Journal of Business Ethics, Volume 88, Supplement 4, pp 579–594

CSR and the Corporate Cyborg: Ethical Corporate Information Security Practices

  • Andrea M. Matwyshyn


Relying heavily on Thomas Dunfee’s work, this article conducts an in-depth analysis of the relationship between law and business ethics in the context of corporate information security. It debunks the two dominant arguments against corporate investment in information security and explains why socially responsible corporate conduct necessitates strong information security practices. This article argues that companies have ethical obligations to improve information security arising out of a duty to avoid knowingly causing harm to others and, potentially, a duty to exercise unique capabilities for the greater social good and to buttress stable functioning of social institutions.


corporate governance, corporate social responsibility, information security, identity theft, nondisclosure





The author thanks the Zicklin Center for Business Ethics Research for the continued support of her research.



Copyright information

© Springer Science+Business Media B.V. 2010

Authors and Affiliations

  1. Department of Legal Studies and Business Ethics, The Wharton School, Philadelphia, U.S.A.
