An Ethical Analysis of the Customer Data Breach in Target Corporation

Target Corporation, which is one of the leading retail companies the United States, was founded in 1902. The first target store was opened in 1962. Through the 52 years rapid development, Target stores are now located in over 1,924 places. About 90% of the stores are located within the United States, the other 10% stores are in Canada, Australia, and other countries (Target, 2014). All the Target stores are selling products at discount, from clothes to shoes, toys to electronics, home furniture to cosmetics etc., almost cover everything in people’s daily life. Target’s biggest competitors are Walmart and Kmart. However, the competitive advantage of Target is that Target provides not only low price, but also upscale and fashionable products, which is also coincided with the slogan: Expect More, Pay Less. 2012 Target Annual Report shows that Target annual sales is $71,960 million U.S. dollars, and net earnings $2,999 million U.S. dollars (Target, 2014). With the business expansion, more and more loyal customers applied for Target’s REDcard. This debit/credit card gives loyal customers further benefits, including 5% extra discount and everyday free shipping.

Details of the Scandal
In the late of 2013, we start hearing the scandal that our customers’ personal information is leaking. The customer private information including customer’s name, phone number, home address, and even credit card information. Our customers entered their private information when purchasing our products online at target.com, and registering for our loyal reward card REDcard. According to the latest customer survey in United States, there are around 189.4 million digital shoppers in 2013 and will be expected 210.2 million digital shoppers in 2017 (Statista, 2014). From the feedback in stores, about 20% customers use REDcard to pay for their purchase (Target, 2014).

Therefore, the scandal would directly affect a very large number of our customers. Besides our customers, the scandal will also negatively influence on other related parties, such as shareholders, suppliers, prospective investors, etc. This scandal is also destroying our reputation. Furthermore, in legal circumstance, after the first breach notification law passed and took effect in California in 2003, other states also followed up and set up laws to prevent data breach (Culnan & Williams, 2009). If we treat the scandal inappropriately, we may face legal liability as well. Since we have not announce any confirmation about the scandal, we need to analyze the issue and come up with feasible action plans as soon as possible to prevent further worse-off.

Relevant Stakeholders
According to Freeman (2001) stakeholder theory, the wide-definition of stakeholder is any individual or group “who can affect or is affected by the corporation”. In this scandal, I listed all the stakeholders groups which will affect our corporation or get affected by the scandal. Management: Management team is appointed by board of directors and make decisions in operations. Shareholders: Shareholders are the owner of the company. They invested money in the business and expected some kind of financial return from the business in some way. We basically pay quarterly dividends to the shareholders. The profitability of our company affects the ability to pay dividends, and other kinds of return to shareholders. The shareholder who has the voting rights will vote for the board of directors. Customers: Customers exchange their money with our products. This exchange results is the main source of business income. They trust our business, so they are willing to give us their private information when purchasing products. In this scandal, the most influenced group is our customers.

Some of them may have suspicious credit expenses. The customers whose information leaked would be anxious about suffering financial losses or other loss. The uninvolved current customer would worry their information safety in Target. Furthermore, our prospective customer may avoid their first purchase in our stores. Suppliers: To be a successful retailing business, suppliers are vital to our company. The well-established and well-retained relationships will help us continue getting good quality goods in low price. We need our suppliers have confidence on our business. Employees: Employees who work in our business is the main supporting productive forces. Their productivity is also affected by their confidence on the company. If they have “bad faith”, it may lead “mock participation” to poor productive behaviors (Freeman, 2001).

Retail industry: Target is one of the largest retail companies in America. As a leader in the industry, if the scandal were been proved to be true, it may destroy stakeholders’ faith in the industry. They may question on smaller retail companies who may not have sufficient fund investing in the cybersecurity system. Local government and legal organization: The scandal may lead concern from local government. They may put pressure on us to research on the scandal as soon as possible in order to avoid panic market. We may be penalized by the related legal organization if it is our fault. On the other hand, we do need these sectors support us in forensic investigation. Reporters and Media: Reporters’ opinions are very important to us. Their views will be spread through all kinds of media, especially websites and social media like wildfire. We want to make sure they state the truth instead of spreading rumors.

Identified Ethical Issues and Support Theories
The major ethical dilemma in this event is: Should Target take action on the data breaching scandal? To analyze this complex issue, we need start looking at different ethical theories in order to get a clear answer. I will examine the scandal from Kant’s perspective and Utilitarianism perspective.

Kant’s Deontology:
In Kant’s perspective, the moral individual or group should follow the rules. Any actions break the law would treated as immoral (Charles, 2009). Furthermore, Kantian non-consequential philosophy is focused on the intention of actions, instead of consequence. If the intention of an action is morally and legally good, then the action is moral. In Kant’s further study, he brought up the theory of categorical imperative, which guide us evaluate any actions is right or wrong in three maxims.

The first maxim is whether the action has universality. If it is universally right and good, the action can be treated as moral (Murphy, 2013). More specifically, if everyone else in the society would agree to do the same behavior as you do, then your behavior is right within the society circumstances. In our situation, all the customers and other stakeholders would believe that the Target Corporation have the responsible for the data breach, because customer put their personal information into our system with their trust on us. If we don’t take any further procedure, it violate the first maxim.

The second maxim is that any individual or group never use others as means to the individual or group’s end (Murphy, 2013). In other words, do not lie! For business circumstances, organizations and employers should not use others making profit without paying reasonable return to them. Target’s loyal customers put good faith and make purchase in Target, it is morally unacceptable for us to make any deception or coercion to them. Moreover, the mission of the United States Federal Trade Commission (FTC) also states to prevent deceptive or unfair to customers (2014). Therefore, any deception or coercion is not only moral matters, also could be legal liability.

The final maxim suggests that a moral person will be both “subject and sovereign” in the ideal moral society (Bowie, 2002). Bowie (2002) also indicates that any business groups are composed by people, like employees and customers, they are our responsibility to show respect on and should be treated with dignity. This is also connected with the first and the second maxim. In order to respect our stakeholders, we should not lie to them and hide inside information.

Utilitarianism Perspective:
The utilitarianism perspective is consequential idea that focus on consequence instead of intention of the action. It main goal is to bring the great happiness for the greatest number of people. If any decisions are able to bring the great number of benefit to the great number of people, then it is morally right decision. The utilitarian views of Bentham agreed on that the end justifies the means by government and laws. Anyone breaks the law should be punished by other people.

Bentham Hedonistic Calculus:
I brought Bentham’s Hedonistic Calculus (Murphy, 2013) and applied this method in the case. By this way, we are able to have more clear view of our decision making in mathematics. Morality of our decision is based on the impact of it. Hedonistic Calculus gives impacts a positive or negative value. When the positive consequences is greater than the negative consequences, the decision can be treated as moral. Since our decision would affect numbers of groups, we would use the full seven factors to analyze the situation. Firstly, the intensity of the decision of taking action on the scandal is high. It will bring more pleasure result from stakeholders since we take our responsibility and try to solve the problem. Secondly, if we don’t take any action on the scandal, it will have growing publicity by the media. The duration would be unexpected long to wait the scandal fizzle out by itself.

Thirdly, if we take actions on the scandal, our stakeholder will get accurate information directly from our company instead of hearing from others’ mouth. The action definitely will provide advantage for us to stop the scandal quickly. Fourthly, as soon as we take actions on the scandal, we will benefit from the actions. Under current semi-efficient market, all the public available information will be transmitted as wildfire. Therefore, the benefit of action taking would come very soon from public. Fifthly, this pleasure action have great chance to be followed by pleasure at the end. Sixthly, the chance of this pleasure action followed by disadvantage is low. Finally, all our stakeholder and the public will be affected by the action. Overall, from Bentham Hedonistic Calculus, the number of positive consequences is much higher than the negative impacts. Therefore, we should take actions right away on the scandal.

Feasible Action Plan
As we are now fully aware of the scandal of Target customers’ date breach. The main reason of the data breaching is inadequate cybersecurity implementation and internal control. Due to the broad influence on our stakeholders and public, it is likely that we need act sooner and try to prevent it in the future.

Forensic investigation and audit: Hire third party companies to do the investigations in our company. We need cybersecurity company help us investigate whether the customers’ data has leaked. We would also like hire professional accounting firm to audit on the company with internal and external control (Culnan & Williams, 2009). Release information updates to the public: During the process of forensic investigation, we would update the latest investigation information and our follow up actions to the public. Let our stakeholders have the first hand information. Internal weekly meeting: As Board of Directors, we need set up weekly meeting to redesign or reschedule our action plan according to the updated investigation and stakeholder feedback. Inform each customer: Email our customer with updated research result. Provide designated hotline for customers who have any questions or concerns.

Prepare lawsuits against the slanderer or leaker: In the process of investigation, if it is proved that there is no customer information leak, we should prepare the lawsuit charge against the original slanderer who damaged our reputation. If there is customer information breech, we need to report it to public prosecutors for criminal charges, and we also need to press civil charges for damages. Security breach response plan: According to this experience, develop security breach response plan, in order to react quickly when the incident happen again.

Internal control: According to the United States Privacy Rights Clearinghouse (2013), it stated that organization must have installed appropriate internal and external control over the customers’ private data, which means that only specifically authorized staff can have the access to the data, and they must have segregation duties on access and supervision. We should review our current internal control procedures, and make any necessary adjustments along the review. Government: Work with government to set up laws, regulations or amendment to prevent data breach happen again. Cybersecurity system and data backup: Upgrade corporation’s cybersecurity system and backup all the data, avoid secondary data leaking.

Conclusion
Aligned with both of the Kant and Utilitarianism perspective, Target Corporation should take actions on the scandal and be ethically responsible for any coming results. As a leader in retailing industry, we need take the above feasible actions to rebuild our stakeholders’ faith in our company. It is also a precious opportunity for us to get deeper understanding on how important the cybersecurity system is. After this event, the newly upgraded system will prevent information leaking in the maximum extent. It is also an
alert to other business organizations to protect their customers private information instead of treat them as means.

References
Bowie, N.E. (2002). A Kantian approach to business ethics. Ethical issues in business: A philosophical approach (7th ed.). New Jersey: Prentice Hall.

Charles, J.M. (2009). Health ethics. Illinois, Champagne: Stripes Publishing LLC.

Culnan, M.J. & Williams, C.C. (2009). How ethics can enhance organizational privacy: Lessons from the ChoicePoint and TJX data breaches. MIS Quarterly, 33 (4), pages 673-687.

Murphy, D.J. (Ed.). (2013). The theoretical foundations of ethics, law, & civil society: A primer. Toronto: 11th Dimensions Press

Federal Trade Commission. (2014). Retrieved from https://www.ftc.gov

Freeman, R. E. (2001). A stakeholder theory of the modern corporation. Perspectives in Business Ethics Sie, 3, 144.

Privacy Rights Clearinghouse (2014). Retrieved from https://www.privacyrights.org/checklist-responsible-information-handling-practices

Statista: The Statistics Portal. (2014). Number of digital shoppers in the United States from 2010 to 2017. Retrieved from http://www.statista.com/statistics/183755/number-of-us-internet-shoppers-since-2009/

Target Corporation. (2014). Retrieved from https://corporate.target.com