Appendix F. A comparison of data protection malpractices in our taxonomy and prior literature
Category/Subcategory | Smith et al. (1996) | Wang et al. (1998) | Sen and Borle (2015) | Posey et al. (2017) | D'Arcy et al. (2020) | Khan et al. (2021) |
Data protection obligations (A) | | | | | | |
Inadequate information obligations (A1) | | | | | | |
Inadequate data risk assessment obligations (A2) | | | | | | |
Inadequate corporate oversight obligations (A3) | | | | | | |
Inadequate cooperation obligations (A4) | | | | | | |
Inadequate notification obligations (A5) | | | | | | |
Data harvesting (B) | | | | | | |
Unauthorized data harvesting (B1) | | | | | | |
Excessive data harvesting (B2) | | | | | | |
Forced consent (B3) | | | | | | |
Improper procedure for informed consent (B4) | | | | | | |
Unfulfilled request for consent revocation (B5) | | | | | | |
Data fraud (B6) | | | | | | |
Data storage (C) | | | | | | |
Unauthorized access to personal data (C1) | | | | | | |
Excessive access to personal data (C2) | | | | | | |
Unfulfilled request for data access (C3) | | | | | | |
Unfulfilled request for data rectification (C4) | | | | | | |
Unfulfilled request for data deletion (C5) | | | | | | |
Insecure data storage (C6) | | | | | | |
Excessive data storage (C7) | | | | | | |
Data processing (D) | | | | | | |
Secondary use of personal data (D1) | | | | | | |
Unauthorized data processing (D2) | | | | | | |
Excessive data processing (D3) | | | | | | |
Unfulfilled request for objection to data processing (D4) | | | | | | |
Insecure data processing (D5) | | | | | | |
Erroneous data processing (D6) | | | | | | |
Data transfer (E) | | | | | | |
Unauthorized data transfer (E1) | | | | | | |
Insecure data transfer (E2) | | | | | | |
Data selling (E3) | | | | | | |
Data disposal (F) | | | | | | |
Insecure data disposal (F1) | | | | | | |
References
1. D’Arcy J, Adjerid I, Angst C M and Glavas A (2020) Too good to be true: Firm social performance and the risk of data breach. Information Systems Research 31(4), 1200-1223.
2. Khan F, Kim J H, Mathiassen L and Moore R (2021) Data breach management: An integrated risk model. Information & Management 58(1), 103392.
3. Posey C, Raja U, Crossler R E and Burns A J (2017) Taking stock of organisations’ protection of privacy: Categorising and assessing threats to personally identifiable information in the USA. European Journal of Information Systems 26(6), 585-604.
4. Sen R and Borle S (2015) Estimating the contextual risk of data breach: An empirical approach. Journal of Management Information Systems 32(2), 314-341.
5. Smith H J, Milberg S J and Burke S J (1996) Information privacy: Measuring individuals' concerns about organizational practices. MIS Quarterly 20(2), 167-196.
6. Wang H, Lee M K and Wang C (1998) Consumer privacy concerns about Internet marketing. Communications of the ACM 41(3), 63-70.