BA in Marketing and Management ... - AU Pure (pure.au.dk/portal/files/86457683/201209790.docx)

Bachelor thesis in Marketing and Management Communication, May 2015

Mathias Trier Mortensen 201209790 Total characters: 54.975 excl. blanks

Prescribed front page

Home Assignments, Project Reports, Synopses without oral defence

Department of Business Communication

Student No.: 201209790

Class No. (e.g. U02): H03

Course/Exam Title: Bachelor project

Name of Supervisor: Silvia Ravazzani

Number of Characters in your Assignment (exclusive of blanks): 54975 (2434 for Summary)

Crisis communication
An investigation of crisis response strategies for data breaches

BA in Marketing and Management Communication
Supervisor: Silvia Ravazzani, Aarhus BSS
Department of Business Communication
Student number: 201209790 / Exam number: 528461

Total number of characters excl. blanks: 54974 (thesis) / 2434 (summary)

Summary

This BA thesis, titled “Crisis Communication: An investigation of crisis response strategies for data breaches”, employs social constructionism in empirical research to characterise data breaches in a corporate context and expand the theory of crisis communication. Crisis communication efforts through crisis response strategies should serve to reduce the reputational threat of a crisis. Yet, it is vital for organisations to navigate the different crisis response strategies to avoid pitfalls and optimise corporate reputation based on the perception of stakeholders.

Therefore, the topic of this thesis is of high interest for managers responsible for corporate communication prior to, during and following a crisis, in order to apply effective crisis communication in their practices. Specifically, the concept of data breaching is of interest due to the recent series of IT crises in the corporate world, wherein payment systems have exposed consumers’ credit card information.

Adapting contemporary theory on crisis response strategies to the practice of crisis communication in the event of a data breach is therefore key to responding immediately and thereby protecting the corporate reputation. To acquire empirical data for analysis, the thesis investigates two cases of data breach, from 2011 and 2013, in which Sony and Target had to respond, respectively. The case studies will serve to answer the following questions:

1. How should communication practitioners contemplate data breaching as a crisis?

a. Which type of crisis is a data breach?

b. How can communication practitioners plan crisis response strategies for data breaches?

c. Which pitfalls do crisis response strategies and discourses following a data breach present?

Based on the discussed findings of the analysis, this thesis concludes that data breaching is an IT crisis associated with the victim cluster as malevolence. Hence, communication practitioners should employ victimage to reduce the reputational threat initially, as well as corrective actions to retain a positive corporate reputation among stakeholders. Organisations should be wary of misleading stakeholders by using minimisation as legitimisation of the crisis response. The strategy can be applied, but can quickly backfire if stakeholders perceive they have been misled by the organisation.

In events with high reputational threat, the organisation should aim to rebuild their corporate reputation, for

instance through compensation to the involved stakeholders. Lastly, it is important to be coherent in the

application of crisis response strategies and respond immediately and decisively.

Key words: Crisis Communication; Corporate reputation; Reputational threat; Crisis response strategies;

data breach; Image Restoration Theory; Situational Crisis Communication Theory.

Table of contents

1. Introduction
1.1 Problem statement
1.2 Structure of thesis
1.3 Scientific Framework
1.4 Delimitation
2. Literature review
2.1 Defining Crisis Communication
3. Method
3.1 Data collection
3.2 Data analysis
4. Background information
5. Findings
5.1 Crisis communication
5.1.1 Sony
5.1.2 Target
5.1.3 Comparison
5.2 Discourse analysis
5.2.1 Sony
5.2.2 Target
5.2.3 Comparison
6. Discussion
7. Conclusion and implications
8. References
9. Appendices
Appendix A: Sony 2011a
Appendix B: Sony 2011b
Appendix C: Sony 2011c
Appendix D: Target 2013a
Appendix E: Target 2013b
Appendix F: Target 2013c

1. Introduction

Crises in a corporate context have established a necessity amongst communication practitioners to master crisis communication. Thus, the theoretical framework of crisis communication has become extensive within the existing paradigm with regard to crisis management (e.g. Hearit 1994, 1999; Coombs 2006, 2007).

However, the digitalisation and globalisation of society including organisations present new crises that have

not previously been addressed within the area of crisis communication.

First, the emergence of social media platforms increases the rapidity of information sharing amongst consumers, who “more than previously are conversing online about organisations” (Li and Bernoff 2011), and corporate reputation can thus be affected by the conversation. This notion becomes critical in the event of a crisis, as consumers can make the crisis escalate quickly if a negative perception is advocated in conversation. Organisations must therefore respond immediately after a crisis (Cornelissen 2011) to assess the crisis before it escalates.

Secondly, the digitalised customer data in information technology (IT) can be exposed and exploited by IT criminals, especially in features of online credit payment systems that contain consumer credit card information. Thus, consumers with credit card information stored online have a financial stake in the organisation that maintains the payment system, of which they can be deprived.

Therefore, the consumers as a stakeholder group are key contributors to the development of corporate reputation and can likewise quickly act as a catalyst in the development of a crisis.

Organisations maintaining online payment systems thus have to respond to a new form of crisis, namely data breaching. In 2006-2007 hackers pioneered IT crime during the TJX data breach crisis, in which credit card information for up to 95 million credit cards had supposedly been compromised (Shurman 2007). Since then, other companies, such as Heartland Payment Systems and most recently the insurance company Anthem, have been victims on a large scale of the same category of IT crime (Palermo 2015).

The strategic management of crisis communication in cases of IT crises, thus, has to be prepared in advance

of a potential reputational threat to manage the situation optimally.

The concept of crisis communication needs to evolve in order to adapt to the added practice of IT crises and

accommodate the apparent pitfalls. Hence, it will be beneficial to critically analyse the crisis communication

of previous occurrences of data breaches. A comparative analysis of two recent data breach crises can

determine whether the communication practice of crisis management has changed.

The two companies examined in this research are Target, the retailing company, and Sony, the electronics conglomerate. Both have experienced data breach crises in recent years and thus present updated cases

eligible for analysis.

The analysis will investigate the following articles for both companies: press release, CEO statement and annual reports, as the official senders of the articles are the organisations and the articles can be accessed easily online for consumers to converse about. Thus they present discourse and crisis responses meant for stakeholders, as stakeholders are the intended receivers of these articles, which serve to protect the corporate reputation.

1.1 Problem statement

As a means to structure this research paper, the following questions will be answered in the course of the thesis through a case study of Sony’s and Target’s data breaches:

1. How should communication practitioners contemplate data breaching as a crisis?

a. Which type of crisis is a data breach?

b. How can communication practitioners plan crisis response strategies for data breaches?

c. Which pitfalls do crisis response strategies and discourses following a data breach present?

1.2 Structure of thesis

The structure of this thesis can be divided into three main parts: framing, analysis and discussion of findings. Initially, the scientific framework of the analysis will be presented in order to reflect on the effect of the scientific position in which the analysis is framed.

A delimitation of the thesis will frame the analysis and, thus, impose a cohesive thesis. Thirdly, the literature

review forms the theory background for the analysis and discussion of the problem statement with a

description of each theoretical field. Theories applied to the analysis include Coombs’ Situational Crisis

Communication Theory (2007), Benoit’s Image Restoration Theory (1997) and Van Leeuwen’s Legitimation

in Discourse Analysis (2007). The theories will be reviewed in terms of relevance to the formulated problem

statement. Subsequently, the methods and methodology in relation to the scientific framework will be

accounted for prior to the empirical analysis. The initial fragment of the analysis will briefly introduce the

two case crises for Sony and Target and their articles as crisis communication materials (Sony 2011a, 2011b,

2011c; Target 2013a, 2013b, 2013c). The findings identified in the analysis will be discussed in the

succeeding discussion paragraph to interpret the ramifications of those findings. Lastly, the conclusion and

implications paragraph will offer insight on the future perspective on crisis communication for data breaches.

1.3 Scientific Framework

The scientific perspective of this research paper is of social constructionist character. Burr (2001) defines social constructionism with four premises to describe the ontological and epistemological level of social

constructionism.

The first premise is that it takes “[…] a critical stance towards taken-for-granted knowledge” (2001: 3) in the sense of being open to finding new perceptions of reality in order to understand the socially constructed

nature of science. Therefore, social constructionists should be able to apprehend observations to find a

deeper meaning.

The second premise dictates that data and observations are “historical and cultural specific” (2001: 3) with

regards to the position of the observer and previous findings, their position in the historical and cultural

continuum. Hence, it becomes necessary for a social constructionist to comprehend the relevance of

historical and cultural background of the research in question.

Thirdly, the researcher should recognise that “knowledge is sustained by social processes” (2001: 4), and

thus, that it is socially constructed between human beings rather than through a universal true reality.

Therefore, knowledge is both sender and receiver oriented.

The fourth and final premise for social constructionism is the notion that “knowledge and social actions go

together” (2001: 5) in terms of the engagements incited in human beings derived from knowledge

constructed by social interactions.

From the four premises a postulation about the ontological, epistemological and methodological levels of

social constructionism can be made. Thus, the ontological level is based on the notion that knowledge is

socially constructed between human beings in relation to the history as well as culture with a critical stance

towards taken-for-granted knowledge.

On an epistemological level social constructionists believe that knowledge is best developed through a broad

understanding of the interrelation between human beings and their perception of reality constructed by their

previous knowledge. Accordingly, it becomes necessary for researchers to contextualise their analyses to

fully adapt the notion of knowledge from a social constructionist perspective.

The ontological and epistemological level thus constructs an understanding of how knowledge is acquired

through methods during the analysis. The prerequisite of knowledge through broad understanding of human

beings and the perception of reality invites researchers to analyse the discourse in which the research takes

place. Additionally, it becomes necessary to analyse findings with an acknowledgement of their correlation with the historical and cultural context.

The manner in which the analysis questions the discursive elements in the crisis communication, suggests

that societal elements affect the background and application of theories due to the exhaustive relevance of

events in society. This notion follows that of Burr (2003) as she stresses that discourse analysis is now

referred to as social constructionism “due to the conception that humans are social animals [and] the

construction of different aspect of human nature and society,” [such as] philosophy, sociology and

linguistics, serve as influencers in the scientific spectrum (2003: 1-2).

Critics in the form of realists would argue that the constitution of the different aspects is contemplative rather

than real (Searle 1995). But it can be argued from an anti-realist’s perspective that the philosophy of science

is immense and thus is constituted of our socially constructed knowledge (Potter 1998 in Nightingale and

Cromby 2002). As such, it is the socially constructed knowledge that produces whole articles in an analysis.

1.4 Delimitation

For the purpose of critically reviewing the scientific perspective applied in the thesis, social constructionism

entails certain rationalisations of the chosen area of focus. So, the thesis follows the essential parts of social

constructionism described in the previous paragraph, explicitly discourse analysis. While knowledge is

gained via receiver as well as sender, this thesis is sender-oriented to analyse in-depth with that emphasis.

Therefore, the focus will be on the data collected from articles within the cultural and historical context of

the crisis that forms the two discourses. In connection, the two cases presented revolve around the niche part

of IT crises, data breaching, to offer relevant implications to the specific niche fragment of crisis

communication.

2. Literature review

The following sections will conceptualise crisis communication by definition through crisis, crisis types and crisis response strategies in order to characterise the rationale of the analysis and embedded assumptions in IT crises. Thus, the literature review serves as the basis for discussing the findings later on within the existing research

field of crisis communication. Originally, the term crisis stems from the “Greek word krisis [that] implies a

pulling apart, a separating” (Ciborra 1998: 7). The notion can be applied to different types of crisis in the

separation between two or more parties.

However, in a corporate context and for this thesis, the concept of crisis is defined as “an untimely but

predictable event that has actual or potential consequences for stakeholders’ interests as well as the

reputation of the organisation suffering the crisis” (Heath and Millar 2003: 2). Additionally, Gamble (2009)

argues that “a crisis is not a natural event, but a social event and, therefore, is always socially constructed

[…]” (cited in Laffan 2014: 267).

Hence, the crisis can hurt an organisation through stakeholders due to the stakeholders’ socially constructed

reactions to the crisis. A crisis should then induce a response, which should be “decisive and immediate [,]

from the organisation” (Cornelissen 2011: 200) in order to accommodate and diminish the crisis’ effect on

the corporate reputation.

However, a crisis can occur as different crisis types determined by the cause of the crisis, which are identified by Coombs (2007: 168):

Victim cluster: The organisation is a victim of the crisis
    Natural disaster - Acts of nature damage an organisation
    Rumour - False and damaging information about the organisation is circulated
    Workplace violence - Employee attacks employees onsite
    Product tampering/Malevolence - External agent causes damage to organisation

Accidental cluster: Unintentional crisis caused by organisation’s action
    Challenges - Stakeholders criticise the manner of organisational operation
    Technical-error accidents - Technology failure causes accident
    Technical-error product harm - Technology failure causes product recall

Preventable cluster: Hazardous actions done by organisation
    Human-error accidents - Human error caused accident
    Human-error product harm - Human error caused product recall
    Organisational misdeed with no injuries - Stakeholders are deceived without injuries
    Organisational misdeed management misconduct - Legislations are violated by management
    Organisational misdeed with injuries - Stakeholders are at risk and injuries occur

Table 1: Overview of crisis types by clusters in accordance with Situational Crisis Communication Theory (Coombs 2007)

As Coombs (2007: 167) argues, “it does matter if stakeholders view the event as an accident, sabotage or criminal negligence [, hence] how much stakeholders attribute responsibility for the crisis to the organisation”. He divides the crisis types into three identified clusters, as presented above: 1) the victim cluster, in which the organisation is the victim of the crisis; 2) the accidental cluster, in which the crisis is unintentional or uncontrollable; and 3) the preventable cluster, wherein the crisis is purposeful (2007: 167). The first two have weak attributions of crisis responsibility, i.e. the degree to which the organisation is considered accountable, whereas the preventable cluster has strong attributions of crisis responsibility (Coombs 2007). Additionally, the reputational threat increases, ranging from 1) the victim cluster – mild reputational threat to 3) the intentional cluster – severe reputational threat (2007: 168).

In the modern business world, new potential crises can arise through the application of information

technology. Following the emergence of online data collection, “companies are busy seeking strategic

applications of information technology (IT), savouring the delights and pitfalls of more and more

sophisticated networks” (Ciborra 1998: 6). IT does therefore not only provide opportunities to businesses but

also challenges that can potentially evolve into crises, which can thus be defined as IT crises. An example of

such an IT crisis is the “Heartland Payment System data breach” in which credit card information was stolen

by hackers to access customers’ credit card accounts and thus their personal assets. The IT crisis eventually

cost Heartland “50 percent of its market capitalization and, as of August 2009, had spent more than $32

million on legal fees, forensic costs, reserves for potential card brand fines, and other related settlement

costs” (Cheney 2010: 18). Therefore, management should serve to employ “efforts aimed at improving

information sharing and data security within the consumer payments industry” (2010: 1) to avoid such crises.

So, for this thesis, an IT crisis takes its point of departure in an untimely, but predictable event related to the

implementation or utilisation of information technology. The crisis carries potential consequences for

stakeholders’ interests as well as the reputation of the organisation suffering from the crisis.

The characteristics of an IT crisis correspond with the accidental cluster of Coombs’ (2007: 168) crisis types

by cluster due to the technological aspect and potential failure to correctly manage that technology.

However, in the case of the Heartland data breach the intrusion of the IT systems was done by an external

agent who deliberately breached the system and stole personal payment data intentionally. Hence, the

organisation becomes the victim in the crisis as the intrusion constitutes malevolence. The Heartland data

breach will thus establish a general definition of data breaching in a crisis context. Thus, a data breach will

be defined as a crisis with an illegal act of information theft done by an external agent.

Additionally, it is assumed that the stakeholders hold the organisation less responsible due to the external

agent’s wrongdoing.

It is thus essential for organisations to be able to convey the crisis to the stakeholders in an appropriate

manner. Kim et al. (2009: 86) argue that “[stakeholders] make sense of the crisis based on not only the

objective facts regarding the crisis, but also on the aspects of reassurance emphasized by the company in the

media or news releases”. This argument is backed by Benoit’s statement that the conveyed message is

crucial as “perceptions are more important than reality” (Benoit 1997: 178). The application of

communication in crises can therefore diminish the criticism by stakeholders towards an organisation.

2.1 Defining Crisis Communication

The field of crisis communication is a subcategory of crisis management with the “[…] objective to exert control [and] reassure stakeholders […]” (Cornelissen 2011: 199). The emphasis on the communication aspect of crises is due to the assumption that “a crises response […] is essentially communicative” (Coombs 2010: 337). Crisis communication can thus be summarized as the visual, textual and/or verbal interaction between the company and its stakeholders, whether it is before, during or following a crisis (Fearn-Banks 2001: 480).

Hence, organisations should serve the interests of their stakeholders in order to uphold a certain level of corporate reputation, as Coombs (2010: 338) states that “once [stakeholder] safety is addressed, the crisis response shifts to reputational repair”. In this context, the term “safety” is viewed as safety of the stakeholder’s investment in the organisation rather than physical safety, which is unlikely in the event of a crisis through information technology. In the event of a data breach the stakeholder safety is thus entrenched

in their credit card information.

The corporate reputation is here defined as “[…]a perceptual representation of a company’s past actions and

future prospects that describes the firm’s overall appeal to all of its key constituents[…]” (Fombrun 1996

cited in Wartick 2002: 374). This signifies an emphasis on the perception of the stakeholders, the need to be

wary of the impact it has on an organisation and the need to apply assets of reputational character in the

crisis management.

The crisis response strategies to repair corporate reputation are comprehensive and it is thus essential to be able to navigate the countless theories within the field. Therefore, two main principles of crisis communication are presented below and adapted to highlight the nuances of the cases.

As previously stated, crises can damage the corporate reputation and affect how stakeholders interact with the

organisation in a negative manner (Barton 2001, Dowling 2002 in Coombs 2007: 163). According to

Rousseau (2006), the approach to counter the crisis and thus protect the corporate reputation is “through

evidence-based guidance […] supported by scientific evidence rather than personal preference and

unscientific experience” (cited in Coombs 2007: 163). This notion should however still be seen in the light of

social constructionism that acknowledges that scientific evidence is founded in social interactions.

So, the Situational Crisis Communication Theory developed by Coombs (2007), serves the apparent need for

evidence-based guidance in a scientific matter. Throughout the thesis, Situational Crisis Communication

Theory will be referred to as SCCT in short on Coombs’ own invitation (2007).

SCCT can be applied as a strategic tool to 1) determine the crisis type, 2) identify possible crisis response

strategies and 3) evaluate the strategies through guidelines for crisis responses (Coombs 2007).

However, for the identification of possible crisis responses, the Image Restoration Theory (Benoit 1997) will

interchange Coombs’ own crisis response strategies through primary and secondary crisis response

strategies (Coombs 2007). This is due to the augmented variety of strategies, in which, for instance, the

possibility of corrective action is possible in Benoit’s theory (1997) and not in Coombs’ (2007). Coombs

(2007: 171) argues that “Image Restoration Theory offers no conceptual links between the crisis response

strategies and elements of the crisis situation”.

Yet, an adaptation of the Image Restoration Theory to Coombs’ terminology, through the three general crisis

response strategies: Deny, Diminish, Rebuild and Victimage (Coombs 2006), allows the application of

Coombs’ crisis response strategy guidelines of SCCT (Coombs 2007) specified subsequently.

SCCT assesses the reputational threat of a crisis situation via three main points 1) initial crisis

responsibility, 2) crisis history and 3) prior relational reputation (Coombs 2007: 166). The initial crisis

responsibility is defined as “[…] how much stakeholders believe organisational actions caused the crisis”


(Coombs 1995 cited in Coombs 2007: 166). Thus, it is important to determine to which level the crisis is

perceived as self-induced. The crisis history and prior relational reputation of an organisation can further

enhance that perception, as “either a history of crises or an unfavourable prior relational reputation

intensifies attributions of crisis responsibility thereby indirectly affecting the reputational threat” (Coombs

2007: 167).

In relation to the three main points of reputational threat, it is necessary for managers to determine the crisis

type to find the initial cause or offender in the crisis situation. The crisis type has previously been elaborated

in the 3 crisis types by clusters: victim, accidental and preventable cluster (Coombs 2007: 167).

Coombs’ SCCT (2007) emphasises swift assessment of the situation at the point of crisis; however, the crisis

history and prior relational reputation indicate the manner in which a crisis can be alleviated or aggravated

dependent on the two attributes.

Following the crisis types, the crisis response strategies, which, as previously stated, will be presented in

Benoit’s (1997) terminology, offer initiatives for communication practitioners to apply in crises. The

strategies will 1) shape attributions, 2) change perceptions and 3) reduce reputational threat (Coombs 1995 in

Coombs 2007).

Benoit emphasises that “perceptions are more important than reality [and] as long as the audience thinks the

firm at fault, the image is at risk” (1997: 178). Benoit’s concept of image can thus be related to Coombs’

corporate reputation, as they describe the perception of the stakeholders. Henceforth, the term corporate

reputation will be applied throughout the thesis.

The augmented variety of crisis response strategies includes five general message options with subordinate

description within the first three. Image Restoration Theory’s descriptions are briefly described below

(Benoit 1997: 179-181):

1) Denial, wherein the organisation applies either simple denial or shifts the blame to deny its responsibility;

2) Evasion of responsibility that is in form of provocation, defeasibility, accidents or good intentions. Thus

the crisis was provoked by another event, due to poor information, an accident or based on good intentions;

3) Reducing offensiveness of event that is either based on bolstering of the organisation, minimisation of the

crisis, differentiation from other similar crises, the means for transcendence, attack(ing) the accuser or

compensation to the victims of the crisis;

4) Corrective action, wherein the organisation will assure stakeholders that the problem will be corrected or

prevent the reoccurrence of that problem;


5) Mortification that implies the organisation confesses to stakeholders and takes responsibility for the crisis.

This strategy can, however, be hazardous as “[…] it might invite lawsuits from victims” (1997: 181).

Benoit’s Image Restoration Theory (1997) has theoretical connections to Frandsen and Johansen’s crisis

communication and apologetic ethics (2010) through the emphasis on crisis communication through

apologies, which can be applied to some cases of 3) reducing offensiveness of event, 4) corrective action and

especially 5) mortification. However, the apologetic approach does not apply well with 1) Denial or 2)

Evasion of responsibility.

A more suitable notion of apologia by Hearit (1994: 115) is, however, more differentiated as it does not

necessarily carry an apology to right the wrongdoings of an organisation. He argues it to be “[…] a defense

that seeks to present a compelling, counter description of organizational actions […] in a more favourable

context than the initial charges suggest” (Hearit 1994: 115). As such, the apologia is applied to a discourse

by the organisation to minimise reputational threats. The concept of apologia thus translates well into the

SCCT (Coombs 2007) and Image Restoration Theory (Benoit 1997) without providing an extensive strategic

tool compared to SCCT.

Lastly, Coombs offers a set of recommendations for the use of crisis response strategies through the crisis

response strategy guidelines (Coombs 2007). For the scope of this thesis the response guidelines included

will concern the premises of data breaching, defined previously as an illegal act of information theft done by

an external agent. The definition stresses minimal attributions of crisis responsibility by the organisation.

Hence, only the following guidelines concerning minimal attributions of crisis responsibility and a singular

guideline concerning strong attributions of crisis responsibilities, in case of organisational misdeed with no

injuries (Coombs 2007), will be applied to this thesis.

The guidelines suggest that “informing and adjusting information alone can be enough” when the

reputational threat is low (2007: 173), but as the reputational threat grows the crisis response should

move towards diminish responses onwards to rebuild responses in pari passu with the growth. Also,

“victimage can be used as part of the response for […] malevolence […]” (2007: 173).

Lastly, the guidelines suggest that consistency in the application of response strategies should be in place to

avoid erosion of effectiveness (2007: 173-174).

Crisis response strategies can thus provide an overview for communication practitioners to apply in crisis

communication. Overall, the two theories, SCCT (Coombs 2007) and Image Restoration Theory (Benoit

1997) supplement the other in terms of application and conceptualisation. An adaption of the two in unison is

thus applied to this thesis with emphasis on crisis response strategies:


Crisis response strategies

Adapted from Benoit (1997):

Denial
- Simple denial: Deny doing the act
- Shift the blame: Blame another for act

Evasion of responsibility
- Provocation: Claim that something else caused it
- Defeasibility: Blame lack of information
- Accident: Claim that act was a mishap
- Good intentions: Claim that act was meant for the best

Reduce offensiveness of event
- Bolstering: Stress good traits
- Minimisation: Claim that act was not serious
- Differentiation: Claim that act was less offensive
- Transcendence: Claim that the end justifies the means
- Attack accuser: Reduce attacker’s credibility
- Compensation: Reimburse victim

Corrective action: Prevent/solve problem

Mortification: Apologise and take blame

Adapted from Coombs (2007):

Deny

Diminish

Rebuild

Victimage - Reemphasise the role as a victim

Table 2: Adaptation of Image Restoration Theory (Benoit 1997) and SCCT (Coombs 2007)

3. Method

Subsequent to the methodology of the scientific position of this analysis, the methods will have focus on the

socially constructed knowledge presented in the collected data. Additionally, social constructionism is the

rationale for the chosen methods with historical and cultural context in mind. In the following two sections

the data collection and data analysis will be presented.

3.1 Data collection

The social constructionist perspective on this thesis entails the premise that knowledge is socially

constructed and that the discourse in a given context is constituted by multiple perceptions. Hence, in order

to gain knowledge, a “holistic examination – using multiple sources of evidence […] of a single phenomenon

([for example] an event) within its social context” (Daymon and Holloway 2011: 115) can determine the key

points of crisis communication in the presented cases.

The data collection of this analysis is reliant on articles in form of annual reports, CEO statements and press

releases as qualitative empirical data in the case study of Sony and Target’s respective IT crises, specifically

data breaching. Sony has made the following articles official in a chronological order: a two-page press

release on May 3 2011 (Sony 2011a), a CEO statement on May 5 2011 (Sony 2011b) and an annual report on July 6


2011 (Sony 2011c). Subsequently, Target released a press release December 19 2013 (Target 2013a), a CEO

statement December 20 2013 (Target 2013b) and an annual report March 14 2014 (Target 2013c). Collection

of data from the annual reports will exclusively target the paragraphs explicitly addressing the data breach of

the respective companies. That is page 8 from Sony’s annual report (Sony 2011c) and pages 17-18 from

Target’s annual report (Target 2013c: 1-2).

The articles can be viewed in Appendices A to F; however, throughout the analysis they will be referred to by

sender and year of publication.

A noteworthy distinction between the companies’ articles is time, as Sony’s crisis material stems from 2011,

whereas Target’s is more recent, from 2013. The parameter of time can thus play a role on the crisis

communication efforts when the two cases are compared to each other, as new understanding of the subject

after Sony’s crisis in 2011 can have aided Target in their crisis communication.

The rationale for three different communication channels is a holistic perception of the crisis communication

embedded in instant communication, press releases; reactionary communication, CEO statements and finally

the settled communication integrated in the annual reports and more explicit in certain paragraphs of that

article.

Thus, the articles present more than one aspect to the same challenge of successfully communicating within a

crisis discourse.

3.2 Data analysis

As determined previously, social constructionism is the foundation of this thesis, which is reflected in the

chosen theories for analysis of the crisis communication by Sony and Target. An adaptation of Coombs’

SCCT (2007) and Benoit’s Image Restoration Theory (1997) will investigate the setting for the crisis

communication for each company qualitatively through an analysis of responses and discourses. These

adaptations of crisis response strategies from existing theory can be viewed in Table 2. In supplement to the

adaptation, Van Leeuwen’s Legitimisation in discourse analysis (2007) serves as an expansion of the

analytic approach to crisis communication in a rhetoric perspective that can illustrate the intention to affect

stakeholders’ perception of the organisations.

Fairclough (1992: 225) defines discourse as the “[…] practice of signifying a domain of knowledge or

experience from a particular perspective”. To paraphrase that definition, a discourse analysis is thus an

analysis of the signals used to describe a field of study or involvement from a particular perspective. Thus,

the discourse analysis identifies elements of rationale from the provided perspective.

Van Leeuwen (2007) developed the legitimisation in discourse analysis theory to effectively interpret and

analyse discourses in question through legitimisations applied in the communication material. He defines


legitimisations as “the answer […] to the question ‘Why’ – ‘Why should we do this?’ and ‘Why should we

do this in this way?’” (2007: 93).

The legitimisation in discourse analysis is divided into four major categories of legitimacy: 1) authorisation,

2) moral evaluation, 3) rationalisation and 4) mythopoesis (2007: 92-111).

The 1) authorisation in legitimisation employs either personal authority, expert authority, role model

authority, impersonal authority, authority of tradition or authority of conformity. Personal authority implies

the authority embedded in the status of the sender.

Conversely, through expert authorisation, legitimacy is delivered via expertise rather than status. Hence, the

legitimacy becomes empowered via an expert role.

Role model authority relies on the sender’s role as an opinion leader or role model within the context.

Impersonal authority is present in legislations and is, thus, impersonal due to the prohibitions of the law.

Authority of tradition relies on “[…] what we have always done” (2007: 96).

Lastly, authority of conformity applies the legitimisation by stating that “most people are doing it, and so

should you” (2007: 97).

2) Moral evaluation legitimises via values. It can be subdivided into evaluation, in which evaluative

adjectives are used to legitimise; abstraction, wherein the abstract references form the legitimisation, and

lastly analogies that imply the use of comparisons as legitimisation (97-100).

3) Rationalisation applies the use of logic to rationalise the legitimisation. It can be subdivided into

instrumental rationalisation and theoretical rationalisation (2007: 101-105).

Instrumental rationalisation emphasises the purpose legitimised through means, effect or goal, whereas

theoretical rationalisation emphasises the nature of circumstances by definition, explanation or prediction.

Lastly, 4) mythopoesis applies legitimisation through storytelling. Mythopoesis can be either positively,

moral tales, or negatively, cautionary tales, influencing as the legitimisation (2007: 105-107).

Kress’ analysis shows “that a single text can invoke many different, sometimes even contradictory,

discourses” (1985 in Van Leeuwen 2007: 108). Hence, it is necessary to attempt to view the legitimisations

from different perspectives to avoid misinterpretation. This notion is supported by Van Leeuwen’s statement

“[we] need to consider not just legitimation, but also and especially the intricate interconnections between

social practices and the discourses that legitimize them” (2007: 111).

Thus, to support the crisis communication analysis, an in-depth discourse analysis through legitimisations in


discourse analysis by Van Leeuwen (2007) will provide an understanding of the discourse in which the crisis

communication operates.

Thus, the crisis communication and discourse analyses take the context of the crises into account. However,

while the analyses emphasise the socially constructed discourses there is little or no emphasis on the

stakeholders and their perception prior to, during and post crisis. Hence, this thesis will provide insight in the

rationale of the chosen crisis communication strategies; however it will not examine the effect on stakeholder

perception.

4. Background information

A brief description of the two data breach crises will provide the analysis with a context in which the

communication transpires. Thus, the background information will precede the analysis to make grounds for

the value and corporate reputation of the two.

4.1 Crisis: Sony Online Entertainment’s data breach

One of Sony’s most salient product groups is PlayStation, a series of video gaming consoles and software.

The entertainment service network developed for the consoles, PlayStation Network, had 75 million users in

March 2011 and 150 million in September 2013 (Statista 2015). In the registration process of PlayStation

Network, consumers state private personal details for data collection, such as credit card information, to

purchase content through the network.

In April 2011, Sony’s first major crisis occurred after the hacktivist group, Anonymous, allegedly hacked the

PlayStation Network and Qriocity servers and thus compromised 12,3 million registered users’ credit card

information on April 3 (VentureBeat 2011). The hack attack was rumoured to be an act of retaliation for the

lawsuit against George “GeoHot” Hotz on January 11 2011 due to his distribution of “jailbreaking” tools to

PlayStation users, thus circumventing Sony’s security system against unauthorised software. The hack

attack, thus, created a sudden technological crisis (Tench and Yeomans 2009: 386‐837) that happened

expeditiously. Therefore, the crisis communication had to be swift in order to react timely to the hacking.

However, according to VentureBeat (2011), Sony noticed the intrusion on the servers on April 20, 17 days

after the intrusion occurred, and decided to shut the system down in order to investigate the attack. The

users were given the following statement: “[…] we are aware certain functions of PlayStation Network are

down. We will report back here as soon as we [have] more information” (PC World 2011).

Furthermore, they did not publicise a press release until May 3 2011 (Sony Online Entertainment 2011),

which had left users without a legitimate reason for the shutdown of servers for almost two weeks. Two


days later CEO, Howard Stringer, released a statement on the crisis (PlayStation Blog 2011), in which he

apologised for any inconvenience caused by the crisis.

Following the shutdown, Sony strived to accommodate the affected users of PlayStation Network by the

“welcome back” programme that included free games and premium access to PlayStation Plus for the users

as compensation for the time excluded from the Network (Huffington Post 2011).

During the span from April 20 to May 20, Sony’s stock price went down ≈10% from 30,14 US$ to 27,05 US$,

which indicated a loss of confidence in Sony as a public limited company (Yahoo! Finance 2015).

4.2 Crisis: Target’s data breach

In 1995 Target introduced their credit card solution for customers, Target Guest Card, which was later

renamed to REDcards in 2004 (Corporate Target 2015). Customers can apply for a REDcard with their

personal information in order to receive the credit card that ensures exclusive discounts and advantages for

the cardholder (Target 2015).

In the winter of 2013, Target’s first corporate crisis hit as hackers were able to steal 40 million customers’

names, credit or debit card numbers, expiration dates and three-digit security codes from November 27 to

December 15 (New York Times 2013).

Initially, Target claimed that “to date, there is no evidence that unencrypted PIN data has been

compromised” (TIME Business 2013). However, on December 19 2013, Target released a press release,

wherein they confirmed “unauthorised access to payment card data in US stores […] that may have impacted

certain guests” (Target 2013a). Thus, within a few days, Target switched position from disregarding the

crisis to an acknowledgement that it “may have” happened. The stolen PIN data could then be used by

“cybercriminals [to] make withdrawals from a customer’s account through an ATM” or it can even be sold

on cyber black markets for others to mismanage (New York Times 2013).

In the wake of the discovery of the crisis, on December 21 2013, the bank, JP Morgan Chase, announced to

“debit card customers affected by the Target breach that it [would] place daily limits on spending and

withdrawals as it works to reissue cards in the following two weeks” (Wall Street Journal 2014). Hence, the

statement by JP Morgan Chase further strengthened the distrust in Target.

In order to regain some of the trust and thereby repair the corporate reputation, Target offered customers an

additional 10 percent off their purchases, whether they were victims of the crisis or not (NewsCred n.d.).

Target eventually announced on January 10 2014 that “70 million customers had their personal information

stolen during the holiday data breach” (Wall Street Journal 2014).


5. Findings

In this section the case material of Sony and Target will be analysed to identify key findings that can

substantiate the impact of crisis communication in cases of data breaching.

The two company cases will be analysed separately under each theoretical section to form a foundation for a

comparative analysis in the end of each section.

5.1 Crisis communication

The crisis response strategies relevant for the adaptation of Coombs’ SCCT (2007) and Benoit’s Image

Restoration Theory (1997) will be scrutinised. Firstly, the crisis types by clusters adapted from SCCT will be

identified, then, crisis response strategies adapted from Image Restoration Theory.

Despite the emphasis of crisis history and prior relational reputation of reputational threats, the two factors

will be omitted as there has been no prior crisis in the companies’ history, which is evident in the

background information. The study of prior relational reputation carries an ample research question of its own

beyond the scope of this analysis and will therefore not be investigated.

5.1.1 Sony

Sony denotes that the crisis is due to an external agent’s malevolence on the company as “hackers may have

stolen SOE customer information” and “SOE accounts may have been stolen [which were][…] illegally

obtained” (Sony 2011a: 1).

The bias towards this crisis type continues in the CEO Statement (Sony 2011b) with the comprehensive use

of the word “attack”, which connotes that Sony is a victim in the crisis: “[…] caused by this attack”, “If attacks

like this happen again” and “a criminal attack on us”.

Similarly, in the annual report (Sony 2011c) the “cyber-attack launched against the PlayStation Network and

Qriocity […] forced [Sony] to temporarily shut down all of these services” connotes the victimage of Sony in

this crisis as they have fallen victim to “sophisticated criminal intrusions”.

The press release (Sony 2011a) introduces the crisis via a shift of blame interconnected to the malevolence

described above, as “hackers may have stolen SOE customer information on April 16th and 17th, 2011” (: 1)

and “hackers […] do their best to cover their tracks” stated in the CEO statement (Sony 2011b).

However, the predominant response strategy applied is corrective action. This is evident from reaction in

which, “upon discovery […], the company promptly shut down all servers related to SOE services” also “the

company is working with the FBI and continuing its own full investigation while working to restore all

services” (Sony 2011a: 1). By responding immediately, Sony denotes a corrective action has been done. The

“$1 million identity theft insurance policy” will in the future protect the interests of the customers to prevent

the problem from reoccurring (Sony 2011b).


Compensation is briefly managed by “rewarding [customers] for [their] patience” (Sony 2011b) with the “30

days of additional time on [customers] subscription” (Sony 2011a: 2).

The annual report (Sony 2011c) only has few traits of crisis response strategies in form of shifting the blame,

“cyber-attack launched against PlayStation Network […], which forced [them] to temporarily shut down all

of these services”. The other strategy evident is corrective action, as “[they] have worked around the clock to

strengthen [their] information security systems” and eventually “all serviced territories have been restored”.

5.1.2 Target

The crisis type of Target’s data breach is characterised via the victim cluster in form of malevolence. It is

evident from the press release (Target 2013a), wherein Target “confirmed [it is] aware of unauthorised

access to payment card data”.

Additionally, the “unauthorised access to payment card data” is succeeded by a statement that “[the data

breach] was a crime against Target, [their] team members and [their] valued guest” (Target 2013b).

The recurrence of “unauthorised access” denotes that it was an external agent, which is explicitly stated in

the annual report, as “an intruder stole certain payment card and other guest information from our network”

and that the intruder accessed “[…] approximately 40 million credit and debit card accounts” (Target 2013c:

1).

The crisis is minimised through the ambiguity of the statement that “card accounts” and “card data may have

been impacted” (Target 2013a) and still customers “can shop with confidence at target” as “there are

typically low levels of actual fraud” (Target 2013b). It thus remains unresolved in the press release and CEO

statement, whether there really was cause for consumers’ concern over their credit card information. Hence,

the crisis threat is minimised due to the low risk of affecting customers and they should therefore disregard

the threat and purchase unaffectedly.

However, corrective actions are applied as Target has “resolved the issue” and are “working with law

enforcement to bring those responsible to justice” to correct the crisis (Target 2013b).

Target “removed the malware from virtually all registers” (Target 2013c: 1) and “committed to restore

[customer] confidence” (: 2). Conclusively in the annual report, it is stated that Target “are committed to […]

activities to restore [customers’] confidence” (: 3). These examples connote actions initiated to protect

consumers and prevent a similar crisis.

The compensation is explicit in the CEO statement (Target 2013b) as Target “will offer free credit

monitoring services”. Moreover, the “issue has been addressed” connotes a corrective action to illustrate that

actions have been taken to resolve the crisis.


There is no evident minimisation in the annual report contrary to the press release and the CEO statement.

Instead, the annual report shifts the blame to “the intruder [who] accessed and stole payment card data” and

“the intruder stole certain guest information […] for up to 70 million individuals” (Target 2013c: 1).

In correlation, minor traits of mortification are evident as “it is probable [Target] would be found liable on

these claims were they to be litigated” and thus “may be subject to fines or other obligations” (Target 2013c:

2). Thus, the organisation takes partial blame for the crisis and addresses the risk of litigations.

Victimage is identified with emphasis on the financial aspect of the crisis. Target addresses the “more than

80 actions filed in court […] may be asserted against [them] on behalf of guests[…]” (Target 2013c: 2).

Thus, the crisis has caused liabilities that can be referred to the “$61 million of pretax data breach-related

expenses” (: 1).

5.1.3 Comparison

A similar strategy applied by both organisations is the malevolence as part of the victim cluster, wherein

Sony as well as Target claims that an external agent caused the crisis rather than the organisations

themselves. Additionally, response through compensation is identified in both cases.

However, Sony is fairly consistent in the application of the crisis response strategies with traits of shift the

blame and corrective action across the three Sony articles.

Conversely, Target is inconsistent in the crisis response strategies applied as the first two articles contain

minimisation, which is abandoned in favour of shift the blame and minor traits of mortification in the third

article.

Conclusively, both organisations apply victimage to denote their role as victims in the crisis.

5.2 Discourse analysis

The articles will be analysed for legitimisations applied in discourse of the communication. However, due to

the abundance of legitimisation traits, the predominant legitimisations will be highlighted to indicate the

trending practice of the two organisations in the articles and thus not misconceive the rationale of the

strategy overall.

5.2.1 Sony

Sony’s application of authority in the legitimisation is primarily in form of impersonal authority, evident in

the press release by the “illegal intrusions” and the work with “the FBI” to recover the “illegally obtained”

personal information (Sony 2011a: 1). The emphasis is, thus, put on what is dictated by legislation as illegal

and upheld by the governmental FBI.


The phrase “under the leadership of Kazuo Hirai” (Sony 2011b) forms an analogy of moral evaluation

through a military comparison with reference to a military status, to make “[their] defences […] even

stronger” against the “cyber-attacks”.

The annual report (Sony 2011c) contains a trait of instrumental rationalisation as the effect of “a cyber-

attack […] forced [them] to temporarily shut down all of these services”. Thus, the shutdown was an effect of

the data breach. Additionally, a legitimisation by moral evaluation is applied through evaluation, as the evaluative

adjectives “new and rich user experiences” and “a serious challenge” legitimise the quality of products and

the degree of crisis.

The evaluation is predominant throughout in the moral evaluation of legitimisation through the use of

evaluative adjectives: “as quickly as possible” (Sony 2011a) and “full and safe service” (Sony 2011b). The

adjectives legitimise the efficiency of the process. The instrumental rationalisation is evident in the press

release: “the company is committed to helping customers” and “complimentary offering to assist users”, goal

and means respectively (Sony 2011a). Hence, Sony emphasises the support to customers as a goal and the

offering as a means towards that goal. Additionally, Sony wants to “[get] back what [customers] signed up

for” (Sony 2011b) and “further reinforce [their] security” (Sony 2011c). Thus, the goals, which were

customer satisfaction and IT security, are set for Sony.

5.2.2 Target

Likewise, Target’s references to “law enforcement”, “financial institutions” and “authorities” (Target 2013a)

form authority of impersonal character, as the examples denote authority in legislative form.

The legitimisation by authority in the CEO statement (Target 2013b) is still present, but instead of

impersonal authority, the application of authority of tradition becomes evident as “[Target] has been built on

a 50-year foundation of trust” and “[their] guests are always first priority”. Thus, the lineage is included to

legitimise trust and customer service.

Instrumental rationalisation is evident in the first two articles through goal-orientation towards customer

trust in the organisation, “Target’s first priority is preserving the trust of [their] guests” (Target 2013a), and

means-orientation through “free credit monitoring services [to get] extra assurance” (Target 2013b).

Rationalisation is also featured in the annual report (Target 2013a), but is of theoretical character through

prediction as, “[they] expect the forensic investigator […] to claim […]” and explanation of the “yearend

incremental counterfeit fraud losses […] because [they] have not yet received third-party fraud reporting”.

The rationalisation is thus based on the nature of the organisation’s circumstances rather than the purpose.

Conclusively, authority is primarily of impersonal character with emphasis on “state and federal agencies”

and the support to “law enforcement” (2013c: 2).


Evaluation is evident in the article by the wording “appropriate resources” and “thorough investigation” to

legitimise the expenditure and quality of research (Target 2013a) and the normality of the crisis is legitimised

by “other similar situations” (Target 2013b). Furthermore, evaluation legitimises the righteousness of the

“significant investigation” and the inaccessibility of the “broad array of […] factors” as “infeasible” (Target

2013c: 2, 3).

5.2.3 Comparison

The application of impersonal authority in the articles is similar for both organisations. However, Target shifts

from impersonal authority to authority of tradition back to impersonal authority.

Target applies evaluation across their three articles, whereas Sony applies it to the press release and annual

report, but uses analogies in the CEO statement through a military comparison.

On the other hand, Sony applies instrumental rationalisation across the three articles and Target does in the

press release and CEO statement as well, but applies theoretical rationalisation in the annual report.

6. Discussion

A discussion based on the contemporary theoretical contribution to crisis communication, background

information and analysis findings will identify key takeaways for communication practitioners to apply in

the event of data breaching going forward.

This discussion takes its point of departure in Coombs’ (2007) crisis response strategy guidelines that can help

protect the corporate reputation “through evidence-based guidance […] supported by scientific evidence

rather than personal preference and unscientific experience” (Rousseau 2006 cited in Coombs 2007: 163).

The premise of a data breach involves an external agent in form of a hacker, which constitutes the primary

guilty party in the crisis, in contrast to other crisis types. Thus, it is natural for organisations to recede from

responsibility and introduce the crisis as malevolence by victimage with the organisation as a victim in order

to reduce the reputational threat (Coombs 2007). This claim is denoted by the practice performed by Sony

and Target’s crisis communication, implying a consensus within the niche area of the crisis communication

that follows the guidelines of victimage in cases of malevolence.

The organisations’ insufficiency within IT security could constitute reputational threat if stakeholders

perceive that as an attribution of crisis responsibility. Thus, the level of attribution of crisis responsibility

would be higher than if it is perceived that nothing could have been done to prevent the data breaches.

Therefore, it is possible that stakeholders in reality perceive low attribution of crisis responsibility to the

organisation rather than minimal attributions in cases of data breaches based on the importance of sufficient

IT security to prevent the crisis.


Cornelissen’s (2011: 200) premise for optimal crisis communication states that it has to be “decisive and

immediate [,] from the organisation” and Coombs’ (2010) priority on stakeholder safety, in this thesis credit

card information, is a point of critique for Sony’s crisis response. Sony’s announcement of the failing

functions of PlayStation Network without much information does not denote decisiveness or immediacy in

terms of crisis response strategies, nor does it accommodate a potential threat to the credit card information

of PSN users. The initial poor response with no information may even have devalued Sony’s stock indirectly.

However, overall the effectiveness of the crisis response strategies was maintained by consistency (Coombs

2007: 173) across the three articles in form of shift the blame and corrective action (Benoit 1997) mainly.

The shift of blame works in the case of malevolence with the denial of responsibility of wrongdoing shifted

to the intruders, but with reassurance that Sony will take appropriate corrective actions to prevent the crisis

from occurring again.

Coombs (2007) argues that rebuild strategies accommodate stakeholders best, but that the high cost of

compensation can make the strategy too expensive. The compensation given by Sony in form of the “30 days

of additional time on [customers] subscription” holds a low level of accommodation, as the compensation is an

opportunity cost rather than a variable cost that can still accommodate customers’ questions towards

PlayStation Network’s credibility as a secure network provider. However, the compensation provides Sony

with a tool to regain their damaged corporate reputation evident in the negative stock development

following the crisis.

Contrary to Sony’s consistent crisis response strategies, Target has inconsistent application of crisis response

strategies in the articles through minimisation in the first two articles and replaced with shift the blame and

mortification in the third. As Coombs (2007) argues in his guidelines, the inconsistent application of crisis

response strategies will erode the effectiveness of the overall response.

This is evident in the Target case as the minimisation is applied through reassurance that the crisis likely will

have no effect on the customers’ confidence in shopping at Target and that they therefore should refrain from

alarm.

But, following JP Morgan Chase’s corrective action targeted at debit card customers affected by the Target

breach (Wall Street Journal 2014) the notion of minimisation applied by Target loses credibility and thus the

corporate reputation is tarnished. Target thus responded immediately, but not decisively to accommodate

such a development of the crisis. The loss of credibility creates a new crisis that can be accounted to

organisational misdeed with no injuries, as Target has deceived stakeholders’ perception of the crisis

implications. Therefore, Target becomes exposed to potential litigations that can affect the financial

circumstances of the organisation.

In order to rebuild the corporate reputation, Target offers compensation through free credit monitoring


services and corrective actions to prevent a similar crisis in the future. The supplementary response to the

mishap by minimisation of the data is thus in line with Coombs’ guidelines, which state that rebuild strategies

should be applied in cases of preventable crises. It is argued that the offspring crisis is preventable as Target

could have minimised the crisis but still be resolute in their reaction to the crisis. Meanwhile, Target could

assure stakeholders that the organisation would take the crisis seriously in terms of corrective actions. Benoit

(1997: 178) noted: “perceptions are more important than reality”. But even if the crisis response strategy

through minimisation makes stakeholders perceive the crisis as a minor threat, the perception is altered

negatively when the reality is uncovered by a third party. This would cause the crisis response strategy to

backfire as the initial perception was misleading. Consequently, consumers would question whether or not

their credit card information is safe due to the misleading communication on the issue by Target and on that

rationale stop shopping at the stores.

The legitimisations with moral evaluative features serve to induce a set of values towards the crisis framed

by the organisations. The evaluations most evident in the articles induce the values through evaluative

adjectives. However, Sony’s CEO statement employs analogies in form of military comparisons of the crisis

that persuade the stakeholders in the PlayStation Network to perceive the hackers as enemies and to

endorse Sony as the defender of the people against that enemy.

That specific approach of legitimisation can be argued to function well in a patriotic country, such as the USA,

due to the national pride and the general endorsement of the military in the USA. But this sort of legitimisation can

induce strong emotions of negative character in the receiver dependent on the values in the individual and the

cultural influence that can be difficult to control in connection with the socially constructed reality of the receiver.

Likewise, an abundance of evaluative adjectives can become overly identifiable for the receiver and the

persuasive elements of the legitimisation will thus lose effect as the receiver would question the legitimacy of

the evaluations.

The legitimisation through authority, namely impersonal authority, legitimises the crisis as severe through

the inclusion of the FBI and other federal agencies in the investigation. However, this form of legitimisation

conflicts with the rationale behind minimisation as a crisis response strategy per classification, while interference

by the FBI is not deemed minimal attribution to a perception of a crisis. In the case of data breaches, it can

however also signify that the worst-case-scenario of a data breach is severe, while in reality the impending

crisis may not have been severe to accommodate stakeholders’ concerns.

Additionally, the authority of tradition translates well into crises with no crisis history or negative prior

relational reputation as organisations can further reduce reputational threat thereby due to their legitimised

credibility through corporate history.


Lastly, the application of instrumental rationalisation denotes a purpose in the legitimisation that translates

well into corrective actions through emphasis on the organisation’s ability to respond to the crisis and

prevent it in the future. Whereas, the theoretical rationalisation connotes a reaction to a crisis as “the way

things are” (Van Leeuwen 2007: 103). That reflection denotes a reaction and acceptance of a contemporary

situation rather than a proactive prevention of future potential crises, which is identifiable in the

mortification crisis response strategy. It should be applied to a case of high reputational threat as rebuild

crisis response strategies. Hence, in cases with either minimal attribution of crisis responsibility, no history

of crises or negative prior relationship reputation the mortification vaguely embedded in the application of

theoretical rationalisation is ill-advised.

In summary, the opportune crisis response strategy for data breaching immediately determines the crisis as

malevolence providing minimal attributes of initial crisis responsibility and assesses the reputational threat

in order to determine the crisis history and prior relational reputation. The level of reputational threat thus

regulates to which extent the organisation should deny, diminish or rebuild with regards to Coombs’ SCCT

(2007).

Importantly, the reputational threat can increase if the legitimised response is deemed misleading,

exemplified in the case of Target. Finally, the communication practitioner should recognise that the

discourse can be interpreted differently by each individual stakeholder and the reaction to the crisis response

can thus differ depending on the perception affected by culture and history.

7. Conclusion and implications

The final section of this thesis will conclude on the identified critical features to the contribution of crisis

communication specifically in the event of a data breach. Thus it provides cohesion in the assessment of

contemporary theory with an interpretation targeted towards this niche segment of crisis communication.

Suggestions for future research within this niche segment will be presented to scrutinise further.

This thesis has analysed two cases of data breaching against Sony and Target and identified characteristics of

such a crisis in connection to opportune strategies and pitfalls. The analysis of crisis response strategies and

discourse in the two cases has determined data breaching as an IT crisis with evident traits of malevolence

that encourages communication practitioners to employ victimage as a crisis response strategy. Both cases

initially had minimal attributions of crisis responsibility; however, due to poor crisis communication, the

reputational threat overall increased as the organisations were unable to respond optimally to the data

breaches.

Therefore, it is important to learn from the cases, so the poor crisis communication will not occur again.


Organisations should prioritise the protection of credit card information as stakeholder safety in their crisis

response strategies to avoid misleading stakeholders. If they refrain from this notion, the strategy can

backfire through lost credibility leading to a weakened corporate reputation that will amplify the

reputational threat in the future. The reputational threat can translate to financial expenses through either

litigations or negative stock development. Hence, it is advised to emphasise a respect for potential crises,

even though an organisation legitimises it as minimal.

However, with this mix of crisis strategy response, organisations can connote responsibility, if a crisis should

occur in reality.

If a supplementary preventable crisis through organisational misdeed ensues, the organisation should exercise

rebuilding to adjust to the stronger attribution of crisis responsibility following the weakened corporate

reputation. Otherwise, the opportune strategy should be coherent in the crisis communication to avoid

erosion of the effectiveness of crisis responses. Corporate reputation can become damaged if the

stakeholders begin to question the incoherence of applied crisis response strategies. Therefore, it is vital for

organisations to be immediate as well as decisive, when responding to a crisis.

To broaden the contemplation of crisis communication following data breaches, it can be beneficial for

researchers to investigate the cases from a receiver-oriented perspective. Thus, the corporate reputation and

reputational threat regulated by stakeholders can evaluate the crisis response strategies in-depth in different

segments. Alternately, the development of crisis communication following data breaches can be analysed in

recent instances, thus further elevating theory to aid communication practitioners in their efforts.


8. References

Burr, V. (2003) Social constructionism. London: Routledge.

Ciborra, C. (1998) Crisis and foundations: an inquiry into the nature and limits of models and methods in the information systems discipline. The Journal of Strategic Information Systems, 7(1), pp.5-16.

Cheney, J. (2010) Heartland Payment Systems: Lessons Learned from a Data Breach. SSRN Journal.

Coombs, W. (2006) The Protective Powers of Crisis Response Strategies. Journal of Promotion Management, 12(3-4), pp.241-260.

Coombs, W. (2007) Protecting Organization Reputations During a Crisis: The Development and Application of Situational Crisis Communication Theory. Corporate Reputation Review, 10(3), pp.163-176.

Timothy Coombs, W., Frandsen, F., Holladay, S. and Johansen, W. (2010) Why a concern for apologia and crisis communication?. Corp Comm: An Int Jnl, 15(4), pp.337-349.

Cornelissen, J. (2011) Corporate communication: A guide to theory and practice. Thousand Oaks, CA: SAGE Publications.

Corporate Target (2015) Target through the years. [Online] Available at: https://corporate.target.com/about/history/Target-through-the-years [Accessed 4 May 2015].

Daymon, C., & Holloway, I. (2011) Qualitative Research Methods in Public Relations and Marketing Communications (2 ed.). New York, NY, USA: Routledge.

Fairclough, N. (1992) Discourse and Text: Linguistic and Intertextual Analysis within Discourse Analysis. Discourse & Society, 3(2), pp.193-217.

Frandsen, F. and Johansen, W. (2010) Apologizing in a globalizing world: crisis communication and apologetic ethics. Corp Comm: An Int Jnl, 15(4), pp.350-364.

Hearit, K. (1994) Apologies and public relations crises at Chrysler, Toshiba, and Volvo. Public Relations Review, 20(2), pp.113-125.

Hearit, K. (1999) Newsgroups, activist publics, and corporate apologia: The case of Intel and its Pentium chip. Public Relations Review, 25(3), pp.291-308.

Heath, R. L. and Millar, D. P. (2003) Responding to Crisis: A Rhetorical Approach to Crisis Communication. Lawrence Erlbaum Associates: New Jersey.

The Huffington Post, (2015) 'Welcome Back': Sony's Make-Up Package For PSN Hack. [Online] Available at: http://www.huffingtonpost.com/2011/06/03/welcome-back-sony-playstation-network-program_n_871167.html [Accessed 4 May 2015].

Kim, J., Kim, H. and Cameron, G. (2009) Making nice may not matter: The interplay of crisis type, response type and crisis issue on perceived organizational responsibility. Public Relations Review, 35(1), pp.86-88.

Li, C. and Bernoff, J. (2011) Groundswell: Winning in a world transformed by social technologies. United States of America: Harvard Business Press.

New York Times (2013) Target Struck in the Cat-and-Mouse Game of Credit Theft. [online] Available at: http://www.nytimes.com/2013/12/20/technology/target-stolen-shopperdata.html?src=me&ref=general&_r=0 [Accessed 4 May 2015].


NewsCred (n.d.) Social Media Crisis Communication: Lessons From Target’s Data Breach. [online] Available at: http://blog.newscred.com/article/social-media-crisis-communication-lessons-from-targets-data-breach/f3568a27345ecac5ea5154da86d90343 [Accessed 4 May 2015].

Nightingale, D. and Cromby, J. (2002) Social Constructionism as Ontology: Exposition and Example. Theory & Psychology, 12(5), pp.701-713.

Palermo, E. (2015). 10 Worst Data Breaches of All Time. [online] Tom's Guide. Available at: http://www.tomsguide.com/us/biggest-data-breaches,news-19083.html [Accessed 4 May 2015].

PC World (2011) PlayStation Network Hack Timeline. [online] Available at: http://www.pcworld.com/article/226802/playstation_network_hack_timeline.html [Accessed 4 May 2015].

Schuman E. (2007) The TJX Data loss and security breach case. The Case.

Searle, J. R. (1995) The construction of social reality. London: Penguin.

Statista, (2015) PlayStation Network: number of accounts 2013 | Statistic. [online] Available at: http://www.statista.com/statistics/272639/number-of-registered-accounts-of-playstation-network/ [Accessed 4 May 2015].

Target (2015) Target : REDcard. [online] Available at: http://www.target.com/redcard/main [Accessed 4 May 2015].

Tench, R. and Yeomans, L. (2009) Exploring public relations. Harlow, England: FT Prentice Hall.

Van Leeuwen, T. (2007) Legitimation in discourse and communication. Discourse & Communication, 1(1), pp.91-112.

Venturebeat (2011) Chronology of the attack on Sony’s PlayStation Network. [online] Available at: http://venturebeat.com/2011/05/04/chronology-of-the-attack-on-sonys-playstation-network/ [Accessed 4 May 2015].

Yahoo! Finance (2015) SNE Historical Prices | Sony Corporation Common Stock Stock - Yahoo! Finance. [online] Available at: http://finance.yahoo.com/q/hp?s=SNE&a=03&b=20&c=2011&d=04&e=20&f=2011&g=d [Accessed 4 May 2015].

Wartick, S. (2002) Measuring Corporate Reputation: Definition and Data. Business & Society, 41(4), pp.371-392.

Wall Street Journal (2013). Target’s Data-Breach Timeline. [online] Available at: http://blogs.wsj.com/corporate-intelligence/2013/12/27/targets-data-breach-timeline/ [Accessed 4 May 2015].
