CSR and the Corporate Cyborg: Ethical Corporate Information Security Practices
Relying heavily on Thomas Dunfee’s work, this article conducts an in-depth analysis of the relationship between law and business ethics in the context of corporate information security. It debunks the two dominant arguments against corporate investment in information security and explains why socially responsible corporate conduct necessitates strong information security practices. This article argues that companies have ethical obligations to improve information security arising out of a duty to avoid knowingly causing harm to others and, potentially, a duty to exercise unique capabilities for the greater social good and to buttress stable functioning of social institutions.
Keywords: corporate governance, corporate social responsibility, information security, identity theft, nondisclosure
The author thanks the Zicklin Center for Business Ethics Research for the continued support of her research.