As companies like Equifax, Target, The Home Depot, eBay and Sony can attest, a successful public apology after a data breach involves more than a hasty “sorry.”

In graduate school, Joshua Bentley began studying the effectiveness of corporate apologies. Now an assistant professor of strategic communication in the Bob Schieffer College of Communication, Bentley has identified four tactics companies can use to make their apologies resonate with consumers after large-scale hacking.

TCU Strategic Communication assistant professor Joshua Bentley said crises like data breaches can destroy relationships within a company. Photo by Robert W. Hart

“What is particularly interesting about the data breach situation is that it’s more ambiguous about who is to blame,” Bentley said. “The highest responsibility resides with the hackers; these companies didn’t want the breach.”

Nonetheless, consumers find fault with corporations that failed to secure their sensitive information. Bentley’s research indicates that corporations can exercise considerable sway over consumer sentiment, depending on their apologies.

“The theory that dominates the work of public relations researchers and people who study crisis communication is that different types of situations call for different responses,” Bentley said. “You can’t type up a one-size-fits-all apology.”

What sets Bentley’s work apart is his ongoing interest in assessing consumer perspectives.

“The traditional approach by most scholars focuses more on organizations, but what we want to know is what a company can include in a public apology that makes a difference in the eyes of stakeholders,” said Lindsay Ma, assistant professor of strategic communication and Bentley’s colleague and collaborator.

Ma and Bentley presented the research paper “Testing Perceptions of Organizational Apologies After a Data Breach Crisis” at the annual conference of the Association for Education in Journalism and Mass Communication in August 2017.

“We have seen that companies can almost make the situation worse if they don’t do the apology right,” Ma said.

Bentley, who assessed responses from experimental design studies involving more than 1,600 participants, said, “If managed improperly, crises like data breaches can destroy the relationship between an organization and the stakeholders upon whom it depends for survival. But it is also remarkable how often apologies succeed.”

Lindsay Ma, assistant professor of strategic communication, said companies can make the situation worse if they don’t do the apology right. Photo by Mark Graham

Bentley and Ma identified four elements critical to the success of an apology: expression of remorse, acknowledgment of responsibility, promises of forbearance (i.e., delineating steps a company can take such as hiring new security experts to make sure the problem doesn’t happen again) and offers of reparations.

“Reparations or some kind of compensation might not repair the damage, but it invests in the relationship,” Bentley said. “A company could go as far as offering free monitoring of credit for a year or sending a customer a gift card to shop at their store. Either way, it makes people feel a lot better about the company.”

What often backfires are apologies laced with jargon or too obviously vetted by a team of legal experts. “There’s a certain art to expressing genuine regret for what you did, and that can be even trickier in the murky waters of a data breach, where the company is only partially at fault,” Bentley said. “But an apology is uniquely powerful in showing that you care about other people, and when done right, the public is usually willing to let the matter drop.”