Computer Personal Use and Security Infringements
Two Dilemmas Concerning Ethics in Information Technology:
Computer Personal Use and Security Infringement
Ethical dilemmas in Information Technology (IT) remain a continually growing problem as technology increases faster than ever before. IT Professionals are people designing or programming “IT systems or [professionals] in any area who must make decisions and/or set policy about the use of computers” (Payne and Landry 2005, 74). This wide field covers people such as computer programmers, network administrators, systems analysts, information systems executives, network security experts, and many other specific jobs. Two dilemmas encountered in the field of IT are how to deal with employees work machines for personal use and how to handle security breaches when private customer information is stolen.
Monitoring employees on their work computers is not so much a question of whether or not to do it, but how to do it. Employers monitor employee computer use because they are concerned about how their computers and networks are being used, to prevent viewing of objectionable websites by employees, breaches of customer confidentiality, the compromise of data integrity, introduction of viruses or malware, as well as increasing employee productivity (Strohmeyer 2011, para. 4-5). One ethical deontological dilemma commonly encountered is that employers find employees using work computers for personal reasons and are unsure what action, if any, to take about it. Many companies state in policy that computers are for work use only, but overlook the rule when employees do innocent things such send messages to friends or family on a lunch break, or as long as the usage isn’t harming productivity. Others may discover personal use includes things that make them uncomfortable or wonder about the company’s liability if the activity continues. The deontological dilemma can be exacerbated by the fact that the rule is not enforced all the time, and employers may wonder what, if anything, can be done about computer personal use problems.
Recent lawsuits, including Stengart v. Loving Care Agency, Inc. (New Jersey 2010) and Holmes v. Petrovich Development Company LLC (California 2011) address this issue (Busser 2011, para. 10-11). In the 2010 New Jersey case, “an employee emailed her lawyer on a company laptop, but through her personal password protected Yahoo account,” and the court decided that even though the emails were sent from a company laptop, they were still protected by attorney client privilege since they came from a personal email account (Busser 2011, para. 10). In the California case, however, “an employee contacted her attorney on a company computer with a company email account,” and the court found that by using the company account to send the email, the employee waived attorney client privilege (Busser 2011, para. 11).
Resolving this kind of conflict in advance is the best method of problem prevention. The Electronic Communications Privacy Act of 1986 (ECT) “generally prohibits unauthorized ‘interception’ or access to electronic communications and would include telephone, email and computer use,” but also has exceptions offering guidance to employers in dealing with personal use of work computers (Busser 2011, para. 15). For instance, the “Employer Owned Systems” exception states that “The owner of the email, IM and phone message systems is also allowed to access the communications even if they are personal” (Busser 2011, para. 18). To be sure that employees understand proper use of work computers and the employer’s policies on monitoring and privacy, employers need to be straightforward and thorough about addressing policies and expectations rather than presenting a piece of paper with a lot of fine print that employees do not bother to read and understand before they sign their names. Making sure both employers and employees understand the ECT is another step toward problem prevention. Additionally, employers can limit the access employees have to particular websites that tend to cause a problem in the workplace. Many problems regarding use of work computers for personal things can be resolved with a simple conversation between an employee and his or her superior rather than resorting to lawsuits, firing, or other harsh and possibly expensive measures.
The consequences of misusing an employee’s information through monitoring mean that a company could be subject to an expensive lawsuit. In the previously mentioned lawsuit, Stengart v. Loving Care Agency, Inc, the court found in the employee’s favor since she was using a personal account. Similarly, IT professionals using work computers may discover that a consequence of using work computers for personal matters could lead to anything from embarrassment of co-workers learning about intimate life details to firing if the personal use breaches the company’s code of conduct or other company rules. An employee with access to monitoring software and its results is at risk if using the data for unethical things such as personal gain or in a discriminatory manner. Using data this way puts not only the individual but also the company at risk for job loss, prosecution, and other industry sanctions.
Security of the network is of utmost importance to IT firms, but the increasing sophistication of hackers also increases the probability that malicious people will steal a firm’s database contents, including private customer information. Many hackers target customer data including names, addresses, phone numbers, social security numbers, credit card numbers, and any other personal data stored and accessible from the Internet. Both deontological and virtue ethical dilemmas result from this situation. The deontological dilemma results from how to inform customers of the problems according to company and industry standards or regulations, while the virtue ethics dilemma results from the expectations of the customer base because the company would like to maintain their trustworthiness.
Between April 17 and 19 of 2011, “Sony suffered a massive breach in its video game online network that led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts” (Baker & Finkel 2011, para. 1-2).. The big ethical problem that Wedbush Securities analyst Michael Pachter points out is that “Sony probably did not pay enough attention to security when it was developing the software that runs its network” and that security design often takes “a backseat” when delivering innovative new products to consumers (Baker & Finkle 2011, para. 15).
Sony reacted at the time by taking down its gaming servers, meaning no public access to its networks. It advised its customers that “If you have provided your credit card data through PlayStation Network or Qriocity, . . .out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained” (Schiesel 2011, para. 5). It was quickly revealed that “Sony didn’t even realize that its trove of customer data had been stolen until an external security consultant discovered the theft on Monday, a week after the fact” (Schiesel 2011, para. 9). The company initially estimated its servers would have downtime for about a week, but the actual time its services were down was almost a month (Olson 2011, para. 7). Notifying customers and improving security are two measures Sony took to improve data security; however, on October 11, 2011, Sony “shut down approximately 93,000 accounts on its online gaming and entertainment networks after detecting a mass, attempted sign-in by a third party using stolen IDs and passwords” (Olsen 2011, para. 2). In the October incident, customers were informed within 24 hours of the breach.
Although Sony warned its customers when it found out about the breach, it lost both reputation and profits by ignoring security to begin with and failing to monitor its own systems holding millions of people’s purportedly confidential information thoroughly. Consumers have a lot to worry about when data is stolen from a trusted company, including identity theft, credit card fraud, or other malicious acts by people who obtain the data. The consequences to individuals who become victims of things like identity theft as a result of Sony’s inattention to security can be devastating. A company’s decision not to continually invest in security measures and monitoring that has the potential to have devastating effects on customers is likely to lead to a devastating effect for the company as well, because “any sane consumer” says, “If you are cavalier with my personal information I will punish you by walking away” (Schiesel 2011, para. 16).
Baker, Liana B. & Finkle, Jim (26 Apr. 2011). Sony PlayStation Suffers Massive Data Breach. Reuters. Retrieved from http://www.reuters.com/article/2011/04/26/us-sony-stoldendata-idUSTRE73P6WB20110426
Bussing, Heather (4 Oct. 2011). Employee Privacy-What Can Employers Monitor? HR Examiner. Retrieved from http://www.hrexaminer.com/employee-privacy-what-can-employers-monitor/
Olsen, Parmy (12 Nov. 2011). Sony Freezes 93,000 Online Accounts After Security Breach. Forbes. Retrieved from http://www.forbes.com/sites/parmyolson/2011/10/12/sony-freezes-93000-online-accounts-after-security-breach/
Payne, Dinah & Landry Brett J. L. (Nov. 2005). Similarities in Business and IT Professional Ethics: The Need for and Development of a Comprehensive Code of Ethics. Journal of Business Ethics 62(1), 73-85. DOI 10.1007/s10551-005-3439-3
Schiesel, Seth (27 Apr. 2011). PlayStation Security Breach a Test of Consumers’ Trust. The New York Times. Retrieved from http://www.nytimes.com/2011/04/28/arts/video-games/sony-playstation-security-flaw-tests-consumer-trust.html
Strohmeyer, Robert (22 Mar. 2011). How to Monitor Your Employees' PCs Without Going Too Far. PC World. Retrieved from http://www.pcworld.com/businesscenter/article/222169