ambiguity of the statement that “card accounts” and “card data may have
been impacted” (Target 2013a) and still customers “can shop with confidence at target” as “there are
typically low levels of actual fraud” (Target 2013b) . It thus remains unresolved in the press release and CEO
statement, whether there really was cause for consumers’ concern over their credit card information. Hence,
the crisis threat is minimised due to the low risk of affecting customers and they should therefore disregard
the threat and purchase unaffectedly.
However, corrective actions are applied as Target has “resolved the issue” and are “working with law
enforcement to bring those responsible to justice” to correct the crisis (Target 2013b).
Target ”removed the malware from virtually all registers” (Target 2013c: 1) and ”committed to restore
[customer] confidence (: 2). Conclusively in the annual report, it is stated that Target “are committed to […]
activities to restore [customers’] confidence” (: 3). These examples connote actions initiated to protect
consumers and prevent a similar crisis.
The compensation is explicit in the CEO statement (Target 2013b) as Target “will offer free credit
monitoring services”. Moreover, the “issue has been addressed” connotes a corrective action to illustrate that
actions have been taken to resolve the crisis.
Page 20 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
There is no evident minimisation in the annual report contrary to the press release and the CEO statement.
Instead, the annual report shifts the blame to “the intruder [who] accessed and stole payment card data” and
“the intruder stole certain guest information […] for up to 70 million individuals” (Target 2013c: 1).
In correlation, minor traits of mortification are evident as “it is probable [Target] would be found liable on
these claims were they to be litigated” and thus “may be subject to fines or other obligations” (Target 2013c:
2). Thus, the organisation takes partial blame for the crisis and addresses the risk of litigations.
Victimage is identified with emphasis on the financial aspect of the crisis. Target addresses the “more than
80 actions filed in court […] may be asserted against [them] on behalf of guests[…]” (Target 2013c: 2).
Thus, the crisis has caused liabilities that can be referred to the “$61 million of pretax data breach-related
expenses” (: 1).
5.1.3 Comparison
A similar strategy applied by both organisations is the malevolence as part of the victim cluster, wherein
Sony as well as Target claims that an external agent caused the crisis rather than the organisations
themselves. Additionally, response through compensation is identified in both cases.
However, Sony is fairly consistent in the application of the crisis response strategies with traits of shift the
blame and corrective action across the three Sony articles.
Contrary, Target is inconsistent in the crisis response strategies applied as the first two articles contain
minimisation, which is abandoned in favour of shift the blame and minor traits of mortification in the third
article.
Conclusively, both organisations apply victimage to denote their role as victims in the crisis.
5.2 Discourse analysis
The articles will be analysed for legitimisations applied in discourse of the communication. However, due to
the prosperity of legitimisation traits, the predominant legitimisations will be highlighted to indicate the
trending practice of the two organisations in the articles and thus not misconceive the rationale of the
strategy overall.
5.2.1 Sony
Sony’s application of authority in the legitimisation is primarily in form of impersonal authority, evident in
the press release by the “illegal intrusions” and the work with “the FBI” to recover the “illegally obtained”
personal information (Sony 2011a: 1). The emphasis is, thus, put on what is dictated by legislation as illegal
and upheld by the governmental FBI.
Page 21 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
The phrase “under the leadership of Kazuo Hirai” (Sony 2011b)” forms an analogy of moral evaluation
through a military comparison with reference to a military status, to make “[their] defences […] even
stronger” against the “cyber-attacks”.
The annual report (Sony 2011c) contains a trait of instrumental rationalisation as the effect of “a cyberattack […] forced [them] to temporarily shut down all of these services”. Thus, the shutdown was an effect of
the data breach. Additionally, a legitimisation by moral evaluation is applied by evaluation as the evaluative
adjectives, “new and rich user experiences” and “a serious challenge”; legitimise the quality of products and
the degree of crisis.
The evaluation is predominant throughout in the moral evaluation of legitimisation through the use of
evaluative adjectives: “as quickly as possible” (Sony 2011a) and “full and safe service” (Sony 2011b). The
adjectives legitimise the efficiency of the process. The instrumental rationalisation is evident in the press
release; “the company is committed to helping customers” and “complimentary offering to assist users”, goal
and means respectively (Sony 2011a). Hence, Sony emphasises the support to customers as a goal and the
offering as a mean towards that goal. Additionally, Sony wants to “[get] back what [customers] signed up
for” (Sony 2011b) and “further reinforce [their] security” (Sony 2011c). Thus, the goals, which were
customer satisfaction and IT security, are set for Sony.
5.2.2 Target
Likewise, Target’s reference to “law enforcement”, “financial institutions” and “authorities” (Target 2013a)
form authority of impersonal character, as the examples denote authority in legislative form.
The legitimisation by authority in the CEO statement (Target 2013b) is still present, but, instead of
impersonal authority the application of authority of tradition becomes evident as “[Target] has been built on
a 50-year foundation of trust” and “[their] guests are always first priority”. Thus, the lineage is included to
legitimise trust and customer service.
Instrumental rationalisation is evident in the first two articles through goal-orientation towards customer
trust in the organisation, “Target’s first priority is preserving the trust of [their] guests” (Target 2013a), and
means-orientation through “free credit monitoring services [to get] extra assurance” (Target 2013b).
Rationalisation is also featured in the annual report (Target 2013a), but is of theoretical character through
prediction as, “[they] expect the forensic investigator […] to claim […]” and explanation of the “yearend
incremental counterfeit fraud losses […] because [they] have not yet received third-party fraud reporting”.
The rationalisation is thus based on the nature of the organisation’s circumstances rather than the purpose.
Conclusively, authority is primarily of impersonal character with emphasis on “state and federal agencies”
and the support to “law enforcement” (2013c: 2).
Page 22 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
Evaluation is evident in the article by the wording “appropriate resources” and “thorough investigation” to
legitimise the expenditure and quality of research (Target 2013a) and the normality of the crisis is legitimised
by “other similar situations” (Target 2013b). Furthermore, Evaluation legitimises the righteousness of the
“significant investigation” and the inaccessibility of the “broad array of […] factors” as “infeasible” (Target
2013c: 2, 3).
5.2.3 Comparison
The application of impersonal authority in the articles is similar for both organisations. Though, Target shifts
from impersonal authority to authority of tradition back to impersonal authority.
Target applies evaluation across their three articles, whereas Sony applies it to the press release and annual
report, but analogies in the CEO statement through a military comparison.
On the other hand, Sony applies instrumental rationalisation across the three articles and Target does in the
press release and CEO statement as well, but applies theoretical rationalisation in the annual report.
6. Discussion
A discussion based on the contemporary theoretical contribution to crisis communication, background
information and analysis findings will identify key takeaways for communication practitioners to apply in
the event of data breaching going forward.
This discussion takes point of departure in Coombs’ (2007) crisis response strategy guidelines that can help
protect the corporate reputation “through evidence-based guidance […] supported by scientific evidence
rather than personal preference and unscientific experience” (Rousseau 2006 cited in Coombs 2007: 163).
The premise of a data breach involves an external agent in form of a hacker, which constitutes the primary
guilty party in the crisis, in contrast to other crisis types. Thus, it is natural for organisations to recede from
responsibility and introduce the crisis as malevolence by victimage with the organisation as a victim in order
to reduce the reputational threat (Coombs 2007). This claim is denoted by the practice performed by Sony
and Target’s crisis communication, implying a consensus within the niche area of the crisis communication
that follows the guidelines of victimage in cases of malevolence.
The organisations’ insufficiency within IT security could constitute reputational threat if stakeholders
perceive that as an attribution of crisis responsibility. Thus, the level of attribution of crisis responsibility
would be higher than, if it is perceived that nothing could have been done to prevent the data breaches.
Therefore, it is possible that stakeholders in reality perceive low attribution of crisis responsibility to the
organisation rather than minimal attributions in cases of data breaches based on the importance of sufficient
IT security to prevent the crisis.
Page 23 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
Cornelissen’s (2011: 200) premise for optimal crisis communication state that it has to be “decisive and
immediate [,] from the organisation” and Coombs’ (2010) priority on stakeholder safety, in this thesis credit
card information, is a point of critique for Sony’s crisis response. Sony’s announcement of the failing
functions of PlayStation Network without much information does not denote decisiveness or immediacy in
terms of crisis response strategies, nor does it accommodate a potential threat to the credit card information
of PSN users. The initial poor response with no information may even have devalued Sony’s stock indirectly.
However, overall the effectiveness of the crisis response strategies was maintained by consistency (Coombs
2007: 173) across the three articles in form of shift the blame and corrective action (Benoit 1997) mainly.
The shift of blame works in the case of malevolence with the denial of responsibility of wrongdoing shifted
to the intruders, but with reassurance that Sony will take appropriate corrective actions to prevent the crisis
from occurring again.
Coombs (2007) argues that rebuild strategies accommodate stakeholders best, but that the high cost of
compensation can make the strategy too expensive. The compensation given by Sony in form of the “30 days
of additional time on [customers] subscription” holds low level of accommodation, as the compensation is an
opportunity cost rather than a variable cost that can still accommodate customers’ questions towards
PlayStation Network’s credibility as a secure network provider. However, the compensation provides Sony
with a tool to regain their damaged corporate reputation evident in the negative stock development
following the crisis.
Contrary to Sony’s consistent crisis response strategies, Target has inconsistent application of crisis response
strategies in the articles through minimisation in the first two articles and replaced with shift the blame and
mortification in the third. As Coombs (2007) argues in his guidelines, the inconsistent application of crisis
response strategies will erode the effectiveness of the overall response.
This is evident in the Target case as the minimisation applied through reassurance that the crisis likely will
have no effect on the customers’ confidence in shopping at Target and that they therefore should refrain from
alarm.
But, following JP Morgan Chase’s corrective action targeted at debit card customers affected by the Target
breach (Wall Street Journal 2014) the notion of minimisation applied by Target loses credibility and thus the
corporate reputation is tarnished. Target thus responded immediately, but not decisively to accommodate
such a development of the crisis. The loss of credibility creates a new crisis that can be accounted to
organisational misdeed with no injuries, as Target has deceived stakeholders’ perception of the crisis
implications. Therefore, Target becomes exposed to potential litigations that can affect the financial
circumstances of the organisation.
In order to rebuild the corporation reputation, Target offers compensation through free credit monitoring
Page 24 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
services and corrective actions to prevent a similar crisis in the future. The supplementary response to the
mishap by minimisation of the data is thus in line with Coombs’ guidelines expression that rebuild strategies
should be applied in cases of preventable crises. It is argued that the offspring crisis is preventable as Target
could have minimised the crisis but still be resolute in their reaction to the crisis. Meanwhile, Target could
assure stakeholders that the organisation would take the crisis seriously in terms of corrective actions. Benoit
(1997: 178) noted: “perceptions are more important than reality”. But even if the crisis response strategy
through minimisation makes stakeholders perceive the crisis as a minor threat the perception is altered
negatively when the reality is uncovered from a third-party. This would cause the crisis response strategy to
backfire as the initial perception was misleading. Consequently, consumers would question whether or not
their credit card information is safe due to the misleading communication on the issue by Target and on that
rationale stop shopping at the stores.
The legitimisations with moral evaluative features serve to induce a set of values towards the crisis framed
by the organisations. The evaluations most evident in the articles induce the values through evaluative
adjectives. However, Sony’s CEO statement employs analogies in form of military comparisons of the crisis
that persuades the stakeholders in the PlayStation Network to perceive the hackers as enemies and they
should endorse Sony as the defender of the people against that enemy.
That specific approach of legitimisation can be argued to function well in a patriotic country, such as USA,
due to the national pride and the general endorsement on military in USA. But, this sort of legitimisation can
induce strong emotions of negative character in the receiver dependant on the values in the individual and the
cultural influence that can be difficult to control in connection the socially constructed reality of the receiver.
Likewise, an abundance of evaluative adjectives can become overly identifiable for the receiver and the
persuasive elements of the legitimisation will thus loose effect as receiver would questions the legitimacy of
the evaluations.
The legitimisation through authority, namely impersonal authority, legitimises the crisis as severe through
the inclusion of FBI and other federal agencies in the investigation. However, this form of legitimisation
conflicts the rationale behind minimisation as a crisis response strategy per classification, while interference
by FBI is not deemed minimal attribution to a perception of a crisis. In the case of data breaches, it can
however also signify that the worst-case-scenario of a data breach is severe, while in reality the impending
crisis may not have be severe to accommodate stakeholders’ concerns.
Additionally, the authority of tradition translates well into crises with no crisis history or negative prior
relational reputation as organisations can further reduce reputational threat thereby due to their legitimised
credibility through corporate history.
Page 25 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
Lastly, the application of instrumental rationalisation denotes a purpose in the legitimisation that translates
well into corrective actions through emphasis on the organisation’s ability to respond to the crisis and
prevent it in the future. Whereas, the theoretical rationalisation connotes a reaction to a crisis as “the way
things are” (Van Leeuwen 2007: 103). That reflection denotes a reaction and acceptance of a contemporary
situation rather than a proactive prevention of future potential crises, which is identifiable in the
mortification crisis response strategy. It should be applied to a case of high reputational threat as rebuild
crisis response strategies. Hence, in cases with either minimal attribution of crisis responsibility, no history
of crises or negative prior relationship reputation the mortification vaguely embedded in the application of
theoretical rationalisation is ill-advised.
In summary, the opportune crisis response strategy for data breaching immediately determines the crisis as
malevolence providing minimal attributes of initial crisis responsibility and assesses the reputational threat
in order to determine the crisis history and prior relational reputation .The level of reputational threat thus
regulates to which extent the organisation should deny, diminish or rebuild with regards to Coombs’ SCCT
(2007).
Importantly, the reputational threat can increase if the legitimised response is deemed misleading,
exemplified in the case of Target. Finally, the communication practitioner should recognise that the
discourse can be interpreted differently by each individual stakeholder and the reaction to the crisis response
can thus differ depending on the perception affected by culture and history.
7. Conclusion and implications
The final section of this thesis will conclude on the identified critical features to the contribution of crisis
communication specifically in the event of a data breach. Thus it provides cohesion in the assessment of
contemporary theory with an interpretation targeted towards this niche segment of crisis communication.
Suggestions for future research within this niche segment will be presented to scrutinise further.
This thesis has analysed two cases of data breaching against Sony and Target and identified characteristics of
such a crisis in connection to opportune strategies and pitfalls. The analysis of crisis response strategies and
discourse in the two cases has determined data breaching as an IT crisis with evident traits of malevolence
that encourages communication practitioners to employ victimage as a crisis response strategy. Both cases
initially had minimal attributions of crisis responsibility, however due to poor crisis communication the
reputational threat overall increased as the organisations were unable to respond optimally to the data
breaches.
Therefore, it is important to learn from the cases, so the poor crisis communication will not occur again.
Page 26 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
Organisations should prioritise the protection of credit card information as stakeholder safety in their crisis
response strategies to avoid misleading stakeholders. If they refrain from this notion, the strategy can
backfire through lost credibility leading to a weakened corporate reputation that will amplify the
reputational threat in the future. The reputational threat can translate to financial expenses through either
litigations or negative stock development. Hence, it is advised to emphasise a respect for potential crises,
even though an organisation legitimises it as minimal.
However with this mix of crisis strategy response, organisations can connote responsibility, if a crisis should
occur in reality.
If a supplementary preventable crisis through organisational misdeed ensues the organisation should exercise
rebuilding to adjust to the stronger attribution of crisis responsibility following the weakened corporate
reputation. Otherwise, the opportune strategy should be coherent in the crisis communication to avoid
erosion of the effectiveness of crisis responses. Corporate reputation can become damaged if the
stakeholders begin to question the incoherence of applied crisis response strategies. Therefore, it is vital for
organisations to be immediate as well as decisive, when responding to a crisis.
To broaden the contemplation of crisis communication following data breaches, it can beneficial for
researchers to investigate the cases from a receiver-oriented perspective. Thus, the corporate reputation and
reputational threat regulated by stakeholders can evaluate the crisis response strategies in-depth in different
segments. Alternately, the development of crisis communication following data breaches can be analysed in
recent instances, thus further elevating theory to aid communication practitioners in their efforts.
Page 27 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
8. References
Burr, V. (2003) Social constructionism. London: Routledge.
Ciborra, C. (1998) Crisis and foundations: an inquiry into the nature and limits of models and methods in the
information systems discipline. The Journal of Strategic Information Systems, 7(1), pp.5-16.
Cheney, J. (2010) Heartland Payment Systems: Lessons Learned from a Data Breach. SSRN Journal.
Coombs, W. (2006) The Protective Powers of Crisis Response Strategies. Journal of Promotion
Management, 12(3-4), pp.241-260.
Coombs, W. (2007) Protecting Organization Reputations During a Crisis: The Development and Application
of Situational Crisis Communication Theory. Corporate Reputation Review, 10(3), pp.163-176.
Timothy Coombs, W., Frandsen, F., Holladay, S. and Johansen, W. (2010) Why a concern for apologia and
crisis communication?. Corp Comm: An Int Jnl, 15(4), pp.337-349.
Cornelissen, J. (2011) Corporate communication: A guide to theory and practice. Thousand Oaks, CA:
SAGE Publications.
Corporate Target (2015) Target through the years. [Online]Available at:
https://corporate.target.com/about/history/Target-through-the-years [Accessed 4 May 2015].
Daymon, C., & Holloway, I. (2011) Qualitative Research Methods in Public Relations and Marketing
Communications (2 ed.).New York, NY, USA:Routledge.
Fairclough, N. (1992) Discourse and Text: Linguistic and Intertextual Analysis within Discourse Analysis.
Discourse & Society, 3(2), pp.193-217.
Frandsen, F. and Johansen, W. (2010) Apologizing in a globalizing world: crisis communication and
apologetic ethics. Corp Comm: An Int Jnl, 15(4), pp.350-364.
Hearit, K. (1994) Apologies and public relations crises at Chrysler, Toshiba, and Volvo. Public Relations
Review, 20(2), pp.113-125.
Hearit, K. (1999) Newsgroups, activist publics, and corporate apologia: The case of Intel and its Pentium
chip. Public Relations Review, 25(3), pp.291-308.
Heath, R. L. and Millar, D. P. (2003) Responding to Crisis: A Rhetorical Approach to Crisis
Communication. Lawrence Erlbaum Associates: New Jersey
The Huffington Post, (2015) 'Welcome Back': Sony's Make-Up Package For PSN Hack. [Online] Available
at: http://www.huffingtonpost.com/2011/06/03/welcome-back-sony-playstation-networkprogram_n_871167.html [Accessed 4 May 2015].
Kim, J., Kim, H. and Cameron, G. (2009) Making nice may not matter: The interplay of crisis type, response
type and crisis issue on perceived organizational responsibility. Public Relations Review, 35(1), pp.86-88.
Li, C. and Bernoff, J. (2011) Groundswell: Winning in a world transformed by social technologies. United
States of America: Harvard Business Press.
New York Times (2013) Target Struck in the Cat-and-Mouse Game of Credit Theft. [online]
Available at: http://www.nytimes.com/2013/12/20/technology/target-stolenshopperdata.html?src=me&ref=general&_r=0 [Accessed 4 May 2015]
Page 28 of 29
Bachelor thesis
Mathias Trier Mortensen
in
May 2015
201209790
Marketing and Management Communication
Total characters: 54.975 excl. blanks
NewsCred (n.d.) Social Media Crisis Communication: Lessons From Target’s Data Breach. [online]
Available at: http://blog.newscred.com/article/social-media-crisis-communication-lessons-from-targets-databreach/f3568a27345ecac5ea5154da86d90343 [Accessed 4 May 2015].
Nightingale, D. and Cromby, J. (2002) Social Constructionism as Ontology: Exposition and Example.
Theory & Psychology, 12(5), pp.701-713.
Palermo, E. (2015). 10 Worst Data Breaches of All Time. [online] Tom's Guide. Available at:
http://www.tomsguide.com/us/biggest-data-breaches,news-19083.html [Accessed 4 May 2015].
PC World (2011) PlayStation Network Hack Timeline. [online] Available at:
http://www.pcworld.com/article/226802/playstation_network_hack_timeline.html [Accessed 4 May 2015].
Schuman E. (2007) The TJX Data loss and security breach case. The Case.
Searle, J. R. (1995) The construction of social reality. London: Penguin
Statista, (2015) PlayStation Network: number of accounts 2013 | Statistic. [online]
Available at: http://www.statista.com/statistics/272639/number-of-registered-accounts-of-playstationnetwork/ [Accessed 4 May 2015].
Target (2015) Target : REDcard. [online]
Available at: http://www.target.com/redcard/main [Accessed 4 May 2015].
Tench, R. and Yeomans, L. (2009) Exploring public relations. Harlow, England: FT Prentice Hall.
Van Leeuwen, T. (2007) Legitimation in discourse and communication. Discourse & Communication, 1(1),
pp.91-112.
Venturebeat (2011) Chronology of the attack on Sony’s PlayStation Network. [online]
Available at: http://venturebeat.com/2011/05/04/chronology-of-the-attack-on-sonys-playstation-network/
[Accessed 4 May 2015].
Yahoo! Finance (2015) SNE Historical Prices | Sony Corporation Common Stock Stock - Yahoo! Finance.
[online] Available at:
http://finance.yahoo.com/q/hp?s=SNE&a=03&b=20&c=2011&d=04&e=20&f=2011&g=d [Accessed 4 May
2015].
Wartick, S. (2002) Measuring Corporate Reputation: Definition and Data. Business & Society, 41(4), pp.371392.
Wall Street Journal (2013). Target’s Data-Breach Timeline. [online] Available at:
http://blogs.wsj.com/corporate-intelligence/2013/12/27/targets-data-breach-timeline/ [Accessed 4 May
2015].
Page 29 of 29