Maintaining Trust During a Data Breach

January 21, 2025 | By Kaslyn Tidmore; Varun Grover


Rite Aid is facing a class action lawsuit over a data breach on June 6, 2024, that exposed the personal information of 2.2 million customers. In mid-July, Rite Aid released an official statement informing the public of the incident: how it occurred, what had been done, and what the next steps were. It also sent letters to the affected customers describing the incident and offering complimentary identity monitoring services.

However, many stakeholders believe Rite Aid should have taken stronger preventative steps and been more transparent in its response, particularly about the attackers' identity, any ransom demands, and whether data had been leaked. This sentiment points to a broader shift in corporate crisis management: companies are increasingly judged not only on how quickly they respond to a breach but also on the transparency and depth of the information they provide.

Breaches draw the attention of company stakeholders – investors, customers, and the public – who closely examine how executives handle the situation. From accepting accountability to maintaining constant and transparent communication, the response can have long-lasting effects on an organization's reputation and finances. In a corporate environment where ethical crisis management weighs heavily on reputation, responding strategically to data breaches is critical.

In the article “Strategizing Responses to Data Breaches: A Multi-Method Study of Organizational Responsibility and Effective Communication with Stakeholders,” Walton College’s Varun Grover and Hamid Reza Nikkhah (University of Nevada, Las Vegas) examine the complexities of data breach responses. Studying how companies can optimize their response strategies, they argue for customized approaches rather than a one-size-fits-all response, which can be costly and ineffective.

One Size Fits None

In their study, Grover and Nikkhah aim to help companies understand how to respond effectively to data breaches by tailoring their response to the specific circumstances of the incident. The research finds that the traditional “one-size-fits-all” crisis management style many organizations use is often inefficient and costly.

Because each data breach is different and affects different stakeholder groups, a generic approach rarely meets every organizational and stakeholder need. For example, a major breach involving confidential employee information demands far more resources than a minor breach exposing limited customer information. The study suggests that companies can better protect their reputational and financial standing through a more tailored response strategy.

With the variety and number of data breaches growing, a tailored approach is increasingly important. Companies that can tailor their response to fit the problem at hand will have more control over stakeholders' perceptions and minimize damage to their organization. Strategic, customized approaches can better address the specific concerns of investors and customers while reinforcing feelings of trust and confidence in the company’s desire to keep data safe.

Causality and Controllability

Creating a tailored response requires understanding the breach and how stakeholders will perceive the incident. Many factors can impact the levels of trust and expectations for accountability, but one factor that influences stakeholder reaction is whether the breach was external or internal.

An external breach occurs when an unauthorized party outside the organization breaks into its systems to gain access or extract information. These breaches are typically carried out by hackers, cybercriminals, or other outsiders who exploit weaknesses in the organization’s network. Many factors influence an organization’s exposure to external attack, such as limited budgets or expertise, which can hinder its ability to defend itself effectively. Controls such as firewalls, intrusion detection systems, and timely patching reduce the likelihood of a successful attack, but no organization has complete control over external threats. Note, however, that cause and controllability are separate questions: an attack launched from outside that succeeded through an avoidable weakness, such as an unpatched system or a reused password, may still be judged controllable by stakeholders.

Stakeholders often hold organizations less responsible for external breaches because these are generally caused by forces beyond the organization’s direct control. Because external attacks can be sophisticated, stakeholders may recognize that even well-prepared companies cannot always prevent them. This may lead to a more understanding reaction from customers and investors, especially if the company takes quick corrective action and communicates transparently. Demonstrating accountability through a sincere apology, a clear explanation of what happened, and concrete steps to prevent recurrence helps maintain customer trust by showing that the organization is committed to improvement.

An internal breach, on the other hand, occurs when the misuse of information or unauthorized access originates within the organization itself. Such breaches typically involve employees, contractors, or other insiders who have legitimate access to sensitive data and compromise security either intentionally or by mistake. They often occur where organizations lack adequate internal controls (such as least-privilege access and logging of who accessed what), monitoring, and employee training, all of which raise the risk of a breach.

Because companies should be able to reduce the likelihood of such incidents, stakeholders tend to hold them more accountable. Internal breaches therefore provoke a stronger adverse reaction: stakeholders feel the company should have taken better precautions, and they scrutinize its internal policies and security practices. Here organizations should rely on transparent communication to repair reputational damage. The study suggests that if a company’s response appears evasive, defensive, or delayed, customer trust erodes faster, so accountability and transparency should be the top priorities when responding to an internal breach.

Diverse Stakeholder Reactions

To create an effective tailored response, companies must recognize that each stakeholder group reacts to data breaches in its own way. Since these incidents affect each group differently, responses must be customized accordingly. Grover and Nikkhah’s research analyzes these diverse reactions, providing a general framework for anticipating and addressing each group's specific concerns.

This research underlines the fact that customers are especially sensitive to both the cause and perceived controllability of data breaches. That is, customers will respond more negatively toward those breaches that they perceive as avoidable or internally caused.

Customers are concerned with accountability and need assurance that the company takes their privacy and security seriously. Trust erodes further when customers learn that a breach was internal and come to see it as a reflection of poor internal security. In turn, companies should be as transparent as possible and clearly show that corrective actions are under way, since such steps can reduce negative customer perceptions. Framing the response around these concerns helps manage post-breach customer trust and loyalty.

Investors, on the other hand, generally do not dwell on whether the company could have controlled or avoided the incident. They are more concerned with its potential impact on long-term performance, brand reputation, financial stability, and operational resilience than with where the breach originated. The research suggests that communication with investors is best framed around risk management and recovery: clear, forward-looking statements about how the organization will prevent future incidents and stabilize operations can reassure them.

Customized Communication

Data breaches are complex organizational problems, not least because they require navigating multiple stakeholder expectations at once. Rite Aid’s breach illustrates how crucial it is for companies to approach crisis management with a tailored response that addresses the distinct concerns of customers, investors, and the public. Customers want accountability and transparency, especially when sensitive data has been exposed; investors want stability and long-term risk management.

Grover and Nikkhah’s study underlines the need for organizations to move beyond the one-size-fits-all approach that is so common today. Companies need to be flexible and adopt strategic responses that account for the specifics of each incident. Such proactive, customized communication can mitigate reputational damage, reinforce trust, and ultimately strengthen the organization’s resilience in the face of security challenges.

Kaslyn Tidmore is a second-year graduate student at the University of Arkansas, earning her master’s degree in public relations and advertising. Before relocating to Arkansas, Kaslyn graduated from the University of Oklahoma with a bachelor’s degree in print journalism and a minor in editing and publishing. During this time, she interned with publications such as Parker County Today Magazine, WedLinkMedia, Modern Luxury, and the school’s newspaper, the OU Daily. Following her role as the graduate assistant to Editor-in-Chief Ryan Sheets, Kaslyn now serves as a GA in the Center for Media Ethics and Literacy at the School of Journalism and Strategic Media.

Varun Grover is the David D. Glass Endowed Chair and Distinguished Professor of Information Systems at the Sam M. Walton College of Business at the University of Arkansas. He has published extensively in the information systems field, with over 400 publications, 250 of which are in major refereed journals. He is consistently ranked as one of the top five researchers globally in the Information Systems field based on publications in top journals and citation impact.