The TechFite case provides examples of criminal activity under the Computer Fraud and Abuse Act (CFAA) and the Electronic Communications Privacy Act (ECPA). First, an example of intentional unauthorized access to information using TechFite’s computers is the mining of other internet-based companies’ trash and the surveillance of their data. Since the CFAA prohibits unauthorized access to other computers or websites, this activity by TechFite’s employees is unlawful (Lee, 2018). Second, under the ECPA it is illegal to intercept or misuse private information carried in electronic communications (Pfeifle, 2018). An example of an ECPA breach is therefore TechFite’s employees using dummy accounts to access the correspondence and stored data of other units without authorization.
Three laws help to identify negligence at TechFite. The first is the ECPA: the failure was the absence of any oversight measure to prevent the misuse of information obtained by the company’s Application Division. The second, the Sarbanes-Oxley Act (SOX), was violated through the company’s negligence in restricting unlawful access to its auditing and financial information. Third, in the context of the CFAA, TechFite neglected to oversee its employees’ use of hacking tools to mine competitors’ data.
The duty of due care is imposed on decision-makers and responsible actors, who are expected to detect, report, and act on any observed or suspected unlawful action. In the TechFite case, one example of a breach of the duty of due care is the Security Analyst’s insufficient attention to the operations of the Application Division, which allowed that division’s criminal activity to continue unchecked. Another example is the failure of company management to act on the lack of client information protection in the BI unit. This failure exposed client privacy to risk, since duties were not segregated and access was not properly controlled.
Applying SOX to the case requires considering the proper use of auditing practices in the IT department. The law establishes “a set of requirements for financial systems, to deter fraud and increase corporate accountability” (“Role based access control,” 2020, para. 1). Access to financial data and audit accounts at TechFite lacked a lawful basis: two accounts belonging to former employees were found to have retained access at the specific request of Carl Jasper, which jeopardizes the security of this information. The company therefore cannot be considered SOX-compliant.
Two examples illustrate the criminal activity, its victims, and its perpetrators. First, Carl Jasper’s initiation of unlawful access to the auditing and financial information of TechFite (the victim of the crime) is a breach of SOX. Second, Sarah Miller’s initiation of unauthorized access to competitors’ electronic communications is a breach of the ECPA.
Several policies that could have been implemented were not in place at TechFite, which led to the breaches of law. The first policy not properly implemented is separation of duties and responsibilities. Under the Federal Information Security Management Act (FISMA), organizations must designate a Chief Information Officer and impose a clear separation of personnel roles (Wilson &amp; Hash, 2003). As the case illustrates, however, the BI unit’s employees all had the same level of access to all information, jeopardizing data security. The second missing policy is a Chinese Wall policy, which restricts access to protected communications within the same company so that separate units or employees cannot misuse protected data. Such a policy could have safeguarded the electronic data of TechFite’s competitors. Together, these policies would have removed the opportunity for the criminal activities described above.
In summary, TechFite exhibits significant information security failures, which is why it is not compliant with the relevant legislation. First, there are significant breaches of the CFAA, evidenced by unauthorized access to other companies’ data. Second, the company is not compliant with the ECPA because of its unauthorized access to other organizations’ electronic communications. Finally, TechFite is not compliant with SOX because of its unlawful audit practices and breaches of financial data security.
The case study raises ethical concerns that call for a discussion of the codes of ethics applicable to information technology. The first organization whose ethical guidelines apply to the case is the Association for Computing Machinery (ACM). The ACM Code of Ethics and Professional Conduct states that computing professionals are expected to respect privacy (ACM, 2018). This provision applies here because TechFite failed to comply with it when its employees breached the privacy of electronic communications in other organizations. The second organization whose ethical principles apply is the Information Systems Security Association International (ISSA). The ISSA Code of Ethics requires members to “perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles” (ISSA, 2022, para. 3). Since TechFite is non-compliant with at least three laws regulating cyber security, it breaches this provision of the code.
There were several instances of unethical behavior in the company. First, IT Security Analyst Nadia Johnson behaved unethically by neglecting to safeguard the proprietary information of former clients, which compromised their privacy and confidentiality. Second, Carl Jasper behaved unethically when he requested the creation of accounts with access to financial information for former employees, threatening the security of the company’s data.
Several factors contributed to the deterioration of the company’s ethical conduct. First, the absence of a Chinese Wall policy was an organizational factor that reflected the lack of constraints on access to proprietary information. It resulted in the BI unit’s unauthorized access to sensitive information in other companies and encouraged employees to act unethically. The second factor is the failure of company leadership to set high standards of ethical conduct, namely Carl Jasper’s unethical initiation of fictitious accounts for former employees. It resulted in a breach of privacy and unauthorized access to the organization’s financial information by outsiders.
At least two policies could be implemented to minimize unethical conduct at TechFite. First, the company should adopt a zero-tolerance policy toward breaches of the law, which would reduce the risk of cybercrime committed by employees and protect the intellectual property of competitors (ACM, 2018). The second policy is one of oversight and ethical breach reporting, which would make employees accountable for identifying and reporting incidents of unethical conduct.
In addition, TechFite should implement a Security Awareness Training and Education (SATE) program to improve the organizational ethical culture and the employees’ knowledge of cyber security and ethics. The first component of the SATE program is who will manage it: an external information security expert with training experience. The second pivotal component is who will participate: all employees within the company who work with electronic data, on a mandatory basis. Employees will be informed of their participation in the SATE program by electronic means; specifically, an e-mail will be sent to all employees eligible for the program. Since the company has approximately 1,000 employees, this is a reasonable means of communicating program involvement in a timely manner.
One of the unethical behaviors in the case that the SATE program could mitigate is Nadia Johnson’s negligence in protecting proprietary information. The program will train employees across all divisions to identify and report such breaches of information security in order to prevent similar instances in the future. Second, Carl Jasper’s conduct shows unethical behavior initiated by a unit leader, which must be prevented and properly addressed. The SATE program will educate employees on the proper response to such actions by identifying an independent CIO to whom such concerns are to be reported.
In summary, TechFite’s business conduct falls well short of ethical standards, as shown by repeated breaches of the common ethical principles of professional behavior in computing organizations. The company should comply with the codes of ethics of organizations such as ACM and ISSA to ensure high ethical standards. Furthermore, it is recommended that the SATE program be implemented to train employees and educate them on the importance of ethical behavior in the information technology workplace.
References
Association for Computing Machinery. (2018). ACM code of ethics and professional conduct. Web.
Information Systems Security Association International. (2022). ISSA code of ethics. Web.
Lee, A. (2018). Algorithmic auditing and competition under the CFAA. Berkeley Technology Law Journal, 33, 1307–1342.
Pfeifle, A. (2018). Alexa, what should we do about privacy? Protecting privacy for users of voice-activated devices. Washington Law Review, 93(1), 421–458.
Role based access control. (2020). Web.
Wilson, M., & Hash, J. (2003). Computer security. National Institute of Standards and Technology. Web.