Information Ethics & Intro to Information Security Chapter 4


Page 1: Information ethics & intro to information security

Information Ethics & Intro to Information Security

Chapter 4

Page 2: Laws & Ethics

Page 3: Ethics in the Information Age

• Ethical issues in the areas of copyright infringement and intellectual property rights are consuming the e-business world

• Technology makes it extremely easy to copy everything digital!

Page 4

As a result, several technology-related issues arise!

Intellectual Property: Intangible creative work that is embodied in physical form

Copyright: The legal protection afforded an expression of an idea

Fair Use Doctrine: In certain situations, it is legal to use copyrighted material

Pirated Software: Unauthorized use, duplication, distribution, or sale of copyrighted software

Counterfeit Software: Software that is manufactured to look like the real thing and sold as such

Page 5: Privacy Protection

• The protection of consumer personal information over the Internet is getting an increasing amount of attention.

• As consumers become more aware of the many online threats to their personal information, businesses attempt to find ways to retain their customers' trust (Peslak, 2005).

• Two areas of threats

1. Outside threats
   1. Hackers
   2. Phishing schemes

2. Inside threats
   1. Unintended use of consumer PI
   2. PI sale to third parties

Page 6: Privacy

• Is the right to be left alone when you want to be, have control over your own personal possessions, and not to be observed without your consent.

• Confidentiality is related to privacy. Confidentiality says that messages and information are available only to those who are authorized to view them

» Hmmm…… what about the use of cookies then?

Page 7: Trust

• Trust between companies, customers, partners, and suppliers is the support structure of e-business

• Privacy continues to be a barrier to the growth of e-business

• The unintentional use of consumer information, and the resulting uncertainty about where consumer information ultimately ends up, diminishes consumer trust in e-commerce websites.

• When consumers feel that they cannot trust how their personal information is going to be used by online businesses, consumers simply choose not to shop online.

Page 8: E-business Practices & Consumer Mistrust

• Initially, e-businesses reported that they collected large amounts of consumer personal information for the purposes of:

1. improving services

2. personalizing the customer's experience while visiting their website.

• Today, more and more frequently, e-businesses are using PI for purposes other than those it was originally authorized for!

Page 9: Reason for Misuse

• The book discusses the Saab public relations fiasco, when a marketing firm "bent" the opt-in rules governing the use of email promotions.

• In 2005, a survey of large and small businesses found that private smaller companies often placed marketing causes ahead of the altruistic motivation of protecting their customers (Peslak, 2005)

Page 10: Consumer Protection

• Information has no ethics. Information does not care how it is used. It will not stop itself from spamming customers, sharing itself (sensitive or not), or revealing details to third parties; information cannot delete or restore itself

• Therefore, it is the responsibility of those who own or manage information to develop ethical use policies and guidelines

Page 11: Established Information-related Laws

• Laws were developed to ensure that consumer personal information is being handled securely and that the right to privacy is being enforced.

• Examples of these laws include:

– the Health Insurance Portability and Accountability Act (HIPAA),

– the Family Educational Rights and Privacy Act (FERPA),

– the Electronic Communications Privacy Act,

– the Sarbanes-Oxley Act, and

– the CAN-SPAM Act

Page 12: Information Management Policies

• Sensitive corporate information is a valuable resource

• Management needs to develop a culture that is based on ethical principles that they can easily implement and employees can understand

• Establishing this culture is based on the development of written policies that will guide personnel procedures and set organizational rules for the use of information

Page 13: ePolicies

• Organizational practices & standards related to information

• Protection from misuse of computer systems and IT resources

• Minimally, organizations should develop ePolicies.

• ePolicies are policies and procedures that address the ethical use of computers and Internet usage in the business environment

Page 14: ePolicy types

» Ethical computer use policy
» Information privacy policy
» Acceptable use policy
» E-mail privacy policy
» Internet use policy
» Anti-spam policy

Page 15

Ethical Computer Use Policy: Guides computer use behavior (e.g., don't play games at work); the policy should be clear on what happens after several infractions

Information Privacy Policy: Includes components related to adoption & implementation, notice and disclosure, choice & consent, information security, and information quality and access

Acceptable Use Policy: A policy that users must agree to follow in order to have access to a network or the Internet.

• AUPs are common for most business and educational facilities

Email Privacy Policy: Details the extent to which email messages may be read by others

Page 16: More policies

• Internet Use Policy: contains general principles to guide the proper use of the Internet at work; it limits access to certain categories of websites and states why the Internet is available to employees (and why it is not!)

• Anti-Spam Policy: employees cannot send unsolicited emails.

• Spam, by some estimates, accounts for 40-60% of most organizations' email traffic

• Spam clogs e-mail systems and siphons IT resources away from legitimate business projects

Page 17: Ethics: Monitoring in the Workplace

• Employees shop online at work and email/IM friends and family from work…

• Employees consume portions of their work day surfing the web…

• As a result of this behavior…

• Employers are taking a "big brother" approach, monitoring employee Internet usage and emails.

Page 18: Information Technology Monitoring

• Tracks employees' activities using measures such as:

– Number of keystrokes
– Error rates
– Number of transactions processed

Key loggers / hardware key loggers: Record keystrokes and mouse clicks

Web Log: Consists of one line of information for every visitor to a website

Page 19: Employee Monitoring Policies

• The best path for an organization planning to engage in employee monitoring is open communication surrounding the issue

• CSOs that are open about how, when, and where they monitor employees will find that employees police themselves

Page 20: Intellectual Capital

• Organizational information is intellectual capital

• Just like protecting money in a bank and providing a safe environment for employees, organizations must also protect their intellectual capital

Page 21: Information Security

• Information Security is a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside the organization

• Security is the most fundamental & critical of all technologies/disciplines an organization must have squarely in place to execute its business strategy