Taking stock of organisations’ protection of privacy: categorising and assessing threats to personally identifiable information in the USA

Many organisations create, store, or purchase information that links individuals’ identities to other data. Termed personally identifiable information (PII), this information has become the lifeblood of many firms across the globe. As organisations accumulate their constituencies’ PII (e.g. customers’, students’, patients’, and employees’ data), individuals’ privacy will depend on the adequacy of organisations’ information privacy safeguards. Despite existing protections, many breaches still occur. For example, US organisations reported around 4,500 PII-breach events between 2005 and 2015. With such a high number of breaches, determining all threats to PII within organisations proves a burdensome task. In light of this difficulty, we utilise text-mining and cluster analysis techniques to create a taxonomy of various organisational PII breaches, which will help drive targeted research towards organisational PII protection. From an organisational systematics perspective, our classification system provides a foundation to explain the diversity among the myriad of threats. We identify eight major PII-breach types and provide initial literature reviews for each type of breach. We detail how US organisations differ regarding their exposure to these breaches, as well as how the level of severity (i.e. number of records affected) differs among these PII breaches. Finally, we offer several paths for future research.
