Tuesday, January 10, 2023

Conflict of interest

From Wikipedia, the free encyclopedia
https://en.wikipedia.org/wiki/Conflict_of_interest
 
A conflict of interest (COI) is a situation in which a person or organization is involved in multiple interests, financial or otherwise, and serving one interest could involve working against another. Typically, this relates to situations in which the personal interest of an individual or organization might adversely affect a duty owed to make decisions for the benefit of a third party.

An "interest" is a commitment, obligation, duty or goal associated with a particular social role or practice. By definition, a "conflict of interest" occurs if, within a particular decision-making context, an individual is subject to two coexisting interests that are in direct conflict with each other. Such a matter is of importance because under such circumstances the decision-making process can be disrupted or compromised in a manner that affects the integrity or the reliability of the outcomes.

Typically, a conflict of interest arises when an individual finds themselves occupying two social roles simultaneously which generate opposing benefits or loyalties. The interests involved can be pecuniary or non-pecuniary. The existence of such conflicts is an objective fact, not a state of mind, and does not in itself indicate any lapse or moral error. However, especially where a decision is being taken in a fiduciary context, it is important that the contending interests be clearly identified and the process for separating them is rigorously established. Typically, this will involve the conflicted individual either giving up one of the conflicting roles or else recusing himself or herself from the particular decision-making process in question.

The presence of a conflict of interest is independent of the occurrence of inappropriateness. Therefore, a conflict of interest can be discovered and voluntarily defused before any corruption occurs. A conflict of interest exists if the circumstances are reasonably believed (on the basis of past experience and objective evidence) to create a risk that a decision may be unduly influenced by other, secondary interests; its existence does not depend on whether a particular individual is actually influenced by a secondary interest.

A widely used definition is: "A conflict of interest is a set of circumstances that creates a risk that professional judgement or actions regarding a primary interest will be unduly influenced by a secondary interest." Primary interest refers to the principal goals of the profession or activity, such as the protection of clients, the health of patients, the integrity of research, and the duties of public officers. Secondary interest includes personal benefit and is not limited to only financial gain but also such motives as the desire for professional advancement, or the wish to do favours for family and friends. These secondary interests are not treated as wrong in and of themselves, but become objectionable when they are believed to have greater weight than the primary interests. Conflict of interest rules in the public sphere mainly focus on financial relationships since they are relatively more objective, fungible, and quantifiable, and usually involve the political, legal, and medical fields.

A conflict of interest is a set of conditions in which professional judgment concerning a primary interest (such as a patient's welfare or the validity of research) tends to be unduly influenced by a secondary interest (such as financial gain). Conflict-of-interest rules [...] regulate the disclosure and avoidance of these conditions.

Related to the practice of law

Conflicts of interest have been described as the most pervasive issue facing modern lawyers. Legal conflicts rules are at their core corollaries to a lawyer's two basic fiduciary duties: (1) the duty of loyalty and (2) the duty to preserve client confidences. The lawyer's duty of loyalty is fundamental to the attorney-client relationship and has developed from the biblical maxim that no person can serve more than one master. Just as fundamental is the lawyer's duty to maintain client confidences, which protects clients' legitimate expectations that they can make full disclosure of all facts to their attorneys without fear of exposure.

The basic formulation of the conflicts of interest rule is that a conflict exists "if there is a substantial risk that the lawyer's representation of the client would be materially and adversely affected by the lawyer's own interests or by the lawyers' duties to another current client, a former client, or a third person." The duty of loyalty requires an attorney not to act directly adverse to an existing client, even on an unrelated matter where the lawyer has no client confidences. Such a loyalty conflict has been labeled a concurrent conflict of interest. The duty of confidentiality is protected in rules prohibiting so-called successive conflicts of interest, when a lawyer proposes to act adversely to the interests of a former client. A lawyer who has formerly represented a client in a matter is precluded from representing another person in the same or a substantially related matter that is materially adverse to the former client. These two basic formulations – that a lawyer may not act directly adverse to a current client or adverse to a former client on a substantially related matter – form the cornerstone of modern legal conflicts of interest rules.

Concurrent conflicts of interest

Direct adversity to current client

An attorney owes the client undivided loyalty. The courts have described this principle as "integral to the nature of an attorney's duty." Without undivided loyalty, irreparable damage may be done "to the existing client's sense of trust and security – features essential to the effective functioning of the fiduciary relationship…" A key feature of the duty of loyalty is that an attorney may not act directly adverse to a current client or represent a litigation adversary of the client in an unrelated matter. The damage done is to the client's confidence that the lawyer is serving his or her interests faithfully. The most obvious example of a lawyer acting directly adverse to a client is when the lawyer sues the client. At the other end of the spectrum is when a lawyer represents business competitors of the client who are not adverse to it in a lawsuit or negotiation. Representing business competitors of a client in unrelated matters does not constitute direct adversity nor give rise to a loyalty conflict. As one state bar ethics committee has noted:

An attorney's representation of one client will often have indirect effects on other existing clients. For example, simultaneously representing business competitors on unrelated matters may indirectly impair the interests of each. It will be rare indeed when an attorney's representation of a client will not have numerous indirect adverse effects on others. Obtaining a benefit for a client will often mean disadvantaging another person or entity, and indirect consequences may follow to all who may be dependents or owners of the attorney's opponents. The attorney's duty of loyalty, however, extends only to adverse consequences on existing clients which are 'direct.'…Of the numerous and varied consequences which a representation of one client may have on other clients, well-established legal authority interpreting the duty of loyalty limits the scope of ethical inquiry to whether the other affected clients are parties to the case or transaction in which the attorney is acting. --CALIFORNIA STATE BAR ETHICS OPINION 1989-113.

Direct adversity may arise in litigation when an attorney sues a client or defends an adversary in an action his or her client has brought. It may also arise in the context of business negotiations, when a lawyer negotiates on behalf of an adversary against a current client, even if the matter is unrelated to any matter the lawyer is handling for the client. However, merely advocating opposite sides of the same legal issue does not give rise to direct adversity. Even if a lawyer's advocacy in an unrelated matter may make unfavorable law for another client, such effects are only indirect and not subject to the conflicts rules. There is no conflict in advocating positions that may turn out to be unfavorable to another client so long as the lawyer is not directly litigating or negotiating against that client.

Identity of the client - corporations

One of the most frequently arising questions in corporate practice is whether parent corporations and their subsidiaries are to be treated as the same or different entities for conflicts purposes. The first authority to rule on this question was the California State Bar Ethics Committee, which issued a formal opinion ruling that parent corporations and their subsidiaries are to be considered distinct entities for conflicts purposes. The California committee considered a situation where an attorney undertook a representation directly adverse to the wholly owned subsidiary of a client, when the lawyer did not represent the subsidiary. Relying on the entity as client framework in Model Rule 1.13, the California committee opined that there was no conflict as long as the parent and subsidiary did not have a "sufficient unity of interests." The committee announced the following standard for evaluating the separateness of parent and subsidiary:

In determining whether there is a sufficient unity of interests to require an attorney to disregard separate corporate entities for conflict purposes, the attorney should evaluate the separateness of the entities involved, whether corporate formalities are observed, the extent to which each entity has distinct and independent managements and board of directors, and whether, for legal purposes, one entity could be considered the alter ego of the other. -CALIFORNIA STATE BAR ETHICS OPINION 1989-113.

As one commentator has noted, "For a state ethics opinion, California Opinion 1989-113 has been unusually influential, both with courts there, with ethics committees elsewhere, and through the latter set of ethics committee opinions, with… recent decisions in other jurisdictions." The California opinion has been followed by ethics committees in such jurisdictions as New York, Illinois and the District of Columbia, and served as the basis of ABA Formal Ethics Opinion 95-390. The law in most jurisdictions is that parent corporations and their subsidiaries are treated as distinct entities, except in limited circumstances noted by the California ethics committee where they have a unity of interests.

The Second Circuit has adopted a variation of the California standard. In GSI Commerce Solutions, Inc. v. BabyCenter LLC, the court ruled that parent corporations and their subsidiaries should be treated as the same entity for conflicts purposes when both companies rely "on the same in-house legal department to handle their legal affairs." However, the court ruled that the lawyer and client can contract around this default standard. The court quoted with approval the opinion of the City of New York Committee on Professional and Judicial Ethics, which stated, "corporate family conflicts may be averted by ... an engagement letter ... that delineates which affiliates, if any, of a corporate client the law firm represents..."

Material limitation conflicts

A concurrent conflict will also exist when "there is a significant risk that the representation of one or more clients will be materially limited by the lawyer's responsibilities to another client, a former client or a third person or by a personal interest of the lawyer." Comment 8 to Model Rule 1.7 states, by way of example, that an attorney representing multiple persons forming a joint venture may be materially limited in recommending the courses of action that any jointly represented client may take because of the lawyer's duty to the other participants in the joint venture.

The Supreme Court of Minnesota found a material limitation conflict in In re Petition for Disciplinary Action Against Christopher Thomas Kalla. In Kalla, an attorney was disciplined for representing a borrower bringing suit against her lender for charging a usurious interest rate while simultaneously representing the mortgage broker who arranged the loan as a third party defendant in the same lawsuit. Although neither client had brought an action against the other, the court found a material limitation conflict: "Advocating for Client A would potentially harm Client B, who was potentially liable for contribution. Kalla's ability to fully advocate for both was materially limited by Kalla's dual representation."

Consent to concurrent conflicts of interest

Consent to current conflicts

A concurrent conflict of interest may be resolved if four conditions are met. They are:

  1. the lawyer reasonably believes that the lawyer will be able to provide competent and diligent representation to each affected client;
  2. the representation is not prohibited by law;
  3. the representation does not involve the assertion of a claim by one client against another client represented by the lawyer in the same litigation or other proceeding before a tribunal; and
  4. each affected client gives informed consent, confirmed in writing.

Informed consent requires that each affected client be fully advised about the material ways that the representation could adversely affect that client. In joint representations, the information provided should include the interests of the lawyer and other affected client, the courses of action that could be foreclosed due to the joint representation, the potential danger that the client's confidential information might be disclosed, and the potential consequences if the lawyer had to withdraw at a later stage in the proceedings. Merely telling the client that there are conflicts, without further explanation, is not adequate disclosure. The lawyer must fully disclose the potential impairment to the lawyer's loyalty and explain how another unconflicted attorney might better serve the client's interests.

Prospective consent to future conflicts

It is not unusual in the current legal environment of large multinational and global law firms for the firms to seek advance or prospective waivers of future conflicts from their clients. A law firm is particularly likely to seek a prospective waiver when a large corporation seeks the specialized knowledge of the firm in a small matter, without a high likelihood of repeat business. As the ABA stated in its Ethics Opinion 93-372:

when corporate clients with multiple operating divisions hire tens if not hundreds of law firms, the idea that, for example, a corporation in Miami retaining the Florida office of a national law firm to negotiate a lease should preclude that firm's New York office from taking an adverse position in a totally unrelated commercial dispute against another division of the same corporation strikes some as placing unreasonable limitations on the opportunities of both clients and lawyers. -ABA Formal Opinion 93-372 (1993).

Prospective waivers are most likely to be upheld by the courts when they are given by sophisticated corporate clients represented by independent counsel in the negotiation of the waiver. However, in Sheppard, Mullin, Richter & Hampton, LLP v. J-M Manufacturing Co., the California Supreme Court held that a prospective waiver that did not make specific disclosure of an actual current conflict was not effective to waive that conflict. As the court said,

By asking J-M to waive current conflicts as well as future ones, Sheppard Mullin did put J-M on notice that a current conflict might exist. But by failing to disclose to J-M the fact that a current conflict actually existed, the law firm failed to disclose to its client all the 'relevant circumstances' within its knowledge relating to its representation of J-M. 6 Cal. 5th 59 (2018) at p. 84.

The Sheppard Mullin case does not invalidate prospective waivers in California. It only holds that waivers of current and actual conflicts must specifically disclose those conflicts, an unremarkable conclusion.

The hot potato doctrine

If a client will not consent to a conflict and allow a lawyer to take on another representation, the lawyer cannot then withdraw from the existing representation, thus turning the existing client into a former client and ending the duty of loyalty. As the courts have stated, the lawyer cannot "drop a client like a hot potato" to cure a conflict. This label has stuck, and the doctrine is now aptly called the "hot potato" doctrine. However, as one commentator has pointed out, the reasoning underlying this line of cases has been sparse, and few courts have attempted to justify this result through an analysis of the ethics rules. The unstated rationale behind the Hot Potato doctrine is that a withdrawal attempted without good cause under Model Rule 1.16(b) is an ineffective withdrawal, which does not successfully terminate the existing attorney-client relationship. When viewed in this light, a withdrawal accomplished with good cause should be an effective withdrawal that does permit a lawyer to take on a representation that would otherwise be conflicting, as long as there is no substantial relationship with the prior matter. The standard used to assess conflicts involving such former clients will be discussed in the next section.

Successive conflicts of interest

The substantial relationship test

Conflicts of interest rules involving former clients are primarily designed to enforce the attorney's duty to preserve a client's confidential information. Model Rule 1.9(a) sets forth this doctrine in a rule that has come to be known as the substantial relationship test. The rule states:

A lawyer who has formerly represented a client in a matter shall not thereafter represent another person in the same or a substantially related matter in which that person's interests are materially adverse to the interests of the former client unless the former client gives informed consent, confirmed in writing. -MODEL RULES OF PROF'L CONDUCT r. 1.9(a).

Without the substantial relationship test, a client attempting to prove that its former lawyer possesses its confidential information might have to disclose publicly the very confidential information it is trying to protect. The substantial relationship test was designed to protect against such disclosures. Under this test, the attorney's possession of the former client's confidential information is presumed if "confidential information material to the current dispute would normally have been imparted to the attorney by virtue of the nature of the former representation." The substantial relationship test reconstructs whether confidential information was likely to be imparted by the former client to the lawyer by analyzing "the similarities between the two factual situations, the legal questions posed, and the nature and extent of the attorney's involvement with the cases."

Imputation of conflicts

The conflicts of an individual lawyer are imputed to all attorneys who "are associated with that lawyer in rendering legal services to others through a law partnership, professional corporation, sole proprietorship, or similar association." This imputation of conflicts can lead to difficulties when attorneys from one law firm leave and join another firm. The issue then arises whether the conflicts of the itinerant lawyer's former firm are imputed to his or her new firm.

In Kirk v. First American Title Co., the court ruled that an itinerant lawyer's conflicts are not imputed to his or her new law firm if that firm timely sets up an effective ethics screen preventing the lawyers from imparting any confidential information to the lawyers in the new firm. An effective ethics screen rebuts the presumption that the itinerant lawyers shared confidential information with the lawyers in the new firm. The components of an effective ethics screen, as described by the court in Kirk, are:

  1. physical, geographic, and departmental separation of attorneys;
  2. prohibitions against and sanctions for discussing confidential matters;
  3. established rules and procedures preventing access to confidential information and files;
  4. procedures preventing a disqualified attorney from sharing in the profits from the representation;
  5. continuing education in professional responsibility.

Judicial disqualification, also referred to as recusal, refers to the act of abstaining from participation in an official action such as a court case/legal proceeding due to a conflict of interest of the presiding court official or administrative officer. Applicable statutes or canons of ethics may provide standards for recusal in a given proceeding or matter. Providing that the judge or presiding officer must be free from disabling conflicts of interest makes the fairness of the proceedings less likely to be questioned.

In the practice of law, the duty of loyalty owed to a client prohibits an attorney (or a law firm) from representing any other party with interests adverse to those of a current client. The few exceptions to this rule require informed written consent from all affected clients, i.e., an "ethical wall". In some circumstances, a conflict of interest can never be waived by a client. In perhaps the most common example encountered by the general public, the same firm should not represent both parties in a divorce or child custody matter. Found conflict can lead to denial or disgorgement of legal fees, or in some cases (such as the failure to make mandatory disclosure), criminal proceedings. In 1998, a Milbank, Tweed, Hadley & McCloy partner was found guilty of failing to disclose a conflict of interest, disbarred, and sentenced to 15 months of imprisonment. In the United States, a law firm usually cannot represent a client if the client's interests conflict with those of another client, even if the two clients are represented by separate lawyers within the firm, unless (in some jurisdictions) the lawyer is segregated from the rest of the firm for the duration of the conflict. Law firms often employ software in conjunction with their case management and accounting systems in order to meet their duties to monitor their conflict of interest exposure and to assist in obtaining waivers.

Generally (unrelated to the practice of law)

More generally, conflicts of interest can be defined as any situation in which an individual or corporation (either private or governmental) is in a position to exploit a professional or official capacity in some way for their personal or corporate benefit.

Depending upon the law or rules related to a particular organization, the existence of a conflict of interest may not, in and of itself, be evidence of wrongdoing. In fact, for many professionals, it is virtually impossible to avoid having conflicts of interest from time to time. A conflict of interest can, however, become a legal matter, for example, when an individual tries (and/or succeeds in) influencing the outcome of a decision, for personal benefit. A director or executive of a corporation will be subject to legal liability if a conflict of interest breaches his/her duty of loyalty.

There often is confusion over these two situations. Someone accused of a conflict of interest may deny that a conflict exists because he/she did not act improperly. In fact, a conflict of interest can exist even if there are no improper acts as a result of it. (One way to understand this is to use the term "conflict of roles". A person with two roles—an individual who owns stock and is also a government official, for example—may experience situations where those two roles conflict. The conflict can be mitigated—see below—but it still exists. In and of itself, having two roles is not illegal, but the differing roles will certainly provide an incentive for improper acts in some circumstances.)

As an example, in the sphere of business and control, according to the Institute of Internal Auditors:

conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing professional or personal interest. Such competing interests can make it difficult to fulfill his or her duties impartially. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit activity, and the profession. A conflict of interest could impair an individual's ability to perform his or her duties and responsibilities objectively. A few examples of conflict of interest are:

  • When a member of the commissioners of a state highway commission owns a piece of property that the state will have to condemn. The conflict of interest comes in because the commission will want to acquire the property at the lowest possible price (subject to it being at least fair market value) while, as the property owner, they are going to want the highest possible price they can get.
  • When an officer or director of a corporation owns a patent or copyright which either was developed before they were involved with the corporation (which means it cannot be subject to a contractual right of assignment or work for hire) or was developed for a type of product not related to the scope of their employment. As an author or inventor, they are going to want a large license fee or royalty, while as an officer of the corporation they are expected to offer as little as possible.
  • A judge deciding a bench trial or arbitrator in binding arbitration must not decide a case where a relative, acquaintance, or business partner is a party, because they may give overly favorable terms to that party, or might impose excessively harsh terms (such as a judge having their estranged child, parent, or ex-spouse as a criminal defendant being sentenced before them).

Conflict of interest in UN Security Council

In the United Nations the permanent members of the UN Security Council have an interest in wanting to retain their veto power which conflicts with their obligation.

Organizational

An organizational conflict of interest (OCI) may exist in the same way as described above, for instance where a corporation provides two types of service to the government and these services conflict (e.g.: manufacturing parts and then participating on a selection committee comparing parts manufacturers). Corporations may develop simple or complex systems to mitigate the risk or perceived risk of a conflict of interest. These risks can be evaluated by a government agency (for example, in a U.S. Government RFP) to determine whether the risks create a substantial advantage to the organization in question over its competition, or will decrease the overall competitiveness of the bidding process.

Conflict of interest in the health care industry

The influence of the pharmaceutical industry on medical research has been a major cause for concern. In 2009 a study found that "a number of academic institutions" do not have clear guidelines for relationships between Institutional Review Boards and industry. The medical-industrial complex describes the interaction between physicians' conflict of interest with for-profit healthcare, continuing medical education, and patients' ethical considerations.

In contrast to this viewpoint, an article and associated editorial in the New England Journal of Medicine in May 2015 emphasized the importance of pharmaceutical industry-physician interactions for the development of novel treatments, and argued that moral outrage over industry malfeasance had unjustifiably led many to overemphasize the problems created by financial conflicts of interest. The article noted that major healthcare organizations such as National Center for Advancing Translational Sciences of the National Institutes of Health, the President's Council of Advisors on Science and Technology, the World Economic Forum, the Gates Foundation, the Wellcome Trust, and the Food and Drug Administration had encouraged greater interactions between physicians and industry in order to bring greater benefits to patients.

Types

The following are the most common forms of conflicts of interests:

  • Self-dealing, in which an official who controls an organization causes it to enter into a transaction with the official, or with another organization that benefits the official only. The official is on both sides of the "deal."
  • Outside employment, in which the interests of one job conflict with another.
  • Nepotism, in which a spouse, child, or other close relative is employed (or applies for employment) by an individual, or where goods or services are purchased from a relative or from a firm controlled by a relative. To avoid nepotism in hiring, many employment applications ask if the applicant is related to a current employee of the company. This allows recusal if the employed relative has a role in the hiring process. If this is the case, the relative could then recuse from any hiring decisions.
  • Gifts from friends who also do business with the person receiving the gifts or from individuals or corporations who do business with the organization in which the gift recipient is employed. Such gifts may include non-tangible things of value such as transportation and lodging.
  • Pump and dump, in which a stock broker who owns a security artificially inflates the price by "upgrading" it or spreading rumors, sells the security and adds a short position, then "downgrades" the security or spreads negative rumors to push the price down.

Other improper acts that are sometimes classified as conflicts of interests may have better classification. For example, accepting bribes can be classified as corruption, use of government or corporate property or assets for personal use is fraud, and unauthorized distribution of confidential information is a security breach. For these improper acts, there is no inherent conflict.

COI is sometimes termed competition of interest rather than "conflict", emphasizing a connotation of natural competition between valid interests, rather than the classical definition of conflict, which would by definition include a victim and unfair aggression. Nevertheless, this denotation of conflict of interest is not generally seen.

Examples

Environmental hazards and human health

Baker summarized 176 studies of the potential impact of Bisphenol A on human health as follows:

| Funding | Harm | No Harm |
|---|---|---|
| Industry | 0 | 13 (100%) |
| Independent (e.g., government) | 152 (86%) | 11 (14%) |

Lessig noted that this does not mean that the funding source influenced the results. However, it does raise questions about the validity of the industry-funded studies specifically, because the researchers conducting those studies have a conflict of interest; they are subject at minimum to a natural human inclination to please the people who paid for their work. Lessig provided a similar summary of 326 studies of the potential harm from cell phone usage with results that were similar but not as stark.

Self-regulation

Self-regulation of any group may also be a conflict of interest. If an entity, such as a corporation or government bureaucracy, is asked to eliminate unethical behavior within its own group, it may be in its interest in the short run to eliminate the appearance of unethical behavior, rather than the behavior itself, by keeping any ethical breaches hidden, instead of exposing and correcting them. An exception occurs when the ethical breach is already known by the public. In that case, it could be in the group's interest to end the ethical problem of which the public has knowledge, but keep remaining breaches hidden.

Insurance claims adjusters

Insurance companies retain claims adjusters to represent their interest in adjusting claims. It is in the best interest of the insurance companies that the very smallest settlement is reached with their claimants. Given the adjuster's experience and knowledge of the insurance policy, it is very easy for the adjuster to convince an unknowing claimant to settle for less than the larger settlement to which they may otherwise be entitled. There is always a very good chance that a conflict of interest exists when one adjuster tries to represent both sides of a financial transaction such as an insurance claim. This problem is exacerbated when the claimant is told, or believes, that the insurance company's claims adjuster is fair and impartial enough to satisfy both their own and the insurance company's interests. These types of conflicts could easily be avoided by the use of a third-party platform that is independent of the insurers and is agreed to, and named, in the policy.

Purchasing agents and sales personnel

A person working as the equipment purchaser for a company may get a bonus proportionate to the amount he's under budget by year end. However, this becomes an incentive for him to purchase inexpensive, substandard equipment. Therefore, this is counter to the interests of those in his company who must actually use the equipment. W. Edwards Deming listed "purchasing on price alone" as number 4 of his famous 14 points, and he often said things to the effect that "He who purchases on price alone deserves to get rooked."

Real estate agents

Real estate brokers have an inherent conflict of interest with the sellers they represent, because the usual commission structures of brokers motivate them to sell quickly rather than to sell at a higher price. However, a broker representing a buyer has a distinct disincentive to negotiate a lower price on behalf of their client, because they will simultaneously be negotiating their own commission lower.

Government officials

Figure: Conflict of interest in legislation; the interests of the poor and the interests of the rich. A personification of corrupt legislation weighs a bag of money and denies an appeal of poverty.

Regulating conflict of interest in government is one of the aims of political ethics. Public officials are expected to put service to the public and their constituents ahead of their personal interests. Conflict of interest rules are intended to prevent officials from making decisions in circumstances that could reasonably be perceived as violating this duty of office. Rules in the executive branch tend to be stricter and easier to enforce than in the legislative branch. This is visible through one study which highlights how Members of Congress who have specific stock investments may vote on regulatory and interventionist legislation. Two problems make legislative ethics of conflicts difficult and distinctive. First, as James Madison wrote, legislators should share a "communion of interests" with their constituents. Legislators cannot adequately represent the interests of constituents without also representing some of their own. As Senator Robert S. Kerr once said, "I represent the farmers of Oklahoma, although I have large farm interests. I represent the oil business in Oklahoma...and I am in the oil business...They don't want to send a man here who has no community of interest with them, because he wouldn't be worth a nickel to them." The problem is to distinguish special interests from the general interests of all constituents. Second, the "political interests" of legislatures include campaign contributions which they need to get elected, and which are generally not illegal and not the same as a bribe. But under many circumstances they can have the same effect. The problem here is how to keep the secondary interest in raising campaign funds from overwhelming what should be their primary interest—fulfilling the duties of office.

Politics in the United States is dominated in many ways by political campaign contributions. Candidates are often not considered "credible" unless they have a campaign budget far beyond what could reasonably be raised from citizens of ordinary means. The impact of this money can be found in many places, most notably in studies of how campaign contributions affect legislative behavior. For example, the price of sugar in the United States has been roughly double the international price for over half a century. In the 1980s, this added $3 billion to the annual budget of U.S. consumers, according to Stern, who provided the following summary of one part of how this happens:

Contributions from the sugar lobby, 1983–1986 | Percent voting in 1985 against gradually reducing sugar subsidies
> $5,000                                      | 100%
$2,500–5,000                                  | 97%
$1,000–2,500                                  | 68%
$1–1,000                                      | 45%
$0                                            | 20%

This $3 billion translates into $41 per household per year. This is in essence a tax collected by a nongovernmental agency: It is a cost imposed on consumers by governmental decisions, but never considered in any of the standard data on tax collections.

Stern notes that sugar interests contributed $2.6 million to political campaigns, representing well over $1,000 return for each $1 contributed to political campaigns. This, however, does not include the cost of lobbying. Lessig cites six different studies that consider the cost of lobbying with campaign contributions on a variety of issues considered in Washington, D.C. These studies produced estimates of the anticipated return on each $1 invested in lobbying and political campaigns that ranged from $6 to $220. Lessig notes that clients who pay tens of millions of dollars to lobbyists typically receive billions.

Lessig insists that this does not mean that any legislator has sold his or her vote. One of several possible explanations Lessig gives for this phenomenon is that the money helped elect candidates more supportive of the issues pushed by the big money spent on lobbying and political campaigns. He notes that if any money perverts democracy, it is the large contributions beyond the budgets of citizens of ordinary means; small contributions from common citizens have long been considered supportive of democracy.

When such large sums become virtually essential to a politician's future, it generates a substantive conflict of interest contributing to a fairly well documented distortion of the nation's priorities and policies.

Beyond this, governmental officials, whether elected or not, often leave public service to work for companies affected by legislation they helped enact or companies they used to regulate. This practice is called the "revolving door". Former legislators and regulators are accused of (a) using inside information for their new employers or (b) compromising laws and regulations in hopes of securing lucrative employment in the private sector. This possibility creates a conflict of interest for all public officials whose future may depend on the revolving door.

Finance industry and elected officials

Conflicts of interest among elected officials are part of the story behind the increase in the percent of US corporate domestic profits captured by the finance industry depicted in the accompanying figure.

Figure: Finance as a percent of US domestic corporate profits. Finance includes banks, securities and insurance. In 1932–1933, the total U.S. domestic corporate profit was negative. However, the financial sector made a profit in those years, which made its percentage negative, below 0 and off the scale in this plot.

From 1934 through 1985, the finance industry averaged 13.8% of U.S. domestic corporate profit. Between 1986 and 1999, it averaged 23.5%. From 2000 through 2010, it averaged 32.6%. Some of this increase is doubtless due to increased efficiency from banking consolidation and innovations in new financial products that benefit consumers. However, if most consumers had refused to accept financial products they did not understand, e.g., negative amortization loans, the finance industry would not have been as profitable as it has been, and the Late-2000s recession might have been avoided or postponed. Stiglitz argued that the Late-2000s recession was created in part because, "Bankers acted greedily because they had incentives and opportunities to do so". They did this in part by innovating to make consumer financial products like retail banking services and home mortgages as complicated as possible to make it easy for them to charge higher fees. Consumers who shop carefully for financial services typically find better options than the primary offerings of the major banks. However, few consumers think to do that. This explains part of this increase in financial industry profits. (Note, however, that Stiglitz has been accused of a conflict of interests and violation of Columbia University transparency policies for failing to disclose his status as a paid consultant to the government of Argentina at the same time he was writing articles in defense of Argentina's planned default of over $1 billion in bond debt during the 1998–2002 Argentine great depression, and for failing to disclose his paid consultancy to the government of Greece at the same time he was downplaying the risk of Greece defaulting on their debt during the Greek government-debt crisis of 2009.)

However, it is argued that a major portion of this increase and a driving force behind the Late-2000s recession has been the corrosive effect of money in politics, giving legislators and the President of the U.S. a conflict of interest, because if they protect the public, they will offend the finance industry, which contributed $1.7 billion to political campaigns and spent $3.4 billion ($5.1 billion total) on lobbying from 1998 to 2008.

To be conservative, suppose we attribute only the increase from 23.5% of 1986 through 1999 to the recent 32.6% average to governmental actions subject to conflicts of interest created by the $1.7 billion in campaign contributions. That's 9% of the $3 trillion in profits claimed by the finance industry during that period or $270 billion. This represents a return of over $50 for each $1 invested in political campaigns and lobbying for that industry. (This $270 billion represents almost $1,000 for every man, woman and child in the United States.) There is hardly any place outside politics with such a high return on investment in such a short time.

Finance industry and economists

Economists (unlike other professions such as sociologists) do not formally subscribe to a professional ethical code. Close to 300 economists have signed a letter urging the American Economic Association (the discipline's foremost professional body) to adopt such a code. The signatories include George Akerlof, a Nobel laureate, and Christina Romer, who headed Barack Obama's Council of Economic Advisers.

This call for a code of ethics was supported by the public attention the documentary Inside Job (winner of an Academy Award) drew to the consulting relationships of several influential economists. This documentary focused on conflicts that may arise when economists publish results or provide public recommendation on topics that affect industries or companies with which they have financial links. Critics of the profession argue, for example, that it is no coincidence that financial economists, many of whom were engaged as consultants by Wall Street firms, were opposed to regulating the financial sector.

In response to criticism that the profession not only failed to predict the financial crisis of 2007–2008 but may actually have helped create it, the American Economic Association adopted new rules in 2012: economists will have to disclose financial ties and other potential conflicts of interest in papers published in academic journals. Backers argue such disclosures will help restore faith in the profession by increasing transparency, which will help in assessing economists' advice.

Stockbrokers

A conflict of interest is a manifestation of moral hazard, particularly when a financial institution provides multiple services and the potentially competing interests of those services may lead to a concealment of information or dissemination of misleading information. A conflict of interest exists when a party to a transaction could potentially make a gain from taking actions that are detrimental to the other party in the transaction.

There are many types of conflicts of interest such as a pump and dump by stockbrokers. This is when a stockbroker who owns a security artificially inflates the price by upgrading it or spreading rumors, and then sells the security and adds a short position. They will then downgrade the security or spread negative rumors to push the price back down. This is an example of stock fraud. It is a conflict of interest because the stockbrokers are concealing and manipulating information to make it misleading for the buyers. The broker may claim to have the "inside" information about impending news and will urge buyers to buy the stock quickly. Investors will buy the stock, which creates a high demand and raises the prices. This rise in prices can entice more people to believe the hype and then buy shares as well. The stockbrokers will then sell their shares and stop promoting, the price will drop, and other investors are left holding stock that is worth nothing compared to what they paid for it. In this way, brokers use their knowledge and position to gain personally at the expense of others.

The Enron scandal is a major example of pump and dump. Executives participated in an elaborate scheme, falsely reporting profits, thus inflating its stock prices, and covered up the real numbers with questionable accounting; 29 executives sold overvalued stock for more than a billion dollars before the company went bankrupt.

A financial institution with a conflict of interest may also be charged with market manipulation. Stockbrokers that act as market makers have a duty to establish bona fide. A conflict of interest serves against that regulation. Stockbrokers have to prove that their trading interests and transacting interests do not interfere with serving the interests of investors at brokerages.

Media

Any media organization has a conflict of interest in discussing anything that may impact its ability to communicate as it wants with its audience. Most media, when reporting a story which involves a parent company or a subsidiary, will explicitly report this fact as part of the story, in order to alert the audience that their reporting has the potential for bias due to the possibility of a conflict of interest.

The business model of commercial media organizations (i.e., any that accept advertising) is selling behavior change in their audience to advertisers. However, few in their audience are aware of the conflict of interest between the profit motive and the altruistic desire to serve the public and "give the audience what it wants".

Many major advertisers test their ads in various ways to measure the return on investment in advertising. Advertising rates are set as a function of the size and spending habits of the audience as measured by the Nielsen Ratings. Media action expressing this conflict of interest is evident in the reaction of Rupert Murdoch, Chairman of News Corporation, owner of Fox, to changes in data collection methodology adopted in 2004 by the Nielsen Company to more accurately measure viewing habits. The results corrected a previous overestimate of the market share of Fox. Murdoch reacted by getting leading politicians to denounce the Nielsen Ratings as racist. Susan Whiting, president and CEO of Nielsen Media Research, responded by quietly sharing Nielsen's data with her leading critics. The criticism disappeared, and Fox paid Nielsen's fees. Murdoch had a conflict of interest between the reality of his market and his finances.

Commercial media organizations lose money if they provide content that offends either their audience or their advertisers. The substantial media consolidation that occurred since the 1980s has reduced the alternatives available to the audience, thereby making it easier for the ever-larger companies in this increasingly oligopolistic industry to hide news and entertainment potentially offensive to advertisers without losing audience. If the media provide too much information on how Congress spends its time, a major advertiser could be offended and could reduce their advertising expenditures with the offending media company; indeed, this is one of the ways the market system has determined which companies won and which either went out of business or were purchased by others in this media consolidation. (Advertisers don't like to feed the mouth that bites them, and often don't. Similarly, commercial media organizations are not eager to bite the hand that feeds them.) Advertisers have been known to fund media organizations with editorial policies they find offensive if that media outlet provides access to a sufficiently attractive audience segment they cannot efficiently reach otherwise.

Election years are a major boon to commercial broadcasters, because virtually all political advertising is purchased with minimal advance planning, paying therefore the highest rates. The commercial media have a conflict of interest in anything that could make it easier for candidates to get elected with less money.

Accompanying this trend in media consolidation has been a substantial reduction in investigative journalism, reflecting this conflict of interest between the business objectives of the commercial media and the public's need to know what government is doing in their name. This change has been tied to substantial changes in law and culture in the United States. To cite only one example, researchers have tied this decline in investigative journalism to an increased coverage of the "police blotter". This has further been tied to the fact that the United States has the highest incarceration rate in the world.

Beyond this, virtually all commercial media companies own substantial quantities of copyrighted material. This gives them an inherent conflict of interest in any public policy issue affecting copyrights. McChesney noted that the commercial media have lobbied successfully for changes in copyright law that have led "to higher prices and a shrinking of the marketplace of ideas", increasing the power and profits of the large media corporations at public expense. One result of this is that "the people cease to have a means of clarifying social priorities and organizing social reform". A free market has a mechanism for controlling abuses of power by media corporations: If their censorship becomes too egregious, they lose audience, which in turn reduces their advertising rates. However, the effectiveness of this mechanism has been substantially reduced over the past quarter century by "the changes in the concentration and integration of the media." Would the Anti-Counterfeiting Trade Agreement have advanced to the point of generating substantial protests without the secrecy behind which that agreement was negotiated—and would the government attempts to sustain that secrecy have been as successful if the commercial media had not been a primary beneficiary and had not had a conflict of interest in suppressing discussion thereof?

Mitigation

Removal

Sometimes, people who may be perceived to have a conflict of interest resign from a position or sell a shareholding in a venture, to eliminate the conflict of interest going forward. For example, Lord Evans of Weardale resigned as a non-executive director of the UK National Crime Agency after a tax-avoidance-related controversy about HSBC, where Lord Evans was also a non-executive director. This resignation was stated to have taken place in order to avoid the appearance of conflict of interest.

"Blind trust"

Blind trusts can perhaps mitigate conflict-of-interest scenarios by giving an independent trustee control of a beneficiary's assets. The independent trustee must have the power to sell or transfer interests without knowledge of the beneficiary. Thus, the beneficiary becomes "blind" to the impact of official actions on private interests held in trust.

As an example, a politician who owns shares in a company that may be affected by government policy may put those shares in a blind trust with themselves or their family as the beneficiary. It is disputed whether this really removes the conflict of interest, however.

Blind trusts may in fact obscure conflicts of interest, and for this reason it is illegal to fund political parties in the UK via a blind trust if the identity of the real donor is concealed.

Disclosure

Commonly, politicians and high-ranking government officials are required to disclose financial information—assets such as stock, debts such as loans, and/or corporate positions held, typically annually. To protect privacy (to some extent), financial figures are often disclosed in ranges such as "$100,000 to $500,000" and "over $2,000,000". Certain professionals are required either by rules related to their professional organization, or by statute, to disclose any actual or potential conflicts of interest. In some instances, the failure to provide full disclosure is a crime.

However, there is limited evidence regarding the effect of conflict of interest disclosure despite its widespread acceptance. A 2012 study published in the Journal of the American Medical Association showed that routine disclosure of conflicts of interest by American medical school educators to pre-clinical medical students was associated with an increased desire among students for limitations in some industry relationships. However, there were no changes in the perceptions of students about the value of disclosure, the influence of industry relationships on educational content, or the instruction by faculty with relevant conflicts of interest.

In addition, a growing line of research suggests that disclosure can have "perverse effects" or, at least, is not the panacea regulators often take it to be.

Recusal

Those with a conflict of interest are expected to recuse themselves from (i.e., abstain from) decisions where such a conflict exists. The imperative for recusal varies depending upon the circumstance and profession, either as common sense ethics, codified ethics, or by statute. For example, if the governing board of a government agency is considering hiring a consulting firm for some task, and one firm being considered has, as a partner, a close relative of one of the board's members, then that board member should not vote on which firm is to be selected. In fact, to minimize any conflict, the board member should not participate in any way in the decision, including discussions.

Judges are supposed to recuse themselves from cases when personal conflicts of interest may arise. For example, if a judge has participated in a case previously in some other judicial role he/she is not allowed to try that case. Recusal is also expected when one of the lawyers in a case might be a close personal friend, or when the outcome of the case might affect the judge directly, such as whether a car maker is obliged to recall a model that a judge drives. This is required by law under Continental civil law systems and by the Rome Statute, organic law of the International Criminal Court.

Third-party evaluations

Consider a situation where the owner of a majority of a public company decides to buy out the minority shareholders and take the corporation private. What is a fair price? Obviously it is improper (and, typically, illegal) for the majority owner to simply state a price and then have the (majority-controlled) board of directors approve that price. What is typically done is to hire an independent firm (a third party), well-qualified to evaluate such matters, to calculate a "fair price", which is then voted on by the minority shareholders.

Third-party evaluations may also be used as proof that transactions were, in fact, fair ("arm's-length"). For example, a corporation that leases an office building owned by the CEO might get an independent evaluation showing what the market rate is for such leases in the locale, to address the conflict of interest that exists between the fiduciary duty of the CEO (to the stockholders, by getting the lowest rent possible) and the personal interest of that CEO (to maximize the income that the CEO gets from owning that office building by getting the highest rent possible).

A January 2018 report by the Public Citizen non-profit describes dozens of foreign governments, special interest groups and GOP congressional campaign committees that spent hundreds of thousands of dollars at President Donald Trump's properties during his first year in office. The study said that these groups clearly intended to win over the president by helping his commercial business empire profit while he held the office.

Data breach

From Wikipedia, the free encyclopedia

A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, altered or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, information leakage and data spill. Incidents range from concerted attacks by individuals who hack for personal gain or malice (black hats), organized crime, political activists or national governments, to poorly configured system security or careless disposal of used computer equipment or data storage media. Leaked information can range from matters compromising national security, to information on actions which a government or official considers embarrassing and wants to conceal. A deliberate data breach by a person privy to the information, typically for political purposes, is more often described as a "leak".

Data breaches may involve financial information such as credit card and debit card details, bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property. Data breaches may involve overexposed and vulnerable unstructured data – files, documents, and sensitive information.

Data breaches can be quite costly to organizations with direct costs (remediation, investigation, etc.) and indirect costs (reputational damages, providing cyber security to victims of compromised data, etc.).

According to the nonprofit consumer organization Privacy Rights Clearinghouse, a total of 227,052,199 individual records containing sensitive personal information were involved in security breaches in the United States between January 2005 and May 2008, excluding incidents where sensitive data was apparently not actually exposed.

Many jurisdictions have passed data breach notification laws, which require a company that has been subject to a data breach to inform customers and take other steps to remediate possible injuries.

In what can be touted as one of the biggest Twitter data breaches, the data of 400 million Twitter users have been put up for sale on the dark web. The revelation comes a day after The Irish Data Protection Commission (DPC) announced an investigation into an earlier Twitter data leak that had affected over 5.4 million users. The earlier breach was discovered in late November.

According to Alon Gal, co-Founder and CTO of Israeli cybercrime intelligence company, Hudson Rock, the data was probably obtained from an API vulnerability enabling the threat actor to query any email or phone and retrieve a Twitter profile.

Definition

A data breach may include incidents such as theft or loss of digital media such as computer tapes, hard drives, or laptop computers with unencrypted information, posting such information on the World Wide Web without proper information security precautions, transfer of such information to a system which is not completely open but is not appropriately or formally accredited for security, such as unencrypted e-mail, or transfer of such information to the information systems of a possibly hostile agency, such as a competing corporation or a foreign nation, where it may be exposed to more intensive decryption techniques.

ISO/IEC 27040 defines a data breach as: compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed.

Trust and privacy

The notion of a trusted environment is somewhat fluid. The departure of a trusted staff member with access to sensitive information can become a data breach if the staff member retains access to the data after termination of the trust relationship. In distributed systems, this can also occur with a breakdown in a web of trust. Data quality is one way of reducing the risk of a data breach, partly because it allows the owner of the data to rate data according to importance and give better protection to more important data.

Most such incidents publicized in the media involve private information on individuals, e.g. social security numbers. Loss of corporate information such as trade secrets, sensitive corporate information, and details of contracts, or of government information is frequently unreported, as there is no compelling reason to do so in the absence of potential damage to private citizens, and the publicity around such an event may be more damaging than the loss of the data itself.
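A check for the retained-access case described in this section (a staff member who can still reach data after the trust relationship ends), added here as an illustration and not part of the original article. It reconciles an offboarding list against an access log; the record layouts, account names and paths are constructed assumptions.

```python
"""Flag access by accounts after their owner's termination time.

All records below are constructed sample data; the field layout is an
assumption, not a format taken from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed HR offboarding feed: account -> termination time (ISO 8601,
# with UTC offset). Note the second entry is expressed in a -05:00 zone.
TERMINATIONS = {
    "asmith": "2023-01-06T17:00:00+00:00",
    "bjones": "2023-01-09T12:00:00-05:00",
}

# Constructed access log: "timestamp user action resource result".
ACCESS_LOG = """\
2023-01-06T16:59:10+00:00 asmith READ /finance/payroll.xlsx ALLOW
2023-01-06T23:14:02+00:00 ASmith READ /finance/payroll.xlsx ALLOW
2023-01-07T02:30:45+00:00 asmith READ /hr/contracts/ DENY
2023-01-09T16:45:00+00:00 bjones LOGIN vpn-gw ALLOW
2023-01-09T17:30:00+00:00 bjones READ /eng/design.pdf ALLOW
2023-01-09T18:00:00+00:00 cdoe READ /eng/design.pdf ALLOW
-- log rotated --
"""


@dataclass(frozen=True)
class Finding:
    user: str
    when: datetime      # normalised to UTC
    action: str
    resource: str
    severity: str       # "retained-access" or "blocked-attempt"


def parse_events(log_text):
    """Return (events, rejected_lines); never silently drop a bad line."""
    events, rejected = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            rejected.append(line)
            continue
        ts, user, action, resource, result = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            rejected.append(line)
            continue
        if when.tzinfo is None:
            # A timestamp without an offset cannot be ordered reliably.
            rejected.append(line)
            continue
        # Account names are compared case-insensitively.
        events.append((when, user.lower(), action, resource, result.upper()))
    return events, rejected


def find_post_termination_access(terminations, events):
    """List every event by a terminated account after its cut-off time."""
    cutoff = {u.lower(): datetime.fromisoformat(t)
              for u, t in terminations.items()}
    findings = []
    for when, user, action, resource, result in events:
        end = cutoff.get(user)
        # Offset-aware datetimes compare on the absolute instant, so mixed
        # time zones are handled; comparing the raw strings would not be.
        if end is None or when <= end:
            continue
        severity = "retained-access" if result == "ALLOW" else "blocked-attempt"
        findings.append(Finding(user, when.astimezone(timezone.utc),
                                action, resource, severity))
    return sorted(findings, key=lambda f: f.when)


def run_sample():
    events, rejected = parse_events(ACCESS_LOG)
    return find_post_termination_access(TERMINATIONS, events), rejected


if __name__ == "__main__":
    findings, rejected = run_sample()
    for f in findings:
        print(f"{f.when.isoformat()} {f.severity:16} {f.user} {f.action} {f.resource}")
    print(f"{len(rejected)} unparseable line(s) need manual review")
```

A "retained-access" finding means the account was still authorised after termination; a "blocked-attempt" finding means revocation worked but the former account is still being used.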

Insider versus external threats

Those working inside an organization are a significant cause of data breaches. The Verizon 2021 Data Breach Investigations Report estimates that around 20% of breaches are caused by accidental "human factor" errors. The external threat category includes hackers, cybercriminal organizations and state-sponsored actors. Professional associations for IT asset managers work aggressively with IT professionals to educate them on best risk-reduction practices for both internal and external threats to IT assets, software and information. While security prevention may deflect a high percentage of attempts, ultimately a motivated attacker will likely find a way into any given network. One of the top 10 quotes from Cisco CEO John Chambers is, "There are two types of companies: those that have been hacked, and those that don't know they have been hacked." FBI Special Agent for Cyber Special Operations Leo Taddeo warned on Bloomberg television, "The notion that you can protect your perimeter is falling by the wayside & detection is now critical."

Medical data breach

Some celebrities have found themselves to be the victims of inappropriate medical record access breaches, albeit more so on an individual basis, not part of a typically much larger breach. Given the series of medical data breaches and the lack of public trust, some countries have enacted laws requiring safeguards to be put in place to protect the security and confidentiality of medical information as it is shared electronically and to give patients some important rights to monitor their medical records and receive notification for loss and unauthorized acquisition of health information. The United States and the EU have imposed mandatory medical data breach notifications. Reportable breaches of medical information are increasingly common in the United States.

Figure: Average cost of data breaches in Germany

Consequences

Although such incidents pose the risk of identity theft or other serious consequences, in most cases there is no lasting damage; either the breach in security is remedied before the information is accessed by unscrupulous people, or the thief is only interested in the hardware stolen, not the data it contains. Nevertheless, when such incidents become publicly known, it is customary for the offending party to attempt to mitigate damages by providing the victims with, for instance, a subscription to a credit reporting agency, new credit cards, or other instruments. In the case of Target, the 2013 breach cost Target a significant drop in profit, which dove an estimated 40 percent in the 4th quarter of the year. At the end of 2015, Target published a report claiming a total loss of $290 million to data breach related fees.

The Yahoo breach disclosed in 2016 may be one of the most expensive to date. It may lower the price of its acquisition by Verizon by $1 billion. Verizon later announced a renegotiated deal with Yahoo, agreeing to lower the final price from $4.8 billion to $4.48 billion. Cybercrime cost energy and utilities companies an average of $12.8 million each year in lost business and damaged equipment, according to DNV GL, an international certification body and classification society based in Norway. Data breaches cost healthcare organizations $6.2 billion in the last two years (presumably 2014 and 2015), according to a Ponemon study.

In health care, more than 25 million people have had their health care stolen, resulting in the identity theft of more than 6 million people, and the out-of-pocket cost to victims is close to $56 billion. Privacy Rights Clearinghouse (PRC) records from January 2005 to December 2018 show more than 9000 breach events, along with the cause of each breach, such as insider attack, payment card fraud, a lost or stolen portable device, malware infection, and sending an email to the wrong person (DISC). This shows that a common cause of data breaches is human error, which hackers can exploit to perform an attack.

It is notoriously difficult to obtain information on direct and indirect value loss resulting from a data breach. A common approach to assess the impact of data breaches is to study the market reaction to such an incident as a proxy for the economic consequences. This is typically conducted through the use of event studies, where a measure of the event's economic impact can be constructed by using the security prices observed over a relatively short period of time. Several such studies have been published with varying findings, including works by Kannan, Rees, and Sridhar (2007), Cavusoglu, Mishra, and Raghunathan (2004), Campbell, Gordon, Loeb, and Lei (2003) as well as Schatz and Bashroush (2017).

Since data volume is growing exponentially in the digital era and data leaks happen more frequently than ever before, preventing sensitive information from being leaked to unauthorized parties has become one of the most pressing security concerns for enterprises. To safeguard data and finances, businesses and companies often have to incur additional costs to take preventive measures against potential data breaches. From 2017 to 2021, global spending on internet security was predicted to be over $1 trillion.

Major incidents

Notable incidents include:

2005

2006

  • AOL search data scandal (sometimes referred to as a "Data Valdez", due to its size)
  • Department of Veterans Affairs, May, 28,600,000 veterans, reserves, and active duty military personnel
  • Ernst & Young, May, 234,000 customers of Hotels.com (after a similar loss of data on 38,000 employees of Ernst & Young clients in February)
  • Boeing, December, 382,000 employees (after similar losses of data on 3,600 employees in April and 161,000 employees in November, 2005)

2007

2008

  • In January 2008, GE Money, a division of General Electric, disclosed that a magnetic tape containing 150,000 social security numbers and in-store credit card information from 650,000 retail customers is known to be missing from an Iron Mountain Incorporated storage facility. J.C. Penney is among 230 retailers affected.
  • Horizon Blue Cross and Blue Shield of New Jersey, January, 300,000 members
  • Lifeblood, February, 321,000 blood donors
  • British National Party membership list leak
  • In early 2008, Countrywide Financial (since acquired by Bank of America) allegedly fell victim to a data breach when, according to news reports and court documents, employee Rene L. Rebollo Jr. stole and sold up to 2.5 million customers' personal information including social security numbers. According to the legal complaint: "Beginning in 2008 – coincidentally after they sold their mortgage portfolios under wrongful and fraudulent 'securitization pools,' and coincidentally after their mortgage portfolio went into massive default as a result thereof – Countrywide learned that the financial information of potentially millions of customers had been stolen by certain Countrywide agents, employees or other individuals." In July 2010, Bank of America settled more than 30 related class-action lawsuits by offering free credit monitoring, identity theft insurance and reimbursement for losses to as many as 17 million consumers impacted by the alleged data breach. The settlement was estimated at $56.5 million not including court costs.

2009

  • In December 2009, a RockYou! password database containing 32 million usernames and plaintext passwords was breached, further compromising the use of weak passwords for any purpose.
  • In May 2009 the United Kingdom parliamentary expenses scandal was revealed by The Daily Telegraph. A hard disk containing scanned receipts of UK Members of Parliament and Peers in the House of Lords was offered to various UK newspapers in late April, with The Daily Telegraph finally acquiring it. They published details in instalments from 8 May onwards. Although it was intended by Parliament that the data was to be published, this was to be in redacted form, with details the individual members considered "sensitive" blanked out. The newspaper published unredacted scans which showed details of the claims, many of which appeared to be in breach of the rules and suggested widespread abuse of the generous expenses system. The resulting media storm led to the resignation of the Speaker of the House of Commons and the prosecution and imprisonment of several MPs and Lords for fraud. The expenses system was overhauled and tightened up, being put more on a par with private industry schemes. The Metropolitan Police Service continues to investigate possible frauds, and the Crown Prosecution Service is considering further prosecutions. Several MPs and Lords apologised and made whole, partial or no restitution, and retained their seats. Others who had been shamed in the media did not offer themselves for re-election at the 2010 United Kingdom general election. Although numbering less than 1,500 individuals, the affair received the largest global media coverage of any data breach (as at February 2012).
  • In January 2009 Heartland Payment Systems announced that it had been "the victim of a security breach within its processing system", possibly part of a "global cyber fraud operation". The intrusion has been called the largest criminal breach of card data ever, with estimates of up to 100 million cards from more than 650 financial services companies compromised.

2010

  • Throughout the year, Chelsea Manning released large volumes of secret military data to the public.

2011

  • In April 2011, Sony experienced a data breach within their PlayStation Network. It is estimated that the information of 77 million users was compromised.
  • In March 2011, RSA SecurID suffered a breach of their SecurID token system seed-key warehouse, where the seed keys for their 2 Factor Authentication system were stolen, allowing the attackers to replicate the hardware tokens used for secure access in corporate and government environments.
  • In June 2011, Citigroup disclosed a data breach within their credit card operation, affecting approximately 210,000 or 1% of their customers' accounts.

2012

  • In the summer of 2012, Wired.com Senior Writer Mat Honan claimed that "hackers destroyed my entire digital life in the span of an hour" by hacking his Apple, Twitter, and Gmail passwords in order to gain access to his Twitter handle, and that in the process the hackers wiped out every one of his devices, deleting all of his messages and documents, including every picture he had ever taken of his 18-month-old daughter. The exploit was achieved with a combination of information provided to the hackers by Amazon's tech support through social engineering, and the password recovery system of Apple, which used this information. Drawing on this experience, Mat Honan wrote a piece outlining why passwords cannot keep users safe.
  • In October 2012, a law enforcement agency contacted the South Carolina Department of Revenue (DoR) with evidence that Personally Identifiable Information (PII) of three individuals had been stolen. It was later reported that an estimated 3.6 million Social Security numbers were compromised along with 387,000 credit card records.

2013

  • In October 2013, Adobe Systems revealed that their corporate database was hacked and some 130 million user records were stolen. According to Adobe, "For more than a year, Adobe’s authentication system has cryptographically hashed customer passwords using the SHA-256 algorithm, including salting the passwords and iterating the hash more than 1,000 times. This system was not the subject of the attack we publicly disclosed on October 3, 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. The system involved in the attack used Triple DES encryption to protect all password information stored."
  • In late November to early December 2013, Target Corporation announced that data from around 70 million credit and debit cards was stolen. It is the second largest credit and debit card breach after the TJX Companies data breach where almost 46 million cards were affected.
  • In 2013, Edward Snowden published a series of secret documents that revealed widespread spying by the United States National Security Agency and similar agencies in other countries.

2014

  • In August 2014, nearly 200 photographs of celebrities were stolen from Apple iCloud accounts and posted to the image board website 4chan. An investigation by Apple found that the images were obtained "by a very targeted attack on user names, passwords and security questions". After the celebrity breach, Apple toughened iCloud security through opt-in two-factor authentication.
  • In September 2014, Home Depot suffered a data breach of 56 million credit card numbers.
  • In October 2014, Staples suffered a data breach of 1.16 million customer payment cards.
  • In November 2014 and for weeks after, Sony Pictures Entertainment suffered a data breach involving personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of (previously) unreleased Sony films, and other information. The hackers involved claim to have taken over 100 terabytes of data from Sony.

2015

  • In October 2015, the British telecommunications provider TalkTalk suffered a data breach when a group of 15-year-old hackers stole information on its 4 million customers. The stock price of the company fell substantially due to the issue – around 12% – owing largely to the bad publicity surrounding the leak.
  • In July 2015, adult website Ashley Madison suffered a data breach when a hacker group stole information on its 37 million users. The hackers threatened to reveal usernames and specifics if Ashley Madison and a fellow site, EstablishedMen.com, did not shut down permanently.
  • In February 2015, Anthem suffered a data breach of nearly 80 million records, including personal information such as names, Social Security numbers, dates of birth, and other sensitive details.
  • In June 2015, The Office of Personnel Management of the U.S. government suffered a data breach in which the records of 22.1 million current and former federal employees of the United States were hacked and stolen.

2016

  • In February 2016, the 15-year-old British hacker Kane Gamble leaked the personal details of over 20,000 FBI employees, including employees' names, job titles, phone numbers and email addresses. The judge said Gamble engaged in "politically motivated cyber-terrorism."
  • In March 2016, the website of the Commission on Elections in the Philippines was defaced by the hacktivist group "Anonymous Philippines". A larger problem arose when a group called LulzSec Pilipinas uploaded COMELEC's entire database on Facebook the following day.
  • In April 2016, news media carried information stolen from a successful network attack of the Central American law firm, Mossack Fonseca, and the resulting “Panama Papers” sent reverberations throughout the world. Perhaps a justified vindication of illegal or unethical activity, this nonetheless illustrates the impact of secrets coming to light. The Prime Minister of Iceland was forced to resign and a major reshuffling of political offices occurred in countries as far-flung as Malta. Multiple investigations were immediately initiated in countries around the world, including a hard look at international or offshore banking rules in the U.S. Obviously the implications are enormous to the ability of an organization—whether a law firm or a governmental department—to keep secrets.
  • In September 2016, Yahoo reported that up to 500 million accounts had been breached in 2014 in an apparent "state-sponsored" data breach. It was later reported in October 2017 that 3 billion accounts had been breached, accounting for every Yahoo account at the time.

2017

  • Vault 7, CIA's hacking techniques revealed in data breach. Leaked documents, codenamed Vault 7 and dated from 2013–2016, detail the capabilities of the CIA to perform electronic surveillance and cyber warfare, such as the ability to compromise the operating systems of most smartphones (including Apple's iOS and Google's Android), as well as other operating systems such as Microsoft Windows, macOS, and Linux. Joshua Adam Schulte, a former CIA employee, has been convicted of leaking CIA hacking secrets to WikiLeaks.
  • Equifax, July 2017, 145,500,000 consumer records, the largest known data breach in history at the time, leading to the potential for the largest class action lawsuit in history. As of early October 2017, the cities of Chicago and San Francisco and the Commonwealth of Massachusetts have filed enforcement actions against Equifax following the July 2017 data breach, in which hackers allegedly exploited a vulnerability in the open-source software used to create Equifax's online consumer dispute portal. The hackers obtained information not only on U.S. residents but also on U.K. and Canadian residents.
  • United States-South Korea classified military documents, October 2017. A South Korean lawmaker claimed that North Korean hackers stole over 235 gigabytes of military documents from the Defense Integrated Data Center in September 2016. Leaked documents included South Korea-U.S. wartime operational plans.
  • Paradise Papers, November 2017.

2018

  • Facebook and Cambridge Analytica data scandal in March.
  • In March, Google identified a vulnerability exposing the personal information of nearly half a million users. While they patched the vulnerability, they did not disclose the exposure to users until the issue was reported on by The Wall Street Journal 6 months after the fact.
  • On 29 March, Under Armour disclosed a data breach of 150 million accounts at MyFitnessPal, with compromised data consisting of user names, the users' e-mail addresses and hashed passwords. Under Armour was notified of the breach in the week of 19–25 March; the leak happened sometime in February.
  • It was reported on 1 April that a data breach occurred at Saks Fifth Avenue / Lord & Taylor. About 5 million credit card holders may have had their data compromised in stores in North America.
  • It was reported on 20 July that a data breach on SingHealth, one of Singapore's largest health organisations, happened on 4 July, with about 1.5 million personal data records (including data of some ministers, including Singapore's Prime Minister Lee Hsien Loong) being compromised. Ministers at a press conference dubbed the data breach the "most serious breach of personal data".
  • On 1 August, Reddit disclosed they were hacked. The hacker was able to compromise employees' accounts even though they used SMS-based two-factor authentication. Reddit refused to disclose the number of affected users.
  • On September 7 it was reported that British Airways experienced a data theft of about 380,000 customer records including full bank details.
  • On October 19, the US Centers for Medicare & Medicaid Services (CMS) reported a data breach that exposed files of 75,000 individuals.
  • On December 3, Quora reported a data breach that affected the data of its 100 million users.
  • In late 2018, the Epic Games Fortnite game was discovered to have a security vulnerability which would have allowed an attacker to use victims' payment card data. That and other breaches are estimated to have led to stolen Fortnite accounts being illegally sold to a value of over a million US dollars a year in underground forums. A class action lawsuit against Epic Games was forming in 2019.

2019

  • In May, personal data of roughly 139 million users of the graphic design service Canva were exposed, including real names of users, usernames, addresses and geographical information, and password hashes.
  • On July 16 Bulgaria’s National Revenue Agency, a branch of the country’s Ministry of Finance.
  • In September, personal data of Ecuador's entire population of 17 million, along with that of deceased people, was breached after an unsecured server managed by the marketing analytics firm Novestrat leaked full names, dates, places of birth, education, phone numbers and national identity numbers.

2020

  • On July 7, the writing site Wattpad suffered a major data breach by ShinyHunters, involving over 270 million users; users' data were sold on a forum in the darknet, including password hashes.
  • In mid-December 2020, it was reported that multiple US federal government entities and many private organizations across the globe that were using SolarWinds, Microsoft and VMware products became victims of an extensive data breach and hack.

2021

2022

Operator (computer programming)

From Wikipedia, the free encyclopedia https://en.wikipedia.org/wiki/Operator_(computer_programmin...