
Electronic Markets (2021) 31:829–848

https://doi.org/10.1007/s12525-021-00490-3

RESEARCH PAPER

What to do after a data breach? Examining apology and compensation as response strategies for health service providers

Kristin Masuch (1) · Maike Greve (2) · Simon Trang (1)

Received: 31 July 2020 / Accepted: 5 July 2021 / Published online: 17 November 2021
© The Author(s) 2021

Responsible Editor: Ulrich Reimer. This article is part of the Topical Collection on Digital Healthcare Services.

* Kristin Masuch, kristin.masuch@uni-goettingen.de
Maike Greve, maike.greve@uni-goettingen.de
Simon Trang, strang@uni-goettingen.de

(1) Chair of Information Security and Compliance, University of Goettingen, Platz der Göttinger Sieben 5, 37073 Göttingen, Germany
(2) Chair of Information Management, Digital Health Research Group, University of Goettingen, Humboldtallee 3, 37073 Göttingen, Germany

Abstract
Innovative IT-enabled health services promise tremendous benefits for customers and service providers alike. Simultaneously, health services by nature process sensitive customer information, and data breaches have become an everyday phenomenon. The challenge that health service providers face is to find effective recovery strategies after data breaches to retain customer trust and loyalty. We theorize and investigate how two widely applied recovery actions (namely apology and compensation) affect customer reactions after a data breach in the specific context of fitness trackers. Drawing on expectation confirmation theory, we argue that the recovery actions derived from practice, apology and compensation, address the assimilation-contrast model's tolerance range and, thus, always lead to satisfaction with the recovery strategy, which positively influences customers' behavior. We employ an experimental investigation and collect data from fitness tracker users during a running event. In the end, we found substantial support for our research model. Health service providers should determine specific customer expectations and align their data breach recovery strategies accordingly.

Keywords Health data breach recovery action · Data breach response strategies · Compensation · Apology · Expectation confirmation theory · Assimilation-contrast model

JEL classification I12

Introduction

Internet-enabled innovations and applications have opened up new opportunities to expand and improve market potential in all industries (Cavusoglu et al., 2004). The healthcare industry also has experienced this trend, which supports its tasks primarily through digital applications, including the use of mobile devices to track personal activity levels. Professional athletes and normal people (Kim & Kwon, 2019; Piwek et al., 2016) use this technology to achieve personal self-optimization, such as improved physical performance and positive habits (Piwek et al., 2016), as well as to monitor personal health status and prevent or control diseases (Greve et al., 2020). Such goals can be achieved by tracking personal data, including number of steps taken, geolocation, or heart rate (Chuah et al., 2016).

However, to enjoy the many uses and benefits of intelligent technology, consumers need to share their personal data with service providers. This technology enables necessary intermodal connectivity and pocket-size functionalities that previously required multiple devices.
830 K. Masuch et al.

As a result, it has become a common practice to use such devices (Piwek et al., 2016), and this trend's popularity can be seen in the market demand for fitness trackers and smartwatches, among other such technology (Chuah et al., 2016). However, this technology's many benefits come with a high risk of cyber-attacks on systems. It has been shown that, especially in mobile digital health gadgets, incidents of information security breaches are rising sharply, and breaches are observed almost daily (Cavusoglu et al., 2004; Liu & Sun, 2016; McLeod & Dolezel, 2018).

Particularly in the health industry, and explicitly with fitness trackers, data breaches represent a high risk (Liu & Sun, 2016; Mousavizadeh et al., 2016). This is based on two aspects. First, fitness trackers are particularly vulnerable due to their interconnectivity and mobile data transfers (Piccoli et al., 2018). Second, fitness trackers collect highly sensitive personal health data that include medical data, though they do not officially belong to the category of medical apps that must follow legal regulations for medical devices. Therefore, they are not subject to strict security guidelines (Behne & Teuteberg, 2020), making them a perfect target for attacks.

The healthcare industry has acknowledged this high risk of data breaches, being the industry with the largest financial losses following data breaches, exceeding US$7 million (Digital Guardian, 2018). Investigated data breaches negatively impact the affected company's market value (Cavusoglu et al., 2004) and can damage customers' trust and the company's reputation (Goel & Shawky, 2009). Such data breaches have affected the entire industry adversely (Cavusoglu et al., 2004).

In addition to this phenomenon's increasing urgency, characteristics that influence the negative consequences' severity have been identified. For example, effects on a company's market value can differ depending on the data breach's severity (Morse et al., 2011). Furthermore, it was found that the data breach's characteristics and how the affected company reacts impact market value; e.g., a significantly negative impact on market value could occur if the company apologizes for a data breach.

However, costs incurred after a data breach do not all involve loss of market value, but instead entail business losses caused by the decrease in customer trust and loyalty after a data breach. These costs can be felt years after the initial incident (Ponemon Institute LLC, 2018) and are indirect, including brand damage and negative customer sentiment (Sherr & Wingfield, 2011), which lead to customers terminating their relationship with the company. Some companies have reported customer losses of up to 40% after a data breach (Ponemon Institute LLC, 2013). Few studies have addressed strategies that companies can employ in the wake of such breaches to manage their effects and minimize them.

Recent research has made significant advances in understanding data breach response strategies by applying insights from service failure literature to data breaches, creating a link between marketing communications literature and crisis response literature (Goode et al., 2017; Malhotra & Kubowicz Malhotra, 2011). The basic idea behind this is that data breaches can occur in the form of an electronically transmitted service failure, which the customer experiences as a disruption in core service provision. Therefore, the notion of how a service provider can recover after a service failure and restore its reputation (McColl-Kennedy & Sparks, 2003; Patterson et al., 2006) can be applied to the data breach context. For example, Goode et al. (2017) examined compensation as a recovery action after a data breach, drawing on the perspective of Mattila and Cranage (2005), who found that compensation (and apology) positively influence perceptions of fairness, which are related positively to satisfaction. In addition to this basic construct, customer expectations also have been identified as important antecedents in influencing user satisfaction with privacy breach responses (Berezina et al., 2012). It becomes clear that efforts have been made to transfer the literature on service failures to the context of data breaches. However, a research gap remains: a deeper understanding of how effective various responses are in shaping customer behavior following a data breach is still lacking.

In examining typical recovery actions after a data breach, one finds that the compensation suggested by Goode et al. (2017) was a unique recovery action that was not adopted as a common response among companies after a data breach. It elicits disconfirmation from customers and is, therefore, outside the assimilation-contrast model's tolerance range, which is positive in this case. However, the literature lacks deeper insights into how different recovery actions function in real-world settings following a data breach and thereby allow companies to reassure customers after a data breach as efficiently as possible. In addition, the question arises as to whether it is desirable to address the tolerance range of the assimilation-contrast model. After all, it is not clear whether a reaction that causes customers to fall within the assimilation-contrast model's tolerance range actually exerts a positive long-term effect on customer behavior and, thus, on negative indirect costs, such as lost trust, loyalty and word of mouth.

To determine which recovery actions are applied commonly in the context of data breaches and should be studied, we examined real-world data breaches at publicly traded U.S. companies from 2007 onward using the Privacy Rights Clearinghouse and identified and coded related response strategies. Based on a database of 72 healthcare data breaches with response strategies, two strategies, compensation and apology, were identified as relevant common practices in the context of health data breaches. When considering recovery actions after data breaches that are designed to address and engage the customer directly, apology and compensation are the recovery actions most commonly used by companies affected by a confirmed data breach. Therefore, it is crucial to investigate the actual impact from a typical compensation and apology in context. Furthermore, it
is important to determine how a successful recovery action can influence customer perceptions. For this purpose, in addition to actual recovery actions and the influence from existing expectations, this research examines the following research question:

RQ How do typical compensation and apology as recovery actions by a health service provider influence customers' reaction to a data breach?

We address this question using a fitness tracker company's recovery actions after a data breach. For this purpose, a survey was conducted among 507 users of fitness trackers at a local sports event based on a data breach scenario. In the scenario, it was ensured that the fitness tracker users accepted that the device would collect their health data, which includes tracking GPS data from running tracks, monitoring heart rate, and displaying calories burned. Also, personal information such as gender, age, and name is collected the first time the device is used.

Our study contributes to healthcare and security literature, providing insights explicitly into security issues in digital health. First, we put the assimilation-contrast model into a general theoretical context with data breaches and further showed a positive correlation to other dependent variables (trust, loyalty, word of mouth) from the tolerance range of the model. Second, we extended the literature on data breach recovery actions to include other actions used in practice and their impact on customer behavior after a data breach. Third, our study adds to the existing literature on healthcare security by illustrating how customer responses can be explained, mainly to help healthcare providers determine recovery actions for their customers in response to data breaches. Fourth, we were able to show that the context of service failure is also applicable to health data breaches.

In addition to theoretical contributions, several practical implications from our study provide essential insights into customer responses at an individual level, as the perceived recovery actions influence customer behavior after recovery. Our results can help companies and managers determine their customers' expectations after a data breach and find strategies suited to those expectations. They also enable companies to repair damaged relationships with their customers.

Practical background and related research

Review of data breach response strategies research

Few studies in extant literature have examined how companies should respond after a data breach. Consequently, it can be assumed that companies are likely to rely on findings from general crisis management literature when responding to a data breach (Gwebu et al., 2018). However, providing an appropriate response to a data breach poses a significant challenge, especially given that there is often some uncertainty about what has happened, and legal requirements necessitate disclosing data breaches quickly (Masuch et al., 2020). Although companies have been responding to data breaches for years, little research has been done on how these data breach responses, derived from crisis response strategies, work in context.

A few existing studies have examined actual data breach responses and their effects on stock prices. For instance, Gwebu et al. (2018) examined the effects from response strategies after a data breach depending on whether a company has a good reputation. Based on 221 data breaches, the strategies in responding to breaches were categorized into defensive, accommodative, moderate, and image renewal. Based on the companies' reputations, the impact on their stock prices was examined. For companies with solid reputations, the response strategies to a data breach did not affect their market value, while the opposite occurred for companies with poor reputations.

Here, differences in market value after a data breach can be identified based on the response strategy. The moderate (ingratiation or justification) and image renewal (correction and commitment, stakeholder, or value commitment) strategies appeared to affect the company's market value positively, an effect that could be confirmed. Simultaneously, the defensive (denial or excuse) and accommodative (apology or remedial action) strategies appeared to exert a negative impact on stock price, an effect that could not be confirmed with statistical significance.

Masuch et al. (2021) expanded on this research by categorizing response strategies differently, considering the underlying response and recovery actions in response strategies and considering whether it makes a difference whom the data breach affects. Thus, a distinction is made between response and recovery actions. Companies' response actions in the present study's context focus on whitewashing data breaches, in which, similar to Gwebu et al. (2018), such incidents are denied or downplayed, or responsibility is not accepted. In contrast, recovery actions involve the company directly addressing the customer, apologizing, and showing remorse. The research indicated that data breach responses only have an impact in the context of customer-related data breaches, and that the whitewashing response action did not elicit a negative impact on the company's market value, whereas the apology recovery action elicited a negative impact.

On the other side of data breach research, instead of direct financial losses due to the negative impact on stock price, the immense financial losses from the loss of the company-customer relationship are considered. After all, the responses to a data breach are not intended to address shareholders exclusively and, thus, the company's stock value, but often serve as a means to respond to those affected directly by the breach. Thus, response strategies

often are used to appease customers after an incident and make them feel like they have been compensated for any losses (Grönroos, 1988). In addition to providing information about the incident, as discussed earlier, responses can include recovery actions designed to reassure those affected and stabilize their relationship with the company (Goode et al., 2017).

In this area, little research has addressed such actions' impact on customer behavior after a data breach and has attempted to find positive influencing factors. For example, some companies offer customers compensation for their losses in the form of a monetary compensation or a non-monetary equivalent (Goode et al., 2017). Extant research has demonstrated that compensation positively impacts customer attitudes, thereby averting negative impacts (e.g., Goode et al., 2017; Kude et al., 2017).

For the present study, the literature has examined existing response strategies with response actions and recovery strategies to data breaches. Response actions try to defend the company, whereas recovery actions try to address the damaged customer and repair the relationship. Actual recovery actions have been studied in terms of effects on stock price, while other research has examined recovery actions' impact on the company's relationship with customers. Thus, extant research is lacking on how actual recovery actions used after a data breach affect the company-customer relationship and whether they influence it positively.

Practical review of data breach recovery actions in healthcare

As mentioned earlier, the healthcare industry is a branch of particular importance with unique challenges. It involves managing highly sensitive personal health data and experiences public and political pressure to adopt new technological practices, particularly when surrounding infrastructure is not secure (Angst et al., 2017). Regulation and public concerns underline this industry's sensitivity and pressure healthcare providers to secure patient data and comply with regulations (Kwon & Johnson, 2015).

However, existing research indicates that the healthcare industry lags in security strength (Kruse et al., 2017) and experiences security incidents, such as data breaches, daily (McLeod & Dolezel, 2018). Although this area is relevant to study, little research has focused on the consequences from such incidents. However, considering that data breaches in particular are unavoidable and always become public knowledge due to mandatory disclosure requirements, it is imperative to address cost-effective ways to mitigate harm.

To identify how companies in the healthcare industry have attempted to address the consequences of data breaches so far, we examined data breaches in the healthcare industry since 2007 and coded the response strategies (please see Appendix 1 for details). We identified 72 data breaches at publicly traded U.S. companies in the healthcare industry between 2007 and 2019, all of which were required to communicate their data breaches to those affected due to legal regulations. The responses observed here follow the typical spectrum of crisis response strategies that are possible under the legal requirements. Thus, none of the companies denied that the data breaches occurred.

In 57 of the 72 companies' responses, they tried to defend themselves by downplaying or justifying the data breach. It already has been demonstrated that this type of strategy positively affects a company's stock price and, therefore, often is used to protect the company (e.g., Masuch et al., 2020). Nevertheless, it must be noted that this type of strategy focuses more on addressing losses in stock value and less on losses in reputation and customers (Masuch et al., 2020).

However, in the context of data breaches, it already has been demonstrated that the main, long-term cost is the loss of reputation and company-customer relationships. In addition, a wide range of competing companies exists, from health insurers to fitness tracker providers, i.e., customers switching companies is quite realistic. Therefore, companies' remaining response strategies include recovery actions and demonstrate a more understanding, customer-oriented approach that attempts to stabilize the company-customer relationship (Ponemon Institute LLC, 2018). Overall, 38 of the 72 companies offered their customers compensation or apologized to them. Table 1 provides a short outline of selected data breaches in the health sector, demonstrating how companies use these two recovery strategies: apology and compensation.

In 2013, DaVita Inc., which provides kidney dialysis services through a network of 2753 outpatient dialysis centers in the U.S., serving 206,900 patients, and 259 outpatient dialysis centers in 10 other countries, serving 28,700 patients (DaVita Inc., 2020), experienced a data breach when an employee's laptop was stolen. The stolen information included names; health information such as diagnoses, insurance benefits, and dialysis treatment information; and Social Security numbers. The company offered a year of free credit monitoring as compensation for its affected customers (DaVita Inc., 2013).

UnitedHealth, a healthcare company that offers healthcare products and insurance services, discovered that one of its employees was suspected of participating in identity theft activities in 2007. Sensitive personal information on 127 customers was found in the suspect's possession, including Social Security numbers, names, addresses, and dates of birth. Considering their obligation to protect all customers, the company offered a 1-year subscription to Equifax Credit Watch Gold (which provides daily credit file monitoring, identity theft insurance, and copies of credit reports) to all members whose data could have been accessed by the employee in the past 2.5 years (UnitedHealthcare, 2007).
Table 1  Apology and compensation in recent health data breaches

Instantiation: Compensation. Material or immaterial payments that a customer receives in exchange for losses from a data breach.
  Example: DaVita Inc. On 09.07.2013, an employee's laptop was stolen, resulting in personal health data, including diagnoses, etc., from 11,500 patients being breached (DaVita Inc., 2013).
  Response strategy: Free credit monitoring was offered as a compensation strategy.
  Example: UnitedHealth Group Inc. On 07.25.2007, personal information on 127 customers was found in a suspect's possession. This personal information included names, addresses, dates of birth, and Social Security numbers (UnitedHealthcare, 2007).
  Response strategy: As a compensation strategy, a one-year subscription to Equifax Credit Watch Gold was offered.

Instantiation: Apology. A sympathetic way to announce that a data breach has occurred.
  Example: Medtronic. On 10.11.2018, unauthorized access occurred in connection with protected health and other personal information on 12 New Hampshire residents (Medtronic, 2018).
  Response strategy: The company explained the incident and apologized for it.
  Example: Quest Diagnostics. On 11.17.2017, personal information on employees was breached via mail (Quest Diagnostics, 2015).
  Response strategy: The company explained and apologized for the incident.

In 2018, Medtronic, an Irish medical device company that generates most of its sales from the U.S. healthcare system, discovered that employees misused customer information. The company apologized publicly to the affected customers (Medtronic, 2018).

In 2014, at Quest Diagnostics, a U.S. clinical laboratory, an employee sent out a report that contained employee data via mail to business partners outside the company. The data, including names, addresses, Social Security numbers, dates of birth, employee IDs, and mail addresses, were misused. The company apologized publicly for the incident (Quest Diagnostics, 2015).

For this study's purposes, the practically studied data breaches in the healthcare industry indicate that companies followed crisis response theory regarding their response strategies to data breaches. In the area of recovery actions for customers, compensation and apology were used. In addition, no research in this context has been conducted regarding the actual impact from responses transferred from crisis response. Thus, research is lacking on how compensation and apology, as recovery actions, affect the company-customer relationship in the healthcare industry.

Theoretical framework

Building on the practical background and drawing on the related research, we created a theoretical framework and derived hypotheses based on expectation confirmation theory.

Expectation confirmation theory as a theoretical lens

Expectation confirmation theory has existed for several decades and first appeared in psychology and marketing literature (Oliver, 1977, 1980). It has been researched in other disciplines over time, including information systems (IS) (Bhattacherjee, 2001; Brown et al., 2014; Venkatesh & Goyal, 2010).

The theory attempts to explain and predict a customer's repurchase intention and satisfaction levels by comparing their expectations with perceived performance (Oliver, 1977). This comparison leads to confirmation or disconfirmation, and ultimately to customer satisfaction or dissatisfaction. This final (dis)satisfaction level has been found to be a determinant of repurchase intention (Oliver, 1980). This relationship between satisfaction and purchase intention has been extended in recent literature to include other dependent variables. The IS literature shows, for example, that the satisfaction resulting from the confirmation of expectations by experiences has a positive effect on continuance intention in IT (Bhattacherjee, 2001; Islam et al., 2017). Furthermore, this satisfaction is also positively correlated with loyalty or trust when using websites (Flavián et al., 2006; Valvi & West, 2013), and with positive word of mouth in the context of service convenience (Dai et al., 2008).

However, recent literature on information systems now examines this basic theory using four competing models:

generalized negativity; assimilation; contrast; and assimilation-contrast (Brown et al., 2014; Goode et al., 2017).

The generalized negativity model, developed from the fulfilled expectations hypothesis, asserts that positive or negative disconfirmation negatively affects resulting outcome evaluations (Irving & Meyer, 1994; Wanous et al., 1992). Any discrepancy in expectations, whether positive or negative, results in negative consequences, as demonstrated by Venkatesh and Goyal (2010) in the IS context during technology use.

The assimilation model is based on the rationale that disconfirmation is avoided to some extent by adjusting outcome evaluations to reduce cognitive dissonance (Sherif & Sherif, 1965). For example, it has been evaluated by Szajna and Scamell (1993) in the context of satisfaction with a system. They demonstrated that users' satisfaction level with the same system was higher when expectations were set high than when expectations were set low.

Unlike the assimilation model, the contrast model's underlying idea involves understanding outcome ratings as a function of the size and direction of the gap between expectations and experiences, i.e., of a strong potential disconfirmation (Churchill & Surprenant, 1982; Patterson et al., 1996). Compared with the assimilation model, it is not cognitive dissonance but the difference between expectation and evaluation that is crucial. If the difference here is positive, it elicits positive effects, and vice versa. The model also is anchored in IS research; e.g., Staples et al. (2002) found support for the contrast model in the context of system satisfaction and effectiveness.

The assimilation-contrast model combines the main ideas from the assimilation and contrast models. It assumes that when a small difference exists between expectations and experiences, the evaluation will adjust. Thus, within a certain tolerance range, the model follows the assimilation model's logic for divergences between expectations and experiences. However, if the difference turns out to be too large, the model follows the contrast model's idea, with positive differences eliciting positive effects and negative differences eliciting negative effects (e.g., Becker et al., 1992; Johnston, 1995; Klein, 1999). The assimilation-contrast model has been demonstrated and developed several times in IS research; e.g., Brown et al. (2012) found support for the model in software use. It was demonstrated that smaller disconfirmations between expectations and experiences led to the assimilation of expectations and positively affected software use. Large positive disconfirmations exerted the same effect. By comparison, large negative disconfirmations led to less software use (Brown et al., 2012).

In doing so, Brown et al. (2012) also introduced the modified assimilation-contrast model, which also builds on prospect theory and suggests that negative disconfirmation exerts a more substantial impact than positive disconfirmation. Brown et al.'s (2012) modified model also was validated across several dependent variables (intention, usage, and satisfaction) and also applied to Goode et al.'s (2017) data breach context.

In transferring the assimilation-contrast model, Goode et al. (2017) pointed out that it already is used increasingly in service failure literature to adjust customer expectations regarding compensation after a service failure. Their study investigated a Sony PlayStation Network breach using the modified assimilation-contrast model and the generalized negativity model. They examined hypotheses concerning compensation's impact on key customer outcomes after a major data breach and the resulting efforts to restore service. Expectations and experiences with compensation as a recovery action were examined as precursors to the perception of service quality, intention to continue, and intention to purchase.

It could be demonstrated that the modified assimilation-contrast model is applicable for service quality and continuance intention, and that the tolerance range, as well as the positive and negative effects from large disconfirmation in the data breach context, can be proven. The generalized negativity model in turn can explain repurchase intention in a data breach with the corresponding effects. Overall, the study demonstrated that expectation confirmation theory explains the perception of service quality and intention to continue and repurchase.

In summary, expectation confirmation research in IS has examined only a limited set of competing models of expectation confirmation theory. Nevertheless, it should be noted that the assimilation-contrast model holds particular prominence, particularly in recent research, as it already has been applied to the context of data breaches relevant to the present study and has demonstrated that the effect's mechanism is applicable.

However, it leaves open the question of how more typical response strategies that follow the usual pattern of data breach recovery actions interact, what influence those strategies exert on satisfaction with the response, and the long-term effects on the company-customer relationship, particularly in the healthcare industry.

In contrast to Goode et al. (2017), the present study is not intended to measure how differences in expectation (dis)confirmation affect direct effects on customer behavior. Instead, it aims to investigate how expectations and (dis)confirmation of expectations affect satisfaction with commonly used recovery actions after a healthcare-related data breach and how they affect customer behavior.

Hypotheses derivation and theoretical framework development

For this study's purposes, our research model considers expectations of a recovery action after a data breach and the actual perceived experience (recovery actions) to explain satisfaction with it, as well as long-term customer behavior—as

measured by word of mouth, loyalty, and trust—through sat- Unlike Goode et al. (2017), we build on typical, commonly
isfaction with the recovery action (see Fig. 1). used recovery actions derived from actual responses by
In addition to basic ideas from expectation confirmation companies that have experienced a data breach. Thus, we
theory, the results from Bhattacherjee (2001), Brown et al., can assume that a comparable recovery action causes only
(2012, 2014) and Goode et al. (2017) in particular are used minor disconfirmations. Therefore, we hypothesized the
to derive hypotheses and develop the research model. following:
To identify the effect from expectations, it is essential to
build on Goode et al.’s (2017) results, in which an offer of H1 Users’ expectation of a data breach recovery action is
compensation is a unique, unprecedented, and practically associated negatively with a confirmation.
rarely used type of recovery action. Thus, it suits the under-
lying assumptions to follow the effects from the modified As defined in the previous hypothesis, we examined typi-
assimilation-contrast model. cal, commonly used recovery actions after a data breach
It is based on the idea that small discrepancies between in the healthcare industry. From the practical derivation of
expectations and experiences are treated differently than recovery actions in the healthcare industry, it was found that
larger discrepancies (Brown et al., 2014). Thus, it suggests the two most commonly used recovery actions are apology
that a slightly high, accurate, or slightly low expectation and compensation. Considering that data breaches have
is preferable to an excessively high/low one (Brown et al., become an everyday occurrence, and that companies must
2014), considering that the smaller the discrepancy between disclose data breaches and often resort to apology, compen-
expectations and experience, the smaller the negative influ- sation, or a combination of the two (Masuch et al., 2021),
ence from experience. An explanation for this can be found it can be assumed that customers who are offered such a
when the difference between the experience rating and recovery action with wording similar in practice are less
expectation is small, and expectations can be assumed to surprised. Thus, this effect follows the assimilation-contrast
be inertial, causing the experience to be assimilated toward model in the tolerance range, i.e., an offered and expected
the outcome rating (e.g., Johnston, 1995). In contrast, when recovery action positively affects the confirmation between
differences are large, contrast is weighted more heavily, and expectation and experience. This resulted in the following
disconfirmation prevails (e.g., Klein, 1999). two hypotheses:
Thus, considering only the relationship between expec-
tations and experiences, we note that experiences always H2a After a data breach, a typical compensation is associ-
are measured against expectations. Unless complete con- ated positively with confirmation.
firmation occurs, the evaluation process always is negative, H2b After a data breach, a typical apology is associated
considering that a discrepancy, whether positive or negative, positively with confirmation.
indicates a non-confirmation effect.
Thus, it can be assumed that these effects mainly are Thus, it can be assumed that expectations are a determi-
due to the surprise effect on affected individuals, consid- nant of satisfaction with recovery action. This effect is based
ering that they are not aware of any comparable recovery on the fact that expectations can be viewed as a kind of refer-
actions in response to a data breach from their experience. ence level for the customer toward the experience (Brown

Process Description
Examination of Conformity Customers form an Customers shape
Customer Expectation Health Service offers
of Received Recovery and Attitude towards Attitude towards Heath
Formation Recovery
Expectations Received Recovery Service

H3
Data Breach

Trust
H5
Compensation H2a
Expectation H4 Satisfaction with H6
towards Recovery Confirmation Word of Mouth
v
Recovery Action
Action
Apology H2b
H7 Loyalty

H1 Expectation-Confirmation Theory

Calculation arrows Path Analysis v AND-Connector (Representation of the Confirmation Calculation)

Fig. 1  Research model

13
836 K. Masuch et al.

et al., 2014). Therefore, high expectations tend to increase H4 Users’ extent of confirmation is associated positively
satisfaction, while low expectations tend to decrease satis- with their satisfaction with the actual data breach
faction (Bhattacherjee, 2001). recovery action.
However, this relationship ignores the adjustment in
expectations after the experience. If one examines the assim- Satisfaction is viewed as the key to building and retain-
ilation-contrast model, it states that expectations are adjusted ing a long-term customer base (Anderson & Sullivan, 1993;
to experience within a certain tolerance range; thus, low dis- Anderson et al., 2011). The interest at this point is whether
confirmation continues to lead to satisfaction (Brown et al., the satisfaction generated in the tolerance range also has a
2014). If one lies outside this tolerance range, expectations positive long-term effect on actual customer behavior and
are no longer adjusted to experience and lead to negative or can thus avert the negative long-term consequences.
positive effects, depending on the disconfirmation direction. Therefore, we also examined components that exert a
According to Oliver (1977), overly high expectations lead long-term impact on customer behavior and corporate repu-
to negative disconfirmation, but would exert a fundamentally tation. For this purpose, we first identified trust as a princi-
positive affect on satisfaction, and vice versa, in the case of pal measure of customers long-term behavior after the data
low expectations. With agreement or low disconfirmation, i.e., breach recovery strategy. This is due to the fact that trust is
with (almost) correct expectations, these would be neither seen, particularly in marketing literature, as an indicator that
significantly negative nor significantly positive (Goode et al., distinguishes long-lasting and profitable relationships with a
2017). Since in the case of a data breach recovery action, company and could therefore indicate that customers will not
customers have a comparative value from previous incidents, leave the company after a data breach (Flavián et al., 2006).
they will have expectations regarding the company’s response Overall, trust is defined primarily by three components,
in any case. These expectations can be expected to be either honesty, benevolence, and the company’s competence (Coul-
equal to or higher than the comparison value. ter & Coulter, 2002; Gundlach & Murphy, 1993; Larzelere
Thus, based on the fundamental idea of expectation con- & Huston, 1980). Experience allows the customer to create
firmation theory, we assume that this form of expectation expectations about these three components and to create expec-
exerts a positive effect on satisfaction with the recovery tations about events that may occur in the future, and therefore
action, leading to the following hypothesis: to decide whether to continue the relationship. Consequently,
trust is generated as a result of knowledge accumulation. Trust
H3 Users’ expectations of a data breach recovery action is often not set as a pure result of experiences and expectations,
are associated positively with their satisfaction with but much more related to satisfaction with the experiences.
the actual data breach recovery action. Thus, trust should be greater if the satisfaction that the com-
pany or product gives to the consumer is greater (Flavián et al.,
Considering that we intended to demonstrate that a typical 2006). In this case, when a satisfaction with the recovery action
recovery action in healthcare always lies within the assimila- occurs. Therefore, we hypothesize the following:
tion-contrast model’s tolerance range, it can be assumed that
experiences are close to expectations. Thus, outcome ratings H5 Users’ level of satisfaction with the data breach recov-
always would be aligned with expectations, i.e., the customer ery action is associated positively with users’ trust in
always would be in a range in which the service received is the company.
deemed appropriate (Kettinger & Lee, 2005).
In the present study’s context, this would imply that Since in the case of data breaches, in addition to the lost
the level of compensation disappointment lies within the trust, it is in particular the termination of customer loyalty
customer’s tolerance range; thus, the response to the data that leads to high costs, we set loyalty as the second main
breach is viewed as satisfactory. This means that even if measure of customers’ long-term behavior after the data
the customer expected an apology/compensation, but did breach recovery strategy for this purpose.
not receive one, the expectation of disappointment would Loyalty is defined as a deep-rooted commitment to buy
be low enough that expectations would be adjusted accord- a product again in the future or to prefer a company even
ing to the experience. Thus, in the studied scenario, the though situational influences, in this case the data breach,
post hoc expectations always would be equal to the experi- might cause switching behavior. Loyal customers are thus
ence and positively affect the customer’s satisfaction. willing to buy products again or remain loyal to companies
Therefore, we assume that this effect can be demon- even though there are competitive alternatives to switch to.
strated not only in overall satisfaction, but also in satisfac- A customer will be loyal if he believes that the company will
tion with the recovery action, consequently yielding the fulfill the agreed conditions. At the same time, the alterna-
following hypothesis: tives in the market will be less attractive (Li & Green, 2011).


Since data breaches are a common phenomenon and are known to affect all companies, we postulate that the fulfillment of expectations in the response after a data breach and thus the satisfaction with the recovery action will lead to the customer’s continued loyalty with the company. The significant positive relationship between customer satisfaction and customer loyalty has already been confirmed by several studies (e.g., Chang et al., 2009; Cronin et al., 2000; Oliver & Burke, 1999).

However, we hypothesize that not only customer satisfaction but also satisfaction with recovery action has a positive impact on customer loyalty:

H6 Users’ level of satisfaction with the data breach recovery action is associated positively with users’ loyalty.

An essential ingredient and outcome of successful long-term relationships has been identified as word of mouth. This involves existing customers spreading good word about the company and its products and services (Anderson, 1988; Richins, 1983).

Word of mouth is particularly important in the case of negative news, such as data breaches, as it can either join the negative news, fall silent, or in the best case, be positive about the situation. Anderson (1988) identified a clear relationship between word of mouth and customer satisfaction. He showed that more extreme levels of satisfaction (positive or negative) lead to more extreme word of mouth and also was able to show that satisfaction leads to word of mouth.

Thus, it can be assumed that satisfaction with the recovery action leads to positive word of mouth:

H7 Users’ level of satisfaction with the data breach recovery action is associated positively with users’ word of mouth.

Based on the theoretical and practical derivations, we established a research model based on expectation confirmation theory, with the assumption that the confirmation follows the (modified) assimilation-contrast model.

Research design

Study’s setting and data collection

For data collection, the live Altstadtlauf Göttingen sports event was chosen, as it would reach a large number of people using fitness trackers. The run attracts several thousand people annually. In 2019, 4000 people registered. Runners and bystanders were considered as potential candidates for the survey. Care was taken to ensure that the participants used a fitness tracker to increase external validity and ensure that they could imagine the fictitious data breach situation. Participants were selected and sampled individually or in groups as follows (Fig. 2).

Fig. 2 Recruiting phases. Phase 1: identify whether the person was obviously wearing a fitness tracker and therefore eligible as a test subject. If not obvious, the participant was first asked whether they used a fitness tracker. Yes: the participant received an iPad with the quantitative questionnaire, on which they answered the questionnaire. No: the person was not interviewed because they were not part of the target group.

The survey was conducted anonymously, thereby excluding the possibility of contacting the participants afterward. Subsequently, each participant received the same questionnaire with manipulation control. The participants needed about 10 min per person to complete the questionnaire.

Experimental design and sampling

To test our research model, a scenario experiment was implemented. A scenario including a fictitious data breach of a

fitness tracker was developed. During the survey, participants needed to imagine that they had a fitness tracker they regularly used for running. It was explained that this could be an app on their mobile phone or a portable device, like a smartwatch.

In the first paragraph of the message, the data breach’s severity was mentioned. For this purpose, it is explained that the user (participant) gave the fitness tracker personal information—such as email address, date of birth, height, weight, etc.—once, and the tracker collects live GPS data on each run to evaluate mileage. The participant was presented with the situation that he would like to start a new run, but that a message from the fitness tracker’s provider appears shortly before the run begins, stating that an unauthorized third party violated some of his data. To ensure comparability, all participants received the same introductory information:

    Please imagine that you have a fitness tracker that you regularly use for jogging. This could be an activity tracker app (Runtastic, Nike Run Club, Strava, ...) or a fitness watch (Fitbit, Apple Watch, Samsung Galaxy Fit, ...). The fitness tracker needs personal data from you once, such as email address, date of birth, height, weight, running behavior, etc. Also, every time you use the fitness tracker for jogging, the running route is tracked using GPS data to receive an evaluation after the run. You now want to go running and receive the following message: “Dear user, we discovered a security incident in your fitness tracker account on June 25, 2019. Some of your personal data have been stolen by an unauthorized third party.”

After this introduction, the participants received another message that contained the health care provider’s response to the data breach by randomization, which was implemented using the Qualtrics questionnaire tool’s functionality. Thus, it was possible to ensure that the randomization was distributed equally. In this step, a vignette design was chosen to query the independent variables (apology and compensation) through the scenario-based experimental manipulation. Four scenarios (neutral × neutral, neutral × apology, neutral × compensation, and apology × compensation) were assigned randomly to the participants through an intermediate design (Atzmüller & Steiner, 2010) to test the two countermeasures’ effectiveness.

First, the apology contains the values “no apology received” or “apology received,” and the compensation is expressed as “no compensation received” or “compensation received”.

If the customers received the apology as a supplier reaction, it was added to the second paragraph. Thus, they received a message that included an apology from the provider, in which the company expresses regret over the incident and promises to work on the problem to prevent it from recurring.

If the customer received a compensation offer, it was in the third paragraph of the message. The vendor offered the customer the opportunity to use the premium version free of charge for 3 months. (There were no further obligations, and the account automatically was reset to the standard version after 3 months). The concrete reactions used in the scenario are provided in Table 2 with their respective characteristics.

Table 2 Scenarios (rows: apology treatment; columns: compensation treatment)

Neutral apology × Neutral compensation:
“If you have any questions, please contact us.”

Neutral apology × Compensation:
“As compensation, we offer you use of our premium version free of charge for three months. (There are no further obligations. Your account then automatically will be switched back to the standard version.) If you have any questions, please contact us.”

Apology × Neutral compensation:
“We deeply regret the incident and are striving to address it to ensure that such an inconvenience does not recur. We apologize for the inconvenience. If you have any questions, please contact us.”

Apology × Compensation:
“We deeply regret the incident and are striving to address it to ensure that such an inconvenience does not recur. We apologize for the inconvenience. As compensation, we offer you use of our premium version free of charge for three months. (There are no further obligations. Your account then automatically will be switched back to the standard version.) If you have any questions, please contact us.”

Across the different treatment groups, we collected 507 valid answers. Invalid responses were identified by uncompleted questionnaires, a manipulation check, and an attention check. The participants’ average age was 28.52 years (SD = 9.14 years), and the sample comprised 54.83% men and 44.38% women. These respondents stated that they train or engage in other sports activities 3.15 times a week and run 1.47 times a week on average. In addition, 59.4% of respondents stated that they “occasionally” or “more frequently” (29.6% always) use a fitness tracker for sports. To validate random assignment, we checked the variation in control variables among the four treatments via variance analysis, which did not indicate any significant effects and, thus, no violation of random assignment. Please see Appendix 2 for details.


Measurement of constructs

All research constructs were adapted from the literature. The items were selected for consistency with the construct definition in this research context and the measurement quality. All items were reworded carefully to fit the research context and measured using a seven-point Likert scale, ranging from 1 (“fully disagree”) to 7 (“fully agree”). Other scales were used partly for the control variables, e.g., age was measured using a metric scale. The latent measurement scales—including construct names, elements, and related referents—are listed in Table 3.

A potential problem in this study is common method bias, so Harman’s single-factor test was performed to test for a common factor (Podsakoff & Organ, 1986). All measurement items used in the investigation were subjected to exploratory factor analysis. In doing so, it can be stated that no method bias was found in the data, as the total variance extracted by one factor is 42%, which is less than the recommended threshold of 50%. Thus, as no single factor emerged from the analysis, it can be concluded that the study was free of common method bias.

Table 3 Operationalization of constructs

Constructs and items | Loadings

Expectation–compensation (Goode et al., 2017)
I expect compensation (monetary or non-monetary) when personal data are stolen | .671
I assume that the provider provides me with, in the event of a data breach, free usable content | .805
I find that compensation, such as three months of free premium membership, represents reasonable compensation if a third party misuses my fitness tracker data | .681

Expectation–apology (Goode et al., 2017)
I expect an apology from the provider when personal data are stolen | .810
I assume that the provider would show remorse to its customers after a data breach | .738
I find that an apology is a reasonable response from the provider if a third party misuses my fitness tracker data | .724

Confirmation (Bhattacherjee, 2001)
My experience with the fitness tracker provider’s recovery action after the data breach was better than expected | .902
The fitness tracker provider’s recovery actions after the data breach were better than expected | .917
Overall, most of my expectations regarding the fitness tracker provider’s recovery actions after the data breach were confirmed | .688

Satisfaction with recovery action (Kantsperger & Kunz, 2010)
Overall, I am satisfied with the fitness tracker provider’s response to the incident | .895
The fitness tracker provider’s response fully meets my expectations | .893
Looking back, I perceive the fitness tracker provider’s response as a good experience | .855
Looking back, the decision to use this fitness tracker was the right one | .725
The fitness tracker provider’s response corresponds with my expectations | .871

Trust in fitness tracker (Choi & Ji, 2015)
I think the fitness tracker is safe | .930
I find the fitness tracker trustworthy | .957
All in all, I trust the fitness tracker | .958
I find the fitness tracker reliable | .884

Word of mouth with fitness tracker (Kim & Son, 2009)
I will tell others about the fitness tracker’s positive aspects | .935
I will recommend the fitness tracker to anyone who seeks my advice | .958
I will advise my friends and acquaintances to use this fitness tracker | .962

Loyalty with fitness tracker (Kau & Loh, 2006)
I will continue to use this fitness tracker | .885
I will not change my fitness tracker provider after the incident | .870
In the near future, I intend to consider the fitness tracker provider’s new product offers | .840
I consider myself to be a loyal customer of this fitness tracker provider | .877

Data analysis and results

We tested our hypotheses using a partial least squares (PLS) structural equation modeling (SEM) approach, which is consistent with other experimental IS and management research studies (Fombelle et al., 2016; Trenz et al., 2020).

In experimental research designs with latent variables, SEM is preferable to other methods because it can account for measurement errors and theoretical constructs’ multidimensional structures (Bagozzi & Yi, 1988). As the PLS estimator offers advantages in fewer restrictive assumptions, it finds broad application in experimental research designs (Fombelle et al., 2016; Trenz et al., 2020).

In addition, the PLS estimator fits our primary goal of predicting the effects from recovery strategies, rather than testing the theory. We dummy-coded the experimentally manipulated recovery strategies (apology and compensation) into two variables for the structural model setup. Furthermore, the higher-order constructs were modeled using the two-step approach (Hair et al., 2012). SmartPLS 3.0 software was used to perform the analysis, and R (Version 4.0.3) was used to perform other calculations.

Measurement validation

Our model included the three independent variables compensation, apology, and expectation. The expectation variable was formed with a higher-order construct of the factors expectation compensation (M = 4.70, SD = 2.00) and expectation apology (M = 5.87, SD = 1.70).

It was found that all reflection-modeled constructs’ element loads and internal consistencies were above the 0.7 limit. The only exceptions were the first and third items of the expectation confirmation construct, but they were not removed, as they were very close to the 0.7 limit.

Table 4 provides composite reliability (CR) and average variance extracted (AVE) data used to assess the constructs’ reliability and validity. Both requirements were met when all constructs evaluated CR values higher than 0.7, with AVE and Cronbach’s alpha values higher than 0.5 (Bagozzi & Yi, 1988). In our model, all CR values clearly were above the 0.7 limit. All AVE values also reached the limit. To assess discriminant validity, Fornell and Larcker offer an approach in which the square root of the AVE is compared with the correlations between the constructs. The comparison indicated that all constructs retained a higher value for the square root of the AVE (bold diagonal numbers) than for the correlation with other constructs (Fornell & Larcker, 1981). We concluded that our data indicate acceptable measurement properties for further analyses.

Hypotheses testing

We used the PLS method to estimate the theoretical structural model described above. The bootstrapping re-sampling method with 5000 samples was used to assess the paths’ significance. The results from the calculations are provided in Fig. 3.

It can be stated that the results support our research model’s structure. The R² of the dependent variable satisfaction was 52.1%, trust was 52.2%, variable loyalty was 63.8% and word of mouth was 67.8%.

It was found that expectation (.077; significant at .05) and confirmation (.688; significant at .01) exerted a significant positive effect on satisfaction. Compensation (.136; significant at .05) and apology (.168; significant at .01) exerted a significant positive effect on confirmation. Furthermore, a significant positive influence from satisfaction on trust (.522; significant for .01), loyalty (.638 significant for .01), and word of mouth (.678; significant for .01) could be observed.

Table 4 Construct validation

Construct | Cronbach’s alpha | CR | AVE | ExpComp | ExpApol | Comp | Apol | Conf | Satisf | Trust | Loy | WoM
ExpComp | .534 | .764 | .521 | .874
ExpApol | .629 | .802 | .575 | .282 | .896
Comp | n/a | n/a | n/a | .033 | .020 | n/a
Apol | n/a | n/a | n/a | .002 | .003 | .030 | n/a
Conf | .792 | .878 | .709 | .055 | −.073 | .140 | .172 | .937
Satisf | .902 | .928 | .723 | .130 | .002 | .171 | .168 | .706 | .963
Trust | .950 | .964 | .870 | .084 | .003 | .036 | .045 | .551 | .522 | .982
Loy | .891 | .924 | .754 | .091 | .013 | .011 | .067 | .586 | .638 | .711 | .961
WoM | .948 | .967 | .906 | .142 | −.027 | .031 | .054 | .581 | .678 | .710 | .753 | .983

ExpComp expectation compensation, ExpApol expectation apology, Comp compensation, Apol apology, Conf confirmation, Satisf satisfaction, Loy loyalty, WoM word of mouth
Bold diagonal numbers = square root of AVE
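As an added worked example (not code from the paper or its SmartPLS analysis), the Python script below recomputes AVE and composite reliability from the standardized loadings in Table 3 and applies the Fornell-Larcker comparison against the inter-construct correlations in Table 4. It assumes the Table 3 loadings are standardized and skips the two dummy-coded treatments (compensation, apology), which have no loadings.

```python
"""Reproduce the construct-validation statistics of Table 4 from the Table 3 loadings.

For a reflective construct with k standardized item loadings l_1..l_k:
    AVE = (1/k) * sum(l_i^2)
    CR  = (sum l_i)^2 / ((sum l_i)^2 + sum(1 - l_i^2))
Fornell-Larcker criterion: sqrt(AVE) of a construct must exceed its absolute
correlation with every other construct.
"""
from math import sqrt

# Standardized item loadings as reported in Table 3 of the paper.
LOADINGS = {
    "ExpComp": [0.671, 0.805, 0.681],
    "ExpApol": [0.810, 0.738, 0.724],
    "Conf":    [0.902, 0.917, 0.688],
    "Satisf":  [0.895, 0.893, 0.855, 0.725, 0.871],
    "Trust":   [0.930, 0.957, 0.958, 0.884],
    "Loy":     [0.885, 0.870, 0.840, 0.877],
    "WoM":     [0.935, 0.958, 0.962],
}

# Lower triangle of the inter-construct correlations in Table 4
# (the single-item dummies Comp and Apol are left out of this check).
CORRELATIONS = {
    "ExpApol": {"ExpComp": 0.282},
    "Conf":    {"ExpComp": 0.055, "ExpApol": -0.073},
    "Satisf":  {"ExpComp": 0.130, "ExpApol": 0.002, "Conf": 0.706},
    "Trust":   {"ExpComp": 0.084, "ExpApol": 0.003, "Conf": 0.551, "Satisf": 0.522},
    "Loy":     {"ExpComp": 0.091, "ExpApol": 0.013, "Conf": 0.586, "Satisf": 0.638,
                "Trust": 0.711},
    "WoM":     {"ExpComp": 0.142, "ExpApol": -0.027, "Conf": 0.581, "Satisf": 0.678,
                "Trust": 0.710, "Loy": 0.753},
}


def ave(loadings):
    """Average variance extracted: mean of the squared standardized loadings."""
    return sum(l * l for l in loadings) / len(loadings)


def composite_reliability(loadings):
    """Composite reliability from standardized loadings (error variance = 1 - l^2)."""
    total = sum(loadings)
    error = sum(1.0 - l * l for l in loadings)
    return total * total / (total * total + error)


def correlation(a, b):
    """Symmetric lookup in the lower-triangle correlation table."""
    if a == b:
        return 1.0
    if b in CORRELATIONS.get(a, {}):
        return CORRELATIONS[a][b]
    return CORRELATIONS[b][a]


def validate_constructs(loadings=LOADINGS, ave_min=0.5, cr_min=0.7):
    """Per construct: AVE, CR, sqrt(AVE), largest |r| with another construct,
    and pass/fail flags for the AVE, CR and Fornell-Larcker checks."""
    results = {}
    for name, items in loadings.items():
        a, cr = ave(items), composite_reliability(items)
        max_r = max(abs(correlation(name, other)) for other in loadings if other != name)
        results[name] = {
            "AVE": a, "CR": cr, "sqrt_AVE": sqrt(a), "max_abs_corr": max_r,
            "ave_ok": a >= ave_min, "cr_ok": cr >= cr_min,
            "discriminant_ok": sqrt(a) > max_r,
        }
    return results


if __name__ == "__main__":
    print(f"{'Construct':9}{'AVE':>7}{'CR':>7}{'sqrtAVE':>9}{'max|r|':>8}  AVE>=.5 CR>=.7 F-L")
    for name, r in validate_constructs().items():
        print(f"{name:9}{r['AVE']:7.3f}{r['CR']:7.3f}{r['sqrt_AVE']:9.3f}"
              f"{r['max_abs_corr']:8.3f}  {str(r['ave_ok']):8}{str(r['cr_ok']):7}"
              f"{r['discriminant_ok']}")
```

The AVE and CR columns of Table 4 are reproduced to within rounding of the three-decimal loadings, and every construct passes the .5/.7 thresholds and the Fornell-Larcker comparison.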

Fig. 3 Structural model with path coefficients (***significant at .01, **significant at .05). Paths: Expectation towards Recovery Action → Confirmation −.023 (not significant); Expectation towards Recovery Action → Satisfaction with Recovery Strategy .077**; Compensation → Confirmation .136**; Apology → Confirmation .168***; Confirmation → Satisfaction with Recovery Strategy .688***; Satisfaction with Recovery Strategy → Trust .522***; → Loyalty .638***; → Word of Mouth .678***. Compensation and apology form the recovery action block; confirmation and satisfaction form the expectation-confirmation theory block. Control variables: age, gender, sport activity level, data breach severity, running activity, fitness tracker use, paid tracker service.
The negative effect observed from expectations on confirmation was insignificant (−.023, not significant).

Furthermore, the following control variables were used: age; gender; sports activity level; data breach severity; running activity; use of a paid fitness tracker app; and use of the fitness tracker. Except for data breach severity (−.056, significant at .1), the control variables exerted no significant effect on satisfaction. Table 5 enables a further overview of all hypotheses and results.

Table 5 Support for hypotheses; Note: (***significant at .01, **significant at .05)

Hypotheses | Support for hypothesis
H1: Users’ expectations of a data breach recovery action are associated negatively with confirmation | Not supported, with a negative influence on confirmation −.023
H2a: After a data breach, a typical compensation is associated positively with confirmation | Supported with a positive influence on confirmation .136**
H2b: After a data breach, a typical apology is associated positively with confirmation | Supported with a positive influence on confirmation .168***
H3: Users’ expectations of a data breach recovery action are associated positively with their satisfaction with the actual data breach recovery action | Supported with a positive influence on satisfaction .077**
H4: Users’ extent of confirmation is associated positively with their satisfaction with the actual data breach recovery action | Supported with a positive influence on satisfaction .688***
H5: Users’ level of satisfaction with the data breach recovery action is associated positively with users’ trust in the company | Supported with a positive influence on trust .522***
H6: Users’ level of satisfaction with the data breach recovery action is associated positively with users’ loyalty | Supported with a positive influence on loyalty .638***
H7: Users’ level of satisfaction with the data breach recovery action is associated positively with users’ word of mouth | Supported with a positive influence on word of mouth .678***

As an additional post hoc analysis, we conducted a factorial variance analysis, with the research model’s latent variables used as dependent variables. We found significant main effects from compensation [F(1,503) = 15.89, p < .001] and apology [F(1,503) = 14.288, p < .001], and a significant interaction effect between compensation and apology on satisfaction with recovery action. We also found significant main effects from compensation [F(1,503) = 8.552, p = .004] and apology [F(1,503) = 14.95, p < .001] on confirmation. The results with means are reported in Appendix 2.

Discussion and implications

Summary of findings

This study examined satisfaction with recovery actions and how they affect customers’ behaviors after a data breach using typical real-world compensation and apology

as healthcare providers’ recovery actions. Specifically, healthcare data breaches provide an understanding of how strategic recovery actions can positively affect satisfaction with the recovery action, overcome damage to customer trust, and positively influence behavior. To sum up, both compensation and apology as used in practice exert a positive impact on confirmation.

In this context, customers expect both after a data breach, but particularly an apology. This expectation, which is formed before the actual recovery action occurs, negatively affects confirmation. However, this influence is insignificant, because the disconfirmation between expectation and experience lies within the assimilation-contrast model’s tolerance range when typical recovery actions are used. Therefore, as shown in Goode et al. (2017), expectations should be adjusted to reflect the experience afterward.

Based on the post hoc variance analysis (Appendix 2), disconfirmation between expectations and experiences is highest when customers receive neither an apology nor compensation. Because customers are more likely to expect an apology than compensation, the mean values indicate that disconfirmation is second-highest when an expected apology is not received, followed by the case of expected compensation not being received. Positive disconfirmation can also be observed when either an apology or compensation is expected and the customer receives both; it likewise lies within the tolerance range and thus exerts no significantly positive effect. This explains confirmation’s strongly significant influence on satisfaction with the recovery action, which ultimately positively impacts trust, word of mouth, and customer loyalty.

Although this is a ubiquitous and topical issue, the recovery actions examined here are used almost routinely in practice and thus have strong practical relevance. Little research has been done on the influence of different data breach recovery actions in practice, particularly in the healthcare sector. Therefore, this paper provides both theoretical and practical implications. Nonetheless, this work is not without limitations and provides opportunities for future research.

Theoretical implications

This research offers several theoretical contributions to the literature.

First, we built on the assimilation-contrast model literature in the context of crises. It is now clear that, for crises that occur regularly and must be addressed publicly, past responses provide a comparative benchmark for a company’s response, so that sticking to past strategies still elicits satisfaction with the response. This is because an unsurprising response lies within the assimilation-contrast model’s tolerance range; thus, the expectation is adjusted to the experience. Furthermore, research on the assimilation-contrast model can be extended to indicate that a response to a data breach within the tolerance range leads not only to satisfaction based on fulfilled expectations, but also to positive long-term customer behavior in terms of trust, loyalty, and positive word of mouth. We also demonstrated that these variables, which have already been established in the underlying expectation confirmation theory for fulfilled expectations, also apply to the assimilation-contrast model’s tolerance area. Thus, our research adds further dependent variables to the literature on the assimilation-contrast model.

Second, we helped ground the literature on data breach recovery actions used in practice. We complemented the literature by introducing another form of recovery action, the apology, derived by coding data breach response strategies, thereby complementing Goode et al.’s (2017) response strategy. We expanded on Goode et al.’s (2017) research by demonstrating how recovery actions that are applied in practice after a data breach act within the theoretical framework of the (modified) assimilation-contrast model. Here, we demonstrated that these recovery actions build on Goode et al.’s (2017) explanation of the tolerance range and that both positive and negative disconfirmations exist but are assimilated due to the tolerance range.

Third, we build on the existing literature on recovery actions after healthcare data breaches by investigating various recovery actions through experimental research, thereby complementing the existing security literature. This illustrates how further research can explain customer responses and help health service providers determine recovery actions, such as compensation and apology, in response to a data breach. Although research to date has focused on how companies can prevent data breaches and how security policies are managed (Romanosky et al., 2014), researchers and companies, particularly health service providers, need to understand and apply recovery actions. It is also essential that research and practice address the problem, as data breaches are inevitable and unplanned. Both health service providers and customers also incur unplanned costs after data breaches (Gatzlaff & McCullough, 2010).

Fourth, we demonstrated that the service failure literature is applicable and thus transferable to health data breaches (Goode et al., 2017). Therefore, our paper can also contribute to the service recovery literature by investigating recovery actions’ impact on customer behavior after a health data breach and, conversely, by drawing new conclusions for the service recovery literature.

Practical implications

In addition to the theoretical contributions, our results can help health service providers optimize their strategies for future company communications after a data breach and adapt them so that the best possible results are achieved, even after a data breach.


Based on the identified results, health service providers can derive communication strategies in advance of a data breach to minimize the breach of trust and its consequences in case of a similar data breach, as well as to restore customer satisfaction, loyalty, and trust in a best-case scenario.

Customer expectations strongly influence the later consequences of a data breach. Therefore, it would be useful for health service providers to know their customers’ expectations in the run-up to a data breach, or else find a way to determine them. These expectations can be derived from the company’s own recovery actions after earlier data breaches or otherwise from other companies’ recovery actions in the industry. As previously mentioned, data breaches are inevitable, particularly in the specific case of fitness trackers, and should be prepared for as thoroughly as possible. In addition to expectations, recovery actions exert influence and can lead to more positive customer behavior. If no experiential data exist, it would be reasonable for a healthcare provider, after a similar data breach, to offer both compensation and an apology, and to match, or slightly exceed, expectations, which in the best case are known. If the health service provider chooses this route and offers its customers the recovery action that they expect, the company can compensate for the data breach’s consequences cost-effectively.

Furthermore, the health service provider can distinguish between the two recovery actions. For example, our study’s results suggest that an apology after an incident is the most cost-effective and recommended route, leading to satisfaction with the recovery action, and customers expect less compensation when an apology is given. However, it is generally the case that matching the actual recovery action received to expectations is most important for positive customer behavior and for bridging the breach of trust.

In addition, one important aspect, particularly for health service providers, was identified: the significant influence of the data breach’s severity. For health service providers, this means that if only less important data are stolen, which, for example, do not reveal the person’s health status, then customer satisfaction, trust, and loyalty can be regained more easily, and word of mouth incurs less damage. Conversely, the theft of health-related data leads to higher expectations of recovery action from the health service provider, which should not go unfulfilled.

To sum up, health service providers would be well advised to assume that they will be victims of a data breach at least once during their business years, so they should determine their customers’ expectations to strike the right balance between apology and compensation and, thus, achieve the best recovery effect.

Limitations and opportunities for future research

Our study has some limitations that need to be considered when interpreting the results and suggesting future research directions.

First, even though the experiment’s participants owned fitness trackers, the experiment was based on a fictitious health data breach scenario into which the participants had to project themselves. Ideally, future studies should provide a comprehensive validation of the measurements with participants who are actually affected by a data breach of a digital health app.

Furthermore, only two recovery actions were applied in the present work. Although two independent researchers developed the two categories of recovery strategies, it cannot be guaranteed that no other important aspects belong to a different category or that all aspects were captured during the coding process. Future researchers can refine the coding of recovery actions and find other possible categorization levels.

As mentioned above, the injured parties in the study received fixed compensation and/or a defined apology from the health service provider. Different formulations could have elicited different effects on satisfaction with the recovery action, i.e., different formulations of apologies and different forms and levels of compensation should be tested to determine future satisfaction levels.

Furthermore, the control variable severity exerted a significant influence on satisfaction with the recovery action. This suggests that recovery actions are crucial precisely when severe data breaches cause low satisfaction levels.

It should also be considered whether the timing of a recovery action, i.e., how long after the breach it is executed, makes a difference.

In addition, future studies could use other variables to measure satisfaction with recovery actions, such as whether class action lawsuits are pursued against providers.

Finally, future studies with real health data breach scenarios should consider that expectations change over time (Bhattacherjee & Premkumar, 2004). Thus, expectations before consumption might deviate from expectations “during” and “after” consumption (Oliver & Burke, 1999), considering that firsthand experiences often “color” consumer expectations. Therefore, scholars have argued that expectations after consumption (perceived utility) are more realistic and should be considered (Bhattacherjee, 2001).

Conclusion

Given that fitness trackers belong to the category of health applications subject to a low level of security, this study examined typical recovery actions’ impact on bridging the loss of customer trust caused by a data breach. We theorized and investigated how


two widely used recovery actions affect customer reactions after a data breach in the specific context of fitness trackers.

Based on expectation confirmation theory, through the assimilation-contrast model, we argued that a combination of response strategy characteristics and individual customer expectations influences satisfaction with recovery actions and, thus, customer behavior. In particular, we investigated the effects of compensation and apology on customers’ satisfaction with the received recovery action. We also investigated how these recovery actions affect customers’ attitudes toward the health service provider, measured through trust, loyalty, and word of mouth.

A scenario-based experiment with two independent variables was conducted with 507 participants at a community running event. Our study’s results provide valuable insights into how recovery actions used in practice by healthcare providers following a data breach affect customer satisfaction with recovery actions and the resulting impact on customer trust, loyalty, and word of mouth. It was demonstrated that the different recovery actions practiced positively impact customer satisfaction and behavior and lie within the assimilation-contrast model’s tolerance range; therefore, any disconfirmation between expectations and experiences is assimilated.

This can complement the growing knowledge base on how to recover after a health data breach through the health service provider’s strategic management. It will also allow healthcare providers to understand how to derive their customers’ expectations for recovery action if they already have experience with data breach recovery strategies. Otherwise, it allows them to identify and derive initial strategies to mitigate a data breach’s consequences. Therefore, this study’s results provide practical applications for health service providers, and the research can be expanded further through future studies on health data breach recovery actions.

Appendix 1

Data collection procedure and sample selection for a practical review of data breach recovery actions in healthcare

The data collected are secondary data related to 72 announcements of data breaches by public U.S. companies. The sample includes only companies listed on public stock exchanges (i.e., NYSE, AMEX, or NASDAQ).

To identify company-specific data breach announcements with defined characteristics, we used the nonprofit online Privacy Rights Clearinghouse database (Gatzlaff & McCullough, 2010; Rosati et al., 2017, 2019), which has been collecting notifications of privacy breaches since 2005.

This analysis uses only data breaches since 2007. This starting point was chosen because the costs of security breaches doubled from 2006 to 2007, i.e., higher relevance can be assumed from 2007 onward (Richardson, 2008). Altogether, 8376 reported data breaches were found in the database between January 2007 and October 2019 (Privacy Rights Clearinghouse, 2019).

Of these reported incidents, 348 data breaches occurred at publicly traded companies, i.e., companies listed on stock exchanges at the time of the incident. Each company also had to be listed during the estimation period, usually in the range of [130, 1] from the date of the event. Also, each security breach was examined to determine whether it violated data confidentiality, so that only incidents comprising an actual data breach were considered (Campbell et al., 2003; Ko et al., 2009).

Altogether, 321 data sets from the 348 breaches remained. For these data breaches, each company’s response on the day of disclosure was researched. For 18 companies, no further information on the data breach announcement could be found (see Fig. 4).

The additional information that needed to be collected on each data breach event included the company’s official announcement or, if not available, news reports on the event that cited the official response, as well as additional information on the breach’s severity.

The companies’ announcements were found by searching each company’s official website for press releases or through the databases of U.S. state attorney general (public prosecutor) offices. In several states, such as New Hampshire and New Jersey, laws (Digital Guardian, 2018) require companies (not only publicly traded ones) to disclose any data breach that involves customer and/or employee information. These announcements, as well as the information made available to those concerned, are publicly available in the relevant state offices’ databases.

If the announcement was found neither on the company’s website nor in a state office database, news reports were used to find the necessary information. These news reports cited the official announcements and were found using the LexisNexis database and information from the Privacy Rights Clearinghouse database.

Whenever the incident report was no longer publicly available online, the Wayback Machine web archive was used. This archive holds snapshots of many web pages as they appeared at earlier points in time; its coverage is not complete, so a notice that was never crawled cannot be recovered this way. If not all required information was included in the announcement, additional news reports were collected (data collection period: 11-01-2019 to 11-25-2019).

Fig. 4 Data collection process: Data Breach Announcements: 8376 → Public Companies: 348 → Final Data Set for Confidentiality Breaches: 321 → Final Data Set for all Industries: 303 → Healthcare Industries: 72


After the data breach announcements for each incident were collected, two independent researchers coded them. The inter-rater reliability of the coding of the categories whitewash and apology, calculated using Cohen’s kappa, was 0.6 (conventionally interpreted as moderate agreement). To make the data set usable for this paper, the sample was restricted to companies in the healthcare industry. In the end, 72 data breaches remained, which were considered for the chapter “Practical Review of Data Breach Recovery Actions in Healthcare.”

Appendix 2

Variance analysis

We conducted a two-way ANOVA for further analysis. The binary variables compensation (Comp) and apology (Apol) are the independent variables. For all latent variables, we calculated the average item measures and used them, as well as the control variables, as dependent measures. With four treatment cells and N = 507, the error term has 507 − 4 = 503 degrees of freedom, hence F(1,503) for every effect. See Table 6.

Table 6 Two-way variance analysis and descriptive statistics on dependent variables (All: N = 507; Control: N = 133; Comp: N = 126; Apol: N = 120; Comp + Apol: N = 128)

| Dependent variable | | All | Control | Comp | Apol | Comp + Apol | ANOVA |
|---|---|---|---|---|---|---|---|
| Expectation compensation | Mean | 4.70 | 4.63 | 4.77 | 4.69 | 4.72 | Comp: F(1,503) = 0.443, n.s. |
| | SD | 1.44 | 1.58 | 1.48 | 1.49 | 1.21 | Apol: F(1,503) = 0.004, n.s. |
| | | | | | | | Comp*Apol: F(1,503) = 0.164, n.s. |
| Expectation apology | Mean | 5.87 | 5.78 | 5.96 | 5.92 | 5.83 | Comp: F(1,503) = 0.139, n.s. |
| | SD | 1.26 | 1.29 | 1.19 | 1.22 | 1.32 | Apol: F(1,503) = 0.001, n.s. |
| | | | | | | | Comp*Apol: F(1,503) = 1.391, n.s. |
| Confirmation | Mean | 3.26 | 2.93 | 3.10 | 3.24 | 3.78 | Comp: F(1,503) = 8.552, p = .004** |
| | SD | 1.45 | 1.36 | 1.52 | 1.42 | 1.39 | Apol: F(1,503) = 14.95, p < .001*** |
| | | | | | | | Comp*Apol: F(1,503) = 2.184, n.s. |
| Satisfaction | Mean | 3.51 | 2.98 | 3.57 | 3.55 | 3.99 | Comp: F(1,503) = 15.89, p < .001*** |
| | SD | 1.53 | 1.39 | 1.63 | 1.43 | 1.51 | Apol: F(1,503) = 14.288, p < .001*** |
| | | | | | | | Comp*Apol: F(1,503) = 0.354, n.s. |
| Word of mouth | Mean | 3.01 | 2.78 | 3.08 | 3.15 | 3.06 | Comp: F(1,503) = 0.480, n.s. |
| | SD | 1.70 | 1.54 | 1.69 | 1.74 | 1.82 | Apol: F(1,503) = 1.418, n.s. |
| | | | | | | | Comp*Apol: F(1,503) = 1.685, n.s. |
| Loyalty | Mean | 3.38 | 3.13 | 3.42 | 3.61 | 3.37 | Comp: F(1,503) = 0.102, n.s. |
| | SD | 1.61 | 1.51 | 1.72 | 1.60 | 1.61 | Apol: F(1,503) = 2.338, n.s. |
| | | | | | | | Comp*Apol: F(1,503) = 3.420, n.s. |
| Trust | Mean | 2.93 | 2.72 | 3.01 | 3.04 | 2.97 | Comp: F(1,503) = 0.630, n.s. |
| | SD | 1.60 | 1.56 | 1.64 | 1.57 | 1.62 | Apol: F(1,503) = 1.034, n.s. |
| | | | | | | | Comp*Apol: F(1,503) = 1.644, n.s. |
| Age | Mean | 30.5 | 31.1 | 29.4 | 31.1 | 30.6 | Comp: F(1,503) = 0.525, n.s. |
| | SD | 9.14 | 9.22 | 7.63 | 9.93 | 9.63 | Apol: F(1,503) = 1.928, n.s. |
| | | | | | | | Comp*Apol: F(1,503) = 0.534, n.s. |
| Sport activity | Mean | 3.15 | 2.85 | 3.25 | 3.33 | 3.18 | Comp: F(1,503) = 0.803, n.s. |
| | SD | 1.62 | 1.64 | 1.47 | 1.76 | 1.59 | Apol: F(1,503) = 2.190, n.s. |
| | | | | | | | Comp*Apol: F(1,503) = 3.711, n.s. |
| Running activity | Mean | 1.43 | 1.26 | 1.49 | 1.52 | 1.46 | Comp: F(1,503) = 0.559, n.s. |
| | SD | 1.40 | 1.14 | 1.29 | 1.31 | 1.42 | Apol: F(1,503) = 0.889, n.s. |
| | | | | | | | Comp*Apol: F(1,503) = 1.349, n.s. |
| Tracker use | Mean | 2.90 | 3.22 | 2.82 | 2.82 | 2.73 | Comp: F(1,503) = 1.276, n.s. |
| | SD | 2.48 | 2.54 | 2.48 | 2.45 | 2.45 | Apol: F(1,503) = 1.315, n.s. |
| | | | | | | | Comp*Apol: F(1,503) = 0.469, n.s. |

SD standard deviation, p p-value; significance levels: *p < 0.05; **p < 0.01; ***p < 0.001; n.s. not significant. Age, sport activity, running activity, and tracker use are the control variables; their non-significant effects indicate that the four treatment groups do not differ on them (randomization check).
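The following script is an added worked example, not code from the paper, that reproduces the mechanics behind Table 6: a two-way ANOVA with the two binary factors Comp and Apol, one F statistic per main effect and one for the interaction, and an error term with N − 4 degrees of freedom (507 − 4 = 503 in the table). The scores in SAMPLE are constructed, not the paper’s data, and the choice to test each term with Type III sums of squares via an effect-coded least-squares fit (which also copes with unequal cell sizes such as 133/126/120/128) is an assumption of this example, not something the paper states. It needs only the standard library.

```python
"""Two-way (2 x 2) between-subjects ANOVA in pure Python.

Added example, not the paper's code. Scores are constructed. Each term is
tested with a Type III sum of squares: residual SS of the model without the
term minus residual SS of the full effect-coded model, on 1 df, divided by
the error mean square on N - 4 df.
"""
from math import exp, lgamma, log

# Constructed 7-point satisfaction scores per treatment cell: (comp, apol) -> scores.
SAMPLE = {
    (0, 0): [2, 3, 4],   # control: no recovery action
    (1, 0): [3, 4, 5],   # compensation only
    (0, 1): [3, 4, 5],   # apology only
    (1, 1): [5, 6, 7],   # compensation + apology
}


def _solve(a, b):
    """Solve the square linear system a x = b by Gauss-Jordan elimination with pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def _sse(xs, ys):
    """Residual sum of squares of the ordinary least-squares fit y ~ xs."""
    k = len(xs[0])
    xtx = [[sum(r[i] * r[j] for r in xs) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * y for r, y in zip(xs, ys)) for i in range(k)]
    beta = _solve(xtx, xty)
    return sum((y - sum(b * v for b, v in zip(beta, r))) ** 2 for r, y in zip(xs, ys))


def _betacf(a, b, x):
    """Continued fraction of the regularized incomplete beta function (modified Lentz)."""
    fpmin, eps = 1e-300, 1e-15
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c, d = 1.0, 1.0 - qab * x / qap
    d = 1.0 / (d if abs(d) >= fpmin else fpmin)
    h = d
    for m in range(1, 300):
        m2 = 2 * m
        aa = m * (b - m) * x / ((qam + m2) * (a + m2))
        d = 1.0 + aa * d
        d = 1.0 / (d if abs(d) >= fpmin else fpmin)
        c = 1.0 + aa / c
        c = c if abs(c) >= fpmin else fpmin
        h *= d * c
        aa = -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))
        d = 1.0 + aa * d
        d = 1.0 / (d if abs(d) >= fpmin else fpmin)
        c = 1.0 + aa / c
        c = c if abs(c) >= fpmin else fpmin
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < eps:
            break
    return h


def f_pvalue(f, d1, d2):
    """Upper-tail probability P(F(d1, d2) > f), i.e. the ANOVA p-value."""
    if f <= 0:
        return 1.0
    x = d2 / (d2 + d1 * f)
    a, b = d2 / 2.0, d1 / 2.0
    front = exp(lgamma(a + b) - lgamma(a) - lgamma(b) + a * log(x) + b * log(1.0 - x))
    if x < (a + 1.0) / (a + b + 2.0):
        return front * _betacf(a, b, x) / a
    return 1.0 - front * _betacf(b, a, 1.0 - x) / b


def two_way_anova(cells):
    """Return {'Comp': (F, p), 'Apol': (F, p), 'Comp*Apol': (F, p), 'df_error': N - 4}."""
    rows, ys = [], []
    for (comp, apol), scores in cells.items():
        c, a = 2 * comp - 1, 2 * apol - 1            # effect coding: -1 / +1
        for y in scores:
            rows.append([1.0, c, a, c * a])          # intercept, Comp, Apol, interaction
            ys.append(float(y))
    df_error = len(ys) - 4
    sse_full = _sse(rows, ys)
    mse = sse_full / df_error
    out = {"df_error": df_error}
    for name, col in (("Comp", 1), ("Apol", 2), ("Comp*Apol", 3)):
        reduced = [[v for i, v in enumerate(r) if i != col] for r in rows]
        ss_term = _sse(reduced, ys) - sse_full       # Type III SS for the term, 1 df
        f = ss_term / mse
        out[name] = (f, f_pvalue(f, 1, df_error))
    return out


if __name__ == "__main__":
    res = two_way_anova(SAMPLE)
    for term in ("Comp", "Apol", "Comp*Apol"):
        f, p = res[term]
        print(f"{term}: F(1,{res['df_error']}) = {f:.3f}, p = {p:.3f}")
```

On the constructed cells above both main effects are significant and the interaction is not, the same pattern Table 6 reports for satisfaction; replacing SAMPLE with the raw per-participant scores of a real study reproduces that table’s F(1,503) values term by term.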


Funding Open Access funding enabled and organized by Projekt DEAL.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

References

Anderson, C. L., & Agarwal, R. (2011). The digitization of healthcare: Boundary risks, emotion, and information. Information Systems Research, 22(3), 469–490.
Anderson, E. W. (1998). Customer satisfaction and word of mouth. Journal of Service Research, 1(1), 5–17.
Anderson, E. W., & Sullivan, M. W. (1993). The antecedents and consequences of customer satisfaction for firms. Marketing Science, 12(2), 125–143. https://doi.org/10.1287/mksc.12.2.125
Angst, C. M., Block, E. S., D’Arcy, J., & Kelley, K. (2017). When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly, 41(3), 893–916. https://doi.org/10.25300/MISQ/2017/41.3.10
Atzmüller, C., & Steiner, P. M. (2010). Experimental vignette studies in survey research. Methodology, 6(3), 128–138. https://doi.org/10.1027/1614-2241/a000014
Bagozzi, R. P., & Yi, Y. (1988). On the evaluation of structural equation models. Journal of the Academy of Marketing Science, 16(1), 74–94. https://doi.org/10.1007/BF02723327
Becker, B. W., Berry, L. L., & Parasuraman, A. (1992). Marketing services: Competing through quality. Journal of Marketing, 56(2), 132. https://doi.org/10.2307/1252050
Behne, A., & Teuteberg, F. (2020). A healthy lifestyle and the adverse impact of its digitalization: The dark side of using eHealth technologies. Proceedings of the Internationale Tagung Wirtschaftsinformatik, Potsdam.
Berezina, K., Cobanoglu, C., Miller, B. L., & Kwansa, F. A. (2012). The impact of information security breach on hotel guest perception of service quality, satisfaction, revisit intentions, and word of mouth. International Journal of Contemporary Hospitality Management, 24(7), 991–1010. https://doi.org/10.1108/09596111211258883
Bhattacherjee, A. (2001). Understanding information systems continuance: An expectation-confirmation model. MIS Quarterly, 25(3), 351–370.
Bhattacherjee, A., & Premkumar, G. (2004). Understanding changes in belief and attitude toward information technology usage. MIS Quarterly, 28(2), 229–254. https://doi.org/10.2307/25148634
Brown, S. A., Venkatesh, V., & Goyal, S. (2012). Expectation confirmation in technology use. Information Systems Research, 23(2), 474–487. https://doi.org/10.1287/isre.1110.0357
Brown, S. A., Venkatesh, V., & Goyal, S. (2014). Expectation confirmation in information systems research: A test of six competing models. MIS Quarterly, 38(3), 729–756.
Campbell, K., Gordon, L. A., Loeb, M. P., & Zhou, L. (2003). The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. Journal of Computer Security, 11(3), 431–448. https://doi.org/10.3233/JCS-2003-11308
Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9(1), 70–104. https://doi.org/10.1080/10864415.2004.11044320
Chang, H. H., Wang, Y.-H., & Yang, W.-Y. (2009). The impact of e-service quality, customer satisfaction and loyalty on e-marketing: Moderating effect of perceived value. Total Quality Management & Business Excellence, 20(4), 423–443. https://doi.org/10.1080/14783360902781923
Choi, J. K., & Ji, Y. G. (2015). Investigating the importance of trust on adopting an autonomous vehicle. International Journal of Human-Computer Interaction, 31(10), 692–702. https://doi.org/10.1080/10447318.2015.1070549
Chuah, S. H. W., Rauschnabel, P. A., Krey, N., Nguyen, B., Ramayah, T., & Lade, S. (2016). Wearable technologies: The role of usefulness and visibility in smartwatch adoption. Computers in Human Behavior, 65, 276–284. https://doi.org/10.1016/j.chb.2016.07.047
Churchill, G. A., & Surprenant, C. (1982). An investigation into the determinants of customer satisfaction. Journal of Marketing Research, 19(4), 491–504. https://doi.org/10.1177/002224378201900410
Coulter, K. S., & Coulter, R. A. (2002). Determinants of trust in a service provider: The moderating role of length of relationship. Journal of Services Marketing, 16(1), 35–50. https://doi.org/10.1108/08876040210419406
Cronin, J. J., Brady, M. K., & Hult, G. T. M. (2000). Assessing the effects of quality, value, and customer satisfaction on consumer behavioral intentions in service environments. Journal of Retailing, 76(2), 193–218. https://doi.org/10.1016/S0022-4359(00)00028-2
Dai, H., Salam, A. F., & King, R. (2008). Service convenience and relational exchange in electronic mediated environment: An empirical investigation. Proceedings of the International Conference on Information Systems (ICIS), Paris.
DaVita Inc. (2013). DaVita—Recommended steps to help protect your identity. Retrieved October 25, 2020, from https://oag.ca.gov/system/files/Samples Notices_0.pdf
DaVita Inc. (2020). Kidney disease and dialysis information—DaVita. Retrieved October 25, 2020, from https://www.davita.com/
Digital Guardian. (2018). The definitive guide to U.S. state data breach laws. Retrieved October 25, 2020, from https://info.digitalguardian.com/rs/768-OQW-145/images/the-definitive-guide-to-us-state-data-breach-laws.pdf
Flavián, C., Guinalíu, M., & Gurrea, R. (2006). The role played by perceived usability, satisfaction, and consumer trust on website loyalty. Information and Management, 43(1), 1–14. https://doi.org/10.1016/j.im.2005.01.002
Fombelle, P. W., Bone, S. A., & Lemon, K. N. (2016). Responding to the 98%: Face-enhancing strategies for dealing with rejected customer ideas. Journal of the Academy of Marketing Science, 44(6), 685–706. https://doi.org/10.1007/s11747-015-0469-y
Fornell, C., & Larcker, D. F. (1981). Evaluating structural equation models with unobservable variables and measurement error: A comment. Journal of Marketing Research, 18(1), 39–50.
Gatzlaff, K. M., & McCullough, K. A. (2010). The effect of data breaches on shareholder wealth. Risk Management and Insurance Review, 13(1), 61–83. https://doi.org/10.1111/j.1540-6296.2010.01178.x
Goel, S., & Shawky, H. A. (2009). Estimating the market impact of security breach announcements on firm values. Information & Management, 46(7), 404–410. https://doi.org/10.1016/j.im.2009.06.005
Goode, S., Hoehle, H., Venkatesh, V., & Brown, S. A. (2017). User compensation as a data breach recovery action: An investigation of the Sony PlayStation Network breach. MIS Quarterly, 41(3), 703–727. https://doi.org/10.25300/MISQ/2017/41.3.03
Greve, M., Lembcke, T.-B., Diederich, S., Brendel, A. B., & Kolbe, L. M. (2020). Healthy by app—Toward a taxonomy of mobile health applications. Proceedings of the Pacific Asia Conference on Information Systems (PACIS), Dubai, UAE.
Grönroos, C. (1988). New competition in the service economy: The five rules of service. International Journal of Operations & Production Management, 8(3), 9–19. https://doi.org/10.1108/eb054821
Gundlach, G. T., & Murphy, P. E. (1993). Ethical and legal foundations of relational marketing exchanges. Journal of Marketing, 57(4), 35. https://doi.org/10.2307/1252217
Gwebu, K. L., Wang, J., & Wang, L. (2018). The role of corporate reputation and crisis response strategies in data breach management. Journal of Management Information Systems, 35(2), 683–714. https://doi.org/10.1080/07421222.2018.1451962
Hair, J. F., Sarstedt, M., Ringle, C. M., & Mena, J. A. (2012). An assessment of the use of partial least squares structural equation modeling in marketing research. Journal of the Academy of Marketing Science, 40(3), 414–433. https://doi.org/10.1007/s11747-011-0261-6
Irving, P. G., & Meyer, J. P. (1994). Reexamination of the met-expectations hypothesis: A longitudinal analysis. Journal of Applied Psychology, 79(6), 937–949. https://doi.org/10.1037/0021-9010.79.6.937
Islam, A. K. M. N., Mäntymäki, M., & Bhattacherjee, A. (2017). Towards a decomposed expectation-confirmation model of IT continuance: The role of usability. Communications of the Association for Information Systems, 40(1), 502–523. https://doi.org/10.17705/1CAIS.04023
Johnston, R. (1995). The zone of tolerance: Exploring the relationship between service transactions and satisfaction with the overall service. International Journal of Service Industry Management, 6(2), 46–61. https://doi.org/10.1108/09564239510084941
Kantsperger, R., & Kunz, W. H. (2010). Consumer trust in service companies: A multiple mediating analysis. Managing Service Quality: An International Journal, 20(1), 4–25. https://doi.org/10.1108/09604521011011603
Kau, A. K., & Loh, E. W. Y. (2006). The effects of service recovery on consumer satisfaction: A comparison between complainants and non-complainants. Journal of Services Marketing, 20(2), 101–111. https://doi.org/10.1108/08876040610657039
Kettinger, W. J., & Lee, C. C. (2005). Zones of tolerance: Alternative scales for measuring information systems service quality. MIS Quarterly, 29(4), 607–623. https://doi.org/10.2307/25148702
Kim, S. H., & Kwon, J. (2019). How do EHRs and a meaningful use initiative affect breaches of patient information? Information Systems Research, 30(4), 1184. https://doi.org/10.1287/isre.2019.0858
Kim, S. S., & Son, J.-Y. (2009). Out of dedication or constraint? A dual model of post-adoption phenomena and its empirical test in the context of online services. MIS Quarterly, 33(1), 49–70.
Klein, J. G. (1999). Developing negatives: Expectancy assimilation and contrast in product judgments. Advances in Consumer Research, 26, 463.
Ko, M., Osei-Bryson, K. M., & Dorantes, C. (2009). Investigating the impact of publicly announced information security breaches on three performance indicators of the breached firms. Information Resources Management Journal, 22(2), 1–21. https://doi.org/10.4018/irmj.2009040101
Kruse, C. S., Frederick, B., Jacobson, T., & Monticone, D. K. (2017). Cybersecurity in healthcare: A systematic review of modern threats and trends. Technology and Health Care, 25(1), 1–10. https://doi.org/10.3233/THC-161263
Kude, T., Hoehle, H., & Sykes, T. A. (2017). Big data breaches and customer compensation strategies: Personality traits and social influence as antecedents of perceived compensation. International Journal of Operations and Production Management, 37(1), 56–74. https://doi.org/10.1108/IJOPM-03-2015-0156
Kwon, J., & Johnson, M. E. (2015). Protecting patient data—The economic perspective of healthcare security. IEEE Security and Privacy, 13(5), 90–95. https://doi.org/10.1109/MSP.2015.113
Larzelere, R. E., & Huston, T. L. (1980). The dyadic trust scale: Toward understanding interpersonal trust in close relationships. Journal of Marriage and the Family, 42(3), 595. https://doi.org/10.2307/351903
Li, M., & Green, R. D. (2011). A mediating influence on customer loyalty: The role of perceived value. Journal of Management and Marketing Research, 1–12. Retrieved August 10, 2020, from http://www.aabri.com/manuscripts/10627.pdf
Liu, J., & Sun, W. (2016). Smart attacks against intelligent wearables in people-centric internet of things. IEEE Communications Magazine, 54(12), 44–49.
Malhotra, A., & Kubowicz Malhotra, C. (2011). Evaluating customer information breaches as service failures: An event study approach. Journal of Service Research, 14(1), 44–59. https://doi.org/10.1177/1094670510383409
Masuch, K., Greve, M., & Trang, S. (2020). Please be silent? Examining the impact of data breach response strategies on the stock value. Proceedings of the International Conference on Information Systems (ICIS), Hyderabad, India (pp. 1–16).
Masuch, K., Greve, M., & Trang, S. (2021). Apologize or justify? Examining the impact of data breach response actions on stock value of affected companies. Computers & Security, 112, 102502. https://doi.org/10.1016/j.cose.2021.102502
Mattila, A. S., & Cranage, D. (2005). The impact of choice on fairness in the context of service recovery. Journal of Services Marketing, 19(5), 271–279. https://doi.org/10.1108/08876040510609899
McColl-Kennedy, J. R., & Sparks, B. A. (2003). Application of fairness theory to service failures and service recovery. Journal of Service Research, 5(3), 251–266. https://doi.org/10.1177/1094670502238918
McLeod, A., & Dolezel, D. (2018). Understanding healthcare data breaches: Crafting security profiles. 24th Americas Conference on Information Systems (AMCIS), New Orleans.
Medtronic. (2018). Security breach notification. Retrieved August 10, 2020, from https://www.doj.nh.gov/consumer/security-breaches/documents/medtronic-minimed-20181126.pdf
Morse, E. A., Raval, V., & Wingender, J. R. (2011). Market price effects of data security breaches. Information Security Journal, 20(6), 263–273. https://doi.org/10.1080/19393555.2011.611860
Mousavizadeh, M., Kim, D. J., & Chen, R. (2016). Effects of assurance mechanisms and consumer concerns on online purchase decisions: An empirical study. Decision Support Systems, 92, 79–90. https://doi.org/10.1016/j.dss.2016.09.011
Oliver, R. L. (1977). Effect of expectation and disconfirmation on postexposure product evaluations: An alternative interpretation. Journal of Applied Psychology, 62(4), 480–486.
Oliver, R. L. (1980). A cognitive model of the antecedents and consequences of satisfaction decisions. Journal of Marketing Research, 17(4), 460–469.
Oliver, R. L., & Burke, R. R. (1999). Expectation processes in satisfaction formation. Journal of Service Research, 1(3), 196–214.
Patterson, P. G., Cowley, E., & Prasongsukarn, K. (2006). Service fail-
Rosati, P., Deeney, P., Cummins, M., van der Werff, L., & Lynn, T. (2019). Social media and stock price reaction to data breach announcements: Evidence from U.S. listed companies. Research
ure recovery: The moderating impact of individual-level cultural in International Business and Finance, 47, 458–469. https://​doi.​
value orientation on perceptions of justice. International Journal org/​10.​1016/j.​ribaf.​2018.​09.​007
of Research in Marketing, 23(3), 263–277. https://​doi.​org/​10.​ Sherif, M., & Sherif, C. (1965). Attitudes as the individual’s own cat-
1016/j.​ijres​mar.​2006.​02.​004 egories: The social-judgment approach to attitude and attitude
Patterson, P. G., Johnson, L. W., & Spreng, R. A. (1996). Modeling change. In C. Sherif & M. Sherif (Eds.), Attitude, ego-involve-
the determinants of customer satisfaction for business-to-business ment, and change (pp. 105–139). Wiley Publishing
professional services. Journal of the Academy of Marketing Sci- Sherr, I., & Wingfield, N. (2011). Play by play: Sony’s struggles on
ence, 25(1), 4–17. https://​doi.​org/​10.​1177/​00920​70397​251002 breach. Wall Street Journal. https://​www.​wsj.​com/​artic​les/​SB100​
Piccoli, G., Rodriguez, J., Palese, B., & Bartosiak, M. (2018). The dark 01424​05274​87048​10504​57630​73227​59299​038. Last access on
side of digital transformation: The case of information systems August 10, 2020
education. Proceedings of the International Conference on Infor- Staples, D. S., Wong, I., & Seddon, P. B. (2002). Having expectations
mation Systems (ICIS), Louisiana of information systems benefits that match received benefits: Does
Piwek, L., Ellis, D. A., Andrews, S., & Joinson, A. (2016). The rise of it really matter? Information and Management. https://d​ oi.o​ rg/1​ 0.​
consumer health wearables: Promises and barriers. PLoS Medi- 1016/​S0378-​7206(01)​00138-0
cine, 13(2), e1001953. Szajna, B., & Scamell, R. W. (1993). The effects of information sys-
Podsakoff, P. M., & Organ, D. W. (1986). Self-reports in organizational tem user expectations on their performance and perceptions. MIS
research: Problems and prospects. Journal of Management, 12(4), Quarterly: Management Information Systems, 17(4), 493–516.
531. https://​doi.​org/​10.​1177/​01492​06386​01200​408 https://​doi.​org/​10.​2307/​249589
Ponemon Institute LLC. (2013). 2013 cost of data breach study: Global Trenz, M., Veit, D. J., & Tan, C.-W. (2020). Disentangling the impact
analysis. Retrieved November 30, 2020, from https://w ​ ww.p​ onem​ of omnichannel integration services on consumer behavior in inte-
on.​org/​local/​upload/​file/​2013R​eport​GLOBA​LCODB​FINAL5-​2.​ grated sales channels. MIS Quarterly. https://​doi.​org/​10.​25300/​
pdf MISQ/​2020/​14121
Ponemon Institute LLC. (2018). 2018 cost of data breach study: Impact UnitedHealthcare. (2007). Security breach information. Retrieved
of business continuity management. Retrieved November 30, November 30, 2020, from https://w ​ ww.d​ oj.n​ h.g​ ov/c​ onsum
​ er/s​ ecur​
2020, from https://​www.​ibm.​com/​downl​oads/​cas/​AEJYB​PWA ity-​breac​hes/​docum​ents/​united-​healt​hcare-​20070​625.​pdf
Privacy Rights Clearinghouse. (2019). Privacy rights clearinghouse. Valvi, A. C., & West, D. C. (2013). E-loyalty is not all about trust,
Retrieved September 30, 2020, from https://​priva​cyrig​hts.​org/​ price also matters: Extending expectation-confirmation theory in
data-​breac​hes bookselling websites. Journal of Electronic Commerce Research,
Quest Diagnostics. (2015). Security breach information. Retrieved 14(1), 99–123.
November 30, 2020, from https://​oag.​ca.​gov/​system/​files/​Quest Venkatesh, V., & Goyal, S. (2010). Expectation disconfirmation and
attachment to CA online submission_0.pdf? technology adoption: Polynomial modeling and response surface
Richardson, R. (2008). CSI computer crime and security survey. Com- analysis. MIS Quarterly, 34(2), 281–303.
puter security institute. Retrieved October 25, 2020, from http://​ Wanous, J. P., Poland, T. D., Premack, S. L., & Davis, K. S. (1992).
www.​sis.​pitt.​edu/​jjoshi/​cours​es/​IS2150/​Fall10/​CSIsu​r vey2​008.​ The effects of met expectations on newcomer attitudes and behav-
pdf iors: A review and meta-analysis. Journal of Applied Psychology,
Richins, M. L. (1983). Negative word-consumers: Pilot study. Journal 77(3), 288–297. https://​doi.​org/​10.​1037/​0021-​9010.​77.3.​288
of Consumer Research, 47(1), 68–78.
Romanosky, S., Hoffman, D., & Acquisti, A. (2014). Empirical analy- Publisher’s note Springer Nature remains neutral with regard to
sis of data breach litigation. Journal of Empirical Legal Studies, jurisdictional claims in published maps and institutional affiliations.
11(1), 74–104. https://​doi.​org/​10.​1111/​jels.​12035
Rosati, P., Cummins, M., Deeney, P., Gogolin, F., van der Werff, L., &
Lynn, T. (2017). The effect of data breach announcements beyond
the stock price: Empirical evidence on market activity. Interna-
tional Review of Financial Analysis, 49, 146–154. https://​doi.​org/​
10.​1016/j.​irfa.​2017.​01.​001

13

You might also like