Organizational Ethics in Dealing with Data Breaches within Credit Card Companies
Introduction
It is important to understand the concept of ethics before we discuss the dilemma in organizations that cause ethical issues. The American Heritage Dictionary defines the term “ethics” as the study of the nature of morals and the choices that can be made by people in their relationship with others. Although Bradshaw et al. (2007) contend that the concept and definition of ethics are often vague because of the term's many nuances, most definitions revolve around the determination of right and wrong, good and bad, and just and unjust human behavior.
This determination of right and wrong is spread between many different decision situations and includes not only determination of personal behavior but also standards of behavior and judgment of the behavior of others (Herschel et al. 1997).
The ethical dilemma of data breaches within credit card companies is an issue that I have come across. I experienced a data breach because of which thousands of dollars were credited to my account; however, I felt exposed to an ethical dilemma because of someone else's negligence with my personal information.
Discussion
Negligence requires duty, breach (of the duty), causation, and damages. A data breach without damages also matters for the customer; therefore, the company needs to understand that a breach of data is a serious crime. However, there is a fundamental flaw in thinking that data breaches do not matter and do not need to be disclosed unless you can demonstrate damages or risk of damages. Consumers cannot make informed decisions about whom to trust with their business and their personal information if they are kept in the dark about security failures.
For instance, suppose that on Tuesday the credit card company discovers a data breach: a company laptop containing customers' names and contact details was stolen from an employee's car, where it had been left overnight. Because there were no credit card data on the laptop, the company would probably not be required to notify consumers of the breach under proposed federal data breach notification laws (although they would be required to under some states' laws that would get preempted by the federal law) (Bradshaw et al. 2007).
Some might argue that if notifying the consumers does not really help them as there is nothing they need to do or can do, we should not require notification. However, that neglects to give due weight to the fact that the customer who is notified might decide not to trust that business again and that by failing to require notification, we will have deprived the consumer of information that they may need and/or want. Additionally, we cannot assume that because the breach is over and done with and there has been no immediate evidence of misuse of data, the same company won't have the same security failure again next month ...