Sage Journals: Discover world-class research

Abstract

Forty-six states require organizations to notify users when personally identifiable information has been exposed or when the organization’s data security measures have been breached. This article describes a qualitative document analysis of 13 data breach notification templates from state and federal agencies. The results confirm much of the typical advice for negative messages, but they suggest that the direct pattern may be an effective way to inform users as required by law, to overcome optimism bias, and to overcome rational ignorance. When a buffer is used, writers should not be afraid to refer to the bad news.

Keywords

bad-news messages business practices crisis communication data breach notification privacy qualitative research negative messages

Get full access to this article

View all access options for this article.

References

Acquisti

Friedman

Telang

(2006). Is there a cost to privacy breaches? An event study. Paper presented at the 27th International Conference on Information Systems, Milwaukee, WI. Retrieved from http://allan.friedmans.org/papers/breach06.pdf

Alred

G. J.

(1992). “We regret to inform you”: Toward a new theory of negative messages. In Sims

B. R.

(Ed.), Studies in technical communication: Selected papers from the 1992 CCCC and NCTE meetings (pp. 17-36). Denton, TX: University of North Texas Press.

Alred

G. J.

Brusaw

C. T.

Oliu

W. E.

(2011). The business writer’s handbook. Boston, MA: Bedford/St. Martin’s.

Argenti

P. A.

(2006). How technology has influenced the field of corporate communication. Journal of Business and Technical Communication, 20, 357-370.

Bovée

C. L.

Thill

J. V.

(2012). Writing negative messages. In Business communication today (11th ed.). Upper Saddle River, NJ: Prentice Hall.

Carter

(2012). Negative messages. In Keys to business communication: Success in college, career, and life. Upper Saddle River, NJ: Prentice Hall.

Church

(n.d.). The art of fessing up. Data Breach! Retrieved from http://media.techtarget.com/searchCIO-Midmarket/downloads/databreach_ebook.pdf

Coombs

W. T.

Holladay

S. J.

(2008). Comparing apology to equivalent crisis response strategies: Clarifying apology’s role and value in crisis communication. Public Relations Review, 34, 252-257.

Cooney

(2011). The Sony Playstation breach notification that broke 77 million hearts. Retrieved from http://www.cio.com/article/681038/The_Sony_Playstation_Breach_Notification_Letter_That_Broke_77_Million_Hearts?page=2&taxonomyId=3089

10.

Federal Trade Commission. (2004). Information compromise and risk of identity theft: Guidance for your business. Retrieved from http://business.ftc.gov/documents/bus59-information-compromise-and-risk-id-theft-guidance-your-business

11.

Guffey

M. E.

Lowey

(2011). Business communication: Process and product (7th ed.). Mason, OH: South-Western/Cengage Learning.

12.

Goedert

(2010). Lost flash drive affects 280,000. Retrieved from http://www.healthdatamanagement.com/news/breach-flash-drive-medicaid-notification-hitech-41212-1.html

13.

Hynes

G. E.

(2008). Routine messages. In Managerial communication: Strategies and applications (4th ed.). Columbus, OH: McGraw-Hill.

14.

Identity Theft Resource Center. (2011). 2011 ITRC breach report. Retrieved from http://www.idtheftcenter.org/ITRC%20Breach%20Report%202011.pdf

15.

J. C. Neu and Associates. (2009, September 15). How to write an ARRA breach notification letter. Retrieved from http://www.jeffreyneu.com/20090318184/how-to-write-an-arra-breach-notification-letter.html

16.

Jansen

Janssen

(2011). Explanations first: A case for presenting explanations before the decision in Dutch bad-news messages. Journal of Business and Technical Communication, 25, 36-67. doi:10.1177/105065191038037210.1177/1050651910380372

17.

Jebb

J. F.

(2005). The crisis posting: Scenarios for class discussion and creation. Business Communication Quarterly, 68, 457-478.

18.

Johnson

(2006). Recommendations for identity theft related data breach notification. Washington, DC: Office of Management and Budget. Retrieved from http://www.whitehouse.gov/omb/memoranda_2006/

19.

Kolin

P. C.

(2007). Successful writing at work. Boston, MA: Houghton Mifflin.

20.

Lehman

C. M.

DuFrene

D. M.

(2012). Delivering bad-news messages. In BCOM (3rd ed.). Mason, OH: South-Western/Cengage Learning.

21.

Limaye

M. R.

(2001). Some reflections on explanation in negative messages. Journal of Technical and Business Communication, 15, 100-110.

22.

Locker

K. O.

(1999). Factors in reader responses to negative letters: Experimental evidence for changing what we teach. Journal of Business and Technical Communication, 13, 5-48.

23.

Locker

K. O.

Kienzler

D. S.

(2010). Delivering negative messages. In Business and administrative communication (9th ed.). New York, NY: McGraw-Hill/Irwin.

24.

Mascolini

(1994). Another look at teaching the external negative message. Business Communication Quarterly, 57(2), 45-47.

25.

McElhatton

(2009). Some passport snoopers still on the job. Washington Times. Retrieved from http://www.washingtontimes.com/news/2009/dec/18/some-passport-snoopers-still-on-the-job/

26.

NASA Office of the Chief Information Officer. (2007, December 13). Procedures for responding to a breach of personally identifiable information. Retrieved from http://www.nasa.gov/pdf/419926main_ITS-HB_0044-%20_.pdf

27.

New York State Consumer Protection Board. (n.d.). Sample letter from a breaching entity to notify New Yorkers of a security breach incident. Retrieved from http://www.dos.ny.gov/consumerprotection/security_breach/sampleletter.html

28.

Oliu

W. E.

Brusaw

C. T.

Alred

G. J.

(2009). Writing business correspondence. In Writing that works: Communicating effectively on the job (9th ed.). Boston, MA: Bedford/St. Martins.

29.

Oregon Division of Finance and Corporate Securities. (n.d.). Sample security breach notification letter, Oregon Identity Theft Protection Act. Retrieved from http://dfcs.oregon.gov/identity_theft/SampleLetter-Breach.pdf

30.

Privacy Rights Clearinghouse. (2011.) Data breaches: Why you should care and what you should do. Retrieved from http://www.privacyrights.org/data-breaches-why-you-should-care-what-to-do-2011

31.

Rode

(2007). Database security breach notification statues: Does placing the responsibility on the true victim increase data security? Houston Law Review, 43, 1597-1634.

32.

Romanosky

Telang

Acquisti

(2011). Do data breach disclosure laws reduce identity theft? Journal of Policy Analysis and Management, 30, 256-286.

33.

Schneier

(2009, January). State data breach notification laws: Have they helped? Retrieved from http://www.schneier.com/essay-256.html

34.

Shwom

B. G.

Snyder

L. G.

(2012). Communicating bad-news messages. In Business communication: Polishing your professional presence. Upper Saddle River, NJ: Prentice Hall.

35.

Soma

J. T.

Courson

J. Z.

Cadkin

(2009). Corporate privacy trend: The “value” of personally identifiable information (PII) equals the “value” of financial assets. Richmond Journal of Law and Technology, 25(4), 1-32. Retrieved from http://jolt.richmond.edu/v15i4/article11.pdf

36.

State of Arizona Government Information Technology Unit. (2011). SISPO standard P900-S910. Retireved from http://www.azgita.gov/policies_standards/pdf/P900-S910%20Data%20Breach%20Notification%20Standard%20Final.pdf

37.

State of Illinois Department of Central Management Services. (2007). Action plan for notification of a security breach. Retrieved from http://www2.illinois.gov/bccs/Documents/Policies/Security_Breech_Action_Plan.pdf

38.

State of Vermont Office of the Attorney General. (2009, July 29). Attorney General security breach notification guidance. Retrieved from http://www.atg.state.vt.us/assets/files/2009-7-29%20Security%20Breach%20Guidance.pdf

39.

Synovate. (2007). Federal Trade Commission report: 2006 Identity theft survey. Retrieved from http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf

40.

U.S. Department of Defense. (2007, May 14). Sample notification letter. Retrieved from http://www.dodig.mil/fo/privacy/PDFs/Breach_Sample_Notification_Letter.pdf

41.

Verjee

(2008). State Department: Someone snooped in Obama’s passport file. Retrieved from http://www.cnn.com/2008/POLITICS/03/20/obama.passport/index.html

An Analysis of Data Breach Notifications as Negative News

Abstract

Keywords

Get full access to this article

References