‘All that Glitters is not Gold’: The Role of Impression Management in Data Breach Notification

Abstract

Data breaches have become a seemingly unavoidable aspect of the information age for both consumers and organizations. Breaches have tangible consequences, including the increased possibility of identity theft for consumers who see their personally identifiable information (PII) compromised. Organizations also face particular issues from data breaches, including damage to organizational reputation. In the United States, organizations are required to notify consumers in the event of a data breach. These notifications feature some aspects that are mandated by the state. However, organizations could control many aspects through the use of perspectives such as speech act theory and impression management techniques. In this article two studies examined the performance of language in letters sent to notify consumers whose PII had been affected by a security breach. Study 1, using a theoretical framework consisting of speech act theory, conditions of felicity, and visual presentation, analyzed 212 letters for specific elements. Study 2 used a 2 × 2 between-subjects design in which participants received sample stimulus letters in order to measure the effectiveness of visual presentation techniques on consumers. The results suggest that use of impression management techniques can produce a positive outcome when organizations send notification letters.