Identify the six epolicies organizations should implement to protect themselves.

section 4.1

Ethics

LEARNING OUTCOMES

4.1Explain the ethical issues in the use of information technology.

4.2Identify the six epolicies organizations should implement to protect themselves.

INFORMATION ETHICS

LO 4.1: Explain the ethical issues in the use of information technology.

Ethics and security are two fundamental building blocks for all organizations. In recent years, enormous business scandals along with 9/11 have shed new light on the meaning of ethics and security. When the behavior of a few individuals can destroy billion-dollar organizations, the value of ethics and security should be evident.

Copyright is the legal protection afforded an expression of an idea, such as a song, book, or video game. Intellectual property is intangible creative work that is embodied in physical form and includes copyrights, trademarks, and patents. A patent is an exclusive right to make, use, and sell an invention and is granted by a government to the inventor. As it becomes easier for people to copy everything from words and data to music and video, the ethical issues surrounding copyright infringement and the violation of intellectual property rights are consuming the ebusiness world. Technology poses new challenges for our ethics —the principles and standards that guide our behavior toward other people.

The protection of customers’ privacy is one of the largest, and murkiest, ethical issues facing organizations today. Privacy is the right to be left alone when you want to be, to have control over your personal possessions, and not to be observed without your consent. Privacy is related to confidentiality , which is the assurance that messages and information remain available only to those authorized to view them. Each time employees make a decision about a privacy issue, the outcome could sink the company.

Trust among companies, customers, partners, and suppliers is the support structure of ebusiness. Privacy is one of its main ingredients. Consumers’ concerns that their privacy will be violated because of their interactions on the web continue to be one of the primary barriers to the growth of ebusiness.

Information ethics govern the ethical and moral issues arising from the development and use of information technologies as well as the creation, collection, duplication, distribution, and processing of information itself (with or without the aid of computer technologies). Ethical dilemmas in this area usually arise not as simple, clear-cut situations but as clashes among competing goals, responsibilities, and loyalties. Inevitably, there will be more than one socially acceptable or correct decision. The two primary areas concerning software include pirated software and counterfeit software. Pirated software is the unauthorized use, duplication, distribution, or sale of copyrighted software. Counterfeit software is software that is manufactured to look like the real thing and sold as such. Digital rights management is a technological solution that allows publishers to control their digital media to discourage, limit, or prevent illegal copying and distribution. Figure 4.2 contains examples of ethically questionable or unacceptable uses of information technology.2

FIGURE 4.2

Ethically Questionable or Unacceptable Information Technology Use

Page 137

APPLY YOUR KNOWLEDGE

BUSINESS DRIVEN DISCUSSION

Information—Does It Have Ethics?

A high school principal decided it was a good idea to hold a confidential conversation about teachers, salaries, and student test scores on his cellular phone in a local Starbucks. Not realizing that one of the students’ parents was sitting next to him, the principal accidentally divulged sensitive information about his employees and students. The irate parent soon notified the school board about the principal’s inappropriate behavior and a committee was formed to decide how to handle the situation.3

With the new wave of collaboration tools, electronic business, and the Internet, employees are finding themselves working outside the office and beyond traditional office hours. Advantages associated with remote workers include increased productivity, decreased expenses, and boosts in morale as employees are given greater flexibility to choose their work location and hours. Unfortunately, disadvantages associated with workers working remotely include new forms of ethical challenges and information security risks.

In a group, discuss the following statement: Information does not have any ethics. If you were elected to the committee to investigate the principal’s inappropriate Starbucks phone conversation, what types of questions would you want answered? What type of punishment, if any, would you enforce on the principal? What types of policies would you implement across the school district to ensure that this scenario is never repeated? Be sure to highlight how workers working remotely affect business along with any potential ethical challenges and information security issues.

Unfortunately, few hard and fast rules exist for always determining what is ethical. Many people can either justify or condemn the actions in Figure 4.2, for example. Knowing the law is important, but that knowledge will not always help because what is legal might not always be ethical, and what might be ethical is not always legal. For example, Joe Reidenberg received an offer for AT&T cell phone service. AT&T used Equifax, a credit reporting agency, to identify potential customers such as Joe Reidenberg. Overall, this seemed like a good business opportunity between Equifax and AT&T wireless. Unfortunately, the Fair Credit Reporting Act (FCRA) forbids repurposing credit information except when the information is used for “a firm offer of credit or insurance.” In other words, the only product that can be sold based on credit information is credit. A representative for Equifax stated, “As long as AT&T Wireless (or any company for that matter) is offering the cell phone service on a credit basis, such as allowing the use of the service before the consumer has to pay, it is in compliance with the FCRA.” However, the question remains—is it ethical?4

Figure 4.3 shows the four quadrants where ethical and legal behaviors intersect. The goal for most businesses is to make decisions within quadrant I that are both legal and ethical. There are times when a business will find itself in the position of making a decision in quadrant III, such as hiring child labor in foreign countries, or in quadrant II when a business might pay a foreigner who is getting her immigration status approved because the company is in the process of hiring the person. A business should never find itself operating in quadrant IV. Ethics are critical to operating a successful business today.

Information Does Not Have Ethics, People Do

Information itself has no ethics. It does not care how it is used. It will not stop itself from spamming customers, sharing itself if it is sensitive or personal, or revealing details to third parties. Information cannot delete or preserve itself. Therefore, it falls to those who own the information to develop ethical guidelines about how to manage it.

Page 138

APPLY YOUR KNOWLEDGE

BUSINESS DRIVEN ETHICS AND SECURITY

Is IT Really Worth the Risk?

Ethics. It’s just one tiny word, but it has monumental impact on every area of business. From the magazines, blogs, and newspapers you read to the courses you take, you will encounter ethics because it is a hot topic in today’s electronic world. Technology has provided so many incredible opportunities, but it has also provided those same opportunities to unethical people. Discuss the ethical issues surrounding each of the following situations (yes, these are true stories):

A student raises her hand in class and states, “I can legally copy any DVD I get from Netflix because Netflix purchased the DVD and the copyright only applies to the company who purchased the product.”

A student stands up the first day of class before the professor arrives and announces that his fraternity scans textbooks and he has the textbook for this course on his thumb drive, which he will gladly sell for $20. Several students pay on the spot and upload the scanned textbook to their PCs. One student takes down the student information and contacts the publisher about the incident.

A senior marketing manager is asked to monitor his employee’s email because there is a rumor that the employee is looking for another job.

A vice president of sales asks her employee to burn all of the customer data onto an external hard drive because she made a deal to provide customer information to a strategic partner.

A senior manager is asked to monitor his employee’s email to discover whether she is sexually harassing another employee.

An employee is looking at the shared network drive and discovers that his boss’s entire hard drive, including his email backup, has been copied to the network and is visible to all.

An employee is accidently copied on an email listing the targets for the next round of layoffs.

FIGURE 4.3

Acting Ethically and Acting Legally Are Not Always the Same Thing

Page 139

FIGURE 4.4

Ethical Guidelines for Information Management

A few years ago, the ideas of information management, governance, and compliance were relatively obscure. Today, these concepts are a must for virtually every company, both domestic and global, primarily due to the role digital information plays in corporate legal proceedings or litigation. Frequently, digital information serves as key evidence in legal proceedings, and it is far easier to search, organize, and filter than paper documents. Digital information is also extremely difficult to destroy, especially if it is on a corporate network or sent by email. In fact, the only reliable way to obliterate digital information reliably is to destroy the hard drives on which the file was stored. Ediscovery (or electronic discovery ) refers to the ability of a company to identify, search, gather, seize, or export digital information in responding to a litigation, audit, investigation, or information inquiry. As the importance of ediscovery grows, so does information governance and information compliance. The Child Online Protection Act (COPA) was passed to protect minors from accessing inappropriate material on the Internet. Figure 4.4 displays the ethical guidelines for information management.

DEVELOPING INFORMATION MANAGEMENT POLICIES

LO 4.2: Identify the six epolicies organizations should implement to protect themselves.

Treating sensitive corporate information as a valuable resource is good management. Building a corporate culture based on ethical principles that employees can understand and implement is responsible management. Organizations should develop written policies establishing employee guidelines, employee procedures, and organizational rules for information. These policies set employee expectations about the organization’s practices and standards and protect the organization from misuse of computer systems and IT resources. If an organization’s employees use computers at work, the organization should, at a minimum, implement epolicies. Epolicies are policies and procedures that address information management along with the ethical use of computers and the Internet in the business environment. Figure 4.5 displays the epolicies a firm should implement to set employee expectations.

Page 140

FIGURE 4.5

Overview of Epolicies

Ethical Computer Use Policy

In a case that illustrates the perils of online betting, a leading Internet poker site reported that a hacker exploited a security flaw to gain an insurmountable edge in high-stakes, no-limit Texas hold- ’em tournaments—the ability to see his opponents’ hole cards. The cheater, whose illegitimate winnings were estimated at between $400,000 and $700,000 by one victim, was an employee of AbsolutePoker.com and hacked the system to show that it could be done. Regardless of what business a company operates—even one that many view as unethical—the company must protect itself from unethical employee behavior.5 Cyberbullying includes threats, negative remarks, or defamatory comments transmitted through the Internet or posted on the website. A threat is an act or object that poses a danger to assets. Click-fraud is the abuse of pay-per-click, pay-per-call, and pay-per-conversion revenue models by repeatedly clicking a link to increase charges or costs for the advertiser. Competitive click-fraud is a computer crime in which a competitor or disgruntled employee increases a company’s search advertising costs by repeatedly clicking the advertiser’s link.

Cyberbullying and click-fraud are just a few examples of the many types of unethical computer use found today.

One essential step in creating an ethical corporate culture is establishing an ethical computer use policy. An ethical computer use policy contains general principles to guide computer user behavior. For example, it might explicitly state that users should refrain from playing computer games during working hours. This policy ensures that the users know how to behave at work and the organization has a published standard to deal with infractions. For example, after appropriate warnings, the company may terminate an employee who spends significant amounts of time playing computer games at work.

Organizations can legitimately vary in how they expect employees to use computers, but in any approach to controlling such use, the overriding principle should be informed consent. The users should be informed of the rules and, by agreeing to use the system on that basis, consent to abide by them.

Managers should make a conscientious effort to ensure all users are aware of the policy through formal training and other means. If an organization were to have only one epolicy, it should be an ethical computer use policy because that is the starting point and the umbrella for any other policies the organization might establish.

Part of an ethical computer use policy can include a BYOD policy. A bring your own device (BYOD) policy allows employees to use their personal mobile devices and computers to access enterprise data and applications. BYOD policies offer four basic options, including:

Unlimited access for personal devices.

Access only to nonsensitive systems and data.

Access, but with IT control over personal devices, apps, and stored data.

Access, but preventing local storage of data on personal devices.

Page 141

Information Privacy Policy

An organization that wants to protect its information should develop an information privacy policy , which contains general principles regarding information privacy. Visa created Innovant to handle all its information systems, including its coveted customer information, which details how people are spending their money, in which stores, on which days, and even at what time of day. Just imagine what a sales and marketing department could do if it gained access to this information. For this reason, Innovant bans the use of Visa’s customer information for anything outside its intended purpose—billing. Innovant’s privacy specialists developed a strict credit card information privacy policy, which it follows.