Lieber does an excellent job in voicing the frustrations of everyday consumers whose lives were affected by the Equifax breach. The quote from Brian Schill is quite compelling, and it brings to light the feelings of all individuals, whether they were affected by the breach or not. “They have taken our information to sell it for their own profit. And all of a sudden, we find that none of this information is really safe. We’re all vulnerable to these kinds of attacks,” said Brian Schill (Lieber pg 2). Everyday consumers must rely on credit for any number of reasons, be they loans, apartment rental applications, job applications, background checks, or security clearances. Consumers have faith that companies will do what is morally right and sound when handling sensitive personal information. In this Case Analysis I will argue that deontological ethics will show us that Equifax harmed all consumers through its negligence and its goal of maximizing profit in the wake of the breach. This was morally bad for several reasons, as revealed in the paper by Lieber.
One central concept from Friedman that shows up consistently throughout his paper is that C-suite executives are morally wrong if their objective strays off the path of maximizing profits. Friedman notes that if a businessperson has a concern with enhancing the social condition, such as eliminating discrimination, or protecting the environment, that businessperson is doing a disservice to the shareholders and to the “basis of a free society” (Friedman pg 51). However, this claim is a bit naïve to me. Firstly, by maximizing profits in the short term, a company can fail to poise itself for consistent growth far into the future. If a company eventually went out of business because it was solely seeking to maximize profits and was replaced by a business that had stronger customer support due to its positive stance on social responsibility, would Friedman argue that the failing company was correct because it was maximizing profits?
From a deontological standpoint we can easily determine that Equifax’s handling of the breach was not correct. Deontology tells us that good results that occur from bad reasoning are not deontologically correct. While Equifax putting a freeze on users’ credit was a good thing, the reasoning behind it was not. Their reasoning was to continue to maximize profit in the wake of the breach, so deontology shows us that this was the wrong way to handle the aftermath of the breach.
Another concept from Friedman is that any “social responsibilities” of a businessperson belong to the individual themselves, not to the organization (Friedman pg 52). However, we have seen time and time again that while a business is its own entity, the actions of the C-suite members do have a huge impact on public perception of said company and C-suite members. It is then noted, by Friedman, that these businesspeople are not acting in the best interests of their employers (Friedman pg 52). The problem with this is that social interests play a huge role in generating profits for a company. By neglecting social interests, a company can quickly fall out of favor with its customer base. This would result in a steady decline in profits.
The stance of Friedman has great prevalence in the case of Equifax’s data breach. According to Friedman, Equifax was doing the right thing when it was charging victims a fee to put a freeze on their credit. From a deontological viewpoint, this is morally wrong. In my opinion, data breaches are going to occur; that is not the point here. Equifax’s negligence in handling the aftermath of the breach is what is morally wrong. The correct deontological action for Equifax to take would have been to immediately notify those affected and put a freeze on their credit until the situation could be remedied. This would have put Equifax in a better light, given the situation. Instead, Equifax pursued profits all the way to the end. This pursuit of profits led Equifax to have to pay up to $700 million between fines and giving affected customers monetary relief (Schneider & Arnold, 2019).
To put Friedman’s position in another light involving this case, I believe he would not have agreed with the actions of Equifax’s CFO. The CFO sold shares of company stock after the breach was discovered, but before it was publicly announced (Lieber pg 7). This is morally wrong on many fronts. Friedman would most likely agree that it is wrong because it would hurt the shareholders, or owners, of the company. It is also morally wrong from a deontological standpoint because the CFO is profiting at the expense of the victims. The CFO was able to sell shares at the top, and then buy them back later much cheaper after news of the breach tanked the share price.
Deontological ethics, and Kant specifically, teach us certain imperatives that are crucial to deontology. When the Equifax CFO sold his company stock before public knowledge of the breach, he essentially made an exception for himself at the expense of the public.
Throughout his paper, Anshen references the social contract and how that contract is shifting. He makes a note that in the early 1900s, economic growth was seen as the only measure of progress (Anshen pg 9). This makes perfect sense, as labor laws were extremely lax or nonexistent. Society was rapidly changing at this time, and Anshen points out that economic gains at that time were so great that the public really had no demand for retirement or unemployment benefits (Anshen pg 9). On the theory of social contract, Anshen also makes it clear that organizations need to be forward thinking and adapt to new societal demands or face possible “destructive revolution”. One key takeaway from Anshen is that organizations must start to consider possible environmental costs, as environmental costs were beginning to shift from the government to those organizations that were causing environmental harm (Anshen pg 11). Also, companies must factor in safety costs for those products which carry some inherent form of safety or bodily risk. Examples noted by Anshen include automobiles and nuclear power plants. In my opinion, Anshen was very forward thinking, as OSHA was created just a year later in 1971. Organizations involved in construction, or industrial-type work, would need to start implementing plans for worker safety.
From a deontological viewpoint, these companies should seek to implement plans to deal with their environmental hazards for the right reason. Organizations seeking to eliminate their environmental waste solely for the purpose of avoiding fines are not deontologically ethical. They should be eliminating the waste because it is their duty to operate their business in a way that does not leave the world worse off because of that organization’s existence.
Anshen also makes a fantastic point about the main lesson for private management. He says that C-suite teams should actively engage in the “redesign of the social contract” (Anshen pg 12). He goes on to note that if the rules are created by only a small group of critics of the system, or by a larger group of people who are only motivated by social causes, then the rules would not benefit all. This is because the critics or the large group only have their own causes in mind and do not know the inner workings of corporate business. Anshen claims that corporate management must actively engage with the public to create solutions to issues that benefit both private enterprise and the public.
Based on Anshen’s reasoning, Equifax had multiple shortcomings from both his perspective of the social contract and from my deontological viewpoint. As Diane Beeney pointed out in Lieber’s article on Equifax, “I’m not very tech savvy, but I’m very tech wary.” Equifax had an ethical shortcoming in expecting customers to put their Social Security number into the database of a company that just experienced a data breach. It is not ethical to abuse consumer trust in this manner. Instead of requiring customers to enter their Social Security number to check if they were breached, Equifax should have notified all customers. This would have given those affected time to take the proper actions after the breach, and it would have given those unaffected reassurance.
As I mentioned earlier in my analysis, I put less blame on Equifax over its breach compared with its handling of the aftermath of the breach. However, its handling of the aftermath of the breach makes the case that the company was extremely negligent and could have potentially prevented the breach if it were deontologically ethical. One of the most alarming actions taken by Equifax was charging customers a fee to fix what the company caused. This action is morally wrong on many fronts, but deontologically it should have righted its wrongs much earlier. On the other hand, some would argue that Equifax did a good thing in righting its wrong and paying a huge sum of money as part of a settlement. I beg to differ and note that Equifax’s actions directly after the breach show crystal clear how unethically it was operating. I argue that Equifax is not paying that settlement because it is their duty, but because of complaints by consumers and the FTC.
Other Sources:
Schneider, A., & Arnold, C. (2019, July 22). Equifax to pay up to $700 million in Data Breach Settlement. NPR. Retrieved June 5, 2022, from https://www.npr.org/2019/07/22/744050565/equifax-to-pay-up-to-700-million-in-data-breach-settlement