Slashdot Mirror


Ethical Obligations

MaxwellStreet writes "There's a great editorial on msnbc.com about the ethical dilemma of whether or not a system administrator (or the business they work for) is obligated to disclose credit card number theft from their machines. What does everyone here think?"

18 of 131 comments

  1. second... disclosure by lysacor · · Score: 3, Interesting

    Sure, there are some system administrators who would rather not reveal themselves as having an insecure network, for fear of having more security violations or even, god forbid, having to fess up to a mistake. However, we all make mistakes, and protecting the commerce of your website and payment processing system should be top priority, while disclosing to your customers the potential of the intrusion as well as informing them that there is a fix in the works; otherwise the check-and-balance system that any worker must follow, as well as trust, would be violated in the process.

  2. What dilemma? by Krapangor · · Score: 3, Insightful

    The company is legally obliged to inform their customers of the theft.
    If they won't, they are (at least partially) responsible for any damages caused by the criminals.
    The sysad should inform his manager and point out all legal consequences. This should sort out all problems.

    --
    Owner of a Mensa membership card.
  3. The needs of the many always outweigh..[blah,blah] by shockwaverider · · Score: 5, Insightful

    Sorry but this is not an ethical dilemma - You should always disclose to the customers that you perceive a theft to have taken place.

    The company has a duty to its customers' information. Demonstrating that your company is ignoring its duty is *far* more damaging than any reports of breached systems.

    Also, if everybody knows about an insecurity then the company will HAVE to take remedial action.

    Sadly many executives do not see it this way and some slimeballs will even punish those employees who tattle. In the UK we have the whistleblowing act that is designed to prevent loss of employment due to actions in the interest of the public good. I wonder if our stateside companions are as well protected.....

    --
    Remember kids! Guns don't kill people - Americans kill people.
  4. Maybe an admin code of ethics? by inkswamp · · Score: 5, Interesting

    Dealing with this kind of ethical quandary isn't an admin's job and yet it seems that they end up stuck. In other professions where we have similar possible ethical dilemmas (medical, legal, etc.) there are established and deeply entrenched codes of ethics to which practitioners are expected, even by employers and associates, to adhere. Why don't system administrators have such a thing?

    I think the revelation in the article that a business would prefer to sweep such a theft under the rug is frightening and opens the door to all kinds of problems. Maybe making employers understand that their admins are obligated by their own professional standards to expose this kind of thing will effect a positive change. I can't imagine what hiding it will achieve. You don't have to think hard to come up with examples of past situations where hiding "undesirable" information caused more problems than it solved. We're seeing the end results of that very attitude playing itself out with Enron/Arthur Andersen as well as the Catholic church right now.

    Admins should be expected to expose this kind of thing with the understanding that doing so will avoid bigger and worse problems down the road. It should be viewed as a service to the public which takes priority over protecting petty business interests.

    We will either learn from history or repeat it... again.

    --Rick

    --
    --Rick "If it isn't broken, take it apart and find out why."
  5. No Question. Report it by evilviper · · Score: 3, Insightful

    Not only are they doing the 'ethical' thing, but they could be sued by consumers/CC companies if they don't.

    Secondly, I still can't understand why CC companies don't have a one-time CC# system in place. Something like S/Key would work great. You enter your credit-card number (e.g. 1234-1234-1234) and an amount (e.g. $450.00) into a program and get a one-time-use credit-card number. That way, stealing credit-card numbers is a thing of the past. Of course, the slight inconvenience comes in carrying around a handheld and writing down the number, and not being able to just give the CC# to a company once and automatically have future purchases charged to the previous number. Of course, many people would like that system, and I would be at ease using credit-card numbers online.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
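The one-time card number scheme described in the comment above, as an added example that is not part of the original post and is not any issuer's real product. The comment mentions S/Key, which is a hash chain; a hash chain cannot bind the purchase amount into the number, so this example uses an HMAC over (account, counter, amount) instead, with a Luhn check digit so the result looks like an ordinary 16-digit card number. The shared key, the account identifier, the "4000" prefix, and the idea that the merchant forwards the counter alongside the number are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample secret shared between the cardholder's device and the issuer.
# A real deployment would provision a per-card key; this value is for illustration only.
SAMPLE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
SAMPLE_ACCOUNT = "acct-1234"        # hypothetical issuer-side account identifier
ISSUER_PREFIX = "4000"              # assumed BIN reserved for one-time numbers


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for a digit string (the digit is appended on the right)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:              # rightmost payload digit gets doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Standard Luhn validation of a full card number including its check digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def one_time_number(key: bytes, account: str, counter: int, amount_cents: int) -> str:
    """Derive a 16-digit one-time card number bound to (account, counter, amount)."""
    msg = f"{account}|{counter}|{amount_cents}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    body = str(int.from_bytes(mac[:8], "big") % 10**11).zfill(11)   # 11 digits from the MAC
    payload = ISSUER_PREFIX + body                                   # 15 digits
    return payload + luhn_check_digit(payload)


@dataclass
class Issuer:
    """Issuer-side verifier: knows each account's key and which counters are already spent."""
    keys: dict
    used: dict = field(default_factory=dict)

    def authorize(self, account: str, counter: int, amount_cents: int, presented: str) -> bool:
        key = self.keys.get(account)
        if key is None:
            return False
        consumed = self.used.setdefault(account, set())
        if counter in consumed:
            return False            # replay: this number was already spent
        expected = one_time_number(key, account, counter, amount_cents)
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False            # wrong number, or the right number presented with a different amount
        consumed.add(counter)       # mark spent only after a successful check
        return True


if __name__ == "__main__":
    issuer = Issuer(keys={SAMPLE_ACCOUNT: SAMPLE_KEY})
    number = one_time_number(SAMPLE_KEY, SAMPLE_ACCOUNT, 7, 45000)   # $450.00, as in the comment
    print("one-time number:", number, "luhn ok:", luhn_valid(number))
    print("first use:", issuer.authorize(SAMPLE_ACCOUNT, 7, 45000, number))
    print("replay:", issuer.authorize(SAMPLE_ACCOUNT, 7, 45000, number))
```

A stolen number from a merchant's database is useless to a thief under this design: it has already been consumed, and even an unspent number only authorizes the exact amount it was generated for. The cost, as the comment notes, is that recurring charges cannot reuse a number.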
  6. Re:No Question. Report it by saveth · · Score: 3, Informative

    Secondly, I still can't understand why CC companies don't have a one-time CC# system in place. Something like S/Key would work great. You enter your credit-card number (e.g. 1234-1234-1234) and an amount (e.g. $450.00) into a program and get a one-time-use credit-card number.

    My Citibank Mastercard provides this service via an online service. I also hear that many credit cards, like the GetSmart Visa, offer it via physical card readers that you connect to your computer.

  7. ICCP Code of Ethics by dpbsmith · · Score: 4, Informative
    The ICCP Code of Ethics,

    http://www.iccp.org/iccpnew/ethics%20practice%20conduct.html

    full text below, doesn't address this issue directly. However, it states clearly that a computer professional has an "obligation to the public at large," must "serve the interests of their employers and clients loyally," and "shall have special regard for the potential effects of computer-based systems on the right of privacy of individuals whether this is within one's own organization, among customers or suppliers, or in relation to the general public".

    This would seem to me to require disclosure of privacy breaches to members of the public who might be affected.

    However, the ICCP has never emphasized the code of ethics much and I've always suspected they just did it because (some) definitions of a "professional" requires adherence to a code of ethics.

    I once told my employer that I couldn't do something because I hold a CDP and was bound by the CDP code of ethics. To say he was shocked was putting it mildly. He knew I was a CDP but didn't believe it meant anything. He was not happy with the notion that I had obligations to anyone but my employer, but fortunately it wasn't an important matter and he "let me get away with it, this time."

    Code of Ethics


    ICCP Code of Ethics


    Certified computing professionals, consistent with their obligation to the public at large, should promote the understanding of information processing methods and procedures using every resource at their command.

    Certified computing professionals have an obligation to their profession to uphold the high ideals and level of personal knowledge as evidenced by the Certificate held. They should also encourage the dissemination of knowledge pertaining to the development of the computing profession.

    Certified computing professionals have an obligation to serve the interests of their employers and clients loyally, diligently and honestly.

    Certified computing professionals must not engage in any conduct or commit any act which is a discredit to the reputation or integrity of the information processing profession.

    Certified computing professionals must not imply that the Certificates which they hold are their sole claim to professional competence.


    Code of Conduct and Good Practice for certified computing professionals

    The essential elements relating to conduct that identify a professional activity are:

    A high standard of skill and knowledge.

    A confidential relationship with people served.

    Public reliance upon the standards of conduct and established practice.

    The observance of an ethical code.

    Therefore, these Codes have been formulated to strengthen the professional status of certified computing professionals.


    1. Preamble

    1.1: The basic issue, which may arise in connection with any ethical proceedings before a Certification Council, is whether a holder of a Certificate administered by that Council has acted in a manner which violates the Code of Ethics for certified computing professionals.

    1.2: Therefore, the ICCP has elaborated the existing Code of Conduct, which defines more specifically an individual's professional responsibility. This step was taken in recognition of questions and concerns as to what constitutes professional and ethical conduct in the computing profession.

    1.3: The ICCP has reserved for and delegated to each Certification Council the right to revoke any Certificate which has been issued under its administration in the event that the recipient violates the Codes of Ethics, as amplified by the Code of Conduct. The revocation proceedings are specified by rules governing the business of the Certification Council and provide protection of the rights of any individual who may be subject to revocation of a certificate held. The ICCP may bypass revocation proceedings and automatically revoke any Certificate for non-compliance with mandatory recertification processes, providing the certificate was awarded subject to mandatory recertification requirements.

    1.4: Insofar as violation of the Code of Conduct may be difficult to adjudicate, the ICCP has also promulgated a Code of Good Practice, the violation of which does not in itself constitute a reason to revoke a Certificate. However, any evidence concerning a serious and consistent breach of the Code of Good Practice may be considered as additional circumstantial evidence in any ethical proceedings before a Certification Council.

    1.5: Whereas the Code of Conduct is of a fundamental nature, the Code of Good Practice is expected to be amended from time to time to accommodate changes in the social environment and to keep up with the development of the information processing profession.

    1.6: A Certification Council will not consider a complaint where the holder's conduct is already subject to legal proceedings. Any complaint will only be considered when the legal action is completed, or it is established that no legal proceedings will take place.

    1.7: Recognizing that the language contained in all sections of either the Code of Conduct or Code of Good Practice is subject to interpretations beyond those intended, the ICCP intends to confine all Codes to the matters pertaining to personal actions of individual certified computing professionals in situations for which they can be held directly accountable without reasonable doubt.

    1.8: Certified computing professionals have a responsibility to respect intellectual property rights, including copyrights, patents and trademarks. Violation of copyrights, patents and terms of license agreements is prohibited by law in most circumstances. Even when not so protected, such violations are contrary to professional behavior. Software should be copied only with proper authorization. Unauthorized duplication of both printed and electronic materials must be discouraged including those cases where the work has not been explicitly protected by any means. Credit should not be taken for the work of others. The work of others should not be used without specific acknowledgment and authorization.


    2. Code of Conduct

    2.1: Disclosure: Subject to the confidential relationships between oneself and one's employer or client one is expected not to transmit information which one acquires during the practice of one's profession in any situation which may seriously affect a third party.

    2.2: Social Responsibility: One is expected to accept a responsibility to the public to diminish, through a continuing educational process, confusion and misconceptions surrounding the information processing industry. One is expected to be cognizant of and act in accordance with all procedures and regulations to improve public safety through the protection of information vital to the security of the nation and its people, both collectively and individually.

    2.3: Conclusions and Opinions: One is expected to state a conclusion on a subject in one's field only when it can be demonstrated that it has been founded on adequate knowledge. One will state a qualified opinion when expressing a view in an area within one's professional competence but not supported by relevant facts.

    2.4: Identification: One shall properly qualify oneself when expressing an opinion outside one's professional competence in the event that such an opinion could be identified by a third party as expert testimony, or if by inference the opinion can be expected to be used improperly.

    2.5: Integrity: One will not knowingly lay claims to competence one does not demonstrably possess. One shall not take advantage of the lack of knowledge or inexperience of others.

    2.6: Conflict of Interest: One shall act with strict impartiality when purporting to give independent advice. In the event that the advice given is currently or potentially influential to one's personal benefit, full and detailed disclosure to all relevant interested parties will be made at the time the advice is provided. One's employer especially should be made aware of any potential conflicts of interest. One will not denigrate the honesty or competence of a fellow professional or a competitor, with the intent to gain an unfair advantage.

    2.7: Accountability: The degree of professional accountability for results will be dependent on the position held and type of work performed. For instance: A senior executive is accountable for the quality of work performed by all individuals the person supervises and for ensuring that recipients of information are fully aware of known limitations in the results provided. The personal accountability of consultants and technical experts is especially important because of the positions of unique trust inherent in their advisory roles. Consequently, they are accountable for seeing to it that known limitations of their work are fully disclosed, documented and explained. Furthermore, information processing professionals have a responsibility to take appropriate action regarding any illegal or unethical practices that come to their attention. Charges should be brought against a person only when a reasonable basis for the allegations has been established, without regard to personal interest.

    2.8: Protection of Privacy: One shall protect the privacy and confidentiality of all entrusted information. One shall have special regard for the potential effects of computer-based systems on the right of privacy of individuals whether this is within one's own organization, among customers or suppliers, or in relation to the general public. Because of the privileged capability of computing professionals to gain access to computerized files, especially strong strictures will be applied to those who have used their position of trust to obtain information from computerized files for their personal gain.

    Where it is possible that decisions made within a computer-based system could adversely affect the personal security, work or career of an individual, the system design shall specifically provide for decision review by a responsible executive who will thus remain accountable and identifiable for that decision.


    3. Code of Good Practice

    3.1: Education: One has a special responsibility to keep oneself fully aware of developments in information processing technology relevant to one's current professional occupation. One will contribute to the interchange of technical and professional information by encouraging and participating in educational activities directed to both fellow professionals and to the public at large. One will do all in one's power to further public understanding of computer systems. One will contribute to the growth of knowledge in the field to the extent that one's expertise, and ability allow.

    3.2: Personal Conduct: Insofar as one's personal and professional activities interact visibly to the same public, one is expected to support, respect and abide by the appropriate laws and in general to apply the same high standards of behavior in one's personal life as are demanded in one's professional activities.

    3.3: Competence: One shall at all times exercise technical and professional competence at least to the level one claims. One shall not deliberately withhold information in one's possession unless disclosure of that information could harm or seriously affect another party, or unless one is bound by a proper, clearly defined confidential relationship. One shall not deliberately destroy or diminish the value or effectiveness of a computer-based system through acts of commission or omission.

    3.4: Statements: One shall not make false or exaggerated statements as to the state of affairs existing or expected regarding any aspect of information technology or the use of computers. In communicating with lay persons, one shall use general language wherever possible and shall not use technical terms or expressions unless there exist no adequate equivalents in the general language.

    3.5: Discretion: One shall exercise maximum discretion in disclosing, or permitting to be disclosed, or using to one's own advantage, any information relating the affairs of one's present or previous employers or clients.

    3.6: Conflict of interest: One shall not knowingly hold, assume, or accept a position or a client with which one's interests conflict or are likely to conflict with one's current duties or clients unless that interest has been disclosed in advance to all parties involved.

    3.7: Public Safety: One has a responsibility to protect fundamental human rights and dignity and to respect cultural diversity. Those who design, develop and maintain computer systems shall be alert to and make others aware of any potential damage to the local and global environment. When developing information systems, computing professionals must ensure that their efforts are used to benefit humanity. Harmful effects to general health and welfare of the public shall be avoided.

    3.8: Violations: One is expected to report violations of the Code, testify in ethical proceedings where one has expert or firsthand knowledge, and serve on panels to judge complaints of violations of ethical conduct.


    4. Procedural requirements for revocation of certificate awarded

    4.1: The ICCP may automatically revoke Certificates for non-compliance with mandatory recertification processes, providing the certificate was awarded subject to mandatory recertification requirements.

    4.2: A Certification Council, on behalf of the Institute for Certification of Computing Professionals, has the right to revoke any Certificate which has been awarded by it in the event that the recipient violates the Codes, or engages in conduct which is a discredit or disgrace to the computing profession.

    4.3: The grounds for revocation, except for failure to comply with mandatory recertification requirements, will be based upon the opinion of at least two-thirds of the members of the Council.

    4.4: Procedure for handling revocation:

    1. A formal written statement of charges alleging facts which constitute the grounds for revocation will be prepared.

    2. A copy of said charges will be forwarded to the person accused, fixing a time within which such person may file with the Council answers to the charges.

    3. If the charges are denied in the answer, the Council will fix a time for the hearing and give notice of the time and place of the hearing to the person accused.

    4. Presentation of evidence in support of the charges will be made by the secretary (a nonvoting member) of the Certification Council.

    5. Presentation of the evidence in defense of the charges will be made by the accused or the designated representative of the accused.

    6. Ample opportunity for both sides to present facts and arguments will be allowed at the hearing.

    7. At the conclusion of the hearing, the Council will determine whether or not the charges have been sufficiently established by the evidence and whether the Certificate should be revoked or should not be revoked.

    8. The accused will be notified of the decision by registered mail.

    9. The accused has the right to request review of the decision by the Executive Committee of ICCP, provided an appeal in writing is submitted to the President of ICCP within 30 days of the accused's receipt of the Council's decision.

  8. Re:Credit Card system most braindead thing ever by Pituritus+Ani · · Score: 3, Informative
    Sorry but I don't buy it. I don't understand why the system hasn't collapsed yet.

    Because the credit card issuers make a butt-ton of money. Credit card merchant fees act as a 3-7% tax on every retail transaction (including for those who pay cash--the fees are already reflected in the prices), in addition to charging rates that exceed 20% in some cases to those carrying balances.

    What's happened here is that the credit card companies are aware of what it would take to secure the system (e.g. SET), and have decided that it's cheaper to write off the fraud.

    --

    Another proud carrier of the $rtbl flag

  9. More than ethics by Veteran · · Score: 5, Informative

    While most people don't realize it there is more than an ethical problem here; there is a legal one. Assuming that an administrator works in the U.S. here is the legal situation:

    Anyone who has knowledge of a Federal Felony in the U.S. is required by law to report it to the proper law enforcement authorities ( U.S. Attorney, FBI etc.). Failure to do so makes that person an indictable co-conspirator.

    Computer break-ins and credit card theft are Federal Felonies; if 'Dana' is in the U.S. he has no choice but to report or become a criminal himself.

    Federal whistle blower statutes apply once something has been reported to the legal authorities but not before; Dana could be fired now - but not once he reports the theft and invokes the whistle blower act.

    Found out about this from some federal agents and attorneys I work out with after some bad personal experiences with a company.

    I suggest that 'Dana' talk to an attorney and make a decision about how good his information is. Like Spider Man ignoring the theft of the gate receipts - a failure to act can come back to bite you; how does he know that this theft was not an Al-Qaeda action?

  10. Should? Sure. Would? Not a chance in hell. by Wee · · Score: 5, Insightful
    Sorry but this is not an ethical dilemma - You should always disclose to the customers that you perceive a theft to have taken place.
    ...
    Also, if everybody knows about an insecurity then the company will HAVE to take remedial action.

    That magic word "should". I should floss more often. I also should get on the treadmill (and off the PC) more often. I should do the dishes every night, should save more money for retirement, should take classes to finish my cert, should thank a veteran on Veteran's Day, should clean my garage, should mail Dad a gift, and should eat out less. A perfect world would be a busy world, to be sure.

    That said, there's about a 1 in 6.02x10^23 chance that corporations will voluntarily disclose theft of sensitive data. If everyone knows about Company A's insecurity, the customers will go to Company B which doesn't disclose such information. Press releases are sent out about getting pantsed, competitors create disparaging ads, customers leave, investors get nervous, stock prices drop. And then companies learn it pays to keep your mouth shut.

    In fact, I'd wager a company is more likely to pay other people to keep their mouths shut as well than it is to be open and honest and forthcoming. Remember, a public company has one -- and only one -- duty: increase or maintain shareholder value. If they don't do that, then the board can be sued, the chairman ousted, etc, etc. Yeah, I'd bet that not getting thrown off the board is worth some hush-up money in the right places. If I were The Chairman, for instance, I'd make damn sure my sysadmins and IT group had fairly hefty NDAs/non-competes as well as hefty bonuses for "resolving" security issues in a discreet way.

    Here's a hypothetical example: Datek gets broken into every once in a great while, has an insecure setup, whatever. Confidential data gets lost or intercepted easily maybe, who knows. But it decides to be honest with everyone. It gets a web page going of all the recent compromises, sends email to people whose info was pinched, fixes the problems via the aforementioned remedial actions. E*trade keeps quiet, Datek starts looking sloppy and has a "history" of being insecure, E*trade gets more business even if they don't decide to smear Datek. Datek is soon a fading memory with secure business systems.

    Disabuse yourself of the notion that you will know who got what and when. It is not in a company's best interest to let you know your privacy and financial security was compromised, no matter how much grandstanding they do over security and trust. Just don't use a Visa/Mastercard debit card or your SSN online and everything will be fine.

    -B

    --

    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

  11. Re:The needs of the many always outweigh..[blah,bl by uncleFester · · Score: 3, Insightful
    It's the choice between backstabbing your boss and not warning customers who after all may not even be victims.

    I still don't see the problem. If I discover this kind of problem, the first one I inform is my boss. If he fails to react, I have two things to consider:
    • The burden of failing to disclose farther up the chain is on his shoulders now.
    • If he fails to react, then there is no guilt in going over his head. He put himself in that spot by failing to react.

    And as I sit here typing this.. I think I should take a fellow admin as a witness, so we have no he-said/he-said crap later on.

    -f
    --
    -'fester
  12. It's not completely the sysadmins problem by Anml4ixoye · · Score: 3
    Looking at this from a business perspective, the sysadmin should never have to make that decision. As the article mentioned, the company should already have policies in place to handle that. Not just policies that say "If our data is compromised do this" but also policies that prevent the data from being compromised like not exposing the DB server to the internet, using firewalls, making sure the site properly handles user variables to prevent SQL injection attacks, etc.

    However, once all of that has failed, the decision then gets forced onto the sysadmin. That person then is stuck with the dilemma of making that decision and losing his or her job. Even worse, if they are under contract, they could be personally sued as well for breaking terms of the contract.

    It's a shame that we even have to read articles like this. The SANS institute was way off - I would rather know that something happened to my CC so that I can simply get it replaced than have my credit card used to purchase items (like equipment for the "enemy") and have to dispute the charges.
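The SQL injection point from the comment above, as an added example that is not part of the original post: a card-lookup query built by string concatenation sits beside the parameterized form, and a classic tautology payload is run against both over an in-memory SQLite table. The table, the column names, and the card numbers (well-known test numbers, not real accounts) are constructed for this example.

```python
import sqlite3

# Constructed sample data: industry test card numbers, not real accounts.
SAMPLE_ORDERS = [
    ("alice@example.com", "4111111111111111"),
    ("bob@example.com", "5555555555554444"),
]
INJECTION = "' OR '1'='1"   # tautology payload: closes the string literal and ORs in a true condition


def build_db() -> sqlite3.Connection:
    """Create an in-memory orders table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (email TEXT NOT NULL, pan TEXT NOT NULL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Deliberately vulnerable: the user-controlled value is spliced into the SQL text."""
    sql = f"SELECT email, pan FROM orders WHERE email = '{email}'"
    # With INJECTION this becomes: ... WHERE email = '' OR '1'='1', which matches every row.
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterized: the value travels separately from the SQL, so it cannot alter the query's structure."""
    return conn.execute(
        "SELECT email, pan FROM orders WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, injected:", lookup_vulnerable(db, INJECTION))   # every card in the table
    print("safe, injected:     ", lookup_safe(db, INJECTION))         # no rows: no such email
    print("safe, normal:       ", lookup_safe(db, "alice@example.com"))
```

The same payload that dumps every stored card through the concatenated query returns nothing through the parameterized one, because the driver treats the whole string as a literal value to compare against. Parameterization is the fix for the query; it does not excuse storing full card numbers in the table in the first place.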

  13. Okay. by mindstrm · · Score: 5, Informative

    Whether or not the merchant is required to disclose credit card theft from their files should be covered by their agreement with the card issuer.

    Why?

    Because THAT is who the cards and numbers belong to. It's right there on the back of my cards.
    "THIS CARD IS THE PROPERTY OF AND ISSUED BY *** AND MUST BE RETURNED ON REQUEST"

    and..
    "ESTA TARJETA ES PERSONAL, INTRANSFERIBLE Y PROPIEDAD DEL BANCO"

    Let's all *please* remember what a credit card really is. It's a token, issued to the customer of a credit card issuer, used to identify yourself to merchants who are also using that credit system.

    it is not yours. it is merely a token.

    Many card contracts only hold you liable for charges if your card is physically stolen and you don't report it; you are not liable *at all* for fees charged to your card unless
    a) you charged them yourself,
    b) through your own actions you permitted someone to charge them, or
    c) you failed to report a stolen card.

    In other words, if my card is in my pocket, and whatever merchant some gomer used my number at can't prove that it was ME who authorized the use... he gets no money, visa doesn't charge me.

    If your card DOESN'T work this way, please shop around, you are getting screwed.

  14. We had a similar problem.... by SwedishChef · · Score: 3, Interesting

    One of our clients uses a proprietary system which, among other things, keeps records of customers paying by credit card. Unbeknownst to them (or us) this system has an "undocumented feature": a back door. Probably coded to allow easy access to systems by help-desk techies, there was no mention of it in any documentation we could find.

    The client received an email from someone who told them about the back-door and provided clips of actual credit card information taken from the system! Luckily enough, this person disclaimed any intent to do harm and provided the information for us to eliminate the problem.

    Of course, our dilemma was whether to advise the client to tell his customers about a possible theft of information. We decided that, since the email sender performed a service and had only used the credit card information to illustrate the problem, the client was safe in not telling customers that their data might have been compromised.

    --
    No one ever had to evacuate a city because the solar panels broke!
  15. Firstly.. by mindstrm · · Score: 3, Interesting

    As a sysadmin, your duty is to report what is going on to those who run the business; from there it is their call. It is not YOUR job to assess the legal and financial risks of the company. It is theirs.

    If the company won't report it, and you have an ethical issue with this, then that's your call, same as with ANY action your employer does. You can report it behind their back, sure. I, for one, would fire you. I sure as HELL would not trust someone with my business data who goes behind my back.

    As for talk of sysadmins doing cover-your-ass stuff... if you have to, you have to, that's reality. We gotta put food on the table, right?

    Really, though, you should not be secretive about security. If you have issues about what the company does/does not have for security, document it. Keep up with patches. Make sure there is a paper trail showing that you did what is reasonable to protect things.

  16. It's not so simple by Gunzour · · Score: 5, Insightful

    A lot of people here are simply saying "Yes, he has to disclose it." It's not that easy. There are two big problems to this that I can see. First, the customers are NOT the victims here. Second, the sysadmin clearly has ethical obligations to his employer; whether he has ethical obligations to his employer's customers is less clear.

    When a credit card number is used fraudulently, the credit card company is the victim. The holder of the credit card (the consumer) has no responsibility to pay for fraudulent charges; he only has a responsibility to notify the credit card company that the charges are not legitimate.

    Some may say that the consumer is ultimately the victim because the credit card company will pass losses from fraud to their customers in the form of higher fees. If you believe this then you probably also believe that copying a CD actually takes money out of the music industry's bank accounts. The credit company has the power to change their system to stop fraud -- it is simply more profitable for them to absorb the losses instead.

    This is one of the reasons I've never been afraid to use my credit card number online -- why there was ever fear over this is beyond my understanding. If someone steals my credit card number (it happened to me once), I just call up the credit card company and tell them. I don't have to pay for something I didn't buy. Period.

    Anyway, my point is that there is not an ethical obligation to the customer because the customer is not a potential victim here. Some have said there is a legal obligation but I do not believe that (I am not a lawyer). If a restaurant discovers a waiter has been stealing credit card numbers they are not going to notify their customers. They will fire the waiter and notify the credit card company and possibly the police.

    The second part of this -- who the sysadmin has an ethical obligation to -- goes like this: As a sysadmin you have an ethical obligation to your employer to not harm your employer. You also have an ethical obligation to not use your employer's customer data to contact the customers directly -- you would be stealing data just like the credit card thieves and could face prosecution from your (by this point, former) employer. You also have an ethical obligation to understand your position in the company and operate within those bounds -- you are a sysadmin, not a lawyer, not a PR person, not a manager. You also have an ethical obligation to your employer to notify an appropriate person *within the company* when someone else is behaving unethically. The company has an ethical and probably legal obligation to notify the credit card company -- since the credit card company stands to lose money if the stolen numbers are used.

    Credit card companies have entire departments to deal with fraud -- they have the expertise to handle this situation. Joe sysadmin doesn't. Joe sysadmin's employer doesn't. And the customers certainly don't. The credit card company is really the one that should be notified here -- and since the credit card company is the potential victim, it should be up to them to decide whether or not to involve law enforcement.

    If I were the sysadmin in this situation I would first try to convince my manager to involve the company's legal dept to find out what our legal obligations and risks are. I would encourage them to notify the credit card company and offer my time to work with the credit card company to investigate whether or not something actually happened. If the company decides to keep quiet, I would put my objections in writing and make sure they are known, and I would look for another employer. In this case, though, I wouldn't take it upon myself to notify anyone outside the company. If the crime involved human victims rather than corporate ones, I think I would feel obligated to notify law enforcement.

    1. Re:It's not so simple by alizard · · Score: 4, Insightful
      Reading this thread and your reply makes me a lot more nervous about credit card use on the Internet.

      A fair number of the readers are the actual sysadmins at e-commerce sites.

      To see people who are likely to be e-commerce sysadmins actually state that there is no possible consequence to end users of the theft of credit card and other personal information, at a time when identity theft is one of the fastest growing crimes in the First World, shows a depth of cluelessness that is frightening.

      With respect to the SANS Institute... I won't be sending people to them for security advice and information anymore. (mental note: check my Website and pull any links to them)

      To see people say that people have an ethical duty to conceal the commission of felonies which can indeed affect customers because it "might hurt the employer" suggests to me that the real problem with e-commerce security may not be solvable without major governmental intervention, because it is rooted not in technological failure, but simply in the fact that the responsible parties don't give a shit about the customers and will not be safe guardians of the private information given to them by customers without the incentive of prison time for failing to protect them.

  17. Business: Profit, Ethics, and Infosec by _Sprocket_ · · Score: 3


    Remember, a public company has one -- and only one -- duty: increase or maintain shareholder value. If they don't do that, then the board can be sued, the chairman ousted, etc, etc. Yeah, I'd bet that not getting thrown off the board is worth some hush-up money in the right places. If I were The Chairman, for instance, I'd make damn sure my sysadmins and IT group had fairly hefty NDAs/non-competes as well as hefty bonuses for "resolving" security issues in a discreet way.

    ...

    It is not in a company's best interest to let you know your privacy and financial security was compromised, no matter how much grandstanding they do over security and trust.


    Ethical issues should not be in conflict with good business. However, more and more often, we hear the same old claim that profit is the only concern of Corporate officers and employees. It is little wonder we are having to deal with the fallout of Enron and Arthur Andersen (a prestigious company with a long history and a BUSINESS of ethics) - a stock market in a state of flux due to flagging investor confidence and trust.


    Customer financial data falls rather neatly into the ethics of good business. It is good business to protect that data. Failure to do so is often a sign of negligence. Business will be affected. And the Board should rightly begin to consider what aspects of management need to be "adjusted" to weed out future negligence and incompetence.


    It is certainly possible to have an incident where data theft happened despite proper due diligence on the part of the company. However, the unfortunate fact is that today many IT environments are woefully insecure for no other reason than a lack of attention. Negligence.

    Any corporate structure whose IT systems contain valuable data (to include customer financial information) should focus as much (if not more) on information security as on other IT issues such as cost, management, and availability.


    The infosec industry is changing after years of dire warning. Some large organizations have built their own internal infosec groups specifically tasked to protect corporate (and customer) data and systems. Others seek outside help and have grown the number of infosec consultancies. And infosec issues are becoming more and more important to a product's offerings. There is still much to be done - as evidenced by this even being an issue for discussion. But at least companies are finally taking a proactive stance.


    After all, it's not only good ethics... it's good business.