When It Comes to Data Breaches, Try a Little Empathy: Study

Thom Weidlich 05.25.17


In apologizing for data breaches, companies could probably express more empathy for their stakeholders, the authors of a new study write. In less than a quarter (22.9 percent) of the apologies for data breaches did companies express empathy, the researchers find. That compares with 48.6 percent of the other crisis types examined. Showing a little empathy is an easy way to rebuild relationships, the authors say.

The study looked at two sets of corporate apologies: those for which the organization’s blame is ambiguous — in this case, data breaches — and those for which the organization is clearly to blame. It’s reasonable that customers wouldn’t chide a company or organization for a data breach. On the other hand, they could feel it should have taken security more seriously.

The purpose of the study, “We’re Sorry But It’s Not Our Fault: Organizational Apologies in Ambiguous Crisis Situations,” was to see how the contents of the apologies for the two types of crises differed.

One of the main findings was this difference on empathy. The authors call this “somewhat surprising” because expressing empathy doesn’t mean admitting guilt. For example, in its September 8, 2014, statement about its data breach, Home Depot had then-Chairman and CEO Frank Blake say, “We apologize for the frustration and anxiety this causes our customers.”


Empathy does not require an organization to admit fault. It just shows that the organization understands and cares about how the crisis negatively impacts stakeholders.

— “We’re Sorry But It’s Not Our Fault” study

The authors write: “Empathy does not require an organization to admit fault. It just shows that the organization understands and cares about how the crisis negatively impacts stakeholders. There is no reason an expression of empathy should change the organization’s liability, so more organizations ought to empathize with stakeholders in data-breach crises. Crisis managers may need to further explain to help other members of the organization understand the value and low cost of empathetic statements.”

The researchers surmise that organizations may “worry more about stakeholder relationships when they know they are responsible for a crisis and, thus, work harder to rebuild those relationships.”

The study also found that apologies for both types of crises tended not to include two other risk-free and low-cost elements that could help rebuild relationships: “acknowledging stakeholders’ worth to the organization and affirming stakeholders’ values (e.g., privacy, safety).”

Fed Ex Employee

The researchers parsed 35 crises for each of the two categories. The situations that weren’t data breaches included those as varied as Takata’s defective air-bag inflators and the 2011 incident in which a FedEx employee was seen on video carelessly tossing a package. The dates for all 70 ranged from 2006 to 2016, but 41 percent fell within 2013 to 2016.

Of the 35 data-breach statements, 23 (65.7 percent) expressed remorse, 20 (57.1 percent) advised stakeholders how to protect themselves, and 16 (45.7 percent) explained how the problem happened. Also fairly high were mentions of preventing a recurrence of the problem (21, or 60 percent) and of what the company was doing to mitigate the damage (11, or 35.7 percent).

But only one acknowledged responsibility and none asked their audiences for another chance for the organization.

The study evaluated only the content of the apologies. It didn’t examine stakeholders’ response to them or how effective they were.

The researchers are Joshua M. Bentley of Texas Christian University and Kimberly R. Oostman and Sayyed Fawad Ali Shah of the University of New Mexico. The study, posted online April 26, is published in The Journal of Contingencies and Crisis Management.

Image Credit: Shutterstock

This is an abridged version of an article that appeared today on the CrisisResponsePro paid subscription portal. (CrisisResponsePro subscribers can access the full version by clicking here. ID and password are required.) To take advantage of all of the content, data, and collaborative resources CrisisResponsePro has to offer, contact us at info@crisisresponsepro.com.

Related:The North Face Apologizes (Weakly) for Wikipedia Fiasco