Management Information Systems Quarterly


Protecting the privacy of personal information continues to pose significant challenges for organizations. Because consumers are vulnerable in their dealings with businesses due to a lack of information about and an inability to control the subsequent use of their personal information, we argue that organizations have a moral responsibility to these individuals to avoid causing harm and to take reasonable precautions toward that end. We further argue that firms can enhance their privacy programs by moving beyond merely complying with laws and other regulations and creating a culture of integrity that combines a concern for the law with an emphasis on managerial responsibility for the firm’s organizational privacy behaviors. We use two high-profile data breaches experienced by two U.S. companies, ChoicePoint and TJX, to illustrate our arguments for enhancing organizational-level privacy programs based on ethical reasoning. In doing so, this paper helps address the dearth of prior organizational-level privacy research, which has largely overlooked ethical issues or the personal harms often caused by privacy violations. We conclude with recommendations for ways organizations can improve their privacy programs by incorporating moral responsibility.