Case Analysis on CSR

In 2017, a major data breach was reported by Equifax, one of the largest credit reporting agencies in the US. The breach leaked sensitive personal data belonging to approximately 143 million individuals, including both Equifax customers and individuals not associated with the agency. An investigation found that the breach was caused by a vulnerability in Equifax’s website software. The vulnerability allowed hackers to access sensitive user data, including names, social security numbers, birth dates, and driver’s license numbers, and use them for malicious purposes. The breach had many consequences, most of them affecting its users, with little consequence to the corporation itself. The breach also contributed to a loss of trust in Equifax’s ability to protect personal information, and it damaged the company’s public image because of its poor response and solutions regarding the breach. This breach of personal information also resulted in customers having to pay for credit freezes to further protect their credit from hackers and other entities wishing to use their data for harmful and malicious purposes. In this Case Analysis, I will argue that the contractarian ethical tool sheds light on the harm inflicted on Equifax’s customers by the data breach. Equifax failed to protect its customers’ data adequately and effectively, thus violating its contractual obligations to them. In addressing this detrimental breach of data, Equifax also failed to take a contractarian approach, violating its social contract by charging its customers for credit freezes and by failing to take appropriate responsibility or provide any effective course of action to the company’s customer base.
These disingenuous “solutions” added to the morally and ethically wrong actions taken by Equifax regarding this data breach, and to Equifax’s lack of ethical standing regarding both the protection of its customers and the corrective action taken on their behalf.

Friedman’s concept of shareholder primacy is based on the idea that the only social responsibility of a corporation is to maximize profits for its shareholders. According to this view, corporations exist solely to generate wealth for their shareholders, and any actions or decisions that do not directly contribute to this goal are a misuse of corporate resources. Friedman argued that corporations have no moral or social obligations beyond making a profit, and that any attempts to pursue social or environmental goals are ultimately detrimental to the interests of shareholders. He believed that the pursuit of social responsibility by corporations was a form of “taxation without representation,” as shareholders were not directly involved in the decision-making process. With regard to this theory, Equifax’s actions could technically be justified under Friedman’s concept, as the company is not legally obligated to protect consumer data beyond what the law requires. Under Friedman’s concept of shareholder primacy, corporations have a legal obligation to maximize profits for their shareholders and are not required to pursue any actions that do not contribute to this goal. Therefore, if a corporation like Equifax believes that it can increase its profits by cutting corners on data security, it is free to do so, as long as its actions are legal. In this case, Equifax may have believed that it was in the best interest of its shareholders to prioritize cost-cutting measures over investing in stronger cybersecurity measures, as this would have increased profits in the short term. However, from a contractarian perspective, it could be argued that Equifax breached its social contract with customers by failing to protect their personal data.
Customers agreed to trust Equifax with their personal information. With that trust comes the expectation that the company will assess and take reasonable steps to safeguard that information to the best of its ability. However, Equifax’s poor security measures for protecting customer data led to a data breach that caused significant harm to customers, including identity theft and financial loss.

The Equifax breach also reduced trust in Equifax and in other companies, which can in turn lead to a breakdown of the social contract that makes up and contributes to a capitalistic system. In this sense, Equifax’s actions can be seen as a violation of the principles of capitalism that Friedman’s theory looks to enforce. This means that it is in the best interest of corporations to honor and adhere to their social contract with their customers, as doing so helps to create trust and a long-term relationship that is beneficial to both corporations and their customers. In addition, the contractarian perspective stresses the importance of considering the societal implications of corporate actions. A corporation’s relationship with its customers is not the only social contract that it has; it also has a social contract with society as a whole. This contract requires corporations to act in a way that benefits society and not just their shareholders, in contrast to Friedman’s theory.

Equifax’s failure to effectively protect its customers’ personal data harmed not only the individuals affected by the breach; it also contributed to a loss of public trust in corporations in general, including the perception that they are able to protect the sensitive information of their customers. This loss of trust can lead to consequences at odds with Friedman’s theory that a company’s sole responsibility is to its shareholders and to profit-making, and nothing else. These negative consequences can and will affect the company and its shareholders, and they include reduced economic growth as well as increased government regulation. These consequences will then harm the long-term interest of corporations and their shareholders in creating profit, as well as increase the risk of greater government oversight.

In contrast to Friedman, Anshen’s article “Changing the Social Contract: A Role for Business” explains the concept of stakeholder theory in the context of corporate social responsibility. According to stakeholder theory, a corporation has a responsibility not only to its shareholders but also to other groups of stakeholders or individuals affected by the corporation’s actions. These groups include a corporation’s customers, employees, and suppliers. Anshen argues that corporations should embrace their social responsibilities by recognizing and actively engaging with their various stakeholders. This means examining and considering the interests and concerns of all stakeholders and working to balance them in a way that benefits society as a whole. In the case of Equifax, this would involve taking immediate action to address the harm caused to customers, compensating the individuals affected by this breach, and improving cybersecurity measures to prevent future breaches. Furthermore, Anshen emphasizes the importance of transparency and communication in fulfilling a corporation’s social responsibilities. Equifax should have been transparent about the breach as well as its response. Equifax should then have demonstrated a commitment to protecting customer data in the future. By doing so, the company could have helped to rebuild trust with its stakeholders and demonstrated its commitment to being a responsible corporate citizen.

Looking at it further from a contractarian perspective, Equifax had a duty to fulfill its obligations to customers and employees, including protecting sensitive customer data and providing adequate training and resources for the employees responsible for maintaining data security. Anshen’s stakeholder theory states that corporations have a social responsibility to consider the interests of all their stakeholders, as opposed to just their shareholders. From this perspective, Equifax did have a moral obligation to protect customer data and to act in the best interests of all its stakeholders. However, the breach ended up causing a significant amount of harm to its customers. Equifax’s poorly communicated and inadequate response, as well as its failure to take responsibility for the breach, were in their own right breaches of its obligations under stakeholder theory. In failing to fulfill these obligations, Equifax may also have breached the social contract it had with its stakeholders.

To fulfill its obligations under both stakeholder theory and contractarianism, Equifax should have taken immediate steps to address the harm caused to customers. This would have included providing free credit monitoring, compensating affected individuals, and strengthening cybersecurity measures to prevent future breaches. Equifax should also have worked to rebuild trust with its stakeholders by being transparent about the breach and its response and demonstrating a commitment to protecting customer data in the future. In addition, Equifax should have conducted an investigation with the assistance of outside regulatory entities to identify the cause of the breach and prevent similar incidents from occurring in the future. This would have required the company to implement a risk management plan, including regular vulnerability assessments such as penetration testing and audits of its data security protocols.

Furthermore, Equifax could have taken a collaborative and interdisciplinary approach to the breach to rectify the negative consequences of the compromised data and fulfill its social contract to customers. The company could have collaborated with leading industry experts, various government and legislative groups, and other stakeholders to develop and adopt better practices for protecting sensitive customer information. By fulfilling its obligations under these theories, Equifax could have acted in the best interests of all stakeholders and fulfilled its social responsibilities as a corporate citizen. If Equifax had taken this contractarian approach to the issue at hand, the company could have demonstrated its commitment to being responsible as a corporation entrusted with sensitive user data, thus helping to restore public trust with both shareholders and stakeholders.

In conclusion, the Equifax data breach in 2017 resulted in sensitive personal data belonging to approximately 143 million individuals being compromised. Equifax failed to adequately protect its customers’ data, thus violating its contractual obligations to them. From a contractarian ethical perspective, Equifax breached its social contract with customers by failing to protect their personal data, leading to a breakdown of trust and a loss of the perception that corporations can protect sensitive customer information. This breach also contributed to a loss of public trust in corporations in general and can lead to negative consequences such as reduced economic growth and increased government regulation. Friedman’s concept of shareholder primacy could technically justify Equifax’s actions, as the company was not legally required to protect consumer data beyond what was required by law. However, Anshen’s stakeholder theory stresses the importance of considering the societal implications of corporate actions and a corporation’s responsibility to its stakeholders. Equifax’s lack of ethical standing, regarding both the protection of its customers and the corrective action taken on their behalf, violated the principles of capitalism and contributed to a breakdown of the social contract. Therefore, it is in the best interest of corporations to honor and adhere to their social contract with their customers, as doing so helps to create trust and a long-term relationship that is beneficial to both corporations and their customers.