There has been a series of high-profile data breaches in the last few years, including Home Depot, Target, and T-Mobile (Bennett 2015). A hack of Rochester-based insurance provider Excellus BlueCross BlueShield compromised the records of over ten million customers, including medical and credit card data. Although the hack happened at least two years prior, customers were not notified until September of 2015 (Orr 2015). In an effort to prevent data breaches, the FTC will require transparency from companies that collect user information under DATA.
According to the Data Accountability and Trust Act, information brokers are required to “submit their security policies to the FTC in conjunction with a notification of a security breach notification or upon the FTC's request.” Not only are companies required to submit their policies for review, but DATA “authorizes the FTC to conduct information security practices audits of brokers who have had a security breach or require such brokers to conduct independent audits.” There are several reasons why the FTC would determine that a company’s security policy requires an audit. Privacy consultant Jay Kline conducted a
For example, the FTC, in conjunction with the US Department of Health and Human Services, investigated Rite Aid and CVS, arguing that they put their customers’ health and financial information at risk. As part of the settlement, Rite Aid will be subject to an FTC audit every two years for the next twenty years. The FTC can also choose to audit a company for not providing accurate and comprehensive privacy policies. In 2012, it alleged that Facebook’s privacy policies were confusing to users because they changed so frequently. As in the case of Rite Aid, Facebook will be subject to audits every other year for the next twenty years (Kline
During the last Christmas season, Target announced that its data security had been breached. According to David Lazarus in the Los Angeles Times, Target stated that roughly 110 million customers’ information was illegally taken from its database. The information included their credit/debit card info, phone numbers, and email addresses. Target is one of the most popular grocery stores in the U.S.; it has a substantial number of consumers. Because of this incident, consumers' trust in the store has been decreasing. Worried about losing its customers, the company offered a free year of credit monitoring and identity-theft protection so that customers would feel more secure. Target is not alone; other large retailers have faced the same issues. They want their customers to trust that the companies can protect private data. However, should we not worry? Data breaches have been going on for about a decade, but we have not seriously thought about the issue. In order to protect people’s privacy, the federal government should make new laws concerning companies’ handling of customer information.
Companies have an obligation to protect their customers’ information, which goes beyond that of complying with state and federal regulations. If a company loses the trust of its customers, it risks the chance of damaging
The FTC first became involved with consumer privacy issues in 1995, when it promoted industry self-regulation. After determining that self-regulation was not effective, the FTC began taking legal action under Section 5 of the FTC Act. Section 5 limits practices considered to be unfair to instances where, among other things, (1) the practice causes or is likely to cause substantial injury to consumers; (2) the substantial injury is not reasonably avoidable by consumers; and (3) the substantial injury is not outweighed by countervailing benefits to consumers or to competition. Since 2002, the FTC has brought over 50 cases against companies that have engaged in unfair or deceptive practices that put consumers’ personal data at unreasonable risk. Most of these cases resulted in settlements and did not provide judicial decisions addressing the FTC’s authority to regulate the data security practices of companies which have suffered a data breach.
Anthem is a medical insurance provider that currently serves over 74 million people. On December 10, 2014, Anthem fell victim to a data breach that resulted in over 37 million personal records being hacked from its servers. Fortunately, the attack was contained to only one day, but it was still enough to become one of the largest data breaches in corporate history. Shockingly, the hack wasn’t actually discovered until January 27, 2015. The discovery came when a data administrator noticed a query that had been started using his own credentials (Ragan). Just over a week later, on February 4th, Anthem announced to the public that there had been a massive data breach. The breach was so severe that even Anthem’s own CEO, Joseph Swedish, said that his personal information, along with that of several other Anthem associates, was taken during the breach.
Security breaches of EMRs vary from someone viewing the patient’s information without consent to a hacker using the information to steal one’s identity. According to Privacy Rights Clearinghouse, more than 260 million data breaches have occurred in the United States, including those of health-related records. Approximately 12 percent of data breaches involve medical organizations (Gellman, 2012). According to Redspin, a provider of Health Insurance Portability and Accountability Act risk analysis and IT security assessment services, more than 6 million individuals’ health records were compromised during a period from August 2009 to December 2010 (Author Unknown, 2010). A provision of the Health Information Technology for Economic and Clinical Health (HITECH) Act requires all breaches affecting 500 or more people to be reported to the Department of Health and Human Services. This reporting is to be accomplished within 60 days of discovery. The Redspin report covering the period above involved 225 breaches of protected health information. The number of people with access to an individual’s health record creates concern with confidentiality. According to the Los Angeles
The health insurance company Premera Blue Cross was hacked back in March, when 11 million people had their accounts leaked and taken. Six of the eleven million who had their information stolen were employees and customers of major technology companies like Amazon and Microsoft. Some of them even work for Starbucks; all of these people lived in Washington. The other five million were scattered across the United States, but the majority were from Washington. As far as we know, the leaked client information hasn’t been used for anything.
According to the Federal Trade Commission (FTC), advertising must be truthful and non-deceptive, advertisers must have evidence to back up their claims, and advertisements cannot be unfair. According to advertising law, an advertisement is considered deceptive if it contains a statement or omits information that is likely to mislead consumers acting reasonably under the circumstances and is material; that is, important to a consumer's decision to buy or use the product. Essentially, the law states that your advertising cannot be misleading. You have to tell the truth, or clearly label your ads so that no reasonable person could mistake your intent. Advertisers [and their advertising agencies] need to have a reasonable basis for advertising claims before they are published. According to the FTC, an
In January 2007, according to the CPA Journal article “Analyzing the TJ Maxx Data Security Fiasco,” a press release announced that the computer systems of TJX Companies, Inc., the parent company of retail stores like TJ Maxx, Marshalls, HomeGoods, and A.J. Wright, had been breached and that customers’ information had been stolen (Berg, G. 2008, August). This data breach became the largest one of its kind because, during the investigation, it was reported that approximately 94 million Visa and MasterCard accounts had been compromised (Berg, G. 2008, August).
Consumers see a data breach as a violation of their social contract with a company that has a negative effect on the client-customer relationship (Janakiraman, Lin, & Rishika, 2018). In response to the 2017 data breach, the New York State Department of Financial Services now has Equifax under regulatory jurisdiction, requiring the company to notify consumers and law enforcement immediately when a breach occurs (Primoff & Kess, 2017). In the future, the company must have adequate network segmentation in place on their computer systems, a sufficient employee crisis management plan organized, secure incident recovery procedures situated, and consumer assistance policies structured to recover after an attack, as the company failed to warn the public about the 2017 data breach in a reasonable time frame (Franke-Ruta,
A data breach occurs when sensitive, confidential, or protected information has been stolen, viewed, or used by someone unauthorized to do so. The Henry Ford Health System in Detroit, Michigan has had many data breaches. An unattended laptop that had over four thousand patients’ information on it was stolen from a physician’s office. The chief privacy officer of The Henry Ford Health System, Meredith Phillips, went over all of the security of patients’ and the company’s information.
During the past two years, the health information privacy of nearly 18 million Americans has been breached electronically. The numbers back it up.
3. Earlier this year Snapchat had a security breach. The cyber attacker pretended to be the chief executive, Evan Spiegel, and sent out a phishing email asking a current employee for payroll information. Unfortunately, the employee fell for the scam. Over 700 former and current employees had personal information, including social security numbers and wage data, compromised in the attack. Premier Healthcare also suffered a data security breach this year when a laptop was stolen from their billing department at their headquarters. The laptop contained sensitive data pertaining to over 200,000 patients. While most patients had their basic information compromised, around 1769 people may have had their social security numbers and financial information taken
The nation’s second-biggest health insurance company has experienced a major security breach in which hackers have stolen people's Social Security numbers, names, birthdays, medical IDs, and more sensitive personal information in a massive data breach. The breach affects an estimated 80 million customers and employees. At this time, Anthem does not believe the hackers got to credit card or medical information.
All the consumers affected were also made vulnerable to subsequent identity theft, given that malicious attackers stole their personal data. Equifax was directly affected, since its stock began to plunge immediately after the news was made public. Additionally, the corporate governance of the company was tarnished, given that three Equifax executives sold shares worth around $2 million days after the breach discovery, and the “retiring” of the chief security information officers is questionable (Surane & Melin, 2017). Also, the company was exposed to litigation, with some lobbyists and interest groups pushing regulators to hold Equifax accountable for the negligence and poor treatment of affected consumers. The proposed new data security laws will present a greater burden to other corporations. Two such laws, the Promoting Responsible Oversight of Transactions and Examinations of Credit Technology (PROTECT) and Freedom From Equifax Exploitation (FREE), will attract more government scrutiny and limit the type of personal data that companies can collect from customers (Alperan, Carter, & Sofio, 2017).