Crisis Communication in the Face of Data Breaches

Jukka Ruohonen, Kalle Hjerppe, Katleena Kortesuo
2024-10-03
Abstract: Data breaches refer to unauthorized accesses to data. Typically but not always, data breaches are about cyber crime. An organization facing such a crime is often also in a crisis situation. Therefore, organizations should prepare also for data breaches in their crisis management procedures. These procedures should include also crisis communication plans. To this end, this paper examines data breach crisis communication strategies and their practical executions. The background comes from the vibrant crisis communication research domain. According to a few qualitative case studies from Finland, the conventional wisdom holds well; the successful cases indicate communicating early, taking responsibility, offering an apology, and notifying public authorities. The unsuccessful cases show varying degrees of the reverse, including shifting of blame, positioning of an organization as a victim, and failing to notify public authorities. With these qualitative insights, the paper contributes to the research domain by focusing specifically on data breach crises, their peculiarities, and their management, including with respect to European regulations that have been neglected in existing crisis communication research.
Cryptography and Security, Computers and Society
What problem does this paper attempt to address?
The problem that this paper attempts to solve is **communication strategies and their implementation in a data leakage crisis**. Specifically, the paper focuses on how organizations should prepare and implement effective crisis communication strategies when facing this special type of crisis. Data leakage usually involves unauthorized data access, which may be caused by cyber crime or other reasons. This kind of crisis not only poses a threat to the organization's reputation, but may also lead to financial losses, legal consequences and a decline in social trust. Therefore, organizations need to include a crisis communication plan in their crisis management procedures to deal with possible data leakage events.

The main contributions of the paper are as follows:

1. **Focus on the data leakage crisis**: Most of the existing crisis communication research focuses on general crisis situations, while relatively few studies specifically target data leakage. This paper fills this research gap.
2. **Combine with European regulations**: The paper specifically takes into account the General Data Protection Regulation (GDPR) and the Network and Information Security Directive 2 (NIS2) in Europe. These regulations put forward specific requirements for the handling of data leakage, but have been ignored in the existing crisis communication research.
3. **Provide empirical case analysis**: Through several qualitative case studies in Finland, the paper shows successful and unsuccessful crisis communication strategies and summarizes the lessons learned from them.

### Core issues of the paper

- **How to formulate and implement effective data leakage crisis communication strategies?**
- **What are the effects of these strategies in actual operation?**
- **How to combine crisis communication with existing laws and regulations?**

### Main findings

- Successful cases usually include early communication, taking responsibility, apologizing and notifying public authorities.
- Unsuccessful cases show problems such as shirking responsibility, positioning the organization as a victim, and failing to notify public authorities in a timely manner.

Through these studies, the paper provides valuable guidance for future crisis communication practices, especially in the specific context of data leakage.