Information Ethics Chapter 4
Laws & Ethics
Ethics in the Information Age
Ethical issues in the areas of copyright infringement and intellectual property rights are consuming the e-business world. Technology makes it extremely easy to copy everything digital!
As a result, several technology-related issues arise:
Intellectual Property: intangible creative work that is embodied in physical form
Copyright: the legal protection afforded an expression of an idea
Fair Use Doctrine: in certain situations, it is legal to use copyrighted material
Pirated Software: unauthorized use, duplication, distribution, or sale of copyrighted software
Counterfeit Software: software that is manufactured to look like the real thing and sold as such
Privacy Protection
The protection of consumer personal information over the Internet is getting an increasing amount of attention as consumers become more aware of the many online threats to their personal information and businesses attempt to find ways to retain their customers' trust (Peslak, 2005).
Two areas of threats:
Outside threats: hackers, phishing schemes
Inside threats: unintended use of consumer personal information (PI), sale of PI to third parties
Privacy
Privacy is the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent. Hmmm... what about the use of cookies then?
Trust
Trust between companies, customers, partners, and suppliers is the support structure of e-business. Privacy continues to be a barrier to the growth of e-business. The unintentional use of consumer information, and the resulting uncertainty over where consumer information ultimately ends up, diminishes consumer trust of e-commerce websites. When consumers feel that they cannot trust how their personal information is going to be used by online businesses, they simply choose not to shop online.
E-business Practices & Consumer Mistrust
Initially, e-businesses reported that they collected large amounts of consumer personal information for the purposes of improving services and personalizing the customer's experience while visiting their website. Today, more and more frequently, e-businesses are using PI for purposes other than those it was originally authorized for!
Reason for Misuse
The book discusses the Saab public relations fiasco, when a marketing firm "bent" the opt-in rules governing the use of email promotions. In 2005, a survey of large and small businesses found that private smaller companies often placed marketing causes ahead of the altruistic motivation of protecting their customers (Peslak, A.R., 2005).
Consumer Protection
Information has no ethics. Information does not care how it is used. It will not stop itself from spamming customers, sharing itself (sensitive or not), or revealing details to third parties; information cannot delete or restore itself. Therefore it is the responsibility of those who own or manage information to develop ethical use policies and guidelines.
Established Information-Related Laws
Laws were developed to ensure that consumer personal information is handled securely and that the right to privacy is enforced. Examples of these laws include the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), the Electronic Communications Privacy Act, the Sarbanes-Oxley Act, and the CAN-SPAM Act.
Federal Trade Commission
In addition to these examples, the Federal Trade Commission developed five fair information practices to be followed by companies that have Internet sites as part of their business. These five principles are listed on the next slide.
FTC Five Fair Information Practices
1. Data collectors must disclose to consumers their information practices as they relate to the collection of personal information.
2. Consumers must be given options with respect to whether and how personal information collected from them may be used for purposes beyond those for which the information was provided.
3. Consumers should be able to view and contest the accuracy and completeness of data collected about them.
4. Data collectors must take reasonable steps to assure that information collected from consumers is accurate and secure from unauthorized use.
5. A reliable mechanism must be used to impose sanctions for noncompliance with these fair information practices, as a critical ingredient in any governmental or self-regulating program to ensure privacy online.
Information Management Policies
Sensitive corporate information is a valuable resource. Management needs to develop a culture that is based on ethical principles that they can easily implement and employees can understand. Establishing this culture is based in the development of written policies that will guide personnel procedures and set organizational rules for the use of information.
ePolicies
Organizational practices and standards related to information; protection from misuse of computer systems and IT resources. Minimally, organizations should develop ePolicies. ePolicies are policies and procedures that address the ethical use of computers and Internet usage in the business environment.
ePolicy types
Ethical computer use policy
Information privacy policy
Acceptable use policy
E-mail privacy policy
Internet use policy
Anti-spam policy
Ethical Computer Use Policy: guides computer use behavior (don't play games at work); the policy should be clear on what happens after several infractions.
Information Privacy Policy: includes components related to adoption and implementation, notice and disclosure, choice and consent, information security, and information quality and access.
Acceptable Use Policy: users must agree to follow it in order to have access to a network or the Internet. AUPs are common for most business and educational facilities.
Email at Work... Private?
Email in the workplace is not private! This means that any email sent over your company's LAN and processed through company-owned computers is subject to monitoring. This also includes emails sent through web-based email accounts such as Yahoo!, Gmail, etc. All IMing is also subject to monitoring.
Email Privacy Policy: details the extent to which email messages may be read by others.
More Policies
Internet Use Policy: contains general principles to guide the proper use of the Internet at work; this limits access to certain categories of websites and states why the Internet is available to employees (and why it is not!).
Anti-Spam Policy: employees cannot send unsolicited emails. Spam by estimates accounts for 40-60% of most organizations' email traffic. Spam clogs e-mail systems and siphons IT resources away from legitimate business projects.
Monitoring in the Workplace
Employees shop online at work and email/IM friends and family from work. Employees consume portions of their work day surfing the web. As a result of this behavior, employers are taking a "big brother" approach and monitoring employee Internet usage and emails.
Information Technology Monitoring
Tracks employees' activities using measures such as number of keystrokes, error rates, and number of transactions processed.
Key loggers / hardware key loggers: record keystrokes and mouse clicks.
Web log: consists of one line of information for every visitor to a website.
Employee Monitoring Policies
The best path for an organization planning to engage in employee monitoring is open communication surrounding the issue. CSOs that are open about how, when, and where they monitor employees will find that employees police themselves.
Intellectual Capital
Organizational information is intellectual capital. Just like protecting money in a bank and providing a safe environment for employees, organizations must also protect their intellectual capital.
Information Security
Information security is a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside the organization. Security is the most fundamental and critical of all technologies/disciplines an organization must have squarely in place to execute its business strategy.
Types of Attacks
Phishing Attacks: socially engineered attempts to gain access to credentials or other information valuable to the attacker.
Man-in-the-Middle Attacks: a man-in-the-middle (MITM) attack, also known as TCP hijacking, occurs when an attacker sniffs packets from the network, modifies them, and then inserts them back into the network. An MITM attack is used to obtain a user's credentials such as passwords, usernames, or user IDs. Once the MITM hijack has occurred, the attacker also has the ability to eavesdrop on communications and to change, delete, reroute, add, and divert the intercepted data.
Defending Information Systems
Organizations make information available to employees, customers, and partners electronically. Doing business electronically automatically creates tremendous information security risks for organizations. As we have discussed before, most information security issues are not a technical issue but rather a people issue. The CSI/FBI Computer Crime and Security Survey reported that 38% of respondents indicated security incidents originated within the enterprise.
People: The First Line of Defense
Insiders are legitimate users who purposely or accidentally misuse their access to the business environment and cause some kind of business-affecting incident. To protect against security breaches internally, organizations need to develop password (PW) policies and implement plans that create checks and balances that limit the risk of social engineering attacks.
Information Security Policy & Security Plans
Information Security Policy: identifies the rules required to maintain information security.
Security Plans: detail how the information security policy will be implemented. They cover such things as:
ensuring the security and confidentiality of protected information;
protecting against anticipated threats or hazards to the security or integrity of information;
protecting against unauthorized access to or use of protected information that could result in substantial harm or inconvenience to any customer.
Meeting these criteria also ensures that organizations are in compliance with the Gramm-Leach-Bliley Act. Incident Response Plans and Disaster Recovery Plans are included in security planning.
Security Planning in Practice
Organizations typically use IS security professionals to conduct threat assessments and risk analyses that are specific to that organization's needs. These site security evaluations often include identifying organizational assets, identifying relevant threats, and comparing the expected cost that a threat would cause the organization against the cost of protecting the organization against such threats. This process of evaluating an organization's information systems and technology security works, but it leaves the issue of information assurance as an afterthought in the information system development process.
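The cost comparison described in the risk-analysis step above, worked through as an added example (not from the slides or their textbook): each threat's expected yearly loss (asset value times exposure times annual rate) is set against the annual cost of a safeguard, and only safeguards that avoid more loss than they cost are recommended. The asset values, rates, costs and control names are constructed for illustration.

```python
# Added example (not from the slides): a small quantitative risk analysis
# following the three steps the slide lists: identify assets, identify
# relevant threats, and compare the expected cost of each threat with the
# cost of protecting against it. All asset values, probabilities and
# control costs below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    asset: str             # organizational asset at risk
    name: str              # relevant threat to that asset
    asset_value: float     # cost of a total loss of the asset
    exposure: float        # fraction of asset_value lost per incident (0..1)
    annual_rate: float     # expected incidents per year (ARO)
    control: str           # candidate safeguard
    control_cost: float    # annual cost of the safeguard
    control_effect: float  # fraction of the expected loss the safeguard removes


def annual_loss_expectancy(t: Threat) -> float:
    """Expected yearly cost of the threat: ALE = (asset value x exposure) x ARO."""
    return round(t.asset_value * t.exposure * t.annual_rate, 2)


def control_benefit(t: Threat) -> float:
    """Loss avoided by the safeguard minus what the safeguard costs per year.
    Positive means protecting is cheaper than absorbing the expected loss."""
    return round(annual_loss_expectancy(t) * t.control_effect - t.control_cost, 2)


def evaluate(threats):
    """One decision row per threat, highest net benefit first."""
    rows = []
    for t in threats:
        benefit = control_benefit(t)
        rows.append({
            "asset": t.asset,
            "threat": t.name,
            "ale": annual_loss_expectancy(t),
            "control": t.control,
            "net_benefit": benefit,
            "justified": benefit > 0,
        })
    rows.sort(key=lambda r: r["net_benefit"], reverse=True)
    return rows


# Constructed sample inventory (asset, threat, value, exposure, ARO, control, cost, effect)
SAMPLE_THREATS = [
    Threat("customer PI database", "insider misuse / PI sale", 500_000, 0.4, 0.2,
           "access logging + least privilege", 20_000, 0.7),
    Threat("employee email", "phishing for credentials", 200_000, 0.25, 1.5,
           "phishing-resistant MFA", 25_000, 0.9),
    Threat("public web server", "defacement", 50_000, 0.1, 0.5,
           "web application firewall", 20_000, 0.5),
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_THREATS):
        verdict = "fund" if r["justified"] else "accept risk"
        print(f"{r['asset']:<22} {r['threat']:<26} ALE={r['ale']:>9,.0f} "
              f"{r['control']:<34} net={r['net_benefit']:>9,.0f} -> {verdict}")
```

With the constructed figures the MFA control and the access-logging control are funded while the firewall is not, which is the comparison the slide describes; the same code applies to a real asset inventory once the values come from the organization's own assessment.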