Tuesday, November 24, 2015

JP Morgan Data Breach (2014)

Over the past few years a large number of companies have suffered a data breach, that is, had their customers' personal information stolen by electronic means. One of the largest of these breaches was that of the JP Morgan bank in early to mid-2014. For several months, from March to August of 2014, hackers were able to access the bank's systems and gather information on millions of customers; email addresses, phone numbers, and physical addresses were all stolen (nytimes.com).
While there was some early debate about the actual number of customers affected, later sources settled on roughly 83 million affected households. What makes the background of this case especially interesting is that, unlike other well-known hacks, JP Morgan's systems were breached because of neglect. Specifically, the attackers entered through an overlooked server on which two-factor authentication had not been enabled, so a stolen employee login credential was enough to get in (www.computerworld.com). Had the second factor been required on that server as it was elsewhere on the network, the stolen password alone would not have granted access. It is my intent to perform an ethical analysis of the JP Morgan case, including a list of affected parties and several different ethical perspectives.
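The control that was missing on the neglected server is worth seeing concretely. What follows is an added example, not code from the original post and not JP Morgan's own software. It assumes a hypothetical in-memory user store with PBKDF2-hashed passwords, and uses the RFC 4226 / RFC 6238 test secret as the demo user's authenticator seed so the one-time codes are reproducible. The weak login path accepts anyone who holds the password; the hardened path also requires a valid time-based one-time password (TOTP), so a stolen password by itself fails.

```python
"""Password-only login beside a TOTP-gated login (added example, not from the post).

Assumptions (not from the original post or from JP Morgan's systems): a toy
in-memory user store, PBKDF2-hashed passwords, and the RFC 4226 / RFC 6238
test secret b"12345678901234567890" as the demo user's TOTP seed.
"""
import hashlib
import hmac
import struct

PBKDF2_ITERATIONS = 100_000
TOTP_STEP_SECONDS = 30


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password verifier; the verifier, not the password, is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = Unix time // 30 s."""
    return hotp(secret, at // TOTP_STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps for clock skew; compare in constant time."""
    counter = at // TOTP_STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + skew), code)
        for skew in range(-window, window + 1)
    )


# Constructed demo record (hypothetical user, not real data).
DEMO_SALT = b"constructed-demo-salt"
USER_DB = {
    "alice": {
        "salt": DEMO_SALT,
        "verifier": hash_password("correct horse battery staple", DEMO_SALT),
        "totp_secret": b"12345678901234567890",  # RFC 4226 test secret
    }
}


def check_password(db: dict, username: str, password: str) -> bool:
    record = db.get(username)
    if record is None:
        # Burn a hash anyway so an unknown user is not distinguishable by timing.
        hash_password(password, DEMO_SALT)
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["verifier"])


def login_password_only(db: dict, username: str, password: str) -> bool:
    """The weak path, as on the neglected server: whoever holds the password is in."""
    return check_password(db, username, password)


def login_with_second_factor(db: dict, username: str, password: str, code: str, at: int) -> bool:
    """The hardened path: the password alone proves nothing without a valid TOTP."""
    if not check_password(db, username, password):
        return False
    return verify_totp(db[username]["totp_secret"], code, at)


if __name__ == "__main__":
    stolen_password = "correct horse battery staple"  # what the attacker holds
    at = 59  # RFC 6238 test instant; a real service would use int(time.time())
    real_code = totp(USER_DB["alice"]["totp_secret"], at)
    print("password only:", login_password_only(USER_DB, "alice", stolen_password))
    print("2FA, guessed code:", login_with_second_factor(USER_DB, "alice", stolen_password, "123456", at))
    print("2FA, authenticator code:", login_with_second_factor(USER_DB, "alice", stolen_password, real_code, at))
```

The two login functions differ by one call, which is the point: the lesson of this breach is not that the second factor is hard to build but that it has to be enforced on every server that accepts a credential, so the check belongs in the inventory and configuration audit as much as in the login code.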

Before any ethical analysis can take place, it is important to figure out who was affected by the breach, or who the stakeholders were in this situation.
There are four major groups of stakeholders:
The customers whose information was stolen, and other customers of JP Morgan who now have to worry about whether their data is safe.
JP Morgan itself; its management, public image, and employees.
Other banks in the industry who now have a chance to woo away JP Morgan's customers.
The U.S. government, which has declared JP Morgan part of the nation's "critical infrastructure" (nytimes.com).
Ethical analyses
I will examine the JP Morgan case through four different ethical perspectives: individualism, utilitarianism, Kantianism and virtue theory. Finally, I will include my own perspective on the situation. Taken together, these perspectives will provide a well-rounded review of the ethics involved in the case.

The theory of individualism is possibly the simplest to discuss. It states that the sole goal of a company is to make a profit for its shareholders while remaining within the bounds of the law.
There are two major branches of individualism: Friedman's theory and Machan's theory.
In short, Friedman argues that any action whatsoever that is not taken to maximize profits for the business is unethical, because the business is stealing potential profit from its shareholders.
JP Morgan headquarters in Manhattan, NY
Machan argues that, while profit should be the focus of the business, it is sometimes necessary to take actions that do not directly benefit the company in order to gain consumer trust or respect (Salazar, 18). Thus, it is clear that an individualist would declare JP Morgan's actions highly unethical. Not only did the bank cost its shareholders money through the direct consequences of the breach, but it also caused customers to reconsider their loyalty to the bank; every customer that left the bank because of this breach is a direct profit loss.

The theory of utilitarianism conceals a relatively complicated process of determining ethicality beneath a simple statement: an action is ethical if it results in the greatest amount of happiness for the largest number of beings (Salazar, 19). The reason this is complicated is twofold. Firstly, what is the meaning of "happiness"? Secondly, how does one determine whether an individual was affected by some action? For the sake of brevity, I will define happiness as a state of overall well-being, and take the affected parties to be those listed above as stakeholders in the breach. Given this, was each of the groups made happy or unhappy by the breach?

The bank's customers were most certainly not made happy. They must now worry about identity theft for the rest of their lives, and whether or not to remain with JP Morgan after such a devastating breach. JP Morgan must now find some way to recover from this breach. It must deal with the immediate problem, and implement a program to prevent such issues from occurring in the future. Furthermore, it must find a way to regain the trust of its customers. None of these tasks are particularly conducive to a state of happiness.
Other banks, on the other hand, now have an opportunity to gain a tremendous number of new customers. All they need to show is that they can prevent such attacks, and JP Morgan's customer base will begin to erode. The U.S. government is most certainly unhappy; it was forced to expend large amounts of resources on a federal investigation of the breach, as well as to support JP Morgan's recovery efforts (nytimes.com). Since three of the four major groups of stakeholders were made unhappy by this breach, a utilitarian would declare this situation unethical.

Jamie Dimon, CEO of JP Morgan since 2005

The theory of Kantianism is based on two major principles: rationality and doing the right thing.
There are a number of different ways of analyzing a situation from a Kantian perspective, but the method, or "formula", that I will be using is known as the formula of humanity.
This formula, in short, says that it is unethical to treat people merely as a means to an end. Furthermore, Kantianism says that a business action is unethical if customers are not given all necessary information when making decisions, and that the company must be acting for the right reasons rather than simply trying to take advantage of customers (Salazar, 21-22).

It is my belief that a Kantian would declare JP Morgan's actions unethical, for one simple reason: the bank states in its privacy policy that "We use reasonable physical, electronic, and procedural safeguards that comply with federal standards to protect and limit access to personal information" (jpmorganchase.com). On the server the attackers used, those safeguards were not in place. The bank therefore gave its customers false assurance about the protection of their data, which is unethical on Kantian grounds.

Virtue theory
The concept behind virtue theory is ancient - reaching back to the Greek philosopher Aristotle. In short, it says that the ethicality of an action is determined by whether that action embodies a number of traits, or "virtues". An action that helps to further these virtues is considered ethical, whereas an action that fails to support them or actively hinders them is considered unethical. When discussing the JP Morgan breach, I will consider four of the major virtues: courage, honesty, temperance (or self control), and justice (Salazar, 23).

Courage: JP Morgan certainly demonstrated courage. As soon as it detected the breach in its systems, the bank published a FAQ sheet for its customers, and owned up to the fact it had failed to protect their data (jpmorganchase.com).
Honesty: while the bank gave its customers false information about the security of their data, once the breach occurred it did provide them with honest and open information about the situation. Therefore the presence of honesty is debatable, but I do believe it exists.
Temperance: if JP Morgan had demonstrated temperance, the breach would have been impossible. Negligence, or in layman's terms laziness in attending to one's duties, is the antithesis of temperance.
Justice: there is very little just about this situation, especially because those who really need it - the customers whose personal information was stolen - have no recourse whatsoever to repair the damage to their lives. JP Morgan did very little to help these stranded individuals. Therefore, justice was - and is - not present in this case.
Given these four virtues, it seems that JP Morgan demonstrated one strongly and one weakly. The other two virtues were completely lacking. Therefore, this case is unethical, because the majority of virtues are missing or inadequate.

Justified Ethics Analysis
It is my personal opinion that this case is highly unethical. When JP Morgan required customers to provide it with personal information, it accepted an obligation to keep that data safe. The theft of that data, especially when said theft was only possible due to the bank's failure to live up to its own word, is completely reprehensible. JP Morgan has absolutely no excuse for what occurred. Regardless of what it may have done after the fact, there is no way for the bank to declare the breach an ethical event.


Constantin, Lucian. "Two-factor Authentication Oversight Led to JP Morgan Breach." Computerworld. 23 Dec. 2014. Web. 15 Sept. 2015.

Goldstein, Matthew, Nicole Perlroth, and Michael Corkery. "Neglected Server Provided Entry for JP Morgan Hackers." The New York Times. New York Times, 22 Dec. 2014. Web. 16 Sept. 2015.

JP Morgan Chase. "Customer Notice FAQs." JP Morgan Chase, 2 Oct. 2014. Web. 15 Sept. 2015.

JP Morgan Chase. "Online Privacy Policy." Chase Online Security Center. JP Morgan Chase, 17 Nov. 2013. Web. 15 Sept. 2015.
