John D’Arcy, an associate professor of accounting and management information systems at the University of Delaware, delivered his presentation “Data Breach: Failures and Follow-ups” Monday afternoon in the Mendoza College of Business. The lecture was the first event of Mendoza’s annual Ethics Week and focused on data breaches.
“We hear about these [data breaches] all the time, and there’s even a term that’s come up recently, ‘data breach fatigue’ – it comes up so often, it’s not even a big deal anymore,” D’Arcy said. “Every week, we hear about another organization that’s high profile that’s been attacked.”
According to D’Arcy, a data breach is an incident in which “sensitive, protected or confidential data” is accessed by a party without authorization. This data includes personal health information, personal identifiable information, trade secrets, intellectual property and personal financial data, D’Arcy said. There is also a movement to expanding the definition to include emails, passwords and information specific to healthcare.
Healthcare is an industry that’s especially vulnerable to cybercriminals, D’Arcy said.
“Getting this information can be used to make fake insurance accounts — there’s a lot of money to be made,” he said. “Everything is being digitized in the health industry, and it’s a gold mine. In general, they’ve been a little lax in terms of security compared to other industries.”
D’Arcy explained the idea of a “compliance mindset,” which infers that the minimum required by law is enough protection.
“There’s plenty of laws in the book that require both notification and adequate level of security, but we’re still seeing more and more breaches,” he said. “The question is, is the law enough? Just to comply with legal requirements, is that enough? The obvious answer is no — companies have an ethical obligation to go beyond the requirements and to really protect its information.”
Contributing to this “compliance mindset" is the lack of incentive for companies to “step up” their precautions against data breaches.
“There’s concern for your personal information, but in terms of hardcore impact, it’s not really affecting companies negatively, from a shareholder’s perspective,” D’Arcy said. “They have litigation costs and all these other costs, but in terms of satisfying their shareholders, they’re not taking much of a hit. There’s not a hard case from a business standpoint to go above and beyond.”
D’Arcy presented case studies for four major data breaches: ChoicePoint, Inc. and TJX Companies in 2005, Target in 2013 and eBay in 2014.
Email addresses, encrypted passwords, birth dates and mailing addresses were accessed from eBay in 2014, and the company was very slow to react, taking weeks to notify customers who may have been affected, D’Arcy said.
“Their argument was since it wasn’t credit card data or drivers licenses, they didn’t need to notify customers right away,” D’Arcy said. “Also, because the passwords were in an encrypted format, their argument was that it wasn’t sensitive.”
D’Arcy said information security and ethics are complicated and past incidents should be viewed as learning opportunities instead of complete failures.
“It’s easy to look at these cases and be all high and mighty, but the reality is, ethics is difficult, and they’re dealing with pressures and other factors,” he said. “We can certainly learn lessons from these cases moving forward and begin to apply that ethical lens and acting on our ethical obligations.”
