February 25, 2022

Impact of Privacy Data Breaches on Customer Mind-Set Metrics: Mitigating Role of Firm Recovery Strategies

10:00 AM - 11:30 PM

SB1 5200 (Lyman Porter Colloquia Room)

Area: Marketing

Host: Associate Professor Tonya Bradford

Speaker: André Martin, Marketing PhD Student, University of North Carolina, Kenan-Flagler Business School

Description: As agile marketing firms increasingly invest in MarTech (Marketing Technology) infrastructure to gather and analyze customer data to spot opportunities and trends, the responsibility to protect these customer data becomes all the more important. Inadequately protecting data can have long-lasting negative consequences, not only for the affected customers, but also for the affected firms. In 2021, the overall number of data compromises went up by more than 68 percent compared to the previous year (2021 Annual Data Breach Report). On average, each of these data breaches cost firms $8.64 million in damages (Varonis.com 2021). Factoring in the cost of reputation damage, these losses can swell considerably, as exemplified by Citigroup’s losses of $836 million following a data breach (Martin, Borah, and Palmatier 2017). The problem is so pervasive that former FBI Director Robert Mueller (2012) stated that “I am convinced that there are only two types of companies: those that have been hacked and those that will be.”

Overall, the negative consequences of data breaches go well beyond the immediate fines, legal actions, and lawsuits, and extend to loss of customer trust, brand equity damages, and eventually detrimental financial consequences. Prior research has taken first steps to capture and measure the extent of these losses. Extant literature has established the negative impact of data breaches on the firm’s market value (Malhotra and Malhotra 2011), on risk perceptions (Aivazpour, Valecha, and Chakraborty 2018), on word-of-mouth (Martin, Borah, and Palmatier 2017), on customer trust (Martin, Borah, and Palmatier 2017), and on customer spending (Janakiraman, Lim, and Rishika 2018).

Given the potential for negative implications of data breaches, the natural question to ask is what firms can do to mitigate the impact and recover from the crisis. Martin, Borah, and Palmatier (2017) find that the transparency of firms’ data use and customers’ ability to control information flow affect trust and consumer behavior, thereby emphasizing the role of a firm’s pre-crisis efforts and policy investments. To provide first insights into effective actions during and after breaches, Rasoulian et al. (2017) look into the role of compensation, improving processes, and apologies to minimize the negative impact of data breaches on firms’ idiosyncratic risk. In our study, we dig deeper into data breach recovery options by systematically analyzing the short- and long-term impact of multiple crisis recovery communication options. Specifically, we use the typology proposed by Diesterhöft et al. (2020), which combines elements of blame attribution theory (Coombs 2007) into eight response categories: Offering Compensation, Offering Apology, Engaging in Whitewash, Taking Objective Actions, Reinforcing Value Commitment, Highlighting Customer Relationship, Transparently Informing on Type of Information Disclosed, and Offering Customer Advice. We study to what extent each of these crisis communication elements manages to mitigate data breach harm.

To gauge data breach harm, we look at its impact on a wide set of consumer mind-set metrics.

Customer mind-set metrics track brand health and allow firms to follow consumers along the brand funnel toward brand advocacy. As such, they measure ‘what a customer thinks’, and are leading indicators of their future behavior (Srinivasan, Vanhuele, and Pauwels 2010). This gives firms advance notice to act appropriately to minimize the impact of MarTech crises. To this effect, we examine the impact on seven mind-set metrics: two top-of-the-funnel recall metrics (Buzz and Impression); four middle-of-the-funnel evaluation metrics (Quality, Value, Reputation, and Satisfaction); and one bottom-of-the-funnel commitment metric (Recommendation).

Empirically, we study the impact of data breaches using high-frequency (daily) data for a variety of product and service categories and a broad set of brands. Specifically, we use daily brand-level customer mind-set metric data from YouGov between 2012 and 2021. Our data allow us to track over 2,000 brands in the US in a wide variety of industries (Financial Services, Hospitality, Travel, Retail, Healthcare, Consumables, and Durables). This permits us to examine brand- and industry-level heterogeneity and thus offer empirically generalizable implications. The high frequency and long time series permit us to model not just the short-term impact of MarTech crises, but also the long-term impact, which no research to the best of our knowledge has examined to date. The real-time nature of the data gives managers instant access to decision dashboards to make fast mitigation decisions.

To assess the firm’s crisis communication styles, we focus on the direct communication the firm provides to its consumers following a data breach. Specifically, in the US market, state laws regulate privacy breaches and require the affected firms to inform victims via a letter from the firm. This creates a direct communication channel between the firm and customer, which captures firms’ intentions without any interpretation by or perceptions of the news media. In our ten-year observation window, 198 brands were embroiled in a data breach. Of these, 130 brands sent out a letter to their consumers. We conduct a text analysis of these letters to measure different communication recovery strategies. Next, we use dynamic panel data models, which control for firm and temporal unobserved heterogeneity, potential endogeneity biases, and several other sources of observed heterogeneity, to isolate the direct impact of data breaches and the moderating effect of firm communication strategies on customer mind-set metrics.

We find that privacy breaches negatively affect all seven dimensions of our customer mind-set metrics and, surprisingly, that some firm recovery strategies exacerbate the adverse effects of the privacy data breach. Moreover, using our parameter estimates, we assess to what extent and how long the potential negative effects linger, and to what extent communication strategies speed up the path towards recovery.