Information Privacy Security: TJX Data Breach Crisis and Lessons
Protecting the privacy of consumers' personal information continues to pose significant challenges for organisations. The problem is compounded by the vulnerability of consumers, who are unable to control how the personal information they share with businesses is used. Given the importance of information privacy, a substantial body of privacy research has examined organisational decisions about the use and reuse of consumer personal information (Schwartz, 2009; Greenaway and Chan, 2005).
Culnan et al. (2008) observe that the increasingly decentralised technology environment has added a further privacy challenge: data breaches.
According to Morley (2014), the United States was, at the time of writing, the only jurisdiction requiring organisations to give formal notice in the event of a data breach; the European Union and its member states had yet to establish a general legal requirement to notify consumers. Without notification laws, a breach remains private and disclosure is left to the discretion of the affected organisation's management. This paper therefore focuses on one of the most prominent data security breaches the world has witnessed, the TJX data privacy breach, in the context of ethical principles and theories and of the legal, professional and social issues it raises.
The Information Privacy Concept
According to Xu et al. (2008), information privacy is multidimensional and depends heavily on context and on personal experience. Some regard the concept as riddled with definitional ambiguity (Schwartz, 2009); others define consumer personal information more concretely as the data generated when consumers conduct transactions. Privacy problems typically arise from how this information is stored, analysed, used or shared (FTC, 2008). Guidance on how to address privacy management problems is limited because research in the area is scarce, particularly on management's responsibilities for social issues. For example, there is little research on how organisations should handle consumers' personally identifiable information, on the role of managers in protecting consumer data, and on the moral duty of every party that handles or accesses such data.
Overview of TJX Data Breach
TJX is a US-based off-price retailer that, at the time of the breach, operated over 2,400 stores in the United States, Puerto Rico, Canada and Europe. Across this network the retailer collected and stored customer information used to authorise purchases by payment card and personal cheque and to process merchandise returned without a receipt. Crucially, TJX retained sensitive card data, including the full contents of the magnetic stripe, after the transactions had been authorised. This contravened the requirement that prohibits a business from retaining such data (Smedinghoff and Hamady, 2008), and the subsequent breach exposed TJX's failure to observe basic ethical and professional principles.
The breach came to light in 2007, when TJX issued a press release stating that intruders had gained access to its systems and, over a period of about 18 months, stolen the card details of more than 45 million consumers (FTC, 2008). Although TJX filed the Form 8-K disclosure with the Securities and Exchange Commission as the law requires, the company was widely held to be at fault. The FTC's complaint alleged, among other things, that TJX had stored sensitive consumer information unencrypted, had failed to prevent unauthorised access to that data through its wireless network, and had not put adequate security measures in place within its networks (FTC, 2008).
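The failing described above, retaining full magnetic-stripe data after authorisation, is easy to state and easy to check for. The following Python is an added illustration, not code from TJX or from any source cited on this page: it contrasts a record that keeps raw Track 2 data with one that keeps only a truncated card number and a keyed token (enough to match a receipt-less return without holding the card number itself), and it includes a detective check that scans a stored record for a full card number or track data. The sample Track 2 string, the card number (a made-up number that merely passes the Luhn check) and the signing key are all constructed for the example.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample Track 2 data in ISO/IEC 7813 layout: start sentinel ';',
# PAN, field separator '=', expiry YYMM, service code, discretionary data,
# end sentinel '?'. The PAN is a made-up number that passes the Luhn check;
# it is not a real card number.
SAMPLE_TRACK2 = ";4539578763621486=27051011234567890?"

# Hypothetical per-merchant key for return matching. In a real deployment the
# key would live in an HSM or key-management service, never in source code.
RETURN_TOKEN_KEY = b"example-key-do-not-use"

TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\??"
)
# A bare run of 13 to 19 digits is a candidate card number; Luhn confirms it.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check digit test over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a Track 2 string into its fields, rejecting malformed input."""
    m = TRACK2_RE.search(track)
    if not m or not luhn_valid(m["pan"]):
        raise ValueError("not a valid Track 2 string")
    return m.groupdict()


def insecure_record(track: str) -> dict:
    """The pattern the FTC complaint faulted: raw card data kept after authorisation."""
    fields = parse_track2(track)
    return {"pan": fields["pan"], "expiry": fields["exp"], "track2": track}


def safe_record(track: str) -> dict:
    """Keep only what a return or chargeback lookup needs.

    The PAN is truncated to first six and last four digits, the track data
    (service code, discretionary data) is discarded, and a keyed HMAC of the
    PAN serves as a matching token. The token is base32-encoded so it cannot
    itself be mistaken for a run of card-number digits.
    """
    fields = parse_track2(track)
    pan = fields["pan"]
    digest = hmac.new(RETURN_TOKEN_KEY, pan.encode(), hashlib.sha256).digest()
    token = base64.b32encode(digest).decode().rstrip("=")
    return {
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "expiry": fields["exp"],
        "return_token": token,
    }


def retains_sensitive_data(record: dict) -> list:
    """Detective control: name the fields of a stored record that hold a
    full card number or Track 2 data. Run over a data store, this finds the
    retention the text describes."""
    hits = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        if TRACK2_RE.search(value):
            hits.append(key)
            continue
        if any(luhn_valid(c) for c in PAN_RE.findall(value)):
            hits.append(key)
    return hits


if __name__ == "__main__":
    print("insecure fields:", retains_sensitive_data(insecure_record(SAMPLE_TRACK2)))
    print("safe fields:", retains_sensitive_data(safe_record(SAMPLE_TRACK2)))
```

The token is keyed rather than a plain hash because card numbers have low entropy (a known issuer prefix plus a check digit), so an unkeyed SHA-256 of a PAN could be reversed by enumeration; with the key held outside the database, a dump of the return tokens does not yield card numbers.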
The Legal and Social Issues in the TJX Data Breach
Current data protection guidance worldwide is based on the Fair Information Practices (FIPs), which set out individual rights and organisational responsibilities in the management of consumer data (Morley, 2014). How responsibly an organisation uses data is thus a measure of how well it meets society's expectations for consumer data use. The FIPs attempt to balance the competing interests of businesses and individuals in the legitimate use of personal information, and they serve as the foundation for privacy laws and industry-specific regulatory programmes. In this respect the FIPs show organisations how to deal with privacy issues in a socially responsible way; at the same time, adopting them gives external audiences a basis for judging how responsive an organisation is (Allen, 2011).
There is general consensus that responsible data management is paramount in every organisation (Morley, 2014). There is no consensus, however, on how the individual principles should be implemented. Schwartz (2009, p. 1) observes that in most parts of the world "fair information practices are implemented through omnibus laws." Curiously, the United States has no comprehensive law compelling organisations to observe fair information practices; it has instead developed sectoral laws and regulations for consumer privacy protection, enacted in response to problems arising in specific industries. The drawback of this approach is uneven practice in operation and implementation. The TJX case exposed glaring weaknesses in the implementation of FIP-based laws and regulations built on the principles of notice, choice, access, security, and sanctions for non-compliance (Culnan et al., 2008).
The effectiveness of data privacy management in organisations that collect, store and use consumer personal data is curtailed by further issues, including unclear law or policy, multiple jurisdictions, and differences between data types. The challenge may be aggravated by conflicting regional or state laws (Allen, 2011). The TJX breach involved unauthorised access to consumer personal information, which exposed consumers to a range of risks. Nevertheless, statutory laws and regulations broadly agree that every organisation owes a duty of care over the information it collects and stores, proportionate to the consumer's vulnerability and the realistic possibility of harm (Allen, 2011).
Allen (2011) observes that although organisations that comply with government regulation are regarded as legitimate and readily accepted by their external environment, including partners, this status is not easily achieved given the challenges above. For example, the term 'reasonable procedure' found in most sectoral data protection regulations does not specify what is actually 'reasonable', which may vary with the nature and size of the organisation, the types of information it captures and stores, the security tools at its disposal, and the nature of the risk involved.
The prevailing laws and regulations have been criticised as reactive and already outdated by the time they are enacted (Morley, 2014). A further complaint is that most privacy violations are detected only after the damage is done, so the law does little to reverse the loss suffered by affected consumers.
The Moral Issues and Responsibilities
Information ethics concerns the collection, use and management of information (Morley, 2014). As technology grows more complex, the ethical problems it raises evidently multiply. The normative theories (stockholder, stakeholder and social contract) used to address these challenges remain underdeveloped, however, and many institutions rely on the bare legal minimum for consumer data protection (Culnan et al., 2008). Morley (2014) observes that these theories are distinct and mutually incompatible with regard to the obligations of a business person. Given the large social and financial impact of a privacy breach, as the TJX case shows, two moral issues are central to data privacy: vulnerability and harm avoidance.
The concept of vulnerability underlies many of society's moral intuitions; it captures the situation in which one party is at a disadvantage to another in the collection and use of data. The disadvantage arises because the party giving the information lacks the capacity to control what the receiving party does with it. Solove (2007) observed that the root cause of large-scale privacy invasions lies in this lack of control by the giver. In the TJX case consumers were plainly vulnerable: they expected TJX to protect their card information with proper mechanisms, yet had no control over whether it did.
Avoiding harm, on the other hand, requires managers to refrain from using consumer data in ways that harm the vulnerable consumer socially or financially. Many have argued that managers are responsible for adopting, at a minimum, a moral stance that ensures no harm is done in the treatment of consumer information (Culnan et al., 2008).
Information privacy is an important issue in the modern business environment. To protect consumer information, managers must strike a balance between consumer privacy and business interests by consistently adhering to the principle of protecting vulnerable consumers and not harming them through their personal information. Consumers were harmed when their personal data were stolen from TJX by an intruder, harm that adequate safeguards should have prevented. Although TJX violated industry rules, the company's failure to meet its moral responsibility to protect consumer data should be seen as the more serious failing. Businesses are expected to follow basic ethical principles in managing their activities.
While the TJX breach arguably received attention only because of the United States' formal notice requirements for privacy data management, it is also apparent that personal data protection goes beyond laws and regulations and requires an ethical foundation within the organisation. Integrating ethical reasoning into every organisation's privacy programme is paramount (Xu et al., 2008). Building moral responsibility into organisations not only establishes ethical standards but is increasingly a necessity, given the difficulties of implementing legal requirements. Furthermore, since consumers are vulnerable and cannot control how businesses use their personal information, every organisation has a moral responsibility to go beyond bare minimum legal compliance: to take reasonable precautions when handling consumer data and to ensure that no harm is caused with it.
References
Allen, A. (2011). Unpopular Privacy: What Must We Hide. Oxford: Oxford University Press.
Culnan, M. J., Foxman, E. R., and Ray, A. W. (2008). "Why IT Executives Should Help Employees Secure Their Home Computers," MIS Quarterly Executive (7:1), March, pp. 49-55.
Federal Trade Commission (FTC). (2008). "Press Release: Agency Announces Settlement of Separate Actions Against Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers' Data," March 27 (available at http://www.ftc.gov/opa/2008/03/datasec.shtm; accessed November 29, 2014).
Greenaway, K. E., and Chan, Y. E. (2005). "Theoretical Explanations of Firms' Information Privacy Behaviors," Journal of the Association for Information Systems (6:6), pp. 171-198.
Morley, D. (2014). Understanding Computers in a Changing Society. Chicago: Cengage Learning.
Schwartz, M. (2009). "Europe Debates Mandatory Data Breach Notifications," The Privacy Advisor (9:2), p. 1.
Smedinghoff, T. J., and Hamady, L. E. (2008). "New State Regulations Signal Significant Expansion of Corporate Data Security Obligations," BNA Privacy and Security Law Report (7), October 20, p. 1518.
Solove, D. (2007). "The New Vulnerability: Data Security and Personal Information," in Securing Privacy in the Internet Age, A. Chander, L. Gelman, and M. J. Radin (eds.), Palo Alto, CA: Stanford University Press, pp. 111-136.
Xu, H., Dinev, T., Smith, H. J., and Hart, P. (2008). "Examining the Formation of Individual's Privacy Concerns: Toward an Integrative View," in Proceedings of the 29th International Conference on Information Systems, Paris (available at http://aisel.aisnet.org/icis2008/6; accessed October 29, 2014).