Data breach notifications are a fairly new genre of business correspondence, brought about by the ease of collecting--and stealing--digital information. In 2009 alone, the Data Loss Database collected reports of 480 separate incidents, affecting over 220 million records. Data breach notifications alert users that sensitive personal information has been accessed or stolen, often putting users at a higher-than-normal risk of identity theft. To date, 45 states mandate that companies notify the public when information security has been breached. As security expert Bruce Schneier explains, "It's common politeness that when you lose something of someone else's, you tell him." Like product recalls, data breach notifications must accomplish four goals: comply with notification laws, repair the company's image, rebuild customers' trust, and mitigate civil liability. Yet while legislation mandates that consumers must be contacted, the laws generally cannot help writers figure out what to say or how to say it.
On the other hand, business communication textbooks have a tradition of instructing students in a formula for writing negative (AKA bad or sensitive) news messages using an indirect pattern: open with a buffer that establishes the context of the message; present details, circumstances, or an explanation; tactfully deliver the bad news; and end with an expression of goodwill. Negative news messages are often included in sections about correspondence or "routine messages," yet data breaches are anything but routine. Data breaches can be a public relations nightmare that threatens a company's reputation and credibility with existing and potential customers.
This presentation will report on a study analyzing a collection of data breach notification messages to consider ways in which business communication practice and pedagogy inform the construction of effective data breach notifications.