Slashdot Mirror


Ethical Obligations

MaxwellStreet writes "There's a great editorial on msnbc.com about the ethical dilemma of whether or not a system administrator (or the business they work for) is obligated to disclose credit card number theft from their machines. What does everyone here think?"


  1. What dilemma? by Krapangor · · Score: 3, Insightful

    The company is legally obliged to inform their customers of the theft.
    If they won't, they are (at least partially) responsible for any damages caused by the criminals.
    The sysad should inform his manager and point out all legal consequences. This should sort out all problems.

    --
    Owner of a Mensa membership card.
  2. old saying but valid by Anonymous Coward · · Score: 1, Insightful

    Do unto others as you would have them do unto you.

  3. The needs of the many always outweigh..[blah,blah] by shockwaverider · · Score: 5, Insightful

    Sorry but this is not an ethical dilemma - You should always disclose to the customers that you perceive a theft to have taken place.

    The company has a duty to its customers' information. Demonstrating that your company is ignoring its duty is *far* more damaging than any reports of breached systems.

    Also, if everybody knows about an insecurity then the company will HAVE to take remedial action.

    Sadly many executives do not see it this way and some slimeballs will even punish those employees who tattle. In the UK we have the whistleblowing act that is designed to prevent loss of employment due to actions in the interest of the public good. I wonder if our stateside companions are as well protected.....

    --
    Remember kids! Guns don't kill people - Americans kill people.
  4. Credit Card system most braindead thing ever by Anonymous Coward · · Score: 2, Insightful

    Basically your credit card company gives you a bunch of numbers and says "that's the key to your money, to pay you just have to give those numbers to a vendor, and trust that they won't give the key to anyone else because we're not going to change the key before 2006".

    Sorry but I don't buy it. I don't understand why the system hasn't collapsed yet.

  5. No Question. Report it by evilviper · · Score: 3, Insightful

    Not only are they doing the 'ethical' thing, but they could be sued by consumers/CC companies if they don't.

    Secondly, I still can't understand why CC companies don't have a one-time CC# system in place. Something like S/Key would work great. You enter your credit-card number (e.g. 1234-1234-1234) and an amount (e.g. $450.00) into a program and get a one-time-use credit-card number. That way, stealing credit-card numbers is a thing of the past. Of course, the slight inconvenience comes in carrying around a handheld and writing down the number, and not being able to just give the CC# to a company just once, and automatically having the future purchases charged to the previous number. Of course, many people would like that system, and I would be at ease using credit-card numbers online.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
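The one-time card number the post above sketches can be made concrete. The following is an added illustration, not code from the poster or from any card network: it assumes a hypothetical shared secret between the issuer and the cardholder's device, derives a 12-digit token by HMAC over a purchase counter and the amount (a simplification of the S/Key idea, which uses hash chains rather than a persistent secret), and shows why a token captured from one merchant is useless for a replay or for a different amount.

```python
"""One-time payment token sketch (added example, constructed values only).

Assumptions (hypothetical, not from the original post):
  - issuer and cardholder device share a per-card secret
  - token = HMAC-SHA256(secret, "counter:amount_cents"), truncated to 12 digits
  - the issuer keeps the set of counters already spent per card
"""
import hmac
import hashlib

TOKEN_DIGITS = 12


def derive_token(secret: bytes, counter: int, amount_cents: int) -> str:
    """Cardholder side: a token bound to this counter and this exact amount."""
    msg = f"{counter}:{amount_cents}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    value = int.from_bytes(digest[:8], "big") % (10 ** TOKEN_DIGITS)
    return f"{value:0{TOKEN_DIGITS}d}"


class Issuer:
    """Issuer side: recomputes the token and refuses replays."""

    def __init__(self) -> None:
        self.secrets: dict[str, bytes] = {}
        self.used: dict[str, set[int]] = {}

    def enrol(self, card_id: str, secret: bytes) -> None:
        self.secrets[card_id] = secret
        self.used[card_id] = set()

    def authorize(self, card_id: str, counter: int, amount_cents: int, token: str) -> bool:
        """Merchant forwards (card_id, counter, amount, token); issuer decides."""
        secret = self.secrets.get(card_id)
        if secret is None:
            return False
        if counter in self.used[card_id]:
            return False  # replay of an already-spent counter
        expected = derive_token(secret, counter, amount_cents)
        if not hmac.compare_digest(expected, token):
            return False  # wrong secret, wrong counter, or amount was altered
        self.used[card_id].add(counter)  # mark spent only after a valid match
        return True


def demo() -> dict[str, bool]:
    """Walk through: legitimate use, replay, amount tampering, next purchase."""
    secret = b"constructed-demo-secret-not-a-real-key"  # constructed sample value
    issuer = Issuer()
    issuer.enrol("card-1234", secret)
    token = derive_token(secret, counter=1, amount_cents=45000)  # $450.00
    return {
        "first_use": issuer.authorize("card-1234", 1, 45000, token),
        "replay": issuer.authorize("card-1234", 1, 45000, token),
        "wrong_amount": issuer.authorize("card-1234", 2, 99900, token),
        "next_purchase": issuer.authorize("card-1234", 2, 1299, derive_token(secret, 2, 1299)),
    }


if __name__ == "__main__":
    print(demo())
```

A merchant that leaks its transaction log exposes only spent tokens, which the issuer will refuse; the cardholder's secret never leaves the device. The replay set grows without bound here, so a real deployment would use a sliding counter window, and the amount binding means the recurring-billing convenience the post mentions is indeed lost.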
  6. it is about trust and respect. by pigeonhed · · Score: 2, Insightful

    When your customer trusts you with the financial information to complete a transaction you have taken on a great deal of responsibility. If you respect your customers and appreciate the business this would not be a problem at all.

    This is just another example of why in our current culture trust and respect are hard to come by.

  7. Should? Sure. Would? Not a chance in hell. by Wee · · Score: 5, Insightful
    Sorry but this is not an ethical dilemma - You should always disclose to the customers that you perceive a theft to have taken place.
    ...
    Also, if everybody knows about an insecurity then the company will HAVE to take remedial action.

    That magic word "should". I should floss more often. I also should get on the treadmill (and off the PC) more often. I should do the dishes every night, should save more money for retirement, should take classes to finish my cert, should thank a veteran on Veteran's Day, should clean my garage, should mail Dad a gift, and should eat out less. A perfect world would be a busy world, to be sure.

    That said, there's about a 1 in 6.02x10^23 chance that corporations will voluntarily disclose theft of sensitive data. If everyone knows about Company A's insecurity, the customers will go to Company B which doesn't disclose such information. Press releases are sent out about getting pantsed, competitors create disparaging ads, customers leave, investors get nervous, stock prices drop. And then companies learn it pays to keep your mouth shut.

    In fact, I'd wager a company is more likely to pay other people to keep their mouths shut as well than it is to be open and honest and forthcoming. Remember, a public company has one -- and only one -- duty: increase or maintain shareholder value. If they don't do that, then the board can be sued, the chairman ousted, etc, etc. Yeah, I'd bet that not getting thrown off the board is worth some hush-up money in the right places. If I were The Chairman, for instance, I'd make damn sure my sysadmins and IT group had fairly hefty NDAs/non-competes as well as hefty bonuses for "resolving" security issues in a discreet way.

    Here's a hypothetical example: Datek gets broken into every once in a great while, has an insecure setup, whatever. Confidential data gets lost or intercepted easily maybe, who knows. But it decides to be honest with everyone. It gets a web page going of all the recent compromises, sends email to people whose info was pinched, fixes the problems via the aforementioned remedial actions. E*trade keeps quiet, Datek starts looking sloppy and has a "history" of being insecure, E*trade gets more business even if they don't decide to smear Datek. Datek is soon a fading memory with secure business systems.

    Disabuse yourself of the notion that you will know who got what and when. It is not in a company's best interest to let you know your privacy and financial security was compromised, no matter how much grandstanding they do over security and trust. Just don't use a Visa/Mastercard debit card or your SSN online and everything will be fine.

    -B

    --

    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

  8. Re:The needs of the many always outweigh..[blah,bl by uncleFester · · Score: 3, Insightful
    It's the choice between backstabbing your boss and not warning customers who after all may not even be victims.

    I still don't see the problem. If I discover this kind of problem, the first one I inform is my boss. If he fails to react, I have two things to consider:
    • The burden of failing to disclose farther up the chain is on his shoulders now.
    • If he fails to react, then there is no guilt in going over his head. He put himself in that spot by failing to react.

    And as I sit here typing this.. I think I should take a fellow admin as a witness, so we have no he-said/he-said crap later on.

    -f
    --
    -'fester
  9. It's not so simple by Gunzour · · Score: 5, Insightful

    A lot of people here are simply saying "Yes, he has to disclose it." It's not that easy. There are two big problems to this that I can see. First, the customers are NOT the victims here. Second, the sysadmin clearly has ethical obligations to his employer; whether he has ethical obligations to his employer's customers is less clear.

    When a credit card number is used fraudulently, the credit card company is the victim. The holder of the credit card (the consumer) has no responsibility to pay for fraudulent charges; he only has a responsibility to notify the credit card company that the charges are not legitimate.

    Some may say that the consumer is ultimately the victim because the credit card company will pass losses from fraud to their customers in the form of higher fees. If you believe this then you probably also believe that copying a CD actually takes money out of the music industry's bank accounts. The credit company has the power to change their system to stop fraud -- it is simply more profitable for them to absorb the losses instead.

    This is one of the reasons I've never been afraid to use my credit card number online -- why there was ever fear over this is beyond my understanding. If someone steals my credit card number (it happened to me once), I just call up the credit card company and tell them. I don't have to pay for something I didn't buy. Period.

    Anyway, my point is that there is not an ethical obligation to the customer because the customer is not a potential victim here. Some have said there is a legal obligation but I do not believe that (i am not a lawyer). If a restaurant discovers a waiter has been stealing credit card numbers they are not going to notify their customers. They will fire the waiter and notify the credit card company and possibly the police.

    The second part of this -- who the sysadmin has an ethical obligation to -- goes like this: As a sysadmin you have an ethical obligation to your employer to not harm your employer. You also have an ethical obligation to not use your employer's customer data to contact the customers directly -- you would be stealing data just like the credit card thieves and could face prosecution from your (by this point, former) employer. You also have an ethical obligation to understand your position in the company and operate within those bounds -- you are a sysadmin, not a lawyer, not a PR person, not a manager. You also have an ethical obligation to your employer to notify an appropriate person *within the company* when someone else is behaving unethically. The company has an ethical and probably legal obligation to notify the credit card company -- since the credit card company stands to lose money if the stolen numbers are used.

    Credit card companies have entire departments to deal with fraud -- they have the expertise to handle this situation. Joe sysadmin doesn't. Joe sysadmin's employer doesn't. And the customers certainly don't. The credit card company is really the one that should be notified here -- and since the credit card company is the potential victim, it should be up to them to decide whether or not to involve law enforcement.

    If I were the sysadmin in this situation I would first try to convince my manager to involve the company's legal dept to find out what our legal obligations and risks are. I would encourage them to notify the credit card company and offer my time to work with the credit card company to investigate whether or not something actually happened. If the company decides to keep quiet, I would put my objections in writing and make sure they are known, and I would look for another employer. In this case, though, I wouldn't take it upon myself to notify anyone outside the company. If the crime involved human victims rather than corporate ones, I think I would feel obligated to notify law enforcement.

    1. Re:It's not so simple by alizard · · Score: 4, Insightful
      Reading this thread and your reply makes me a lot more nervous about credit card use on the Internet.

      A fair number of the readers are the actual sysadmins at e-commerce sites.

      To see people who are likely to be e-commerce sysadmins actually state that there is no possible consequence to end users of the theft of credit card and other personal information in a time where identity theft is one of the fastest growing crimes in the First World shows a depth of cluelessness that is frightening.

      With respect to the SANS Institute... I won't be sending people to them for security advice and information anymore. (mental note: check my Website and pull any links to them)

      To see people say that people have an ethical duty to conceal the commission of felonies which can indeed affect customers because it "might hurt the employer" suggests to me that the real problem with e-commerce security may not be solvable without major governmental intervention, because it is rooted in not technological failure, but simply because the responsible parties don't give a shit about the customers and will not be safe guardians of the private information given to them by customers without the incentive of prison time for failing to protect them.

  10. Re:If keys get stolen I want to know by nivedita · · Score: 2, Insightful

    The solution here is obvious: tell the tenant, and change the locks asap. The tenant will feel much better about the apt management if this is done - also, if you keep quiet about it, what happens if the apt is burgled, and the fact that the keys were in an insecure location comes out later? You could potentially face liability.