Dr. Chen, Information Systems

Chapter 9: Using Information Ethically

Jason C. H. Chen, Ph.D., Professor of MIS
School of Business Administration, Gonzaga University, Spokane, WA 99258
[email protected]


Why Learn Ethics/IS Ethics?

• Protecting yourself
• Protecting your organization
• Ultimately, helping to build a respectful and safe society/community.
• What/how to prepare yourself while you are
  – at school now, and
  – at work in the future.


Outline of the Topic

• Understand how ethics should be framed in the context of business practices and the challenges surrounding these issues.
• Define and describe the three normative theories of business ethics.
• List and define PAPA and explain why it is important.
• Understand the security issues organizations face and how organizations are bolstering security.
• Describe how security can best be enacted.
• Define the Sarbanes-Oxley Act and the COBIT framework.


Real World Example

• TJX Companies Inc. (a Delaware corporation), the parent company of T.J. Maxx and Marshall stores, disclosed in January 2007 that its systems were hacked, exposing at least 45.7 million (later updated to 94 million) credit and debit cards to possible fraud.

• On January 17, 2007, TJX publicly announced that it had experienced a massive data breach affecting credit card transaction information for millions of consumers who had shopped at T.J. Maxx, HomeGoods, A.J. Wright and Marshalls stores.


Real World Example (cont.)

• When TJX Co. discovered the largest security breach of a computer system in the history of retailing, it faced a serious ethical dilemma that few companies have faced.
• As many as 94 million customers were affected.
• Given the extent of the breach, multiple state, federal, and foreign jurisdictions dictated how and when it had to inform affected customers and what corrective steps it had to take.
• Most jurisdictions allowed 45 days for it to act following the determination of the breach. Any extension beyond 45 days would incur heavy fines.
• On the ethical side, the question of when to notify was even more pressing.


Issues for Concern

• Two actions for TJX to decide between:
  – 1) notifying their customers immediately, or
  – 2) waiting the 45 days allowed by the jurisdictions.
• Which action would you suggest?


Issues for Concern: Discussions

1. If TJX Co. notifies their customers immediately?

a) Customers might lose confidence in the company, and many would start taking preventive steps to protect themselves from identity theft and avoid any resulting financial and psychological losses.

b) More hackers would learn about the breach and might exploit the weakness in its IT infrastructure, further threatening its computer systems.

c) TJX would face punishment from Wall Street:

i. Financial markets would lose confidence in the company and severely punish shareholders.

ii. Loss of image would also affect its ability to attract and retain high-quality employees in the long run.


Issues for Concern: Discussions

2. If TJX Co. waits the 45 days allowed by the jurisdictions?

a) The financial stability of many customers would be further compromised through misuse of their credit card and other private records.

b) This could result in major class-action litigation, which might permanently affect the company.


Lessons Learned

• What lessons have you learned from the TJX case?

Lessons Learned from the TJX Case

• 1. As in the case of TJX, information collected in the course of business is important for the conduct of business and can even create valuable competitive advantage.

• 2. Ethical questions concerning just how that information will be used and by whom, whether they arise inside or outside the organization, can have powerful effects on the company’s ability to carry out its plans.

Lessons Learned from the TJX Case (cont.)

• 3. As computer networks and their products come to touch every aspect of people’s lives, and as the power, speed, and capabilities of computers increase, managers are increasingly challenged to govern their use in an ethical manner.

• 4. No longer can managers afford to view information systems (IS) as discrete entities within the corporate structure. In many cases, IS are coming to comprise much of the corporation itself.


NORMATIVE THEORIES OF BUSINESS ETHICS


Why Normative Theories of Business Ethics Matter

• Managers must assess initiatives from an ethical point of view.
• Most managers are not trained in ethics, philosophy, and moral reasoning.
  – This makes it difficult to determine or discuss social norms.
• Managers in the information age need to translate their current ethical norms into terms meaningful for the new electronic corporation.
• Therefore, as a workable framework for this process, three theories of ethical behavior in the corporate environment are offered that managers can develop and apply to the particular challenges they face.


Normative Theories of Business Ethics

• Three theories of business ethics are examined that managers can develop and apply to the particular challenges they face (see Figure 1):
  – Stockholder theory
  – Stakeholder theory
  – Social contract theory

• These three theories are “normative” in that they attempt to derive what might be called “intermediate-level” ethical principles: principles expressed in language accessible to the ordinary businessperson, which can be applied to the concrete moral quandaries of the business domain.


Stockholder Theory

• Stockholders advance capital to corporate managers who act as agents in advancing their ends.

• Managers are bound to the interests of the shareholders (maximize shareholder value).

• Managers' duties:
  – Bound to employ legal, non-fraudulent means.
  – Must take the long view of shareholder interest.


What are the implications of “Stockholder” Theory to TJX case?

• Stockholder theory stipulates that the pursuit of profits must be legal and non-fraudulent; waiting the 45 days allowed by law satisfies that test.
  – The delay allowed by law might also have a positive impact on TJX's stock price.
  – A recent survey has shown that customers are reluctant to shop in stores once data breaches have been announced, so delaying may be important for maintaining a steady stream of revenue for as long as possible.
  – Certainly, disgruntled customers would stop shopping at its stores if TJX waited too long.


Stakeholder Theory

• Managers are entrusted with a responsibility to all those who hold a stake in or a claim on the firm.
• Stakeholders are:
  – Any group that vitally affects the corporation's survival and success. They normally include stockholders, customers, employees, suppliers, and the local community.
• Management must enact and follow policies that balance the rights of all stakeholders without impinging upon the rights of any one particular stakeholder.


What are the implications of “Stakeholder” Theory to TJX case?

• Stakeholder theory diverges most consequentially from stockholder theory in affirming that the interests of parties other than the stockholders also play a legitimate role in the governance and management of the firm.

• TJX’s shareholders stand to gain in the short term, but what would be the effects on other stakeholders?

• One stakeholder group, the customers, definitely could benefit from knowing about the breach as soon as possible because they could take steps to protect themselves.


What are the implications of “Stakeholder” Theory to TJX case? (cont.)

• Customers could be informed of the severity of the breach and the protective actions they could take through a special Web page and a toll-free service.

• TJX could also offer them free credit-monitoring service and compensate those who are injured.

• Research has shown that customers who receive adequate compensation after making a complaint are actually more loyal than those without complaints.

• On the other hand, if the breach were not announced, fewer hackers might attempt to break into the systems.

• In general, the costs to customers outweighed the benefits within the larger stakeholder group.


Social Contract Theory

• Derives the social responsibilities of corporate managers by considering the needs of a society with no corporations or other complex business arrangements.
• Corporations are expected to create more value for society than they consume.
• The social contract comprises two distinct components:
  – 1. Social welfare: corporations must produce greater benefits than their associated costs, or society would not allow their creation.
  – 2. Justice: corporations must pursue profits legally, without fraud or deception, and avoid actions that harm society.


What are the implications of “Social Contract” Theory to TJX case?

• Applied to the TJX case, social contract theory would demand that the manager ask whether the delay in notifying customers about the security breach could compromise fundamental tenets of fairness or social justice.

• If the customers were not apprised of the breach as soon as possible, TJX's actions could be seen as unethical, because it would not seem fair to delay notifying them.

• If, on the other hand, the time prior to notification were used to take corrective action with the consequence of limiting not only hackers from stealing confidential customer information but also of forestalling future attacks that would impact society as a whole, the delay conceivably could be considered ethical.


Figure 1 Three normative theories of business ethics.

Stockholder
  Definition: Maximize stockholder wealth, in legal and non-fraudulent manners.
  Metrics: Will this action maximize stockholder value? Can goals be accomplished without compromising company standards and without breaking laws?

Stakeholder
  Definition: Maximize benefits to all stakeholders while weighing costs to competing interests.
  Metrics: Does the proposed action maximize collective benefits to the company? Does this action treat one of the corporate stakeholders unfairly?

Social contract
  Definition: Create value for society in a manner that is just and nondiscriminatory.
  Metrics: Does this action create a "net" benefit for society? Does the proposed action discriminate against any group in particular, and is its implementation socially just?


Relationship among these three Theories

(Figure: the three theories, labeled Social Contract, Stakeholder, and Stockholder.)

• Although these three normative theories of business ethics possess distinct characteristics, they are not completely incompatible.
• They provide managers with an independent standard by which to judge the ethical nature of superiors' orders as well as their firms' policies and codes of conduct.


Actions from TJX

• What, ultimately, did TJX do? TJX disclosed the breach in January 2007, but did not release a comprehensive executive summary of the attack until March 2007, when it made a regulatory filing.
• TJX had actually noticed suspicious software the preceding December, at which point it hired IBM and General Dynamics to investigate. Both companies believed the intrusion may have begun in July 2005.
• That means it took TJX about 17 months (July 2005 – December 2006) to find out that its computer systems had been breached on numerous occasions on a colossal scale.
• It was over a year later, on February 29, 2008, that the President and CEO, Carol Meyrowitz, wrote a letter to "valued customers" about the breach that had been announced on January 17, 2007.


Actions from TJX (cont.)

• The TJX retail chain agreed to pay $24 million and $41 million in restitution to MasterCard and Visa, respectively.
• TJX brokered a separate agreement with a coalition of Massachusetts-based banks that had sued it.
• The only settlement to date offered to actual cardholders by TJX has been free credit monitoring for cardholders and a $30 store voucher.

Q: Which "theory" was TJX's handling of the case consistent with?
1. "Stockholder"
2. "Stakeholder"
3. "Social Contract"


Which "theory" was TJX's handling of the case consistent with?

• Answer: "Stockholder" theory.
• Why?
• Given the information stated above, we can surmise that TJX's overriding approach was more consistent with stockholder theory than with the other theories.
• At least one stakeholder group, the customers, was not well served.


CONTROL OF INFORMATION: Issues of PAPA: Privacy, Accuracy, Property, Accessibility


Privacy

• Those who possess the “best” information and know how to use it, win.

• However, keeping this information safe and secure is a high priority (see Figure 2).

• Privacy: "the right to be left alone".
• Managers must be aware of the regulations in place regarding the authorized collection, disclosure and use of personal information.
  – COBIT framework of 1996.


Accuracy

• Managers must establish controls to ensure that information is accurate.
• Data entry errors must be controlled and managed carefully.
• Data must also be kept up to date.
• Keeping data only as long as it is necessary or legally mandated is a challenge.


Property

• Mass quantities of data are now stored on clients (and what about on "cloud" computing platforms?).
• Who owns this data and who has rights to it are questions that a manager must answer.
• Managers must understand the legal rights and duties that accompany ownership.


Accessibility

• Access to information systems and the data they hold is paramount.
• Users must be able to access this data from any location (provided it can be properly secured and does not violate any laws or regulations).
• A major issue facing managers is how to create and maintain access to information for society at large.
  – This access needs to be restricted to those who have a right to see and use it (to prevent identity theft).
  – Also, adequate security measures must be in place on their partners' end.


Figure 2 Mason's areas of managerial concern with PAPA.

Area: Privacy
  Critical questions: What information must a person reveal about one's self to others? What information should others be able to access about you, with or without your permission? What safeguards exist for your protection?

Area: Accuracy
  Critical questions: Who is responsible for the reliability and accuracy of information? Who will be accountable for errors?

Area: Property
  Critical questions: Who owns information? Who owns the channels of distribution, and how should they be regulated?

Area: Accessibility
  Critical questions: What information does a person or an organization have a right to obtain, under what conditions, and with what safeguards?


PAPA and Managers

• Managers must work hard to implement controls over information in the areas highlighted by PAPA.
• Limit access to data to avoid identity theft and respect customers' privacy.
• The Federal Trade Commission (FTC) requires more disclosure of how companies use customer data.
  – Gramm-Leach-Bliley Act (1999)
• Information privacy guidelines must come from the top: CEO, CFO, etc.


Security and Controls

• PAPA principles work hand-in-hand with security and controls.
• Executives reported that hardware/software failures and major viruses had resulted in unexpected or unscheduled outages of their critical business systems (Ernst & Young).

• Technologies have been devised to manage the security and control problems.

• RFID is being used to control access and manage assets.

• Employees require proper training and education.


Sarbanes-Oxley (SoX) Act of 2002: WHAT / WHY / WHO


Sarbanes-Oxley Act of 2002: WHAT

• What the term "Sarbanes-Oxley" stands for
  – Senator Paul Sarbanes and Representative Michael Oxley, who sponsored the Sarbanes-Oxley Act of 2002.
• Also known as the "Public Company Accounting Reform and Investor Protection Act".


Sarbanes-Oxley Act of 2002: WHY

• The bill was enacted as a reaction to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, and WorldCom.
  – These scandals, which cost investors billions of dollars when the share prices of affected companies collapsed, shook public confidence in the nation's securities markets.
• The intent of the Sarbanes-Oxley Act:
  – To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.


Sarbanes-Oxley Act of 2002: WHO

• Who the Act applies to
  – SOX applies to all public companies in the U.S., to international companies that have registered equity or debt securities with the Securities and Exchange Commission (SEC), and to the accounting firms that provide auditing services to them.


Sarbanes-Oxley Act of 2002 (cont.)

• What the Act is about
  – The Sarbanes-Oxley Act created new standards for corporate accountability as well as new penalties for acts of wrongdoing.
  – It changes how corporate boards and executives must interact with each other and with corporate auditors. It removes the defense of "I wasn't aware of financial issues" from CEOs and CFOs, holding them accountable for the accuracy of financial statements.


Sarbanes-Oxley Act of 2002 (cont.)

• If a company isn't in compliance...
  – Non-compliance penalties range from loss of exchange listing and loss of D&O (Directors and Officers) insurance to multimillion-dollar fines and imprisonment. It can also result in a loss of investor confidence.
  – A CEO or CFO who submits a wrong certification is subject to a fine of up to $1 million and imprisonment for up to ten years. If the wrong certification was submitted "willfully", the fine can be increased to up to $5 million and the prison term to up to twenty years.


Sarbanes-Oxley Act of 2002 Summary

• The Sarbanes-Oxley (SoX) Act of 2002 was enacted to increase regulatory visibility and accountability of public companies and their financial health.
  – CEOs and CFOs must personally certify and be accountable for their firm's financial records and accounting (stiff penalties).
  – The CIO works with auditors, the CFO, and the CEO.
    • The CIO must tread carefully.
  – Firms must provide real-time disclosures of any events that may affect the firm's stock price or financial performance.
  – IT departments realized that they played a major role in ensuring the accuracy of financial data.

Frameworks for Implementing SoX - COBIT

© 2009 ISACA. All rights reserved.

A Closer Look at


Frameworks for Implementing SoX - COBIT

• COBIT, initially an acronym for "Control OBjectives for Information and related Technology", defines 34 generic processes to manage IT. Each process is defined together with process inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model.

• The framework supports governance of IT by defining and aligning business goals with IT goals and IT processes.

Harmonizing the Elements of IT Governance

(Figure, ISACA: IT Governance at the center, surrounded by its five focus areas: Strategic Alignment, Value Delivery, Resource Management, Risk Management, and Performance Measurement.)

COBIT® Answers Key Business Questions

• Is my information technology organization doing the right things?
• Are we doing them the right way?
• Are we getting them done well?
• Are we getting the benefits? *

* Based on the "Four Ares" as described by John Thorp in his book The Information Paradox, written jointly with Fujitsu, first published in 1998 and revised in 2003.

Frameworks for Implementing SoX - COBIT (cont.)

• The framework provides good practices across a domain and process framework.

• The process focus of COBIT is illustrated by a process model that subdivides IT into four domains (Plan and Organize, Acquire and Implement, Deliver and Support and Monitor and Evaluate) and 34 processes in line with the responsibility areas of plan, build, run and monitor.

The COBIT® Framework

(Figure, ISACA: the COBIT process model, with its four numbered domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.)

Summary

• Ethics: decisive action rooted in principles that express what is right and important, and action that is publicly defensible and personally supportable.
• Three important normative theories describing business ethics are: Stockholder Theory, Stakeholder Theory and Social Contract Theory.
• PAPA is an acronym for the four areas in which control of information is crucial: privacy, accuracy, property, and accessibility.
• Issues related to the ethical governance of information systems are emerging in terms of the outward transactions of business that may impinge on the privacy of customers.
• Security looms as a major threat to Internet growth.
• Sarbanes-Oxley Act (2002): enacted to improve internal controls