Chapter 10 • Global, Ethics, and Security Management
TJX Cos., parent of T.J. Maxx, Marshalls, and HomeGoods retail stores, had a major security
breach in 2006 when hackers entered their network and stole the data on millions of
consumers from the United States, Ireland, the United Kingdom, and Canada. The hackers
were able to access a wide range of financial information, including credit cards, debit cards
linked to checking accounts, and transactions for returned merchandise, and make fraudulent
purchases with the stolen customer data. For example, one TJX customer reported that $6,700
in unauthorized transactions—including purchases from Wal-Mart Stores Inc., Flowers.com,
and iTunes.com—were made with his card account number.[22] This breach could impact more
than 40 million credit card users. Although U.S. retailers are required to follow stringent card
industry rules (e.g., establishing firewalls to protect databases and not storing unprotected
cardholder information), many merchants don’t comply with them. According to Visa, 31 percent
of its 330 largest merchants comply with the requirements.
PRIVACY
Privacy means providing individuals with the right to be left alone. In most societies,
adult human beings have the right to control what information about themselves needs to be
safeguarded and what can be made available to the public. This right, however, must be balanced
with the public’s right to know or societal needs (e.g., Patriot Act of 2001). Any organization that
collects personal information must follow a process on how this information is collected, used, and
shared. This process is influenced by laws of the land and ethics. Information systems in general
provide easy mechanisms to collect, use, and share these data without any knowledge of the
information owner. In a competitive market, organizations are tempted to use information
systems such as ERP in ways that violate individual privacy rights for marketing, or they may
accidentally release this information to third parties that do not have the right to it. Other
problems are hacking, snooping, and virus attacks on the system, which also violate the privacy
rights of individuals.
Until recently there has been very little privacy legislation around the world. Examples of
privacy laws passed in the United States are the Privacy Act of 1974, which mostly applied to
governmental agencies, the Children’s Online Privacy Protection Act of 1998, and the e-Privacy
Act of 2002. The latter two laws take into account system-related or online violations. The
European Union, ASEAN, and other countries have similarly passed regulations to protect
individual privacy. The key tenets of these regulations are getting prior consent of the individuals
before collecting the data, getting approval for sharing, informing individuals when their
information is requested or shared with a third party, and setting regulations on collecting information
on individuals from Internet browsing, junk-mail, fraud prevention, and others.
The biggest threat to privacy from ERP systems is from data mining activities. ERP
systems simplify the process of collecting, sorting, filing, and sharing information on customers
with external organizations. Previously, it was very complex, cumbersome, and expensive to collect
data and look for consumer buying patterns or predict purchasing behaviors. With easy access
to large amounts of data, new data mining software can reveal hidden consumer spending habits
for businesses, identify high-risk patients for health care and insurance companies, reveal
terrorists for security agencies, or reveal fraudulent transactions for financial and credit card
companies. Although these are beneficial to companies and society, they can be dangerous if
they end up in the wrong hands. Identity theft (i.e., crooks using another individual’s profile for
fraudulent transactions) is now the number one crime in many parts of the world. ERP systems
22 Pereira, P. (January 25, 2007). Wide Credit-Card Fraud Surfaces in TJX Hacking. Wall Street Journal, D3.