The Economic Impact of Privacy Violations and Security Breaches

Privacy and security incidents represent a serious threat for a company’s business success. While previous research in this area mainly investigated second-order effects (e.g., capital market reactions to privacy or security incidents), this study focuses on first-order effects, that is, the direct consumer reaction. In a laboratory experiment, the authors distinguish between the impact of privacy violations and security breaches on the subjects’ trust and behavior. They provide evidence for the so-called “privacy paradox” which describes that people’s intentions, with regard to privacy, differ from their actual behavior. While privacy is of prime importance for building trust, the actual behavior is affected less and customers value security higher when it comes to actual decision making. According to the results, consumers’ privacy related intention-behavior gap persists after the privacy breach occurred

Perceived patient control over personal health information in the presence of context-specific concerns

Information privacy issues have plagued the world of electronic media since its inception. This research focused mainly on factors that increase or decrease perceived patient control over personal health information (CTL) in the presence of context-specific concerns. Control agency theory was used for the paper\u27s theoretical contributions. Personal and proxy control agencies acted as the independent variables, and context-specific concerns for information privacy (CFIP) were used as the moderator between proxy control agency, healthcare provider, and CTL. Demographic data and three control variables— the desire for information control, privacy experience, and trust propensity—were also included in the model to gauge the contribution to CTL from external factors. Only personal control agency and desire for information control were found to impact CT

Understanding the Whistle-blowing Intention to Report Breach of Confidentiality

We examine the factors that encourage employees to whistle-blow wrongdoings in relation to confidentiality breaches. We investigate how their anticipated regret about remaining silent changes over time, how such changes influence their whistle-blowing intentions, and what employee characteristics and organizational policies moderate this relationship. Drawing on attribution theory, we develop three hypotheses. Our experiment findings show that: 1) employees’ perceptions of the controllability and intentionality (but not stability) of the wrongdoing act affect how their anticipated regret evolves, 2) anticipated regret increases employees’ whistle-blowing intentions, 3) anticipated regret has a stronger effect on whistle-blowing intentions when organizations implement policies that promote efforts to protect information confidentiality, and 4) employees with information technology knowledge have a stronger intention to whistle-blow. Theoretically, our study extends the organization security literature’s focus to individuals’ whistle-blowing and highlights an IS research agenda around whistle-blowing in relation to confidentiality breaches. Practically, it informs organizations about how to encourage employees to whistle-blow when they observe confidentiality breaches

Privacy, Mass Intrusion and the Modern Data Breach

Massive data breaches have practically become a daily occurrence. These breaches reveal intrusive private information about individuals, as well as priceless corporate secrets. Ashley Madison’s breach ruined lives and resulted in suicides. The HSBC breach, accomplished by one of their own, revealed valuable commercial information about the bank and personal information about HSBC customers. The employee responsible for the breach has since been convicted of aggravated personal espionage, while third-party news outlets have been free to republish the hacked information. Some information disclosed in data breaches can serve a public purpose. The Snowden disclosures, for example, revealed sensitive government information and were also crucial to public policy debate, a significant amount of disclosed information is destructive to individuals and companies alike, and often has little, if any, public value. The conflict between publicly important disclosures and disturbing private intrusions creates a direct confrontation between freedom of expression and privacy. A full analysis of this confrontation requires assessment of the specific circumstances of breach—from the vulnerabilities present beforehand to the aftermath when the media, companies, and individuals all must cope with the information exposed. This analysis begins by evaluating the importance of information in modern society. Big data is now an inescapable part of our culture. A data breach may contain intimate details about medical conditions or national security secrets. The disclosure of either has its own kind of devastating effect. Examples of the impact of a mass data breach include the hacking of Target Corporation, Yahoo! Inc., Home Depot, Inc., Sony Corporation, Anthem Inc., HSBC Private Bank (Suisse), SA, and AshleyMadison.com. A dissection of these breaches reveals a common theme—the ineffectual legal system, which provides little protection or remedy for any party involved. Several factors—including the anonymity of hackers, outdated legal remedies, and free speech protections for third-party publishers—together create an uncertain and uncharted legal landscape. After evaluating the available statutory and common law remedies, this Article posits that reinvigorated private causes of action can be a starting point for developing stronger legal remedies for those damaged in a breach. The right facts and legal arguments can create new remedies out of existing legal doctrines. Further, public values on protecting privacy are in flux. More protective policies in the European Union demonstrate that privacy and free expression can coexist. Some EU policies may provide examples of legislative options. Corporate entities and individuals are at risk and are suffering real harm in a world with daily data breaches and ineffective laws. The need for new perspectives is urgent

Disclosure of Personal Information under Risk of Privacy Shocks - 2nd ed

Breaches of the security of personal data collected by firms are reported almost daily. Companies are under an increasing political pressure to notify individuals whose privacy as been breached. At the moment, we know virtually nothing about the behavioral impact of data breach notifications. We present the results of an experimental study designed to investigate how breach notifications change the individual’s propensity to provide sensitive personal information to firms. In contrast to the theory (where breach notifications have no behavioral effect), our main result shows that notifications induce a sub-group of individuals to disclose less information to a firm, i.e. those with personally sensitive information

The Value of Social Media for Predicting Stock Returns - Preconditions, Instruments and Performance Analysis

The cumulative dissertation of Michael Nofer examines whether Social Media platforms can be used to predict stock returns. Market-relevant information is available on various platforms on the Internet, which consist largely of user generated content. For instance, emotions can be extracted in order to identify the investors' risk appetite and in turn the willingness to invest in stocks. Discussion forums also provide an opportunity to extract opinions on certain stocks. Taking Social Media platforms as examples, the dissertation examines the forecasting quality of user generated content on the Internet

A Dearth of Remedies

Federal privacy statutes purport to solidify norms for the privacy of our personal information, whether financial, medical, or other. They impose burdens on those who have control over such information. However, they often fail to offer real remedies when those burdens are not met. As a consequence, individuals may falsely perceive that the disclosure of their private data will be punished, while the regulated receive comfort that they can breach privacy with impunity. This trend of toothlessness in federal privacy law began with the Fair Credit Reporting Act, which allows some, but not complete, private remedies, and has continued through the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the Fair and Accurate Credit Transactions Act. Most recently, the trend appears in congressional bills offered to protect the security of personal information, bills that prohibit private remedies and preempt such remedies that otherwise exist in state laws. However, given the importance of privacy norms and the tradition of rights and remedies for privacy at the state level, states should seek to push their capacities to use laws, whether common or enacted, to protect their citizens to the very limits they can. Enforcement of social privacy norms, as embodied in laws state or federal, is necessary to protect personality and dignity. States can resume their traditional roles as protectors of their citizens by responding to increased threats to privacy through adapting common law torts or by enacting legislation; where these instruments provide enforcement through private causes of action, those protected by the instruments can vindicate their rights. More importantly, such remedies can deter violations to begin with, the ultimate aim of any privacy provision

From Social Data Mining to Forecasting Socio-Economic Crisis

Socio-economic data mining has a great potential in terms of gaining a better understanding of problems that our economy and society are facing, such as financial instability, shortages of resources, or conflicts. Without large-scale data mining, progress in these areas seems hard or impossible. Therefore, a suitable, distributed data mining infrastructure and research centers should be built in Europe. It also appears appropriate to build a network of Crisis Observatories. They can be imagined as laboratories devoted to the gathering and processing of enormous volumes of data on both natural systems such as the Earth and its ecosystem, as well as on human techno-socio-economic systems, so as to gain early warnings of impending events. Reality mining provides the chance to adapt more quickly and more accurately to changing situations. Further opportunities arise by individually customized services, which however should be provided in a privacy-respecting way. This requires the development of novel ICT (such as a self- organizing Web), but most likely new legal regulations and suitable institutions as well. As long as such regulations are lacking on a world-wide scale, it is in the public interest that scientists explore what can be done with the huge data available. Big data do have the potential to change or even threaten democratic societies. The same applies to sudden and large-scale failures of ICT systems. Therefore, dealing with data must be done with a large degree of responsibility and care. Self-interests of individuals, companies or institutions have limits, where the public interest is affected, and public interest is not a sufficient justification to violate human rights of individuals. Privacy is a high good, as confidentiality is, and damaging it would have serious side effects for society.Comment: 65 pages, 1 figure, Visioneer White Paper, see http://www.visioneer.ethz.c