Week 6


section 4.1



4.1 Explain the ethical issues in the use of information technology.

4.2 Identify the six epolicies organizations should implement to protect themselves.


LO 4.1: Explain the ethical issues in the use of information technology.

Ethics and security are two fundamental building blocks for all organizations. In recent years, enormous business scandals along with 9/11 have shed new light on the meaning of ethics and security. When the behavior of a few individuals can destroy billion-dollar organizations, the value of ethics and security should be evident.

Copyright is the legal protection afforded an expression of an idea, such as a song, book, or video game. Intellectual property is intangible creative work that is embodied in physical form and includes copyrights, trademarks, and patents. A patent is an exclusive right to make, use, and sell an invention and is granted by a government to the inventor. As it becomes easier for people to copy everything from words and data to music and video, the ethical issues surrounding copyright infringement and the violation of intellectual property rights are consuming the ebusiness world. Technology poses new challenges for our ethics, the principles and standards that guide our behavior toward other people.

The protection of customers’ privacy is one of the largest, and murkiest, ethical issues facing organizations today. Privacy is the right to be left alone when you want to be, to have control over your personal possessions, and not to be observed without your consent. Privacy is related to confidentiality, which is the assurance that messages and information remain available only to those authorized to view them. Each time employees make a decision about a privacy issue, the outcome could sink the company.

Trust among companies, customers, partners, and suppliers is the support structure of ebusiness. Privacy is one of its main ingredients. Consumers’ concerns that their privacy will be violated because of their interactions on the web continue to be one of the primary barriers to the growth of ebusiness.

Information ethics govern the ethical and moral issues arising from the development and use of information technologies as well as the creation, collection, duplication, distribution, and processing of information itself (with or without the aid of computer technologies). Ethical dilemmas in this area usually arise not as simple, clear-cut situations but as clashes among competing goals, responsibilities, and loyalties. Inevitably, there will be more than one socially acceptable or correct decision. The two primary areas concerning software include pirated software and counterfeit software. Pirated software is the unauthorized use, duplication, distribution, or sale of copyrighted software. Counterfeit software is software that is manufactured to look like the real thing and sold as such. Digital rights management is a technological solution that allows publishers to control their digital media to discourage, limit, or prevent illegal copying and distribution. Figure 4.2 contains examples of ethically questionable or unacceptable uses of information technology.2


Figure 4.2: Ethically Questionable or Unacceptable Information Technology Use




Information—Does It Have Ethics?

A high school principal decided it was a good idea to hold a confidential conversation about teachers, salaries, and student test scores on his cellular phone in a local Starbucks. Not realizing that one of the students’ parents was sitting next to him, the principal accidentally divulged sensitive information about his employees and students. The irate parent soon notified the school board about the principal’s inappropriate behavior and a committee was formed to decide how to handle the situation.3

With the new wave of collaboration tools, electronic business, and the Internet, employees are finding themselves working outside the office and beyond traditional office hours. Advantages associated with remote workers include increased productivity, decreased expenses, and boosts in morale as employees are given greater flexibility to choose their work location and hours. Unfortunately, remote work also brings disadvantages: new forms of ethical challenge and new information security risks.

In a group, discuss the following statement: Information does not have any ethics. If you were elected to the committee to investigate the principal’s inappropriate Starbucks phone conversation, what types of questions would you want answered? What type of punishment, if any, would you enforce on the principal? What types of policies would you implement across the school district to ensure that this scenario is never repeated? Be sure to highlight how remote work affects the business, along with any potential ethical challenges and information security issues it raises.


Unfortunately, few hard and fast rules exist for always determining what is ethical. Many people can either justify or condemn the actions in Figure 4.2, for example. Knowing the law is important, but that knowledge will not always help because what is legal might not always be ethical, and what might be ethical is not always legal. For example, Joe Reidenberg received an offer for AT&T cell phone service. AT&T used Equifax, a credit reporting agency, to identify potential customers such as Joe Reidenberg. Overall, this seemed like a good business opportunity between Equifax and AT&T wireless. Unfortunately, the Fair Credit Reporting Act (FCRA) forbids repurposing credit information except when the information is used for “a firm offer of credit or insurance.” In other words, the only product that can be sold based on credit information is credit. A representative for Equifax stated, “As long as AT&T Wireless (or any company for that matter) is offering the cell phone service on a credit basis, such as allowing the use of the service before the consumer has to pay, it is in compliance with the FCRA.” However, the question remains—is it ethical?4

Figure 4.3 shows the four quadrants where ethical and legal behaviors intersect. The goal for most businesses is to make decisions within quadrant I that are both legal and ethical. There are times when a business will find itself in the position of making a decision in quadrant III, such as hiring child labor in foreign countries, or in quadrant II when a business might pay a foreigner who is getting her immigration status approved because the company is in the process of hiring the person. A business should never find itself operating in quadrant IV. Ethics are critical to operating a successful business today.

Information Does Not Have Ethics, People Do

Information itself has no ethics. It does not care how it is used. It will not stop itself from spamming customers, sharing itself if it is sensitive or personal, or revealing details to third parties. Information cannot delete or preserve itself. Therefore, it falls to those who own the information to develop ethical guidelines about how to manage it.




Is IT Really Worth the Risk?

Ethics. It’s just one tiny word, but it has monumental impact on every area of business. From the magazines, blogs, and newspapers you read to the courses you take, you will encounter ethics because it is a hot topic in today’s electronic world. Technology has provided so many incredible opportunities, but it has also provided those same opportunities to unethical people. Discuss the ethical issues surrounding each of the following situations (yes, these are true stories):

A student raises her hand in class and states, “I can legally copy any DVD I get from Netflix because Netflix purchased the DVD and the copyright only applies to the company who purchased the product.”

A student stands up the first day of class before the professor arrives and announces that his fraternity scans textbooks and he has the textbook for this course on his thumb drive, which he will gladly sell for $20. Several students pay on the spot and upload the scanned textbook to their PCs. One student takes down the student information and contacts the publisher about the incident.

A senior marketing manager is asked to monitor his employee’s email because there is a rumor that the employee is looking for another job.

A vice president of sales asks her employee to burn all of the customer data onto an external hard drive because she made a deal to provide customer information to a strategic partner.

A senior manager is asked to monitor his employee’s email to discover whether she is sexually harassing another employee.

An employee is looking at the shared network drive and discovers that his boss’s entire hard drive, including his email backup, has been copied to the network and is visible to all.

An employee is accidently copied on an email listing the targets for the next round of layoffs.



Figure 4.3: Acting Ethically and Acting Legally Are Not Always the Same Thing



Figure 4.4: Ethical Guidelines for Information Management

A few years ago, the ideas of information management, governance, and compliance were relatively obscure. Today, these concepts are a must for virtually every company, both domestic and global, primarily because of the role digital information plays in corporate legal proceedings or litigation. Digital information frequently serves as key evidence in legal proceedings, and it is far easier to search, organize, and filter than paper documents. Digital information is also extremely difficult to destroy, especially once it is on a corporate network or has been sent by email: copies accumulate on backups, mail servers, and recipients’ systems, so destroying the hard drive on which a file was first stored removes only that one copy. Ediscovery (or electronic discovery) refers to the ability of a company to identify, search, gather, seize, or export digital information in response to litigation, an audit, an investigation, or an information inquiry. As the importance of ediscovery grows, so do information governance and information compliance. The Child Online Protection Act (COPA) was passed to protect minors from accessing inappropriate material on the Internet. Figure 4.4 displays the ethical guidelines for information management.


LO 4.2: Identify the six epolicies organizations should implement to protect themselves.

Treating sensitive corporate information as a valuable resource is good management. Building a corporate culture based on ethical principles that employees can understand and implement is responsible management. Organizations should develop written policies establishing employee guidelines, employee procedures, and organizational rules for information. These policies set employee expectations about the organization’s practices and standards and protect the organization from misuse of computer systems and IT resources. If an organization’s employees use computers at work, the organization should, at a minimum, implement epolicies. Epolicies are policies and procedures that address information management along with the ethical use of computers and the Internet in the business environment. Figure 4.5 displays the epolicies a firm should implement to set employee expectations.



Figure 4.5: Overview of Epolicies

Ethical Computer Use Policy

In a case that illustrates the perils of online betting, a leading Internet poker site reported that a hacker exploited a security flaw to gain an insurmountable edge in high-stakes, no-limit Texas hold ’em tournaments: the ability to see his opponents’ hole cards. The cheater, whose illegitimate winnings were estimated at between $400,000 and $700,000 by one victim, was an employee of AbsolutePoker.com and hacked the system to show that it could be done. Regardless of what business a company operates, even one that many view as unethical, the company must protect itself from unethical employee behavior.5 Cyberbullying includes threats, negative remarks, or defamatory comments transmitted through the Internet or posted on a website. A threat is an act or object that poses a danger to assets. Click-fraud is the abuse of pay-per-click, pay-per-call, and pay-per-conversion revenue models by repeatedly clicking a link to increase charges or costs for the advertiser. Competitive click-fraud is a computer crime in which a competitor or disgruntled employee increases a company’s search advertising costs by repeatedly clicking the advertiser’s link.

Cyberbullying and click-fraud are just a few examples of the many types of unethical computer use found today.
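Competitive click-fraud of the kind just described leaves a recognizable trace in an advertiser’s click log: the same source hitting the same paid link again and again within seconds. The Python detector below is an added example, not material from the chapter; it runs a sliding-window count over a few constructed log lines (the log format, the addresses, the ad names, and the thresholds are all assumptions) and flags source/ad pairs that exceed the limit.

```python
"""Flag competitive click-fraud: repeated clicks on one paid link from one source.

Added example. The log format below, the addresses, the ad names and the
thresholds are constructed for the demonstration; lines are assumed to be in
time order, as a platform's click log normally is.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: <ISO-8601 UTC timestamp> <client IP> click ad=<ad id> ua="<user agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) click ad=(?P<ad>\S+) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample: one source hammers the "spring-sale" ad four times in 21 seconds.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 198.51.100.7 click ad=spring-sale ua="Mozilla/5.0"
2024-03-01T09:00:09Z 198.51.100.7 click ad=spring-sale ua="Mozilla/5.0"
2024-03-01T09:00:15Z 198.51.100.7 click ad=spring-sale ua="Mozilla/5.0"
2024-03-01T09:00:22Z 198.51.100.7 click ad=spring-sale ua="Mozilla/5.0"
2024-03-01T09:00:40Z 203.0.113.10 click ad=spring-sale ua="Mozilla/5.0"
2024-03-01T09:05:00Z 203.0.113.10 click ad=spring-sale ua="Mozilla/5.0"
2024-03-01T09:12:00Z 198.51.100.7 click ad=spring-sale ua="Mozilla/5.0"
2024-03-01T09:30:00Z 192.0.2.44 click ad=new-hires ua="curl/8.4.0"
"""


def parse_line(line):
    """Return (timestamp, ip, ad, user_agent) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["ad"], m["ua"]


def find_click_fraud(log_text, window=timedelta(seconds=60), threshold=3):
    """Return {(ip, ad): peak clicks in window} for pairs with >= threshold clicks in any window."""
    recent = defaultdict(deque)  # (ip, ad) -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, ad, _ua = parsed
        key = (ip, ad)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward, dropping stale clicks
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def billable_clicks(log_text, **kw):
    """Clicks the advertiser should actually be charged for: every click not from a flagged pair."""
    flagged = find_click_fraud(log_text, **kw)
    kept = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None and (parsed[1], parsed[2]) not in flagged:
            kept.append(line)
    return kept


if __name__ == "__main__":
    for (ip, ad), n in find_click_fraud(SAMPLE_LOG).items():
        print(f"suspect: {ip} clicked {ad} {n} times within 60 s")
    print(f"{len(billable_clicks(SAMPLE_LOG))} of 8 clicks billable")
```

A single-source rule like this catches the crude case, a competitor or disgruntled employee clicking from one machine; it withholds every click from a flagged pair, including later ones outside the burst, which is the conservative billing choice. Clicks spread across a botnet need other signals (user agent, conversion rate, regularity of timing), and the ad platform’s own invalid-click filtering remains the first line of defense.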

One essential step in creating an ethical corporate culture is establishing an ethical computer use policy. An  ethical computer use policy  contains general principles to guide computer user behavior. For example, it might explicitly state that users should refrain from playing computer games during working hours. This policy ensures that the users know how to behave at work and the organization has a published standard to deal with infractions. For example, after appropriate warnings, the company may terminate an employee who spends significant amounts of time playing computer games at work.

Organizations can legitimately vary in how they expect employees to use computers, but in any approach to controlling such use, the overriding principle should be informed consent. The users should be informed of the rules and, by agreeing to use the system on that basis, consent to abide by them.

Managers should make a conscientious effort to ensure all users are aware of the policy through formal training and other means. If an organization were to have only one epolicy, it should be an ethical computer use policy because that is the starting point and the umbrella for any other policies the organization might establish.

Part of an ethical computer use policy can include a BYOD policy. A bring your own device (BYOD) policy allows employees to use their personal mobile devices and computers to access enterprise data and applications. BYOD policies offer four basic options:

Unlimited access for personal devices.

Access only to nonsensitive systems and data.

Access, but with IT control over personal devices, apps, and stored data.

Access, but preventing local storage of data on personal devices.


Information Privacy Policy

An organization that wants to protect its information should develop an information privacy policy, which contains general principles regarding information privacy. Visa created Innovant to handle all its information systems, including its coveted customer information, which details how people are spending their money, in which stores, on which days, and even at what time of day. Just imagine what a sales and marketing department could do if it gained access to this information. For this reason, Innovant bans the use of Visa’s customer information for anything outside its intended purpose—billing. Innovant’s privacy specialists developed a strict credit card information privacy policy, which it follows.

Innovant has been asked whether it can guarantee that unethical use of credit card information will never occur. In a large majority of cases, the unethical use of information happens not through the malicious scheming of a rogue marketer but, rather, unintentionally. For instance, information is collected and stored for some purpose, such as record keeping or billing. Then, a sales or marketing professional figures out another way to use it internally, share it with partners, or sell it to a trusted third party. The information is “unintentionally” used for new purposes. The classic example of this type of unintentional information reuse is the Social Security number, which started simply as a way to identify government retirement benefits and then was used as a sort of universal personal ID, found on everything from drivers’ licenses to savings accounts.

Fair information practices is a general term for a set of standards governing the collection and use of personal data and addressing issues of privacy and accuracy. Different organizations and countries have their own terms for these concerns. The United Kingdom terms it “Data Protection,” and the European Union calls it “Personal Data Privacy”; the Organisation for Economic Co-operation and Development (OECD) has written Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which can be found at www.oecd.org/unitedstates.6

Acceptable Use Policy

An acceptable use policy (AUP) requires a user to agree to follow it to be provided access to corporate email, information systems, and the Internet. Nonrepudiation is the assurance that ebusiness participants cannot deny (repudiate) their online actions; a nonrepudiation clause, which holds users accountable for whatever is done from their accounts, is typically contained in an acceptable use policy. Many businesses and educational facilities require employees or students to sign an acceptable use policy before gaining network access. When signing up with an email provider, each customer is typically presented with an AUP, which states that the user agrees to adhere to certain stipulations. Users agree to the following in a typical acceptable use policy:

Not using the service as part of violating any law.

Not attempting to break the security of any computer network or user.

Not posting commercial messages to groups without prior permission.

Not repudiating (denying responsibility for) actions taken from the user’s account.

Some organizations go so far as to create a unique information management policy focusing solely on Internet use. An Internet use policy contains general principles to guide the proper use of the Internet. Because of the large amounts of computing resources that Internet users can expend, it is essential for such use to be legitimate. In addition, the Internet contains numerous materials that some believe are offensive, making regulation in the workplace a requirement. Cybervandalism is the electronic defacing of an existing website. Typosquatting occurs when someone registers purposely misspelled variations of well-known domain names; these variants lure consumers who make typographical errors when entering a URL. Website name stealing is the theft of a website’s name that occurs when someone, posing as a site’s administrator, changes the ownership of the domain name assigned to the website to another website owner. These are all examples of unacceptable Internet use. Internet censorship is government attempts to control Internet traffic, thus preventing some material from being viewed by a country’s citizens. Generally, an Internet use policy:

Describes the Internet services available to users.

Defines the organization’s position on the purpose of Internet access and what restrictions, if any, are placed on that access.

Describes user responsibility for citing sources, properly handling offensive material, and protecting the organization’s good name.

States the ramifications if the policy is violated.



The Right to Be Forgotten

The European Commissioner for Justice, Fundamental Rights, and Citizenship, Viviane Reding, announced the European Commission’s proposal to create a sweeping new privacy right, the right to be forgotten, allowing individuals to request to have all content that violates their privacy removed. The right to be forgotten addresses an urgent problem in the digital age: the great difficulty of escaping your past on the Internet now that every photo, status update, and tweet lives forever in the cloud. To comply with the European Court of Justice’s decision, Google created a new online form by which individuals can request the removal of search links that violate their privacy. In the first month, Google received more than 50,000 submissions from people asking the company to remove links. Many people in the United States believe that the right to be forgotten conflicts with the right to free speech. Do people who want to erase their past deserve a second chance? Do you agree or disagree?7
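The typosquatting described under the Internet use policy can be anticipated from the defender’s side by generating the variants an attacker would register and watching for them, both in domain registrations and in the sender addresses of inbound mail. The Python script below is an added example, not code from the chapter; the domain example.com, the approximate QWERTY adjacency table, and the lookalike-sender check are assumptions made for the demonstration.

```python
"""Generate the misspelled domains a typosquatter would register.

Added example. The domain example.com, the approximate QWERTY adjacency table
and the lookalike-sender check are assumptions for the demonstration. The
variants cover four classic mutations: dropping a character, swapping two
neighbours, hitting an adjacent key, and doubling a character. No DNS lookups
are made, so it runs offline; a defender would resolve the output to see which
variants someone has already registered.
"""

# Approximate adjacency built from the three QWERTY letter rows (row offsets ignored).
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def build_adjacency(rows=QWERTY_ROWS):
    """Map each letter to the set of keys physically next to it."""
    adjacent = {}
    for r, row in enumerate(rows):
        for i, ch in enumerate(row):
            keys = set()
            for rr in (r - 1, r, r + 1):
                if 0 <= rr < len(rows):
                    for j in (i - 1, i, i + 1):
                        if 0 <= j < len(rows[rr]):
                            keys.add(rows[rr][j])
            keys.discard(ch)
            adjacent[ch] = keys
    return adjacent


ADJACENT = build_adjacency()


def typo_variants(domain):
    """All one-keystroke misspellings of the domain's registrable label, same TLD."""
    label, _, tld = domain.lower().rpartition(".")
    variants = set()
    n = len(label)
    for i in range(n):
        variants.add(label[:i] + label[i + 1:])                       # omission
        variants.add(label[:i] + label[i] * 2 + label[i + 1:])        # doubling
        if i + 1 < n:                                                 # transposition
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for k in ADJACENT.get(label[i], ()):                          # adjacent key
            variants.add(label[:i] + k + label[i + 1:])
    variants.discard(label)
    return {f"{v}.{tld}" for v in variants if v}


def lookalike_domain(candidate, legitimate):
    """Return the legitimate domain `candidate` imitates, or None if it is genuine or unrelated."""
    candidate = candidate.lower()
    if candidate in legitimate:
        return None
    for domain in legitimate:
        if candidate in typo_variants(domain):
            return domain
    return None


if __name__ == "__main__":
    for v in sorted(typo_variants("example.com")):
        print(v)
    print(lookalike_domain("exmaple.com", {"example.com"}))
```

The same generator serves both sides of the problem: a registrar-side check of which variants of your own domains are taken, and a mail-gateway check that flags a sender domain one keystroke away from a domain you trust.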

Email Privacy Policy

An email privacy policy details the extent to which email messages may be read by others. Email is so pervasive in organizations that it requires its own specific policy. Most working professionals use email as their preferred means of corporate communications. Although email and instant messaging are common business communication tools, risks are associated with using them. For instance, a sent email is stored on at least three or four computers (see Figure 4.6). Simply deleting an email from one computer does not delete it from the others. Companies can mitigate many of the risks of using electronic messaging systems by implementing and adhering to an email privacy policy.


Figure 4.6: Email Is Stored on Multiple Computers
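Figure 4.6’s point, that a sent message ends up stored on several computers, can be read straight off a message’s own Received: headers, which every relaying server prepends on the way through. The Python example below is added here and is not from the chapter; it parses a constructed message that uses documentation hostnames and addresses (only the Received: header format is real) to list those hosts in delivery order.

```python
"""Enumerate the computers that handled, and may still hold, an email message.

Added example. The message is constructed with documentation hostnames and
addresses; only the Received: header format is real. Each relaying server
prepends its own Received: line, so the headers read bottom-up give the path
from the sender's machine to the recipient's mailbox, and every host on that
path is a place a copy can persist, in addition to backups and the two mailboxes.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.25])
    by mail.example.org with ESMTPS id abc123;
    Mon, 4 Mar 2024 10:02:17 +0000
Received: from relay.example.com (relay.example.com [198.51.100.9])
    by mx.example.net with ESMTP id def456;
    Mon, 4 Mar 2024 10:02:15 +0000
Received: from laptop.corp.example.com (unknown [192.0.2.33])
    by relay.example.com with ESMTPSA id ghi789;
    Mon, 4 Mar 2024 10:02:12 +0000
From: alice@example.com
To: bob@example.org
Subject: Q3 numbers (confidential)
Date: Mon, 4 Mar 2024 10:02:10 +0000

Attached are the unannounced results. Please do not forward.
"""

# A Received: clause, after folding whitespace has been collapsed to single spaces.
HOP_RE = re.compile(r"^from (?P<src>\S+).*?\bby (?P<dst>\S+).*?;\s*(?P<date>.+)$")


def mail_hops(raw_message):
    """Return [(sending host, receiving host, timestamp), ...] oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold the header
        m = HOP_RE.match(flat)
        if m is None:
            continue
        hops.append((m["src"], m["dst"], parsedate_to_datetime(m["date"])))
    hops.reverse()  # headers are newest-first; reverse to get sender -> recipient order
    return hops


def storage_points(raw_message):
    """Distinct hosts through which the message passed, in delivery order."""
    hosts = []
    for src, dst, _ in mail_hops(raw_message):
        for host in (src, dst):
            if host not in hosts:
                hosts.append(host)
    return hosts


def transit_seconds(raw_message):
    """Seconds between the first and last Received: stamp; a negative value suggests forged headers."""
    hops = mail_hops(raw_message)
    if len(hops) < 2:
        return 0
    return int((hops[-1][2] - hops[0][2]).total_seconds())


if __name__ == "__main__":
    for host in storage_points(SAMPLE_MESSAGE):
        print(host)
    print(f"transit: {transit_seconds(SAMPLE_MESSAGE)} s")
```

Four hosts appear for this three-hop message, and none of them is the recipient’s workstation or either side’s backup system, which is why deleting the message from one computer settles nothing. The transit time is a cheap sanity check when investigating a suspicious message: hops that run backwards in time point to a forged header.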


One major problem with email is users’ expectations of privacy. To a large extent, this expectation is based on the false assumption that email enjoys privacy protection analogous to that of U.S. first-class mail. Generally, the organization that owns the email system can operate it as openly or as privately as it wishes. Surveys indicate that the majority of large firms regularly read and analyze employees’ email, looking for leaks of confidential data such as unannounced financial results or trade secrets; such a leak violates the email privacy policy and typically leads to the employee’s termination. In other words, if the organization wants to read everyone’s email, it can do so. Basically, using work email for anything other than work is not a good idea. A typical email privacy policy:

Defines legitimate email users and explains what happens to accounts after a person leaves the organization.

Explains backup procedure so users will know that at some point, even if a message is deleted from their computer, it is still stored by the company.

Describes the legitimate grounds for reading email and the process required before such action is performed.

Discourages sending junk email or spam to anyone who does not want to receive it.

Prohibits attempting to mail bomb a site. A mail bomb sends a massive amount of email to a specific person or system that can cause that user’s server to stop functioning.

Informs users that the organization has no control over email once it has been transmitted outside the organization.

Spam is unsolicited email. It plagues employees at all levels within an organization, from receptionist to CEO, and clogs email systems and siphons MIS resources away from legitimate business projects. An anti-spam policy simply states that email users will not send unsolicited emails (or spam). It is difficult to write anti-spam policies, laws, or software because there is no such thing as a universal litmus test for spam. One person’s spam is another person’s newsletter. End users have to decide what spam is, because it can vary widely not just from one company to the next, but from one person to the next. A user opts out of receiving emails by withholding or withdrawing permission for a sender to email them; a user opts in by explicitly granting that permission.

Teergrubing (German for “tar-pitting”) is an anti-spam technique in which the receiving mail server deliberately slows its responses to a suspected spammer, keeping the sender’s connection open for as long as possible so that mass mailing becomes slow and expensive. It does not send email back to the originating computer; replying to spam would only generate “backscatter” to whoever’s address the spammer forged as the sender.
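To make the tar-pit idea concrete, here is an added Python example, not from the chapter, of a minimal SMTP listener that keeps answering a suspected spammer correctly but inserts growing delays before each reply. The watch-list address, the recipient limit, the delay schedule, the hostname mx.example.org, and port 8025 are all assumptions.

```python
"""A minimal SMTP tarpit (teergrube): answer a suspected spammer correctly but slowly.

Added example, not from the chapter. The policy is an assumption: a client is
"suspect" if its address is on a constructed watch list or if it names more than
RCPT_SOFT_LIMIT recipients in one session; each further RCPT doubles the delay
before the server's reply, up to MAX_DELAY. Nothing is sent back to the
spammer except the normal SMTP replies, so the tarpit creates no backscatter.
"""
import asyncio

SUSPECT_SOURCES = {"203.0.113.66"}  # constructed watch list
RCPT_SOFT_LIMIT = 5                 # recipients per session before throttling starts
BASE_DELAY = 1.0                    # seconds before the first throttled reply
MAX_DELAY = 60.0                    # cap, so a legitimate bulk sender is slowed, not hung


class TarpitSession:
    """State for one client connection; decides the reply and how long to hold it."""

    def __init__(self, peer_ip, hostname="mx.example.org"):
        self.peer_ip = peer_ip
        self.hostname = hostname
        self.rcpts = 0
        self.in_data = False
        self.suspect = peer_ip in SUSPECT_SOURCES

    def delay(self):
        """Seconds to wait before the next reply: 0 for a clean client, doubling per excess RCPT."""
        if not self.suspect:
            return 0.0
        over = max(0, self.rcpts - RCPT_SOFT_LIMIT)
        return min(MAX_DELAY, BASE_DELAY * 2 ** over)

    def handle(self, line):
        """Process one client line; return (delay_seconds, reply_text or None, close_after)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                return self.delay(), "250 2.0.0 Ok: queued", False
            return 0.0, None, False  # message body lines get no reply
        verb, _, _arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return self.delay(), f"250 {self.hostname}", False
        if verb == "MAIL":
            return self.delay(), "250 2.1.0 Ok", False
        if verb == "RCPT":
            self.rcpts += 1
            if self.rcpts > RCPT_SOFT_LIMIT:
                self.suspect = True  # too many recipients in one session looks like a spam run
            return self.delay(), "250 2.1.5 Ok", False
        if verb == "DATA":
            self.in_data = True
            return self.delay(), "354 End data with <CR><LF>.<CR><LF>", False
        if verb == "QUIT":
            return 0.0, "221 2.0.0 Bye", True
        return self.delay(), "502 5.5.2 Command not implemented", False


async def serve_connection(reader, writer):
    """Drive one SMTP conversation, sleeping for the tarpit delay before each reply."""
    peer_ip = writer.get_extra_info("peername")[0]
    session = TarpitSession(peer_ip)
    writer.write(f"220 {session.hostname} ESMTP\r\n".encode())
    await writer.drain()
    while True:
        raw = await reader.readline()
        if not raw:
            break
        delay, reply, close = session.handle(raw.decode(errors="replace").rstrip("\r\n"))
        if reply is not None:
            await asyncio.sleep(delay)  # the tarpit: the sender's connection is held open
            writer.write((reply + "\r\n").encode())
            await writer.drain()
        if close:
            break
    writer.close()


async def main(host="127.0.0.1", port=8025):
    server = await asyncio.start_server(serve_connection, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Because the server only ever emits ordinary SMTP replies, the cost falls entirely on the spammer’s sending software, which must hold a connection open for each delayed response; a legitimate sender with a long recipient list is slowed but still served, which is why the delay is capped rather than unbounded.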

Social Media Policy

Did you see the YouTube video showing two Domino’s Pizza employees violating health codes while preparing food by passing gas on sandwiches? Millions of people did, and the company took notice when disgusted customers began posting negative comments all over Twitter. Because they did not have a Twitter account, corporate executives at Domino’s did not know about the damaging tweets until it was too late. The use of social media can contribute many benefits to an organization, and implemented correctly, it can become a huge opportunity for employees to build brands. But there are also tremendous risks because a few employees representing an entire company can cause tremendous brand damage. Defining a set of guidelines implemented in a social media policy can help mitigate that risk. Companies can protect themselves by implementing a social media policy outlining the corporate guidelines or principles governing employee online communications. Having a single social media policy might not be enough to ensure that the company’s online reputation is protected. Additional, more specific, social media policies a company might choose to implement include:

Employee online communication policy detailing brand communication.

Employee blog and personal blog policies.

Employee social network and personal social network policies.

Employee Twitter, corporate Twitter, and personal Twitter policies.

Employee LinkedIn policy.

Employee Facebook usage and brand usage policy.

Corporate YouTube policy.

Social media monitoring is the process of monitoring and responding to what is being said about a company, individual, product, or brand. Social media monitoring typically falls to the social media manager, a person within the organization who is trusted to monitor, contribute, filter, and guide the social media presence of a company, individual, product, or brand. Organizations must protect their online reputations and continuously monitor blogs, message boards, social networking sites, and media sharing sites. However, monitoring the hundreds of social media sites can quickly become overwhelming. To combat these issues, a number of companies specialize in online social media monitoring; for example, Trackur.com creates digital dashboards that allow executives to view at a glance the date published, source, title, and summary of every item tracked. The dashboard not only highlights what’s being said but also the influence of the particular person, blog, or social media site.



15 Million Identity Theft Victims

Identity theft has quickly become the most common, expensive, and pervasive crime in the United States. The identities of more than 15 million U.S. citizens are stolen each year, with financial losses exceeding $50 billion. This means that the identities of almost 10 percent of U.S. adults will be stolen this year, with losses of around $4,000 each, not to mention the 100 million U.S. citizens whose personal data will be compromised due to data breaches on corporate and government databases.

The growth of organized crime can be attributed to the massive amounts of data collection along with the increased cleverness of professional identity thieves. Starting with individually tailored phishing and vishing scams, increasingly successful corporate and government databases hackings, and intricate networks of botnets that hijack millions of computers without a trace, we must wake up to this ever-increasing threat to all Americans.8

You have the responsibility to protect yourself from data theft. In a group, visit the Federal Trade Commission’s Consumer Information Identity Theft website at http://www.consumer.ftc.gov/features/feature-0014-identity-theft and review what you can do today to protect your identity and how you can ensure that your personal information is safe.

Workplace Monitoring Policy

Increasingly, employee monitoring is not a choice; it is a risk-management obligation. Michael Soden, CEO of the Bank of Ireland, issued a mandate stating that company employees could not surf illicit websites with company equipment. Next, he hired Hewlett-Packard to run the MIS department, and illicit websites were discovered on Soden’s own computer, forcing Soden to resign. Monitoring employees is one of the biggest challenges CIOs face when developing information management policies.9

Physical security is tangible protection such as alarms, guards, fireproof doors, fences, and vaults. New technologies enable employers to monitor many aspects of their employees’ jobs, especially on telephones, computer terminals, through electronic and voice mail, and when employees are using the Internet. Such monitoring is virtually unregulated. Therefore, unless company policy specifically states otherwise (and even this is not ensured), your employer may listen, watch, and read most of your workplace communications. Workplace MIS monitoring tracks people’s activities by such measures as number of keystrokes, error rate, and number of transactions processed (see Figure 4.7 for an overview). The best path for an organization planning to engage …