After over thirty data breaches spanning the third and fourth quarter of 2012, Forbes magazine labeled the summer of 2012 as “The Summer of the Data Breach.” Four years later, businesses across multiple industries have suffered brand-image damage and paid millions of dollars in remedial expenses; we are living in the era of the mega breach. In 2014, companies such as Target, Home Depot, JP Morgan Chase, Anthem, Sony, UPS, Jimmy John’s, Kmart, Neiman Marcus, Community Health Systems, and the White House suffered data breaches. The Home Depot breach alone resulted in the loss of “56 million credit card accounts,” “53 million email addresses,” and an estimated 63 million dollars in damage. In addition to the economic fallout associated with data breaches, the 2015 Ashley Madison data breach highlighted the personal toll faced by consumers when their “private” information becomes “public.” That data breach exposed the identities of millions of would-be philanderers, shaming not only the subscribers to Ashley Madison’s service, but also innocent bystanders such as their family members. The frequency of data breaches has shown no signs of abating in 2016—in the first quarter, multiple hospitals fell victim to “ransomware,” a data breach that allows hackers to literally hold patient data hostage.7 Several hospitals had to pay hackers to regain access to their patients’ data.

“Decentralized technology” creates a different set of problems than the simple misuse of a single individual’s “technological profile” and information. Today, unauthorized access to electronic information, a result of what Burnham in 1983 referred to as “transactional information,” includes “hackers breaking into systems or networks, third parties accessing personal information on lost laptops or other mobile devices, or organizations failing to dispose of personal information securely.” Data breaches exemplify the first type of unauthorized access and despite their frequent occurrence, they are little examined from an ethical standpoint. Though Google Scholar lists over 82,000 entries under “ethics of a data breach,” very few combine both terms in the title. One article that does so notes a “dearth of prior organizational-level privacy research, which has largely overlooked ethical issues or the personal harms often caused by privacy violations.” Even within the field of technology, “there has not been a huge literature on ethics within the mainstream of information systems journals.” Part of the problem is the novelty of data breach cases. They are so new and different that they appear to be technologically, morally, and legally unlike other problems. We suggest that analogies and analyses exist which can help resolve some of these moral and legal puzzles.

Last Page