An investigation of the impact of data breach severity on the readability of mandatory data breach notification letters: evidence from U.S. firms

The aim of this paper is to investigate the impact of data breach severity on the readability of mandatory data breach notification letters. Using a content analysis approach to determine data breach severity attributes (measured by the total number of breached records, type of data accessed, the source of the data breach and how the data was used), in conjunction with readability measures (reading complexity, numerical intensity, length of letter, word size and unique words), 512 data breach incidents from 281 U.S. firms across the 2012 – 2015 period are examined. The results indicate that data breach severity has a positive impact on reading complexity, length of letter, word size and unique words, and a negative impact on numerical terms. Interpreting the results collectively through the lens of impression management, it can be inferred that business managers may be attempting to obfuscate bad news associated with high data breach severity incidents by manipulating syntactical features of the data breach notification letters in a way which makes the message difficult for individuals to comprehend. The paper contributes to the information studies and impression management behavior literatures, by analyzing linguistic cues in notifications following a data breach incident.