LO 4.1: Explain the ethical issues in the use of information technology.
Ethics and security are two fundamental building blocks for all organizations. In recent years, enormous business scandals along with 9/11 have shed new light on the meaning of ethics and security. When the behavior of a few individuals can destroy billion-dollar organizations, the value of ethics and security should be evident.
Copyright is the legal protection afforded an expression of an idea, such as a song, book, or video game. Intellectual property is intangible creative work that is embodied in physical form and includes copyrights, trademarks, and patents. A patent is an exclusive right to make, use, and sell an invention and is granted by a government to the inventor. As it becomes easier for people to copy everything from words and data to music and video, the ethical issues surrounding copyright infringement and the violation of intellectual property rights are consuming the ebusiness world. Technology poses new challenges for our ethics —the principles and standards that guide our behavior toward other people.
The protection of customers’ privacy is one of the largest, and murkiest, ethical issues facing organizations today. Privacy is the right to be left alone when you want to be, to have control over your personal possessions, and not to be observed without your consent. Privacy is related to confidentiality , which is the assurance that messages and information remain available only to those authorized to view them. Each time employees make a decision about a privacy issue, the outcome could sink the company.
Trust among companies, customers, partners, and suppliers is the support structure of ebusiness. Privacy is one of its main ingredients. Consumers’ concerns that their privacy will be violated because of their interactions on the web continue to be one of the primary barriers to the growth of ebusiness.
Information ethics govern the ethical and moral issues arising from the development and use of information technologies as well as the creation, collection, duplication, distribution, and processing of information itself (with or without the aid of computer technologies). Ethical dilemmas in this area usually arise not as simple, clear-cut situations but as clashes among competing goals, responsibilities, and loyalties. Inevitably, there will be more than one socially acceptable or correct decision. The two primary areas concerning software include pirated software and counterfeit software. Pirated software is the unauthorized use, duplication, distribution, or sale of copyrighted software. Counterfeit software is software that is manufactured to look like the real thing and sold as such. Digital rights management is a technological solution that allows publishers to control their digital media to discourage, limit, or prevent illegal copying and distribution. Figure 4.2 contains examples of ethically questionable or unacceptable uses of information technology.2
Ethically Questionable or Unacceptable Information Technology Use
APPLY YOUR KNOWLEDGE
BUSINESS DRIVEN DISCUSSION
Information—Does It Have Ethics?
A high school principal decided it was a good idea to hold a confidential conversation about teachers, salaries, and student test scores on his cellular phone in a local Starbucks. Not realizing that one of the students’ parents was sitting next to him, the principal accidentally divulged sensitive information about his employees and students. The irate parent soon notified the school board about the principal’s inappropriate behavior and a committee was formed to decide how to handle the situation.3
With the new wave of collaboration tools, electronic business, and the Internet, employees are finding themselves working outside the office and beyond traditional office hours. Advantages associated with remote workers include increased productivity, decreased expenses, and boosts in morale as employees are given greater flexibility to choose their work location and hours. Unfortunately, disadvantages associated with workers working remotely include new forms of ethical challenges and information security risks.
In a group, discuss the following statement: Information does not have any ethics. If you were elected to the committee to investigate the principal’s inappropriate Starbucks phone conversation, what types of questions would you want answered? What type of punishment, if any, would you enforce on the principal? What types of policies would you implement across the school district to ensure that this scenario is never repeated? Be sure to highlight how workers working remotely affect business along with any potential ethical challenges and information security issues.
Unfortunately, few hard and fast rules exist for always determining what is ethical. Many people can either justify or condemn the actions in Figure 4.2, for example. Knowing the law is important, but that knowledge will not always help because what is legal might not always be ethical, and what might be ethical is not always legal. For example, Joe Reidenberg received an offer for AT&T cell phone service. AT&T used Equifax, a credit reporting agency, to identify potential customers such as Joe Reidenberg. Overall, this seemed like a good business opportunity between Equifax and AT&T wireless. Unfortunately, the Fair Credit Reporting Act (FCRA) forbids repurposing credit information except when the information is used for “a firm offer of credit or insurance.” In other words, the only product that can be sold based on credit information is credit. A representative for Equifax stated, “As long as AT&T Wireless (or any company for that matter) is offering the cell phone service on a credit basis, such as allowing the use of the service before the consumer has to pay, it is in compliance with the FCRA.” However, the question remains—is it ethical?4
Figure 4.3 shows the four quadrants where ethical and legal behaviors intersect. The goal for most businesses is to make decisions within quadrant I that are both legal and ethical. There are times when a business will find itself in the position of making a decision in quadrant III, such as hiring child labor in foreign countries, or in quadrant II when a business might pay a foreigner who is getting her immigration status approved because the company is in the process of hiring the person. A business should never find itself operating in quadrant IV. Ethics are critical to operating a successful business today.
Information Does Not Have Ethics, People Do
Information itself has no ethics. It does not care how it is used. It will not stop itself from spamming customers, sharing itself if it is sensitive or personal, or revealing details to third parties. Information cannot delete or preserve itself. Therefore, it falls to those who own the information to develop ethical guidelines about how to manage it.
APPLY YOUR KNOWLEDGE
BUSINESS DRIVEN ETHICS AND SECURITY
Is IT Really Worth the Risk?
Ethics. It’s just one tiny word, but it has monumental impact on every area of business. From the magazines, blogs, and newspapers you read to the courses you take, you will encounter ethics because it is a hot topic in today’s electronic world. Technology has provided so many incredible opportunities, but it has also provided those same opportunities to unethical people. Discuss the ethical issues surrounding each of the following situations (yes, these are true stories):
A student raises her hand in class and states, “I can legally copy any DVD I get from Netflix because Netflix purchased the DVD and the copyright only applies to the company who purchased the product.”
A student stands up the first day of class before the professor arrives and announces that his fraternity scans textbooks and he has the textbook for this course on his thumb drive, which he will gladly sell for $20. Several students pay on the spot and upload the scanned textbook to their PCs. One student takes down the student information and contacts the publisher about the incident.
A senior marketing manager is asked to monitor his employee’s email because there is a rumor that the employee is looking for another job.
A vice president of sales asks her employee to burn all of the customer data onto an external hard drive because she made a deal to provide customer information to a strategic partner.
A senior manager is asked to monitor his employee’s email to discover whether she is sexually harassing another employee.
An employee is looking at the shared network drive and discovers that his boss’s entire hard drive, including his email backup, has been copied to the network and is visible to all.
An employee is accidently copied on an email listing the targets for the next round of layoffs.
Acting Ethically and Acting Legally Are Not Always the Same Thing
Ethical Guidelines for Information Management
A few years ago, the ideas of information management, governance, and compliance were relatively obscure. Today, these concepts are a must for virtually every company, both domestic and global, primarily due to the role digital information plays in corporate legal proceedings or litigation. Frequently, digital information serves as key evidence in legal proceedings, and it is far easier to search, organize, and filter than paper documents. Digital information is also extremely difficult to destroy, especially if it is on a corporate network or sent by email. In fact, the only reliable way to obliterate digital information reliably is to destroy the hard drives on which the file was stored. Ediscovery (or electronic discovery ) refers to the ability of a company to identify, search, gather, seize, or export digital information in responding to a litigation, audit, investigation, or information inquiry. As the importance of ediscovery grows, so does information governance and information compliance. The Child Online Protection Act (COPA) was passed to protect minors from accessing inappropriate material on the Internet. Figure 4.4 displays the ethical guidelines for information management.
DEVELOPING INFORMATION MANAGEMENT POLICIES
LO 4.2: Identify the six epolicies organizations should implement to protect themselves.
Treating sensitive corporate information as a valuable resource is good management. Building a corporate culture based on ethical principles that employees can understand and implement is responsible management. Organizations should develop written policies establishing employee guidelines, employee procedures, and organizational rules for information. These policies set employee expectations about the organization’s practices and standards and protect the organization from misuse of computer systems and IT resources. If an organization’s employees use computers at work, the organization should, at a minimum, implement epolicies. Epolicies are policies and procedures that address information management along with the ethical use of computers and the Internet in the business environment. Figure 4.5 displays the epolicies a firm should implement to set employee expectations.
Overview of Epolicies
Ethical Computer Use Policy
In a case that illustrates the perils of online betting, a leading Internet poker site reported that a hacker exploited a security flaw to gain an insurmountable edge in high-stakes, no-limit Texas hold- ’em tournaments—the ability to see his opponents’ hole cards. The cheater, whose illegitimate winnings were estimated at between $400,000 and $700,000 by one victim, was an employee of AbsolutePoker.com and hacked the system to show that it could be done. Regardless of what business a company operates—even one that many view as unethical—the company must protect itself from unethical employee behavior.5 Cyberbullying includes threats, negative remarks, or defamatory comments transmitted through the Internet or posted on the website. A threat is an act or object that poses a danger to assets. Click-fraud is the abuse of pay-per-click, pay-per-call, and pay-per-conversion revenue models by repeatedly clicking a link to increase charges or costs for the advertiser. Competitive click-fraud is a computer crime in which a competitor or disgruntled employee increases a company’s search advertising costs by repeatedly clicking the advertiser’s link.
Cyberbullying and click-fraud are just a few examples of the many types of unethical computer use found today.
One essential step in creating an ethical corporate culture is establishing an ethical computer use policy. An ethical computer use policy contains general principles to guide computer user behavior. For example, it might explicitly state that users should refrain from playing computer games during working hours. This policy ensures that the users know how to behave at work and the organization has a published standard to deal with infractions. For example, after appropriate warnings, the company may terminate an employee who spends significant amounts of time playing computer games at work.
Organizations can legitimately vary in how they expect employees to use computers, but in any approach to controlling such use, the overriding principle should be informed consent. The users should be informed of the rules and, by agreeing to use the system on that basis, consent to abide by them.
Managers should make a conscientious effort to ensure all users are aware of the policy through formal training and other means. If an organization were to have only one epolicy, it should be an ethical computer use policy because that is the starting point and the umbrella for any other policies the organization might establish.
Part of an ethical computer use policy can include a BYOD policy. A bring your own device (BYOD) policy allows employees to use their personal mobile devices and computers to access enterprise data and applications. BYOD policies offer four basic options, including:
Unlimited access for personal devices.
Access only to nonsensitive systems and data.
Access, but with IT control over personal devices, apps, and stored data.
Access, but preventing local storage of data on personal devices.
Innovant has been asked whether it can guarantee that unethical use of credit card information will never occur. In a large majority of cases, the unethical use of information happens not through the malicious scheming of a rogue marketer but, rather, unintentionally. For instance, information is collected and stored for some purpose, such as record keeping or billing. Then, a sales or marketing professional figures out another way to use it internally, share it with partners, or sell it to a trusted third party. The information is “unintentionally” used for new purposes. The classic example of this type of unintentional information reuse is the Social Security number, which started simply as a way to identify government retirement benefits and then was used as a sort of universal personal ID, found on everything from drivers’ licenses to savings accounts.
Fair information practices is a general term for a set of standards governing the collection and use of personal data and addressing issues of privacy and accuracy. Different organizations and countries have their own terms for these concerns. The United Kingdom terms it “Data Protection,” and the European Union calls it “Personal Data Privacy”; the Organisation for Economic Co-operation and Development (OECD) has written Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which can be found at www.oecd.org/unitedstates.6
Acceptable Use Policy
An acceptable use policy (AUP) requires a user to agree to follow it to be provided access to corporate email, information systems, and the Internet. Nonrepudiation is a contractual stipulation to ensure that ebusiness participants do not deny (repudiate) their online actions. A nonrepudiation clause is typically contained in an acceptable use policy. Many businesses and educational facilities require employees or students to sign an acceptable use policy before gaining network access. When signing up with an email provider, each customer is typically presented with an AUP, which states that the user agrees to adhere to certain stipulations. Users agree to the following in a typical acceptable use policy:
Not using the service as part of violating any law.
Not attempting to break the security of any computer network or user.
Not posting commercial messages to groups without prior permission.
Not performing any nonrepudiation.
Some organizations go so far as to create a unique information management policy focusing solely on Internet use. An Internet use policy contains general principles to guide the proper use of the Internet. Because of the large amounts of computing resources that Internet users can expend, it is essential for such use to be legitimate. In addition, the Internet contains numerous materials that some believe are offensive, making regulation in the workplace a requirement. Cybervandalism is the electronic defacing of an existing website. Typosquatting is a problem that occurs when someone registers purposely misspelled variations of well-known domain names. These variants sometimes lure consumers who make typographical errors when entering a URL. Website name stealing is the theft of a website’s name that occurs when someone, posing as a site’s administrator, changes the ownership of the domain name assigned to the website to another website owner. These are all examples of unacceptable Internet use. Internet censorship is government attempts to control Internet traffic, thus preventing some material from being viewed by a country’s citizens. Generally, an Internet use policy:
Describes the Internet services available to users.
Defines the organization’s position on the purpose of Internet access and what restrictions, if any, are placed on that access.
APPLY YOUR KNOWLEDGE
BUSINESS DRIVEN GLOBALIZATION
The Right to Be Forgotten
The European Commissioner for Justice, Fundamental Rights, and Citizenship, Viviane Reding, announced the European Commission’s proposal to create a sweeping new privacy right—the right to be forgotten, allowing individuals to request to have all content that violates their privacy removed. The right to be forgotten addresses an urgent problem in the digital age: the great difficulty of escaping your past on the Internet now that every photo, status update, and tweet lives forever in the cloud. To comply with the European Court of Justice’s decision, Google created a new online form by which individuals can request search providers to remove links that violate their online privacy. In the first month, Google received more than 50,000 submissions from people asking the company to remove links. Many people in the United States believe that the right to be forgotten conflicts with the right to free speech. Do people who want to erase their past deserve a second chance? Do you agree or disagree?7
Describes user responsibility for citing sources, properly handling offensive material, and protecting the organization’s good name.
States the ramifications if the policy is violated.
Email Is Stored on Multiple Computers
Defines legitimate email users and explains what happens to accounts after a person leaves the organization.
Explains backup procedure so users will know that at some point, even if a message is deleted from their computer, it is still stored by the company.
Describes the legitimate grounds for reading email and the process required before such action is performed.
Discourages sending junk email or spam to anyone who does not want to receive it.
Prohibits attempting to mail bomb a site. A mail bomb sends a massive amount of email to a specific person or system that can cause that user’s server to stop functioning.
Informs users that the organization has no control over email once it has been transmitted outside the organization.
Spam is unsolicited email. It plagues employees at all levels within an organization, from receptionist to CEO, and clogs email systems and siphons MIS resources away from legitimate business projects. An anti-spam policy simply states that email users will not send unsolicited emails (or spam). It is difficult to write anti-spam policies, laws, or software because there is no such thing as a universal litmus test for spam. One person’s spam is another person’s newsletter. End users have to decide what spam is, because it can vary widely not just from one company to the next, but from one person to the next. A user can opt out of receiving emails by choosing to deny permission to incoming emails. A user can opt in to receive emails by choosing to allow permissions to incoming emails.
Teergrubing is an anti-spamming approach by which the receiving computer launches a return attack against the spammer, sending email messages back to the computer that originated the suspected spam.
Social Media Policy
Did you see the YouTube video showing two Domino’s Pizza employees violating health codes while preparing food by passing gas on sandwiches? Millions of people did, and the company took notice when disgusted customers began posting negative comments all over Twitter. Because they did not have a Twitter account, corporate executives at Domino’s did not know about the damaging tweets until it was too late. The use of social media can contribute many benefits to an organization, and implemented correctly, it can become a huge opportunity for employees to build brands. But there are also tremendous risks because a few employees representing an entire company can cause tremendous brand damage. Defining a set of guidelines implemented in a social media policy can help mitigate that risk. Companies can protect themselves by implementing a social media policy outlining the corporate guidelines or principles governing employee online communications. Having a single social media policy might not be enough to ensure that the company’s online reputation is protected. Additional, more specific, social media policies a company might choose to implement include:
Employee online communication policy detailing brand communication.
Employee blog and personal blog policies.
Employee social network and personal social network policies.
Employee Twitter, corporate Twitter, and personal Twitter policies.
Employee LinkedIn policy.
Employee Facebook usage and brand usage policy.
Corporate YouTube policy.
APPLY YOUR KNOWLEDGE
BUSINESS DRIVEN MIS
15 Million Identity Theft Victims
Identity theft has quickly become the most common, expensive, and pervasive crime in the United States. The identities of more than 15 million U.S. citizens are stolen each year, with financial losses exceeding $50 billion. This means that the identities of almost 10 percent of U.S. adults will be stolen this year, with losses of around $4,000 each, not to mention the 100 million U.S. citizens whose personal data will be compromised due to data breaches on corporate and government databases.
The growth of organized crime can be attributed to the massive amounts of data collection along with the increased cleverness of professional identity thieves. Starting with individually tailored phishing and vishing scams, increasingly successful corporate and government databases hackings, and intricate networks of botnets that hijack millions of computers without a trace, we must wake up to this ever-increasing threat to all Americans.8
You have the responsibility to protect yourself from data theft. In a group, visit the Federal Trade Commission’s Consumer Information Identity Theft website at http://www.consumer.ftc.gov/features/feature-0014-identity-theft and review what you can do today to protect your identity and how you can ensure that your personal information is safe.
Social media monitoring is the process of monitoring and responding to what is being said about a company, individual, product, or brand. Social media monitoring typically falls to the social media manager , a person within the organization who is trusted to monitor, contribute, filter, and guide the social media presence of a company, individual, product, or brand. Organizations must protect their online reputations and continuously monitor blogs, message boards, social networking sites, and media sharing sites. However, monitoring the hundreds of social media sites can quickly become overwhelming. To combat these issues, a number of companies specialize in online social media monitoring; for example, Trackur.com creates digital dashboards that allow executives to view at a glance the date published, source, title, and summary of every item tracked. The dashboard not only highlights what’s being said but also the influence of the particular person, blog, or social media site.
Workplace Monitoring Policy
Increasingly, employee monitoring is not a choice; it is a risk-management obligation. Michael Soden, CEO of the Bank of Ireland, issued a mandate stating that company employees could not surf illicit websites with company equipment. Next, he hired Hewlett-Packard to run the MIS department, and illicit websites were discovered on Soden’s own computer, forcing Soden to resign. Monitoring employees is one of the biggest challenges CIOs face when developing information management policies.9
Physical security is tangible protection such as alarms, guards, fireproof doors, fences, and vaults. New technologies enable employers to monitor many aspects of their employees’ jobs, especially on telephones, computer terminals, through electronic and voice mail, and when employees are using the Internet. Such monitoring is virtually unregulated. Therefore, unless company policy specifically states otherwise (and even this is not ensured), your employer may listen, watch, and read most of your workplace communications. Workplace MIS monitoring tracks people’s activities by such measures as number of keystrokes, error rate, and number of transactions processed (see Figure 4.7 for an overview). The best path for an organization planning to engage …