Abstract
Relying heavily on Thomas Dunfee’s work, this article conducts an in-depth analysis of the relationship between law and business ethics in the context of corporate information security. It debunks the two dominant arguments against corporate investment in information security and explains why socially responsible corporate conduct necessitates strong information security practices. This article argues that companies have ethical obligations to improve information security arising out of a duty to avoid knowingly causing harm to others and, potentially, a duty to exercise unique capabilities for the greater social good and to buttress stable functioning of social institutions.
Acknowledgment
The author thanks the Zicklin Center for Business Ethics Research for the continued support of her research.
Cite this article
Matwyshyn, A.M. CSR and the Corporate Cyborg: Ethical Corporate Information Security Practices. J Bus Ethics 88 (Suppl 4), 579–594 (2009). https://doi.org/10.1007/s10551-009-0312-9