Abstract
Many organisations create, store, or purchase information that links individuals’ identities to other data. Termed personally identifiable information (PII), this information has become the lifeblood of many firms across the globe. As organisations accumulate their constituencies’ PII (e.g. customers’, students’, patients’, and employees’ data), individuals’ privacy will depend on the adequacy of organisations’ information privacy safeguards. Despite existing protections, many breaches still occur. For example, US organisations reported around 4,500 PII-breach events between 2005 and 2015. With such a high number of breaches, determining all threats to PII within organisations proves a burdensome task. In light of this difficulty, we utilise text-mining and cluster analysis techniques to create a taxonomy of various organisational PII breaches, which will help drive targeted research towards organisational PII protection. From an organisational systematics perspective, our classification system provides a foundation to explain the diversity among the myriad of threats. We identify eight major PII-breach types and provide initial literature reviews for each type of breach. We detail how US organisations differ regarding their exposure to these breaches, as well as how the level of severity (i.e. number of records affected) differs among these PII breaches. Finally, we offer several paths for future research.
Special Issue Editors: Paul Benjamin Lowry, Tamara Dinev, Robert Willison
Electronic supplementary material
The online version of this article (doi:10.1057/s41303-017-0065-y) contains supplementary material, which is available to authorized users.
Notes
1 This differentiation came to light during discussions with our second SME.
2 The National Conference of State Legislatures (www.ncsl.org) provides information on breach notification laws by state. As of the writing of this manuscript, 47 states and the District of Columbia had enacted breach notification legislation.
Additional information
Notes on contributors
Clay Posey
Clay Posey is an Associate Professor of Management with a joint appointment in the Institute for Simulation & Training at University of Central Florida. His research has appeared in various journals including MIS Quarterly, Journal of Management Information Systems, European Journal of Information Systems, and Information & Management, among others.
Uzma Raja
Uzma Raja is Professor of MIS at the University of Alabama. She received her PhD from Texas A&M University. Her research area is systems evolution, text mining, and open source ecosystems. She has published in journals such as IEEE Transactions on Software Engineering, Decision Sciences, and IIE Transactions.
Robert E. Crossler
Robert E. Crossler is an Assistant Professor of Information Systems at Washington State University. His research has been published in leading MIS journals, including MIS Quarterly, Decision Support Systems, and The DATA BASE for Advances in Information Systems, where his manuscript on privacy was recognised as best paper in 2014.
A. J. Burns
A. J. Burns is an Assistant Professor in the College of Business and Technology at the University of Texas at Tyler. He earned his DBA in Computer Information Systems from Louisiana Tech University. His research interests include behavioural cybersecurity, complex adaptive systems, and health information security and privacy.