A major issue in the digital age is how to safeguard the security of the massive amount of data being stored, processed and transferred through digital channels. Organisational communication research into data security shows that people are the weakest link. Non-compliant behaviour can lead to security breaches. Existing studies have focused above all on how employees can be motivated to comply with data security procedures. However, focusing on desirable behaviour does not explain why people often ignore security regulations. In addition, existing research tends to focus primarily on self-reported attitudes and perceptions, which can give a distorted impression of people’s actual behaviour. In this paper, we address these issues by combining individual, habitual and situational factors to explain non-compliant behaviour in a vignette study, using SmartPLS to analyse survey data from 651 subjects in a large Dutch government organisation. The results indicate that bad habits play a significant role in non-compliant behaviour. This behaviour is fuelled by situational factors like time pressure, while a lack of self-efficacy also increases non-compliant behaviour. Based on these results, a communication strategy that addresses bad habits in a situational context may provide an alternative way to improve people’s compliant behaviour.