Wednesday, May 22, 2019

Information Privacy Security: TJX Data Breach Crisis and Lessons

Introduction

Protecting the privacy of consumer personal information continues to pose significant challenges for organisations. The complexity is aggravated by the exposure consumers face when they are unable to control the use of the personal information they share with business organisations. Given the importance of information privacy, there has been a host of privacy research focusing on organisational decisions regarding the use and reuse of consumer personal information (Schwartz, 2009; Greenaway and Chan, 2005). Culnan et al. (2008) observe that the emerging decentralisation of the technology environment has posed an additional privacy challenge: data breaches. Currently, it is only the United States that requires organisations to give formal notice in the event of a data breach (Morley, 2014). The European Union and its member countries are yet to establish any legal requirement for organisations to notify consumers of a data breach, thereby leaving such contingencies to the prudence of the organisation concerned. Without notification laws, data breaches remain private and under the discretion of the affected organisation. Therefore, this paper focuses on one of the most prominent data security breaches that the world has ever witnessed, the TJX data privacy breach crisis, in the context of ethical principles and theories and of legal, professional and social issues.

The Information Privacy Concept

According to Xu et al. (2008), the concept of information privacy is multidimensional in nature and is largely dependent on context as well as personal experiences. Although some see information privacy as full of definitional ambiguity (Schwartz, 2009), others have defined consumer personal information as being made up of the data generated when consumers conduct transactions. The problems of privacy often emerge from how this consumer information is stored, analysed, used, or shared (FTC, 2008).

Information on how to address problems related to privacy management is limited due to minimal research in the area, particularly on issues dealing with management responsibilities towards social issues. For example, there is limited research on how organisations should deal with consumers' personally identifiable information, the role of managers in protecting consumer data, and the moral duty of all parties involved in handling or accessing consumer data.

Overview of the TJX Data Breach

TJX is a US-based off-price retailer operating over 2,400 stores in various countries and regions including the US, Puerto Rico, Canada, and Europe. Across its network of stores, the retailer collects and stores customer information generated by purchases made via payment cards and personal cheques, and by the processing of merchandise returned without a receipt. This violated the legal requirement that prohibits any business from retaining sensitive consumer card information, including the data held on the magnetic stripes of credit cards (Smedinghoff and Hamady, 2008). In addition, the breach exposed TJX's failure to observe basic ethical and professional principles. The revelation emerged in 2007, when TJX issued a press release stating that criminals had intruded into its data systems and stolen the card information of over 45 million consumers within a period of 18 months (FTC, 2008). Although TJX filed a Form 8-K disclosure statement with the Securities and Exchange Commission as required by law, the company was widely held to be at fault for the breach.

The company was accused of breaching the law by storing unencrypted sensitive consumer information, by failing to limit unauthorised access to its massive data store via its wireless network, and by its inability to establish adequate security measures within its networks, among other issues (FTC, 2008).

The Legal and Social Issues in the TJX Data Breach

The current global data protection guideline is based on the Fair Information Practices (FIPs), which deal with individual rights and organisational responsibilities with regard to the management of consumer data (Morley, 2014). In other words, how responsibly the data is used is a pointer to social expectations with regard to consumer data use. FIPs attempt to strike a certain level of fit between competing business and individual interests in terms of the legitimate use of personal information, which serves as the foundation for privacy laws and industry-specific regulatory programmes. In this respect, FIPs lay the foundation for organisations on how to be socially responsible in dealing with privacy issues. On the other hand, the adoption of these guidelines lays the foundation for evaluation by external audiences of an organisation's degree of responsiveness (Allen, 2011). There is a general consensus that responsible data management practice is paramount in every organisation (Morley, 2014). However, there is no consensus about how the implementation of individual principles should be carried out. Schwartz (2009, p. 1) observes that in most parts of the world, fair information practices are implemented through omnibus laws. Curiously, the United States has no comprehensive laws that compel organisations to observe fair information practice, but has instead developed sectoral laws and regulations for consumer privacy protection, with laws being enacted in response to issues arising from specific industries.

The challenge that comes with this approach is uneven practice in terms of operations and implementation. Moreover, the TJX issue exposed some glaring weaknesses in the implementation of FIP laws and regulations based on the principles of notice, choice, access, security, and sanctions for non-compliance (Culnan et al., 2008). The effectiveness of data privacy management for organisations that collect, store, and use consumer personal data is curtailed by other issues, including unclear law or policy, varied jurisdictions, and differences in data type. The challenge may be further aggravated by conflicting regional or state laws (Allen, 2011). The breaches in the TJX case involved unauthorised access to consumer personal information, which resulted in a variety of risks to that information. Nevertheless, there is general agreement within statutory laws and regulations that every organisation should ensure a duty of care with regard to the information it collects and stores, based on consumers' vulnerability and the actual possibility of harm (Allen, 2011). Allen (2011) observes that although organisations that comply with government regulations are considered legitimate and are readily accepted by their external environment, including partners, this milestone is not easily achievable given the above challenges. For example, the term "reasonable procedure" as stated in most sectoral data protection regulations does not specify what is actually reasonable, which may vary depending on the nature and size of the organisation, the types of information it captures and stores, the security equipment and tools in the organisation's possession, and the nature of the risk at play. There has been criticism of the prevailing laws and regulations because they are seen as reactive and already outdated at the time they are enacted (Morley, 2014).

The other complaint is that most privacy violations are only detected after the damage is done, thus doing little to reverse the loss suffered by the affected consumers.

The Moral Issues and Responsibilities

Information ethics is concerned with the collection, use, and management of information (Morley, 2014). As technology becomes increasingly complex, it is evident that ethical problems related to these developments continue to increase. However, the normative theories (stockholder, stakeholder, and social contract) used to address the prevailing challenges remain less developed, with many institutions relying only on the bare minimum legal requirements in relation to consumer data protection (Culnan et al., 2008). Morley (2014) observes that these theories are distinct and incompatible with regard to the obligations of a business person. Taking into consideration the large social and financial impact of the privacy breach observed in the TJX case, there are mainly two aspects of moral issues that are central to data privacy: vulnerability and harm avoidance. The concept of vulnerability highlights most of society's moral intuitions, with the inherent scenario in which one party is at a disadvantage with regard to the other in terms of data collection and use. This situation emerged because one party lacked the capacity to control the information given to the other party. Solove (2007) observed that the root cause of large privacy invasions is embedded in the lack of information control by the giver. In the case of TJX, consumers suffered outright vulnerability, although they expected TJX to protect their card information with a proper mechanism in place. On the other hand, avoiding harm involves the need for managers to avoid using consumer data to harm the vulnerable consumer socially and financially.

Many have argued that it is the responsibility of managers to take a minimum moral stance to ensure no harm is done in the treatment of consumer information (Culnan et al., 2008).

Conclusion

Information privacy is an important issue in the modern business environment. In order to protect consumer information, managers must learn to strike a balance between consumer privacy and business interests by constantly adhering to the principle of protecting the vulnerable consumer and not causing them harm through their personal information. It is important to note that TJX caused harm when its consumers' personal data were stolen by a third-party intruder. Although TJX violated industry rules, it is more significant to highlight that the company's failure to observe its moral responsibility in the protection of consumer data should be viewed as more detrimental to the company. Businesses are expected to follow basic ethical principles in managing their activities. While we can argue that the TJX data breach saga received attention because of the United States' comprehensive formal notice requirements within its laws on privacy data management, it is also apparent that personal data protection goes beyond laws and regulations and requires ethical foundations within organisations. The need to integrate ethical reasoning into the privacy programmes of every organisation is paramount (Xu et al., 2008). We can argue that integrating moral responsibility within organisations will not only establish ethical standards for them, but is increasingly becoming a necessity considering the challenges surrounding the implementation of legal requirements. Furthermore, considering that consumers are vulnerable and are unable to control how businesses use their personal information, it is the moral responsibility of every organisation to go beyond bare minimum legal compliance. That is, each organisation needs to take reasonable precautions when handling consumer data and ensure no harm is caused with this kind of data.

References

Allen, A. (2011). Unpopular Privacy: What Must We Hide? Oxford: Oxford University Press.

Culnan, M. J., Foxman, E. R., and Ray, A. W. (2008). Why IT Executives Should Help Employees Secure Their Home Computers. MIS Quarterly Executive (7:1), March, pp. 49-55.

Federal Trade Commission (FTC). (2008). Press Release: Agency Announces Settlement of Separate Actions Against Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers' Data, March 27 (available at http://www.ftc.gov/opa/2008/03/datasec.shtm; accessed November 29, 2014).

Greenaway, K. E., and Chan, Y. E. (2005). Theoretical Explanations of Firms' Information Privacy Behaviors. Journal of the Association for Information Systems (6:6), pp. 171-198.

Morley, D. (2014). Understanding Computers in a Changing Society. Chicago: Cengage Learning.

Schwartz, M. (2009). Europe Debates Mandatory Data Breach Notifications. The Privacy Advisor (9:2), p. 1.

Smedinghoff, T. J., and Hamady, L. E. (2008). New State Regulations Signal Significant Expansion of Corporate Data Security Obligations. BNA Privacy and Security Law Report (7), October 20, p. 1518.

Solove, D. (2007). The New Vulnerability: Data Security and Personal Information, in Securing Privacy in the Internet Age, A. Chander, L. Gelman, and M. J. Radin (eds.), Palo Alto, CA: Stanford University Press, pp. 111-136.

Xu, H., Dinev, T., Smith, H. J., and Hart, P. (2008). Examining the Formation of Individuals' Privacy Concerns: Toward an Integrative View, in Proceedings of the 29th International Conference on Information Systems, Paris (available at http://aisel.aisnet.org/icis2008/6; accessed October 29, 2014).
