The impact of crisis response strategies on customer satisfaction in the unique context of data breaches
Master Business Administration - Strategy
University of Amsterdam
Author: Laura Bruijnzeels
Student number: 13365789
EBEC approval number: EC 20220521050518
Thesis supervisor: Pushpika Vishwanathan
Date: 24th of June, 2022
Word count: 12706 words
Statement of Originality
This document is written by Student Laura Bruijnzeels who declares to take full responsibility for the contents of this document. I declare that the text and the work presented in this document is original and that no sources other than those mentioned in the text and its references have been used in creating it. The Faculty of Economics and Business is responsible solely for the supervision of completion of the work, not for the contents.
Table of Contents
Abstract
1. Introduction
2. Literature review
2.1 Misconduct
2.2 Online misconduct
2.3 Data Breaches
2.4 Customer satisfaction
2.5 Current knowledge on response strategies
2.6 The different response strategy options
3. Hypothesis development
3.1 A comparison of SCCT response options
3.2 The impact of severity of the data breach
3.3 The impact of firm size
3.4 Conceptual model
4. Methods
4.1 Research design
4.2 Sample
4.3 Measures
5. Results
5.1 Data preparation
5.2 Descriptive statistics and correlation analysis
5.3 Hypothesis testing
6. Discussion
6.1 Summary of findings
6.2 Theoretical contributions
6.3 Recommendations for future research and managerial implications
6.4 Strengths and limitations
7. Conclusion
8. Reference list
Appendix A
Abstract
The number of data breaches keeps rising enormously. These breaches represent cases of misconduct, affect stakeholders’ personal information and endanger the relationships firms have with their stakeholders. The model tested in this research is based on Situational Crisis Response Theory, to analyse whether firm response strategy, that is either financial or non-financial compensation, in comparison to only an explanation, influences customer satisfaction after a data breach. The model was tested against 11134 data breach cases collected from the American Consumer Financial Protection Bureau from January 2012 until December 2017. The results show that firm response strategy affects customer satisfaction, and that the customer is more satisfied with financial or non-financial compensation than with only an explanation. Also, the moderating effect of severity of the breach appeared to be insignificant and the moderating effect of firm size proved to be significant, meaning that the firm size influences the compensation that the customer prefers in order to be satisfied. Specifically, only customers of large firms are satisfied with financial and non-financial compensation, whereas in small and medium-sized firms customers are only satisfied with financial compensation. As a result, this study provides new insights on dealing with data breaches and offers new insights for Situational Crisis Response Theory in the unique context of data breaches. In addition, it also adds to stakeholder theory, as the relationship between the customer and the firm is crucial for long-term engagement.
1. Introduction
It is crucial that firms understand their stakeholder groups and know how to act according to their needs, especially when they are struck by misconduct (Rasche & Esser, 2006).
Misconduct harms stakeholders and violations of stakeholder relationships can have long-term damaging effects on current and future partnerships. These violations can lead to crisis situations and result in costly healing processes (Hersel et al., 2019).
In recent times an increasing number of firms rely on data for improving their customer journey (Van den Bulck & Moe, 2018). With this data, which includes “personal health information, personal identifiable information, trade secrets or intellectual property, and/or personal financial data” (Sen & Borle, 2015, p. 315), firms can create more targeted campaigns through e.g. personalized advertising and be able to reach more and the right number of customers (Van den Bulck & Moe, 2018). However, this increased use of digital personalized information also brings risks. One of these risks is the fraudulent use of this digital confidential information, known as a data breach (Masuch et al., 2022). These breaches can lead to disappointed customers (Masuch et al., 2021). IBM (2020) shows how important it is that we understand how to respond after this risk, since eighty percent of data breaches affect customers and their personalized information. Currently, 39.4% of the firm costs of a data breach are attributed to lost customers. IBM (2020), Garrison and Ncube (2011) and Makridis and Dean (2018) show that the financial industry suffered from the highest number of individual records breached, therefore highlighting the relevance of reviewing the customer perspective in the financial industry.
This digital misconduct, a data breach, is an online crisis situation for a firm, because data breaches happen unexpectedly and put stakeholders in jeopardy (Coombs, 2007). The main problem after these data breaches is that customers discontinue their relationship with a firm due to dissatisfaction with the service provided after a data breach, and decide not to use the breached firm’s products or services again (Goode et al., 2017; Johnson et al., 2006). The quality of the relationship between the consumer and the firm is thus strongly affected by this misconduct, and as a result the repurchase intention of the customer decreases (Huber et al., 2010). Vice versa, if the customer agrees with the type of service recovery, customer satisfaction increases (Andreassen, 2000).
In order to understand how to repair the damaged stakeholder relationships and tackle the crisis situation with the right response, Situational Crisis Communication Theory (SCCT) provides a strong framework. This theory proposes that the crisis situation should play a large role in the strategy selection (Coombs, 1995, 2006). If the firm properly understands how to respond after the data breach, it can make an effective repair response strategy choice, which will maximize the positive behavioural judgement of the stakeholder(s) involved, in this case customers.
There is a gap in the literature on the unique context of data breach response strategies.
A data breach is a unique type of crisis situation, as it is often ambiguous who the attacker really is (Makridis & Dean, 2018). These breaches threaten customer information security, however for firms it is difficult to understand where the leak in their system is. As a consequence, the firm suffers and for customers it is unclear who carries the responsibility for the crisis.
Therefore, a firm should understand how to respond to their customers in this specific crisis and keep their customers satisfied (Andreassen, 2000; Choi et al., 2016; Oliver & Swan, 1989).
Previous studies have not addressed the topic of response strategies in the context of data breaches, while in reality the chance that a firm has to deal with a data breach has increased severely over the past decade (Lending et al., 2018). In addition, there is inadequate understanding of the effectiveness of different response strategies a firm can use and how that affects customer satisfaction after a data breach (Bansal & Zahedi, 2015; Gwebu et al., 2018). Therefore, there is a need to investigate this.
Furthermore, the severity of the data breach can alter the customer’s expectation of the given compensation, and thus influences the customer’s satisfaction with the given response (Goode et al., 2017). SCCT suggests that a firm’s response strategy should reflect its level of responsibility for the crisis and address the customer’s concern. According to previous literature, more severe breaches are associated with a higher perceived threat by the consumer, and therefore severity of the breach is expected to influence the response a firm gives (Chen & Jai, 2021a;
Additionally, it is interesting to see whether the size of the firm may influence whether the customer is satisfied with the given response, because the size of the firm changes the customer’s expectation of the response. Larger firms suffer from more breaches and have more financial resources to cope with the breach than small firms (Makridis & Dean, 2018).
Accordingly, it needs to be investigated if large firms offer customers different responses after a data breach than small firms and if customers are more satisfied with a different response in a firm of a different size.
The purpose of this research is to advance crisis management literature by testing the effect of different response strategy options after a data breach on customer satisfaction, measured as disconfirmation. Information systems literature is used for deeper knowledge on data breaches and some service failure literature is addressed to find a deeper understanding of what response options customers prefer. This study focuses on the financial industry, as the industry suffers most breaches (Makridis & Dean, 2018). The response options; information only, non-financial compensation, or financial compensation, are derived from crisis management literature and address two of the categories of the SCCT model (Coombs & Holladay, 2008). Customer (dis)satisfaction is measured as (dis)confirmation with the given response, and this definition has also been used by other marketing scholars (Andreassen, 2000; Oliver & Swan, 1989). The effect of whether a firm should alter its response based on the severity of the breach and on the size of the firm is also measured.
To test this theory, this study uses data from the Consumer Financial Protection Bureau, which contains data on customer complaints after a data breach. All firms in the set are US banks. With the gathered data, the effect of financial and non-financial compensation in comparison to only an explanation on customer satisfaction was measured. The final sample includes 111134 cases of data breach complaints, collected over six years from 2012 until 2017.
The hypotheses were tested using a binary logistic regression and for the significant moderator a sub-group analysis was performed in order to better understand the moderating effect.
This study found that in US banks, after a data breach, firm response strategy has a significant effect on customer satisfaction and that both financial and non-financial compensation (in comparison to only an explanation) lead to higher customer satisfaction. In addition, this research found that severity of the breach does not influence the relationship between firm response strategy and customer satisfaction. It was found that firm size moderates the relationship between firm response strategy and customer satisfaction, and the sub-group analysis showed that for small, medium-sized and large firms customers are more satisfied with financial compensation than with only an explanation. However, in small and medium-sized firms, customers did not prefer non-financial compensation over only an explanation. In large firms, customers did prefer non-financial compensation over only an explanation. It is an interesting finding that customers clearly prefer compensation over an explanation response, as literature has illustrated that in online situations customers prefer lower levels of compensation (Coombs & Holladay, 2008; Harris et al., 2006).
Hence, this study will contribute to current literature in three ways. First, this study extends situational crisis response theory as it focuses on customer satisfaction in the specific context of data breaches. Even though a data breach is of an ambiguous nature, the customer wants the firm to take responsibility for the breach, which will lead to higher customer satisfaction. Also, as severity does not moderate this relationship, accountability perceptions may not weigh as heavily as other researchers have implied earlier (Coombs, 2006). Instead, understanding customer expectations could result in higher customer satisfaction for firms.
Second, this study adds to stakeholder theory as this study offered insights on a relational mechanism between customers and the firm. In order to keep customers engaged, firms need to understand their customers and treat them accordingly. For managerial practice this study recommends managers to work on improving their data management efforts, in order to minimize breaches and to create simple and understandable misconduct response strategies and policies for all employees and customers dealing with the data breach to understand.
2. Literature review
2.1 Misconduct
Misconduct is described as actors taking actions that are either harmful or morally questionable (Greve et al., 2010). This can be regarded as an infringement of the norms of society (Coombs, 2006). Hersel et al. (2019) identified four main types of misconduct, namely fraud, issues with product safety, employee mistreatment, and environmental violations. Within fraud they include financial fraud, consumer fraud and contract violations. Fraudulent actions represent a serious form of wrongdoing of a stakeholder (Martin et al., 2017), and include activities or crimes that can do harm to other stakeholders and are punishable by law (Hersel et al., 2019).
These violations can hurt strategic partnerships and damage a firm’s network of relationships with different stakeholders, such as suppliers and customers (Harmon et al., 2015).
2.2 Online misconduct
2.2.1 Advantages of data
The digital universe has caused humans to constantly be ‘on’. This sometimes translates into addiction to online lives, and the digital technologies have become central in human life (Flyverbom et al., 2019). Communication with customers is not one-way ‘sending information’ anymore. Instead, it has become an interactive two-way process in which the customer can react and respond, making customers a key stakeholder group for firms (Hollebeek & Brodie, 2016).
This interdependence of the customer and the firm in decision-making ultimately leads to firm success (Tombs & Smith, 1995). Online this means that it is possible to constantly interact with each other. Everyone leaves digital footprints and that gives firms a lot of data, which they can use to understand people’s hobbies, interests, and activities (Flyverbom et al., 2019). This digital personalized data includes “personal health information, personal identifiable information, trade secrets or intellectual property, and/or personal financial data” (Sen & Borle, 2015, p. 315), that firms can then use to create targeted campaigns to reach the customer.
Customers often share their data for free in exchange for other services. This unlimited sharing of data has led to the emergence of a new type of customer; the non-paying customer.
This customer is “a user of specific product(s) or service(s), which are offered for free, such that a mandate for the user’s financial payment to the firm does not exist, as it would in more traditional (i.e. paying customer) contexts” (Hollebeek & Brodie, 2016, p.169). Non-paying customers often unknowingly exchange their data for access to a website or discount code, by e.g. accepting cookies/consent. As such, firms can easily gather even more information on their customers and improve their services (Flyverbom et al., 2019). As a consequence, more customer data is available than ever before.
2.2.2 Disadvantages of data
Nevertheless, big data also bring difficulties with it. Firms struggle to extract the right data, and to understand the complexity and magnitude of the data and that could lead to the data being attacked. Abraham et al. (2019) identified four issues that have arisen in the world of data that need to be addressed by the literature. First, firms need to be aware of the quality of the data, as the source of the data is often untraceable. Second, privacy of the data represents a big issue, that is still to be unravelled. This brings ethical issues with it, as customers are often unaware of their data being sold and used (Barnett, 2014). Third, all data has different degrees of value and organizations struggle with finding which data is more valuable than other data.
Last, the integration of the online and offline world brings struggles with it, as combining these two sources of data remains a confusing process for many firms (Abraham et al., 2019). As there is still a lot of inaccuracy in how to use data and data management systems, this opens doors for violations. As a result, misconduct has moved online as well in the form of data breaches.
2.3 Data Breaches
Data breaches emerged quickly and are a new digital form of misconduct (IBM, 2020).
When consumers are targeted, it can also be viewed as consumer fraud (Hersel et al., 2019).
Since there is a risk of financial or reputational loss for a breached firm, a data breach is the cause of a crisis situation for a firm (Coombs, 2007; Shankar & Mohammed, 2020). Data breaches largely include “An organization’s unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information, which can include personally identifiable information” (Peretti, 2008, p.377). Goode et al. (2017) explain that a data breach could actually be considered an electronic version of a service failure. They identify a service failure as “negative experiences for affected customers and may include various events in different contexts, such as overly long wait times in restaurants, point-of-sale terminal downtime in retail environments, temporary network outages that could be triggered by data breaches (e.g., Sony’s data breach), or an unclean hotel room” (p. 706). Data breach tracking has become a common method to educate people about data vulnerability (Garrison & Ncube, 2011).
Firms in the financial industry suffer most data breaches (Garrison & Ncube, 2011; IBM, 2020; Makridis & Dean, 2018). Data breaches often happen unexpectedly and therefore put stakeholders in danger (Coombs, 2007). The harm done to the consumer is most often in the form of unauthorized use of an existing account of the consumer (Peretti, 2008). Examples thereof include identity theft, credit and debit card fraud or embezzlement (Choi et al., 2016; Culnan et al., 2009; Peretti, 2008; Sen & Borle, 2015). These data breaches can take multiple forms, such as hacks from outside a company, or breaches from within an organization (Bansal & Zahedi, 2015; Confente et al., 2019; Grazioli & Jarvenpaa, 2000). The difficulty with data breaches is that firms are not aware where the system issues lie in their firms, so they do not know where in their system they could be attacked (Makridis & Dean, 2018). However, these attacks affect the confidentiality of their customers’ data, as the goal of the attack tends to be to use the data in fraudulent ways. As a result, customers are disappointed as their personal identifiable data is now publicly available (Masuch et al., 2022). For the firm this leads to negative firm performance and that has a rather negative effect on firms in the long- and short-run (Hsieh et al., 2015; Malhotra & Malhotra, 2011; Schatz & Bashroush, 2016; Sen & Borle, 2015). Hsieh et al. (2015) conclude that firms should invest more in their data security efforts.
However, the ambiguity of the data breach attack makes it difficult for firms to understand where to invest. Therefore, it is of essence that firms understand how to cope with the consequences of a data breach.
2.3.1 Severity of the data breach
There are different levels of severity of data breaches. Data breach severity is described as ‘the scope, reach and impact of a firm’s security data breach’ (Martin et al., 2017, p.42). The customer’s perception of severity of the breach can cause behavioral changes in the consumer, as the severity of the threat can alter the consequences of the threat (Chen & Jai, 2021). Martin et al. (2017) show that if the breach is more severe, it will enhance a negative spillover effect, meaning that the customer will switch firms as a consequence of the severity of the data breach.
In addition, if the breached firm could have prevented the breach from happening, then the firm will be punished more heavily by its stakeholders (Morse et al., 2011). Data breaches often take place in the form of identity theft, and identity theft has the heaviest effect on individual people and thus on single customers (Sen & Borle, 2015). Therefore, severity of the breach could influence customer behaviour after a data breach.
2.4 Customer satisfaction
This digital misconduct strongly affects the relationship between the customer and the firm. When the quality of this relationship is affected, customer satisfaction, and consequently the repurchase intention of the customer, decreases (Huber et al., 2010; Liao et al., 2011).
According to the literature, in order to retain customers, and keep repurchase intention high, firms have to focus on three aspects of their customer relationships; customer trust, reputation and satisfaction (Bowen & Chen, 2001; García-Rodríguez & Gutiérrez-Taño, 2021; Islam et al., 2021; Martínez García de Leaniz & Rodríguez del Bosque Rodríguez, 2016).
Customer satisfaction is an intangible asset that ensures profitability and long-term customer engagement with the firm (Hauser et al., 1994; Shankar & Mohammed, 2020). And as a satisfied customer will more easily repurchase a product, there is a causal relationship between satisfaction and loyalty (Yeung & Ennew, 2000). Bowen and Chen (2001) also show that there is a powerful relationship between customer satisfaction and loyalty as their results indicate a one-unit increase in satisfaction leads to a 100% increase in customer loyalty. Next to satisfaction’s effect on loyalty, research indicates that satisfaction can reduce the costs of a firm, and thus increase firm performance.
Several mechanisms are used in predicting customer satisfaction and ‘disconfirmation’ of the expectation presents to be the leading paradigm to measure customer satisfaction (Andreassen, 2000; Oliver & Swan, 1989). More recently, Choi et al. (2019) show that accurate identification of the customer expectation leads to customer satisfaction. As satisfaction results from the purchaser’s response to the expected outcome, it is a post-judgement construct (Churchill & Surprenant, 1982; Klein et al., 2004). Thus, if there is no congruence between the customer’s personal (expected) and the organizational (actual) behavior, the customer may disconfirm the actions of the firm, which will result in dissatisfaction (Liao et al., 2011). Kim et al. (2009) showed that in digital situations customer confirmation remains to have a positive impact on satisfaction, and thus when a consumer disputes a response this has a negative effect on satisfaction (Kim et al., 2009). Hence, firms need to understand what response communication strategy customers prefer in order to keep their customers satisfied.
2.5 Current knowledge on response strategies
2.5.1 Stakeholder theory
In every stakeholder relationship two parties enter into some sort of contract, and according to stakeholder theory both parties have some degree of liberty and some degree of interest (Friedman & Miles, 2002; Phillips et al., 2003; Reynolds et al., 2006). If that contract is violated it can have damaging effects on current and future partnerships and this can result in costly processes to heal (Hersel et al., 2019), and therefore the impact of these violations on the relationship needs to be considered and repaired. The firm should consider the impact of actions and decision-making on its various stakeholders (Fassin, 2012). In case of a breach of contract, the stakeholder group of customers could, from a normative perspective, develop an image of the firm being an untrustworthy partner, which could have severe effects for the relationship and customer satisfaction (Phillips et al., 2003; Sullivan et al., 2007). Within stakeholder literature the crisis communication theory concentrates attention on taking action after crisis situations (Painter & Martins, 2017).
2.5.2 Crisis Communication theories
In the situation of a data breach it can be difficult for a firm to decide how to respond to its customers, due to the vague nature of the data breach and respectively the uncertain level of responsibility for the data breach. How a company responds to a data breach influences how strongly it survives, and this influences customer satisfaction after the data breach (Janakiraman et al., 2018). The data breach is the misconduct that creates the crisis situation for the firm. Therefore communication is used to manage strategic relationships and the main goal of the repair strategy is to reduce the negative effects of the crisis and generate positive responses (Hersel et al., 2019). Responding to the customer encourages relational benefits and enhances the relationship between the customer and the firm (Johnson et al., 2006). However, it is important to realize that in the case of a data breach it is often ambiguous who is responsible for the crisis, making this a unique crisis situation in comparison to earlier studies on crisis management (Masuch et al., 2022). Within crisis communication literature most studies recommend that the firm offers a proactive response to customers after a crisis situation, especially when the firm is not responsible for the harm done (Bansal & Zahedi, 2015; Coombs, 2007; Gomulya et al., 2017). Still, even in ambiguous situations the firm should be inclined to take some responsibility for the harm done to their customers as the nourishment of this relationship directly has an effect on the customer’s intention to repurchase (Huber et al., 2010).
Thus, the choice in response a firm makes, transmits a message to its stakeholders, and that affects the firm as stakeholders form a judgement around the company (Lyon & Cameron, 2004). Hersel et al. (2019) discuss three strong frameworks that are used for stakeholder communication in order to properly manage relationships in times of crises. Those are image restoration theory, attribution theory and situational crisis communication theory (SCCT). All three will be discussed below.
2.5.3 Image Restoration Theory
Image restoration theory focuses on recovering confidence in corporate appearance. The theory assumes that the actor is responsible for the harm and that the harm is offensive and thus puts the firm’s image at risk (Painter & Martins, 2017). Firms that make use of this theory usually adopt crisis communication along the continuum of accommodative-defensive (Gwebu et al., 2018). An accommodative response entails proactivity and positivity towards the stakeholder, which means communication of trust towards the stakeholders (Gomulya & Mishina, 2017). This can have a positive effect on the customer’s satisfaction towards the firm.
This entails that the firm acknowledges the customer’s claim. A defensive response means that the firm denies the customer’s claim of (in this case) misconduct (Gwebu et al., 2018; Hersel et al., 2019). This means that firms decide to ignore and act as if they are not responsible for the misconduct. This response is riskier than the accommodative response. Many authors recommend an accommodative approach (Coombs, 2007; Edinger-Schons et al., 2020; Greve et al., 2010; Hersel et al., 2019). Claeys et al. (2016) show that stakeholders (including customers) prefer accommodative responses over defensive response strategies as firms seem to be aware of their responsibilities to the stakeholders.
2.5.4 Attribution Theory
Attribution theory focuses on the potential causes that can be attributed to the performance outcome of a crisis situation (Bansal & Zahedi, 2015). This is a theory based on the subjectivity of a person; human interpretation (Weiner, 2010). This subjectivity is built on a continuum of three dimensions; internal locus, stability and controllability to determine whether the firm is responsible for the crisis situation (Coombs, 1995). Responsibilities and emotions are assigned to certain behaviours. As a consequence, a person or firm can be attributed responsible and induce anger, or not be attributed responsible and thus induce compassion (Coombs, 2007). In the end, the stronger the feelings of organizational responsibility for the crisis, the more the crisis will damage the organization (Coombs, 1995).
2.5.5 Situational Crisis Communication Theory
SCCT finds its roots in attribution theory as crisis attributions form people’s feelings and behaviours (Coombs, 2004). SCCT moves away from the subjective nature and bases its framework on specific actions and responsibilities for situations, instead of causes (Weiner, 2010). Several studies have empirically revised situational crisis communication theory, showing its strong foundation (Grappi & Romani, 2015; Kriyantono, 2012; Raithel & Hock, 2021). Ma and Zhan (2016) show in their meta-analysis of 24 studies between 1990 and 2015 that SCCT is the main framework used in crisis literature.
This theory’s fundamental centre of attention is how to manage the firm’s response (Coombs & Holladay, 2002). The actions taken by the firm affect how people feel about the organization after the crisis (Coombs, 2006). SCCT is built on three factors; the situation, the response strategies and a mechanism for matching the situation and the response strategy (Coombs, 2006). The theory matches the repair response a firm offers after a crisis situation to the firm’s degree of responsibility to decide what kind of crisis the firm deals with. There are different types of threats that require different types of responses by the organization, however consistency in the crisis response type is necessary for the effectiveness of the response strategy (Coombs, 2007). In the case of data breaches there is a unique situation context, in which it is currently unclear how much responsibility the firm should take for the crisis situation and how this affects the customer’s perception of the firm and the crisis.
2.6 The different response strategy options
According to the SCCT framework there are three types of responses that a firm can give in case of a crisis. These can be to (1) deny, (2) diminish, or (3) deal with the consequences of the crisis. A crisis type that would need denial is ‘fighting rumours’ about the organization.
Then in order to lessen impairment to the organization a diminish response would work best.
And in case of a preventable crisis, a deal response is necessary. The deal response directly addresses stakeholders and is accommodative in nature. As a consequence, a firm can restore its legitimacy and relationship with its customers (Coombs, 2006).
There is a need to understand the consequence (or impact) of different deal response strategies in the same crisis. Little research has empirically revised what a firm needs to do to recover after they have suffered a data breach (Gwebu et al., 2018). SCCT offers five different ‘deal’ responses a firm can give after a crisis situation (see table 1, Coombs, 2006). An apology is defined as accepting full responsibility for the crisis (Fuchs-Burnett, 2002). According to Coombs’ framework, an apology means taking full responsibility, and also asking for forgiveness (Coombs, 2006). Earlier literature reviewed the ‘apology’ response as the best response after a crisis. However, recently it has been concluded that this finding is rather redundant as the firm should always apologize, next to taking reparative actions (Gwebu et al., 2018). In addition, an apology is a very common first response (Goode et al., 2017). When it is ambiguous who is responsible for the crisis situation, Coombs and Holladay (2008) recommend the firm not to take responsibility and subsequently apologize, but to choose for a different response option in order to prevent reputational damage. There is little theoretical knowledge on a comparison between different accommodative response options, without the ‘apology’ option (Coombs & Holladay, 2008). For that reason, this needs to be investigated.
SCCT Deal response options
| Response option | Definition |
| --- | --- |
| Ingratiation | The organization thanks stakeholders for their help and reminds stakeholders of the organization's past effort to help the community and to improve the environment. |
| Concern | The organization expressed concern for the victims |
| Compassion | The Organization offers money or other gifts to the |
| Regret | The organization feels bad about the crisis |
| Apology | The organization accepts full responsibility for the crisis and asks stakeholders for forgiveness. |

Notes: Table cited from Coombs (2006, p.248)
Literature shows the apology, sympathy, compassion and informative responses are of most value to customers in online environments (Coombs & Holladay, 2008). To provide information is seen as a crucial action in a crisis situation, but this does not specifically abandon negative effects of the crisis (Coombs & Holladay, 2008). Harris et al. (2006) show that online customers are more permissive in accepting lower levels of compensation and are still more satisfied than offline customers. This can explain the results by Coombs and Holladay (2008) and Schultz et al. (2011) that show that in social media situations only information was also a successful response strategy, next to an apology, sympathy or compassion response. However, in these cases the social media channel mediated the relationship.
In the case of a compassion response a firm can provide money or gifts (Coombs, 2006). Jin et al. (2019) show that monetary compensation in combination with explanation actually leads to the highest customer satisfaction during hotel service failure. Chuang et al. (2012) found that customers prefer monetary compensation in case of an outcome-related failure over social compensation, but that they prefer social compensation in a process-outcome. A data breach could be both these situations, as the breach can happen during or after the customer has purchased something. Therefore, it needs to be investigated if monetary compensation would also be the preferred response after a data breach. Goode et al. (2017) even go a step further and recommend firms to personalize compensation strategies, and their main point is that the customer’s expectation should match the level of compensation.
2.6.3 Firm size and its potential resources to cope with data breaches
Bigger firms, in specific publicly traded firms, are more likely to be the target of a data breach, as there is more to steal for the attackers (Makridis & Dean, 2018). Following Lending et al. (2018) and Hsieh et al. (2015) firm size may affect the resources that a firm has to battle data breaches. Lending et al. (2018) explain that larger firms may have more resources to compensate customers with. In addition, larger firms tend to have a stronger customer focus than middle-sized or small firms (Park et al., 2018). Therefore, large firms may offer more compensation to their customers, but also experience more complaints about data breaches. Small banks most likely have a stronger community focus and therefore there may be fewer complaints, because customers may feel it does not make a difference to complain. Therefore, customers of larger firms could be expected to want more compensation than customers of smaller firms.
3. Hypothesis development
The previous section discussed the existing literature concerning the relationship between the different response strategies and customer satisfaction, the context of data breaches and the influence of severity of data breaches and firm size. In this section the proposed hypotheses will be elaborated on.
Previous research profoundly pursued an organization-centered perspective, thereby focusing on organizational reputation as the key determinant of the right response strategy (Coombs, 2007; Coombs & Holladay, 2008; Gwebu et al., 2018; Schultz et al., 2011). By centralizing customer satisfaction and the data breach this study may offer different results.
3.1 A comparison of SCCT response options
In crisis management literature specific crisis situations are still understudied (Coombs & Holladay, 2008). Bansal and Zahedi (2015) identified there is inadequate research on trust repair, especially after a breach of customer’s privacy. Therefore, how to repair customer relationships after a data breach is of added value specifically. In addition, data breaches affect the customer’s personalized information and thus can damage the customer’s satisfaction with the firm (Andreassen, 2000; Peretti, 2008). As a result, data breaches can affect the long-term engagement of customers with the firm (Shankar & Mohammed, 2020). Therefore, it is important that firms understand how to deal with this specific situation of data breaches. To our knowledge this is the first study that proposes a relationship between response strategies and customer satisfaction in the context of data breaches. The outcomes will help firms understand how to deal with this specific situation.
This study follows the crisis response framework used in Coombs and Holladay (2008) by comparing three different accommodative responses to each other after a data breach. Recent literature indicated that the apology option should not be regarded as a substitute for compensation, but as a complement (Gwebu et al., 2018). Earlier literature also indicated that the apology always tends to be the easy option for firms, so the apology option is intentionally left out in this study (Goode et al., 2017). In addition, the cause of a data breach is often ambiguous and therefore management is not entirely at fault for the breach, so an apology response is not recommended, as the firm should not take complete responsibility for the violation. Instead existing literature recommends offering customers compassion (Coombs & Holladay, 2008). Therefore, it should be made clear whether and what kind of compassion customers prefer. As a result, this study brings novel insights as it compares the explanative response to two compassion response options: financial and non-financial compensation, in the specific context of data breaches.
A firm response enhances the relationship between the customer and the firm (Johnson et al., 2006). Therefore, it is crucial the firm always responds in an accommodative manner. If the customer agrees with the type of service recovery, customer satisfaction increases (Andreassen, 2000). Literature explains that customers are willing to accept lower levels of compensation in online situations (Coombs & Holladay, 2008; Harris et al., 2006; Schultz et al., 2011), however these conclusions are not based on online misconduct. Therefore, it seems to be more likely that a data breach will result in the same response preference as a service failure. The service failure customers prefer monetary compensation over non-monetary or explanative responses. As a data breach can be regarded as the electronic version of service failure, it is expected that customers will prefer compensation over an explanative response (Goode et al., 2017), and that they thus will not be willing to accept lower levels of compensation due to the online context. This leads to the following hypothesis.
H1: Financial and non-financial compensation will lead to higher customer satisfaction than only an explanation.
3.2 The impact of severity of the data breach
Chen and Jai (2021) illustrated that severity of the data breach can cause behavioural changes in the customer, as the severity of the threat can alter the consequences of the threat. This means that the more severe the customer experiences the breach to be, the more compensation the customer would need. This fits the results that in breaches on social media accounts the customer would be okay with an online information response, as the personal damage is not heavy. However, when more important personally identifiable data is stolen, such as the customer’s financial information, it is expected that the customer will expect more than only information from the firm (Sen & Borle, 2015). Therefore, it can be expected that severity of the data breach moderates the relationship between accommodative response strategies and customer satisfaction. This leads to the following hypothesis:
H2: The severity of the data breach moderates the relationship between the accommodative response strategies and customer satisfaction, meaning that severity of the breach influences what compensation the customer wants in order to be satisfied.
3.3 The impact of firm size
Makridis and Dean (2018) show that larger firms tend to suffer more from data breaches. Also, as small firms seem to have less resources to battle data breaches, it is expected that they offer less compensation responses than large firms (Hsieh et al., 2015; Lending et al., 2018). In addition, as small businesses may have less financial resources, it could be expected that customers of smaller firms would be satisfied with less compensation than customers of large firms (Pelham & Wilson, 1996). Sedunov (2020) also explains that small banks have a stronger community focus and therefore there are less complaints, because customers may feel it does not make a difference to complain. From the SCCT angle, it is interesting to see if small and large firms offer the same deal response and if customers are satisfied with less compensation than the customers of large firms. That leads to the following hypothesis:
H3: Firm size moderates the relationship between the accommodative response strategies and customer satisfaction, meaning that the firm size influences what compensation the customer wants in order to be satisfied.
3.4 Conceptual model
In figure 1 the hypotheses are explained in the conceptual model.
4. Methods
This chapter will address the chosen research design, sample and the constructs of response strategies, customer satisfaction, severity of data breaches, firm size and the control variables.
4.1 Research design
Several studies have compared data breaches across different industries and across all studies it was concluded that the financial sector suffers most data breaches (Garrison & Ncube, 2011; IBM, 2020; Makridis & Dean, 2018). Also, this industry experiences the highest number of individual breaches, and the highest number of breaches in which information is stolen (Garrison & Ncube, 2011). Therefore, as this means that many customers experience breaches and their information is stolen often, it is of essence for this industry to understand how to respond after a data breach and how to ensure customer satisfaction. Therefore, this study decided to focus on the financial sector specifically.
To answer the research question and test the hypotheses the research employs a secondary database analysis. Data has been gathered from publicly available secondary data sources on the internet and from government agencies. Furthermore, this is a cross-sectional study. Previous studies have analyzed data breaches in different forms, such as using a scenario-based experiment (Choi et al., 2016), illustrative cases (Mohammed, 2021), or performing a field study (Goode et al., 2017). These studies mainly analyzed big cases of data breaches. This illustrates the relevance of this study’s research design, as with the secondary database analysis a large number of individual cases can be analyzed.
For the analytical method it has been decided to do a binary logistic regression and perform a sub-group analysis afterwards for the significant moderator. As the dependent variable ‘customer satisfaction’ in the equation consists of only two categories, that give a ‘yes’ or ‘no’ answer, this is the best fitting model to understand the relationship between the independent and dependent variables (Fritz & Berger, 2015).
4.2 Sample
The Consumer Financial Protection Bureau tries to ensure the consumer’s protection against malpractice by banks and other financial institutions (CFPB, n.d.). This government agency collects information on actions of and malpractice by banks and the firms’ responses to their customers. The purpose of this US governmental institution, under the Consumer Protection Act, is to ensure the fair treatment of customers by financial institutions (Ayres et al., 2013; CFPB, n.d.). The CFPB analyses the data internally for its reported insights to congress (Ayres et al., 2013). Also, the CFPB informs customers to make better financial choices. A line of research (in highly rated journals) also analysed the CFPB data (Ayres et al., 2013; Hayes et al., 2021; Roderick, 2014; Sedunov, 2020). The database only encompasses complaints that are issued after the company responds to the customer. This validates the commercial relationship between the firm and the customer (CFPB, n.d.).
The data on firm responses to consumers by the American Financial Protection Bureau (2022) will be used to represent several variables in this study. The independent construct of the accommodative response strategies is split in three categories. The dependent two-category variable ‘customer satisfaction’ comes from the same dataset. All firms within the CFPB dataset are small, medium and large banks located in the United States. Therefore, the three forms of misconduct were selected from a list of issues in the database, as these issues represent data breaches. These include ‘fraud or scam’, ‘identity theft / fraud / embezzlement’ and ‘unauthorized transactions / trans. issues’. The dataset from the CFPB provides data for a 6-year period between 01-01-2012 and 31-12-2017. This timeframe has been chosen, as literature shows that the financial industry is the highest breached industry in this timeframe (Makridis & Dean, 2018). The data is ordered on data breach level and the sample includes 11134 cases of data breaches.
4.3 Measures
4.3.1 Dependent variable
The dependent variable ‘customer satisfaction’ is measured with the binary operationalization ‘disputed response’ in the CFPB dataset, that shows whether the customer disputed the firm response or not. This disputation (DV) of the response (IV) to the complaint reflects the customer’s dissatisfaction with the firm and no disputation reflects the customer is satisfied. Andreassen (2000) has also used ‘disconfirmation with a service recovery’ to represent the construct ‘customer satisfaction’. As the consumer disputes or does not dispute the response in the CFPB dataset, this represents a valid operationalization of ‘customer satisfaction’. Other datasets that lie very close to the operationalization of this construct have been consulted as well, including the American Customer Satisfaction Index and the Fortune500 Most Admirable Companies list (Luo & Homburg, 2007). However, these datasets only provide data on publicly listed firms and therefore there is not enough overlap with the data from the Consumer Financial Protection Bureau, which provides data on American banks of all sizes. As such, it was decided to use the customer satisfaction variable from within the CFPB dataset.
4.3.2 Independent variables
The independent variables represent different response strategies a firm can employ after a crisis situation, which includes organizational misconduct such as data breaches (Hersel et al., 2019).
The variable ‘Accommodative Response strategies’ is categorized in three types of responses in the dataset of the CFPB within the construct ‘Company response to consumer’. This categorical variable consists of three categories. All responses in this dataset represent accommodative responses, as the company decided to respond (Edinger-Schons et al., 2020). These responses represent two compassion responses, and an informative response (Coombs &
In all cases the company responded timely to the consumer, meaning within 14 days after the data breach had happened (CFPB, n.d.). The three accommodative response strategies are operationalized as follows:
Category 1: Response strategy 1: ‘Financial compensation’ – The variable is represented by the construct ‘closed with monetary relief’ in the dataset by the CFPB. Financial compensation is one of the possible responses a firm can give. Coombs (2006) shows that when the firm offers money in order to compensate for the crisis, the firm offers compensation and shows compassion.
Category 2: Response strategy 2: ‘Non-financial compensation’ – This variable is represented by the construct of ‘closed with non-monetary relief’ in the dataset by the CFPB. This means that the firm offered compensation, however this compensation was non-monetary. This is the second compassion response, as the firm offers gifts or other non-financial remuneration. In this manner the firm offers compensation, and also shows compassion (Coombs, 2006). Therefore, this construct is a valid representation of the compensation response.
Category 3: Response strategy 3: ‘Only explanation’ – This variable is represented by the construct of ‘closed with explanation’ in the dataset by the CFPB, meaning the company responded to the consumer, however did not offer any form of compensation. This category follows Coombs and Holladay (2008) and shows that this condition ensures differences between the different response strategy options, therefore adding to the reliability of the study. In addition, Schultz et al., (2011) also used this category as an accommodative response strategy.
4.3.3 Moderating variables
The conceptual model proposes the moderating effects of ‘severity of the data breach’ and ‘firm size’. In the following paragraphs the operationalization of these constructs will be discussed.
The dataset of the CFPB distinguishes between different forms of hacks. Previous studies have highlighted the importance of the type of hack (McDonald et al., 2010). Severity of the type of data breach may moderate the relationship between response strategy and customer satisfaction. This variable is gathered from the CFPB database. In the CFPB dataset three categories of breaches were identified; ‘Identity theft / Fraud / Embezzlement’, ‘Fraud or scam’ and ‘Unauthorized transactions/trans. Issues’. These forms of data breaches are operationalized on a three-point scale, with ‘identity theft’ as the heaviest form of data breach and ‘unauthorized transactions/trans. issues’ as the lightest form of data breach for the customer (IBM, 2020).
Firm size may moderate the type of response strategy and the effect on customer satisfaction. This data is gathered from another secondary source; Glassdoor.com, and the variable is categorized based on the log of number of employees, as Luo and Homburg (2007) also measured firm size. The three categories consist of small firms: 01-5000 employees, middle-sized firms: 5000-10000 employees and large firms: 10000+ employees. According to Filbeck and Zhao (2022) Glassdoor’s algorithm looks at consistency. Even though this raises questions about the reliability, it has been decided to use this database. The reason thereof is that other databases, such as Compustat Bank Fundamentals Annual have also been consulted with measures as total assets, net income and number of employees. However, due to the limited number of overlapping cases, it has been decided not to use this database.
4.3.4 Control variables
Three effects are controlled for in this study. The first effect that will be controlled for is the ‘product’ that the data breach happened to. This variable is divided into five categories. These include (1) credit card, (2) prepaid card, (3) Money transfers, (4) Virtual currency and (5) other financial services. These represent products that data loss incidents happened to (Hsieh et al., 2015). This control variable comes from the dataset provided by the CFPB.
The second effect that will be controlled for is the ‘year of the breach’. This study follows Hsieh et al. (2015) in that the year of the breach(es) may affect the results. This control variable is gathered from the dataset provided by the CFPB and is divided into six categories: (1) 2012, (2) 2013, (3) 2014, (4) 2015, (5) 2016 and (6) 2017.
The third effect that will be controlled for is ‘employee satisfaction’. This variable is measured based on a five-point scale as taken from Glassdoor.com. Previous articles have used this method to measure employee satisfaction (Filbeck & Zhao, 2022; Luo & Homburg, 2007).
To clarify further, employee satisfaction influences customer satisfaction, especially within companies that have strong employee-customer interplay (Wolter et al., 2019), which is the case in the banking industry.
5. Results
5.1 Data preparation
Before starting the analysis, data matching and several conversions in the variables were performed. The data from glassdoor.com and the CFPB dataset were matched using SPSS Statistics 27 and as a result 656 incomplete cases were removed from the dataset. As a result, the final sample consists of 11134 cases (N=11134).
5.1.1 Normality check
The dependent variable ‘customer satisfaction’ is a binary categorical variable. The independent variables, the moderators and control variables are also all categorical, with three to six categories. Accordingly, normality could not be tested for as these variables cannot be normally distributed. However, since there are more than 50 cases of breaches per cell normality can be assumed.
5.2 Descriptive statistics and correlation analysis
The means and standard deviations of all variables are reported in table 2. All the cross-tabulations of customer satisfaction and the other variables can be found under tables 4-8 in appendix A. Since all variables are categorical, the Pearson chi-square test is performed to check whether the variables are correlated. This is also reported in table 2. All relationships appear to be significant, except for the relationship between customer satisfaction and employee satisfaction. Also, no negative correlations were found between any of the variables.
First, the chi-square test shows that the direct relationship between ‘response strategy’ and ‘customer satisfaction’ is statistically significant (χ2=185.479, p<0.01). The cross tabulation already provides some interesting first insights (See table 4, appendix A). The table shows that the satisfaction with the response strategy ‘financial compensation’ is 10.9% higher than the satisfaction with ‘only explanation’. Therefore, preliminary support for H1 has been found.
Second, the chi-square test shows there is a significant relationship between ‘severity of the data breach’ and ‘customer satisfaction’ (χ2=20.406, p<0.01). The correlation table shows that in the case of category 1 ‘identity theft/fraud/embezzlement’ satisfaction is the lowest, in the case of category 2 ‘fraud or scam’ satisfaction is the highest and in the category 3 ‘unauthorized transactions/trans. Issues’ satisfaction is slightly lower than in the case of a fraud or scam, but overall the percentages do not differ much from each other (See table 5, appendix A).
Third, the chi-square shows that the relationship between ‘firm size’ and ‘customer satisfaction’ is significant (χ2=46.843, p<0.01). The cross tabulation illustrates that for big firms, customers are more often unsatisfied than in small firms, as there is a difference of 5.1% between the two. Medium-sized firms are in the middle with a slightly higher satisfaction rate than in big firms, and slightly lower than in small firms (See table 6, appendix A).
Also, for ‘breached product’ and ‘customer satisfaction’ the relationship is significant (χ2=45.619, p<0.05). The correlation table illustrates an interesting observation. There are only five cases of a breach in the case of a virtual currency, however in three of the five cases the customer was unsatisfied. Furthermore, especially in the case of ‘other financial services’ and ‘credit card’ breaches the customer seems to be unsatisfied (See table 7, appendix A).
Then, for ‘Year of breach’ and ‘customer satisfaction’ the relationship is also significant, however slightly less significant than for the other controls (χ2=19.630, p<0.01). The cross tabulation depicts that in 2016 the most breaches took place, however that in 2012 most customers were most dissatisfied (See table 8, appendix A).
Finally, for ‘employee satisfaction’ and ‘customer satisfaction’ the relationship is not significant (χ2=0.544, p=0.909>0.05).
Table 2
Pearson Chi Square Correlation Matrix
| Variable | M | SD | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1. Customer Satisfaction | 0.8240 | 0.38087 | - | | | | | | |
| 2. Response strategy | 1.4820 | 0.78291 | 185.479** | - | | | | | |
| 3. Severity of the breach | 1.3898 | 0.63282 | 20.406** | 538.598** | - | | | | |
| 4. Firm Size | 2.5840 | 0.73967 | 46.843** | 234.823** | 2892.334** | - | | | |
| 5. Year of breach | 2014.99 | 1.322 | 19.630** | 77.873** | 583.508** | 252.553** | - | | |
| 6. Breached product | 1.5328 | 0.90477 | 45.619** | 633.675** | 17000.548** | 2963.892** | 760.104** | - | |
| 7. Employee satisfaction | 3.9879 | 0.12973 | 0.544 | 16.819* | 89.593** | 478.238** | 48.993** | 1175.199** | - |

Notes: * p <0.05. ** p <0.01. N=11134
5.3 Hypothesis testing
H1: Financial and non-financial compensation will lead to higher customer satisfaction than only an explanation.
H2: The severity of the data breach moderates the relationship between the accommodative response strategies and customer satisfaction, meaning that severity of the breach influences what compensation the customer wants in order to be satisfied.
H3: Firm size moderates the relationship between the accommodative response strategies and customer satisfaction, meaning that the firm size influences what compensation the customer wants in order to be satisfied.
It has been chosen to execute a binary logistic regression to test the three hypotheses. Therefore, several assumptions have to be met. Firstly, the binary logistic regression requires that the dependent variable is binary, which is the case in this dataset. The dependent variable ‘customer satisfaction’ thus has two categories (1=satisfied, 0=unsatisfied). Secondly, the data represents independent measurements as each complaint of the breach was recorded individually and checked by the CFPB. In all 11134 cases there is no recurrence, as every case was checked separately by the CFPB and is based on an individual response by the firm. Lastly, a binary logistic regression needs a large sample size. Since there are more than 500 cases, this assumption has been met.
5.3.2 Direct relationship
In table 3 the regression results of the 3 models are presented. In model 1 the logistic regression results for the control variables only can be found. It shows that the breached product is significant, and that year of the breach and employee satisfaction are not significant.
For the direct relationship, the binary logistic regression is performed at a confidence interval of 95% to test whether response strategy, that consists of three categories (1= ‘only explanation’, 2= ‘non-financial compensation’, 3 = ‘financial compensation’), affects customer satisfaction after a data breach. Afterwards the moderators were added to discover whether severity of the data breach or firm size moderate this relationship. Severity of the data breach is represented in three ordinal categories with identity theft being expected as the worst data breach and unauthorized transactions expected as the least (1= ‘identity theft/fraud/embezzlement’, 2= ‘fraud or scam’, 3= ‘unauthorized transactions/trans. Issues’). Firm size is represented in three ordinal categories as well (1= ‘small firms’, 2= ‘medium-sized firms’, 3= ‘large firms’). The following three variables were adopted as control variables, as they show to be significant in the correlation analysis: year of the data breach, product breached, and employee satisfaction. The regression results can be found under model 2 in table 3.
For the direct relationship the binary logistic regression gives two classification tables, that includes the null model and model 1, with explanatory variables (See table 15, appendix A). Model 1 explains whether response strategy affects customer satisfaction. The chance of a customer being satisfied is 82.4%. Therefore, classification from the null model is 82.4% accurate. As such, there is no initial support for hypothesis 1. The Hosmer and Lemeshow goodness-of-fit test showed that the model is not significant (p=0.553>0.05), therefore the model is not a good fit (See table 17, appendix A). The binary logistic regression gives the two values for the pseudo R2, as it does not calculate R2. The Cox & Snell R2 = 0.026 and the Nagelkerke R2 = 0.043 (See table 13, appendix A). These values represent the goodness of fit from the null model to model 1. This is a low score, as for a good fit the pseudo R2 needs to be at least 0.2, therefore the model is not a good fit (Hemmert et al., 2018). As a consequence, it can be concluded that the control variables do not influence the relationship between response strategy and customer satisfaction (See table 3). Still, the results remain to give an interesting output.
The effects of all three response strategies are significant. So, the odds that a customer is more satisfied with ‘non-financial compensation’ will increase by 2.499:1 (EXP(B)) (p<0.05) in comparison to ‘only explanation’. Also the odds that a customer is more satisfied with ‘financial compensation’ will increase by 2.531:1 (EXP(B)) (p<0.05) in comparison to ‘only explanation’. As a result, it can be concluded that H1 is supported. This means that customers are more satisfied after a data breach when they receive financial compensation or non-financial compensation, instead of only an explanation.
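How the variable coding from section 4.3 feeds the chi-square test and the odds ratios relative to ‘only explanation’, as an added example that is not part of the thesis. The complaint rows and their counts are constructed, and the CSV column names are an assumption about how the CFPB export is laid out.

```python
import csv
import io
import math
from collections import Counter

# CFPB response labels -> the thesis's response-strategy categories (section 4.3.2).
RESPONSE_CODING = {
    "Closed with explanation": "only explanation",
    "Closed with non-monetary relief": "non-financial compensation",
    "Closed with monetary relief": "financial compensation",
}

def _norm(text):
    """Lower-case and drop whitespace so spelling variants of an issue match."""
    return "".join(text.lower().split())

# Issues the thesis treats as data breaches (section 4.2).
BREACH_ISSUES = {_norm(i) for i in (
    "Fraud or scam",
    "Identity theft / Fraud / Embezzlement",
    "Unauthorized transactions/trans. issues",
)}

def build_constructed_csv():
    """Return a constructed complaint export; every count here is invented."""
    counts = [  # (issue, company response, consumer disputed?, rows)
        ("Fraud or scam", "Closed with explanation", "No", 160),
        ("Fraud or scam", "Closed with explanation", "Yes", 40),
        ("Identity theft / Fraud / Embezzlement", "Closed with non-monetary relief", "No", 45),
        ("Identity theft / Fraud / Embezzlement", "Closed with non-monetary relief", "Yes", 5),
        ("Unauthorized transactions/trans. issues", "Closed with monetary relief", "No", 90),
        ("Unauthorized transactions/trans. issues", "Closed with monetary relief", "Yes", 10),
        ("Late fee", "Closed with explanation", "No", 30),  # not a breach issue
        ("Fraud or scam", "In progress", "N/A", 7),         # no final response yet
    ]
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Issue", "Company response to consumer", "Consumer disputed?"])
    for issue, response, disputed, n in counts:
        for _ in range(n):
            writer.writerow([issue, response, disputed])
    return out.getvalue()

def crosstab(csv_text):
    """Recode rows as the thesis does and count (strategy, satisfied) cells."""
    table = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        strategy = RESPONSE_CODING.get(row["Company response to consumer"])
        disputed = row["Consumer disputed?"]
        if strategy is None or _norm(row["Issue"]) not in BREACH_ISSUES:
            continue  # outside the three breach issues or three response types
        if disputed not in ("Yes", "No"):
            continue  # dispute status missing: satisfaction cannot be coded
        table[(strategy, 1 if disputed == "No" else 0)] += 1  # no dispute = satisfied
    return table

def pearson_chi2(table):
    """Pearson chi-square of strategy x satisfaction; returns (chi2, dof, p)."""
    strategies = sorted({s for s, _ in table})
    n = sum(table.values())
    col = {y: sum(table[(s, y)] for s in strategies) for y in (0, 1)}
    chi2 = 0.0
    for s in strategies:
        row_total = table[(s, 0)] + table[(s, 1)]
        for y in (0, 1):
            expected = row_total * col[y] / n
            if expected == 0:
                raise ValueError("empty margin: chi-square is undefined")
            chi2 += (table[(s, y)] - expected) ** 2 / expected
    dof = len(strategies) - 1
    # For 2 degrees of freedom the chi-square survival function is exp(-x/2).
    p = math.exp(-chi2 / 2) if dof == 2 else None
    return chi2, dof, p

def odds_ratios(table, reference="only explanation"):
    """Odds of satisfaction per strategy relative to the reference category.

    With response strategy as the only predictor, dummy-coded against the
    reference, a binary logistic regression's EXP(B) equals these ratios.
    """
    def odds(strategy):
        sat, unsat = table[(strategy, 1)], table[(strategy, 0)]
        if sat == 0 or unsat == 0:
            raise ValueError(f"odds undefined for {strategy!r}: empty cell")
        return sat / unsat
    ref = odds(reference)
    return {s: odds(s) / ref for s in {k[0] for k in table} if s != reference}

if __name__ == "__main__":
    t = crosstab(build_constructed_csv())
    print(pearson_chi2(t), odds_ratios(t))
```

The models in table 3 also include control variables (and, in model 3, the moderators), so their EXP(B) values are adjusted estimates and need not match raw cross-tab ratios.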
Table 3
Results of Binary Logistic Regression analysis
| Model | 1 | 2 | 3 |
| --- | --- | --- | --- |
| Breached product | | | |
| Credit card | 1 | 1 | 1 |
| Prepaid card | 1.174* | 1.174 | 1.367 |
| Money transfers | 1.465** | 1.742** | 1.980** |
| Virtual currency | 0.156* | 0.200 | 0.201 |
| Other financial services | 0.659* | 0.112 | 0.112 |
| Year of the Breach | | | |
| 2012 | 1 | 1 | 1 |
| 2013 | 1.184 | 1.269 | 1.255 |
| 2014 | 1.361* | 1.499** | 1.483** |
| 2015 | 1.241 | 1.352* | 1.327* |
| 2016 | 1.286* | 1.396** | 1.388** |
| 2017 | 1.610** | 1.686** | 1.652** |
| Employee satisfaction | | | |
| Not satisfied | 1 | 1 | 1 |
| Neutral | 1.300 | 1.137 | 1.249 |
| Satisfied | 1.174 | 0.996 | 1.358 |
| Very satisfied | 0.931 | 0.960 | 0.944 |
| Response strategy | - | | |
| Only explanation | - | 1 | 1 |
| Non-financial compensation | - | 2.499** | 2.526** |
| Financial compensation | - | 2.531** | 2.589** |
| Severity of the breach | - | - | |
| Unauthorized transactions | - | - | 1 |
| Fraud or scam | - | - | 1.310 |
| Identity theft, fraud, embezzlement | - | - | 0.914 |
| Firm size | - | - | |
| Small firms | - | - | 1 |
| Medium-sized firms | - | - | 1.051 |
| Large firms | - | - | 0.665** |
| Constant | 2.905 | 2.455 | 1.992 |
| Hosmer-and-Lemeshow Goodness of Fit chi-square test | 5.704 | 6.849 | 25.205** |

Notes: * p <0.05. ** p <0.01. N=11134