Data Security

Published on June 2016

Barnali Chakrabarty

Introduction: Ethics refers to what comes off as right or wrong to an individual’s conscience. The internet age has brought about new ethical issues, not only for the individual but for society as well, as it has eased the anonymous manipulation and distribution of information, creating new and easier paths for committing crimes such as piracy, identity theft and infringement of an individual’s privacy. In this paper we will analyze the ChoicePoint case and the Sony data breach case from an ethical point of view. (Laudon & Laudon, 2010, p. 128)

Background:

The ChoicePoint Data Breach:

On September 27, 2004, ChoicePoint, a company that aggregates and stores personal information, suspected that some of its small business customers were involved in suspicious activities and informed the police. (Paine, Phillips, 2008) In February 2005, ChoicePoint notified only those residents of California whose data had been leaked to the illegal customers, since a California law requires it. A protest from the public, however, forced the company to disclose the details of the breach to the affected parties residing in other states. The swindlers who scammed ChoicePoint had created over 50 accounts with previously stolen identities over the course of a year or even longer. (Pantesco, 2006)

Changes in business practices (Otto, Anton & Baumer, 2007):

ChoicePoint made numerous changes after the 2004-2005 data breach. The company closed the 50 fake accounts and made a policy to refuse any faxed business licenses in the future. The company also formed a new policy that all nongovernmental organizations need to be re-credentialed in order to do business with it, and strengthened its procedures for verifying a company’s identity. More stringent business policies for ensuring the safety of its customers’ data, e.g. partial masking of social security numbers, were employed. The company continued to investigate its databases for further indications of foul play and brought in outsiders to assess and rectify its practices.

The Sony Data Breach:

The Sony data breach was the result of an intrusion by an outside party, causing an outage in the PlayStation Network and Qriocity services between 17th April 2011 and 19th April 2011. A confirmation from Sony revealed that pieces of personal information had been stolen from each of the 77 million accounts. This breach resulted in Sony shutting off the PlayStation Network for 23 days. (Hirai, 2011)

Sony stated that the chairman of the company had submitted the explanations requested by the United States House subcommittee regarding the attack and that it was taking measures to prevent further breaches. When questioned about the delay in making the breach public, Sony explained that it had sought help from outside officials to conduct an investigation in order to comprehend the nature and magnitude of the incident; the forensic analysis and investigation had caused the delay, since Sony wanted to have all the necessary details before making the breach public. On May 14, 2011, Sony released a security patch called PlayStation 3 firmware version 3.61 requiring users to change their password upon signing into their account in the PlayStation Network. (Seybold, 2011)

Compensation: In compensation for this outage, Sony announced that it would host special events for its users. Sony wanted to show appreciation for the loyalty of the customers who stuck with the PlayStation Network and didn’t look for alternatives. Hence Sony announced a free 30-day extension of its various services for its existing users. A few of its games on the PlayStation Network were also made free, though these games are available only in some regions or countries. In addition, Sony offered one year’s worth of “free identity theft protection” to all of its customers. (Wesley, 2011)

Ethical Analysis

According to Culnan and Williams (2009, p. 679), the two aspects of morality that are principal to the relationship between information aggregators and information providers are vulnerability and avoiding harm.

Aspect of Vulnerability

Analysis: Since the customer gives away his data in exchange for something in return, he loses control over how that information will be used in the future. (Culnan & Williams, 2009, p. 681) The firm that is aggregating the data has the duty to exercise caution in protecting the consumer’s vulnerability, not only for the sake of the customer but also to build its own reputation.

However, in both the ChoicePoint and the Sony breach, the consumers were vulnerable. Individuals whose data ChoicePoint and Sony stored lacked knowledge about the risks posed by ChoicePoint’s credentialing procedures or by the way personal information was stored by Sony.

Aspect of “Do No Harm”

Analysis: Most ethicists are of the opinion that data aggregators have the minimum duty of doing no harm whenever there is an issue concerning information privacy rights (DeGeorge 2006; Goodpaster 1987; Marcoux 2003; Valesquez 2003 as cited in Culnan & Williams, 2009), even more so when their treatment of the consumer’s sensitive personal information makes the consumers unnecessarily vulnerable. (Culnan & Williams, 2009, p. 682)

In both the ChoicePoint and the Sony data breach, however, the “Do No Harm” principle was violated and moral responsibility was clearly absent in the behavior of the officials of these firms. (Culnan & Williams, 2009, p. 682) ChoicePoint’s questionable intentions in delaying the notification of the breach to the public, and the fact that, until pressured, ChoicePoint only bothered to search for records that were leaked within 15 months of the date of the search, were criticized heavily. (Evers, 2005) Further investigations revealed that ChoicePoint had been subjected to a similar scam in 2002. (Paine, Phillips, 2008) The fact that ChoicePoint could be duped so easily within two years proved that ChoicePoint hadn’t done anything to improve its practices since the last breach.

Similarly, Sony also delayed notifying the users of the PlayStation Network about the breach. The public disputed Sony’s reason for its delay, arguing that if Sony judged the situation to be so grave that it felt the need to shut down the PlayStation Network, then it should have warned the public without any delay as well. Moreover, Sony failed to give any concrete reports regarding the breach and merely stated that it could not rule out the possibility of a username or password leak. One more thing to be noted is that the intruders could possibly have obtained information such as the email addresses and first names of the customers who had consented to receiving information about new deals or products from Sony or its partners. There is therefore a good chance that the intruders might send emails in the format of a Sony webpage template and extract valuable information from those customers. Hence this breach indirectly paved the way for more unintentional breaches in the future. (Eddy, 2011)

According to Laudon and Laudon (2010, p. 135), the basic concepts of ethics are as follows:

Responsibility: where the individual or the organization should accept the duties, costs and obligations for the decisions that it made.

Accountability: where the organization should be aware of what decision is taken by whom. If it is impossible to find out who was responsible for what action, then that organization is basically incapable of ethical analysis.

Liability: this basically extends the concept of responsibility to legal actions, where the affected individuals should be able to get compensation for their damages.

Analysis: In my opinion, both ChoicePoint and Sony showed half-hearted ethics in these incidents as a whole. While ChoicePoint did inform officials about the breach as soon as it found out, it only felt it necessary to inform the public because of the California law. The people in the other states were notified because of public outcry. Also, limiting the search for leaked records to only 15 months prior to the date of the search, just because it was required by the law, was another mistake on ChoicePoint’s part. Thus ChoicePoint violated the ethical concepts of responsibility and accountability, yet they seemed to have understood their mistake when they were making changes in their policies and practices after the 2004-2005 breach, and were willing to take corrective actions. But it is debatable whether ChoicePoint’s corrective measures were taken to save its own business or whether it genuinely cared for the affected individuals. Similarly, though Sony did do the necessary investigations, it failed to concretely identify which parties had been affected or what kind of information had been stolen. Similar to ChoicePoint, there was a delay in notifying the public regarding the breach. Hence, there is a dearth of responsibility and accountability from Sony’s side as well. The compensation given can similarly be argued to be a ploy for keeping itself in the market. While ChoicePoint and Sony offered free credit monitoring and free identity theft protection respectively for one year, they disregarded the possibility that the thieves might lie low and take advantage of the stolen information after the passage of a year. Hence these companies showed half-heartedness in being ethically liable as well.

According to Laudon and Laudon (2010, p. 135), some of the candidate ethical principles that have survived across many generations and cultures in history are as follows:

1. “Do unto others as you would have them do unto you (the Golden Rule).” - putting oneself in the place of others and thinking about fairness.

2. “If an action is not right for everyone to take, it is not right for anyone (Immanuel Kant’s Categorical Imperative).”

3. “If an action cannot be taken repeatedly, it is not right to take at all (Descartes’ rule of change).”

4. “Take the action that achieves the higher or greater value (the Utilitarian Principle).”

5. “Take the action that produces the least harm or the least potential cost (Risk Aversion Principle).” - some of the issues pertaining to this principle have already been discussed in the “Do No Harm” subsection.

Analysis: ChoicePoint’s continuing malpractices, in spite of a similar breach two years earlier, proved that it didn’t uphold any of the principles mentioned above. Would ChoicePoint’s employees have liked it if some other organization, to which they entrust their own personal information, did such careless background checks? If logic and common sense prevail, the answer is clearly “No”. Thus ChoicePoint’s actions violate the Golden Rule and Immanuel Kant’s Categorical Imperative. Would ChoicePoint’s employees have appreciated it if the company they entrusted their data to took no measures to rectify its practices even after a breach? A logical answer should be “No”. Yet ChoicePoint did nothing in two years to make changes towards better practices. Thus ChoicePoint’s actions clearly violate the Utilitarian Principle and the Risk Aversion Principle. The delay by Sony, and by ChoicePoint as well, violates Descartes’ rule of change, as a big company can’t afford to keep procrastinating in making incidents of this nature public, since doing so will affect the company’s own reputation. For obvious reasons, this very delay violates the Utilitarian Principle and the Risk Aversion Principle as well. Sony’s poor ways of storing its users’ personal information also violate the Golden Rule and Immanuel Kant’s Categorical Imperative.

Conclusion: Both ChoicePoint and Sony seemed to lack ethical morals in doing business, irrespective of whether the ethics considered is just a part of information systems or whether it has spanned across many generations and cultures.

References



Laudon, K., & Laudon, J. (2010). Management Information Systems (11th edition). New Jersey: Prentice Hall.

Paine, L. S., & Phillips, Z. (2008, March 21). ChoicePoint (A). Harvard Business School.

Paine, L. S., & Phillips, Z. (2008, March 21). ChoicePoint (B). Harvard Business School.



Otto, P. N., Anton, A. I., & Baumer, D. L. (2007). The ChoicePoint dilemma: How data brokers should handle the privacy of personal information. Security & Privacy, IEEE, 5(5), 15-23. Retrieved from http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4336274



Culnan, M. J., & Williams, C. C. (2009). How ethics can enhance organizational privacy: Lessons from the ChoicePoint and TJX data breaches. MIS Quarterly, 33(4), 673-687.



Eddy, N. PROTEGRITY USA Inc. (2011). Sony, Epsilon security breaches preventable: Report. Retrieved from Channel Insider website: http://ehis.ebscohost.com/eds/pdfviewer/pdfviewer?sid=b99f314e-783d-43c4-ba77b09a4dd0ca8d@sessionmgr15&vid=3&hid=22



Seybold, P. (2011, May 04). [Web log message]. Retrieved from http://blog.us.playstation.com/2011/05/04/sonys-response-to-the-u-s-house-of-representatives/



Pantesco, J. Jurist Legal News and Research. (2006). FTC imposes record fine on ChoicePoint in data-loss case. Retrieved from Paper Chase Newsburst website: http://jurist.law.pitt.edu/paperchase/2006/01/ftc-imposes-record-fine-on-choicepoint.php



Evers, J. Jurist Legal News and Research. (2005). Break-in costs ChoicePoint millions. Retrieved from CNet News website: http://news.cnet.com/Break-in-costs-ChoicePoint-millions



Hirai, K. (2011). Kazuo Hirai's letter to the U.S. House of Representatives. Retrieved from website: http://www.flickr.com/photos/playstationblog/sets/72157626521862165/



Wesley, Y. (2011). PSN: Sony outlines "welcome back" gifts. Retrieved from website: http://www.eurogamer.net/articles/2011-05-01-psn-sony-outlines-welcome-back-gifts
