Essay Doctorate 1,456 words

Should Organizations Be Held Responsible

Last reviewed: November 28, 2015 ~8 min read

Managers at businesses and organizations all over the United States collect and store information. It may be kept as tangible documents in filing cabinets or digitally on networked servers. They may even rent "cloud" space to keep and safeguard vast volumes of personal information. Despite the growing occurrence of data breaches affecting private, public, and nonprofit organizations, the majority of organizations and businesses admit knowing too little about the consequences and risks of failing to sufficiently safeguard personal information collected from volunteers, employees, donors, and clients. The news has shown companies like Sony, Kmart, and Dairy Queen leaking sensitive information such as credit card numbers and home addresses (MONEY.com, 2014). The question is whether organizations and businesses like these should be held liable for damages from the compromise of leaked sensitive data. The answer is yes.

People are convinced by businesses and organizations to hand over sensitive information. They trust these companies and nonprofits with information that, in the wrong hands, could wreak havoc in their lives, from identity fraud to credit score damage. Letting go of such potentially damaging information shows how much people believe in the organization. Therefore, when a company or organization has a hacking incident or accidentally leaks private information, it should bear the consequences.

People often cite hackers as the culprits for leaked information. However, sometimes private information is leaked by inside sources. According to a 2015 article, council workers and social workers were found to have leaked sensitive information or revealed private information and evaded punishment. Some examples go as far as revealing the personal information of children. "In one instance, a social worker left papers containing confidential records about children and information linked to sex offenders on a train, and in another, an unencrypted laptop containing the details of 200 schoolchildren was stolen" (Ward, 2015). Because few of them faced any real consequences for their actions and the act itself was not frowned upon, the instances of leaked personal information grew.

People must be held responsible for their actions. If they are not, it could prove disastrous to many people's lives. The example from the article is just a fraction of the reported instances of leaked private information. There are many more examples in private sector organizations. If the consequences for these actions continue to be lax, then people within these organizations will never learn to spot suspicious activity like card reader placements or implement standards that reduce exposure of sensitive data. Going back to the example of the sensitive documents left on the train, if standard protocol involved never leaving the office with physical copies of people's personal information, that accident would never have happened.

Improving oversight must take priority. This is especially true as newer technology takes personal information off tangible documents and onto apps. "Yet few studies have evaluated the legal implications of the expansion of mHealth applications, or 'apps.' Such apps are affected by a patchwork of policies related to medical licensure, privacy and security protection, and malpractice liability" (Yang & Silverman, 2014, p. 222). Apps can be used with mobile phones and viewed from anywhere there is a mobile connection. They can also be easily accessed by hackers, as mobile phones have become notoriously easy targets to hack into. Therefore, it becomes an issue of whether people are able to handle the influx of potential threats and whether they care to handle them. If those who break confidentiality face no consequences, what will motivate them to improve and to safeguard private data?

Google Inc. has made searching the internet easy and quick. However, it has also exposed people to those who wish to find them and gain their personal information. "In May 2014 the Court of Justice of the European Union delivered a landmark ruling in Google Spain SL, Google Inc. v Agencia Espanola de Proteccion de Datos Mario Costeja Gonzalez" (Lindsay, 2014, p. 159). The ruling helped to establish an understanding that a "right to be forgotten" existed and continues to exist under the existing European data privacy law and the 1995 Data Protection Directive. Under this law, people have the right to ask Google to remove certain material from their search results. Although Google Inc. had received well over 170,000 requests by the middle of November 2014, it has refused to cooperate as quickly as expected.

Although companies like Google and other organizations may not enforce protection of sensitive data or give people the option to, companies and organizations are still liable for any damages should the leaked personal information result in any. This is known as liability. "Liability is the legal obligation of an entity that extends beyond criminal or contract law; it includes the legal obligation to make restitution, or to compensate for wrongs committed. An organization increases its liability if it refuses to take measures known as due care" (Whitman & Mattord, 2003, p. 111). The majority of organizations know that liability is an important issue to acknowledge and try to train their employees and volunteers on what is unacceptable and acceptable behavior. They also educate their employees or volunteers on the consequences of prohibited or immoral actions.

While it is correct that cybercrimes such as hacking, or the deliberate loss and damage of data, are a realistic concern for organizations, it is important to recognize that accidental privacy breaches can be even more costly. If organizations were penalized severely, even giving the accused jail time for releasing private or sensitive information, organizations might include in their standard training a simple rule of not allowing personal information to be stored on a smartphone or laptop. These two devices are some of the most sought after and stolen items. They are also the most susceptible to being damaged.

What is PII, or Personally Identifiable Information? PII is the starting point in understanding the responsibility of guarding personal information. Information found, for example, in a phonebook cannot be considered PII. For instance, in Illinois the meaning of "personal information" defined in the Personal Information Protection Act (815 ILCS 530) is " ... a person's first initial or first name and last name in conjunction with any of the following data elements, if either the data or the name elements are not redacted or encrypted. Social security number; state identification card number; Driver's license number and, account number/credit/debit card number" (MacKinnon, 2012, p. 84). When a company lets employees take personal information with them outside the office or building, whether home or on public transportation, it opens itself up to the chance of losing or revealing the sensitive information.

Cite This Paper
PaperDue. (2015). Should Organizations Be Held Responsible. PaperDue. https://www.paperdue.com/essay/should-organizations-be-held-responsible-2158903
