Ethical Considerations of Data Breaches


Russell P. Guay

We hear of new data breaches every week in which personal information is compromised, whether account numbers, credit card information, passwords, credit report details, Social Security numbers, or other data. IT Governance USA reported that in the six-month period between November 2023 and April 2024 there were over 2,700 publicly disclosed data breach incidents affecting nearly 7 billion known records. Most of these attacks hit small and medium-sized businesses, which are so prevalent in a state like Iowa. A breach can damage a company's reputation (often its most prized asset) and financial performance, and it results in a loss of customer trust.


While legal requirements differ from state to state, Iowa's breach notification law (Iowa Code 715C.2) says that when a data breach occurs, a business that owns or licenses the affected data must give notice, either in writing or electronically, to any consumer whose personal information was included in the breached data, and a business that merely maintains that data on behalf of its owner must immediately notify the owner or licensor upon discovery. The consumer notice must include a description of the security breach, the approximate date of the breach, the type of personal information obtained, contact information for consumer reporting agencies, and advice on reporting suspected identity theft.

However, what about companies that want to go beyond the legal requirements despite having limited resources for hardening their cybersecurity defenses? How much extra effort is enough at the crossroads where the law stops and ethical decision-making begins?

Data ethics consists of the moral obligations that companies have to protect personally identifiable information while ensuring privacy, fairness, transparency, accountability and social responsibility. Consumers should be able to expect that their private information is being handled with care. Organizations that collect and store user data have an ethical responsibility to implement robust security measures and enforce data protection efforts that safeguard their consumers' information. That responsibility extends to using AI to protect against cyberattacks while ensuring that any algorithms are used appropriately, to accepting responsibility and being transparent in handling cybersecurity incidents, to disclosing vulnerabilities to consumers, and to offering to pay for credit monitoring services for a period of time after a breach. Companies that address these and other ethical issues can do a much better job of repairing trust while providing transparency to their consumers.

It is not enough for governments to simply pass rules and regulations against data theft. Data privacy should not just be viewed as a legal obligation but also as an ethical responsibility. Neither ethics nor corporate social responsibility often yields easy solutions (that is why they are called ethical dilemmas, after all). However, all organizations can do better and be better. The choice should be clear.



Russell P. Guay, PhD

Professor of Management and David W. Wilson Chair in Business Ethics

Former students, alumni, peers and community members, I would love to hear your thoughts. Please feel free to reach out anytime on LinkedIn or via email (russell.guay@uni.edu).

The views and opinions expressed are those of the author and do not imply endorsement by the University of Northern Iowa.