Legal, Ethical and Professional Issues in IT and Information Security
Rapidly evolving technologies, the ubiquity of computers and heightening connectivity through the Internet have provided numerous benefits for people and businesses. In fact, every aspect of life has somehow changed because of these advances. Many opportunities for creating jobs and businesses have surfaced because of technology. However, it cannot be denied that these developments come with challenges, one of which pertains to information security. Information security refers to the protection of information as well as its accompanying "critical elements, including the systems and hardware that use, store, and transmit that information." This is an important consideration in an age where information passes through public domains that can be accessed or hacked by individuals or entities with malicious or criminal intentions. Unprotected information, especially personal and financial data, can be stolen and used for another party's interest. In the context of information security, information has three essential characteristics that make it valuable: confidentiality, integrity and availability. Protecting these characteristics is of paramount importance, but due to rapid developments in the computer sector, threats to information confidentiality, integrity and availability have evolved into a broad array of events, such as damage, theft, hacking, SEO attacks and destruction, among other things. It is important to note that when an organization's information security is compromised, the risk of liability heightens. Hence, information security (including issues related to Internet technology, domain names and Internet protocols) has transformed into a complex problem that is challenged by legal, ethical and professional issues. This paper identifies the legal, ethical and professional issues in information security and also provides recommendations as to how these concerns may be addressed.
Given the ubiquity of computers and the prevalence of Internet use, it has become necessary to put in place regulations that protect users from acts that would be damaging to them. These rules and regulations evolved with time and were created as they became necessary. Many of these laws cover information security so that individuals and corporations can be safe while using the Internet to send information, or can be assured that the data stored in their database systems are protected up to a certain degree. Rules and regulations are meant to deter criminal intents and actions. There are numerous national and international laws associated with information security. In the United States, a good number of computer laws are based on the Computer Fraud and Abuse Act of 1986 (CFA). The CFA was initially narrow in scope and primarily dealt with criminal activity, particularly hacking of federal agency systems and of financial institutions. However, as the role of computers within American society began to expand, Congress amended the CFA eight more times to respond to various situations related to the preservation of information sent over the Internet or stored as electronic copies. The Electronic Communications Privacy Act of 1986 is a set of statutes that "regulate the interception of wire, electronic, and oral communications" so that data transmitted through these mediums are covered by legal remedies in case of security breaches.
Meanwhile, to safeguard the security and confidentiality of health care information, Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Providers of health plans, health care clearinghouses and health care providers are expected to comply with HIPAA, as the legislation establishes and enforces standards regarding the exchange of electronic information in the health care setting.
Other relevant American legislation includes the (i) Communications Act of 1934, which regulates foreign and interstate communications; (ii) Economic Espionage Act of 1996, which governs the protection of trade secrets to discourage people from selling company secrets; (iii) Federal Privacy Act of 1974, which regulates federal agencies' use of personal data; and (iv) National Information Infrastructure Protection Act of 1996, which categorizes crimes according to a defendant's authority to access computers. There are also international laws and bodies that deal with information security, such as the Cyber-Crime Convention of the European Council and the United Nations Charter's provisions governing information warfare.
In spite of the number of laws created to ensure information security, issues such as privacy problems persist. This is unsurprising considering that the technology can still be considered to be in its early stages and experts are still trying to find ways to make it more secure. It must be noted that privacy issues have become rampant in the 21st century as, with the help of advanced technology, organizations are becoming better able to gather, exchange and sell personal information. Because of the number of incidents in which the security of personal information has been compromised as a result of these practices, private individuals are increasingly looking to the federal government for the resolution of such problems. Because laws are at times not adequately enforced, information security professionals play an important role in the context of legal issues.
Ethics is integral to every aspect of life because it guides people to do what is considered right. Doing the right thing ensures not only success but also the avoidance of harm to different stakeholders. Because of this, there are professional organizations that have made it their responsibility to develop and enforce codes of ethics so that the professionals in their fields would have no excuse for doing the wrong thing. These professional organizations have the authority to remove any practitioner proven to have behaved unethically, so that the integrity of the profession is kept intact and the public's trust is not lost.
However, even though professional organizations have already been established within the information technology and information security sectors, they have not yet developed a binding code of ethical practice, mainly because technology continues to evolve. These associations, including the Information Systems Security Association, can only recommend ethical practices; they do not have the authority to remove unethical members from their positions. As a result, unethical practices have become rampant, especially as technological advancements that could be used to enhance trade and even politics are currently being used in unethical ways.
Among the most common ethical issues pertaining to information security are (i) infringement of software licenses; (ii) the spreading of viruses and hacking; and (iii) misuse of company equipment. As of now, there are no clear guidelines pertaining to these practices other than the legal repercussions of such acts. Those who commit them generally do not feel obliged to follow the ethical behaviors prescribed for those in this field.
Software infringement is also known as software piracy. People in different parts of the world are aware of what software piracy means, but not all of them believe that it is unethical. As a result, major software companies are losing roughly 35% to 40% of their potential revenue to software pirates around the world. Software piracy involves the illegal copying, distribution and sale of commercial software. Moores, Nill and Rothenberger state that in 2007 the global piracy rate stood at 35.8%, which means that almost 36 out of every 100 copies of business software were pirated. Meanwhile, hacking into personal or corporate computers no longer serves as a "sport for bragging rights" (Qing, Zhengchuan).
Today, hacking through unsecured websites, expired or hacked domain names, or old Internet protocols is a major organized activity that thrives through a vast network of criminals and syndicates all over the world. Qing, Zhengchuan, Tamara and Hong note that the financial impact of hacking each year is in excess of $1 trillion worldwide. Numerous studies have shown that the weakest link in the hacking problem is human capital.
Indeed, individuals are the weakest defense against external attacks and "the most dangerous to the organizations from within" (Qing, et al). A higher percentage of the culprits of illicit use are not external hackers but employees who have intimate knowledge of and access to organizational systems and who are able to obtain permissions, properly or improperly, to access sensitive information. Moreover, many employees across the world misuse company resources such as computers. An example of this is using company computers for personal reasons, such as sending personal emails or playing games. In spite of how common this is, most employees do not perceive it as an unethical practice.
Aside from the legal and ethical issues involved in enforcing information security, there are also professional issues related to this field. Information security professionals are very important in addressing the legal issues discussed earlier, and they need to be trained and well informed about the external legal environment. In doing so, they will be more effective in performing one of their tasks, which is to help maintain information security by contributing to the development and enforcement of company policies. In turn, these policies serve as laws within the organization and have their own provisions, penalties and sanctions so that compliance is ensured. It is important to note, however, that there is a significant difference between legislation and policies: "ignorance of a policy is an acceptable defense." In light of this, there are certain elements information security professionals need to keep in mind when developing and enforcing policies:
- Policies must be distributed to, and duly understood by, the employees who are expected to adhere to them;
- These must be readily available in the event that employees want to review them;
- They should be easily understood and if necessary, translated into different languages and be in a form that may be reviewed by illiterate or visually impaired workers; and
- They must be acknowledged by workers by means of signed forms.
Meanwhile, deterrence and preventive measures are generally acknowledged as the solution to unethical practices impacting information security. Information security professionals also face certain issues as to the roles they can play in deterrence. First, these professionals have to be properly educated and trained with regard to "designing, publishing and disseminating organization policies and relevant laws." They should also learn how to get employees to agree to comply with these policies, which is something that could make them the least well-liked persons in the organization. Many employees, including those in leadership positions, may not fully appreciate the importance of implementing certain protocols with regard to computer use. They may think that information security experts are being unreasonable and overly paranoid about their systems. This is understandable, because they do not understand how risks can originate from activities that seem harmless in nature, such as visiting websites or downloading materials from the Internet. In relation to this, IT professionals must take the time to explain to the workforce why certain measures (including launching ethical cyberwar attacks) may be necessary and how the workforce would also benefit from following the policies governing computer use.
Another issue confronting professionals is that employees who have authority and privilege are sometimes the ones who accidentally damage security systems. For instance, executives may be given full access to all information, and without realizing it, one of these executives could introduce a virus into the system through an electronic device plugged into their own workstation. There is no intent to harm, but it can happen. Thus, information security professionals have to be effective in their planning and control role so as to prevent such accidents. Just as importantly, professionals have to learn to recognize possible criminal intent, which they can do by having the competence to distinguish security breaches caused by accident, by ignorance and by willful intention.
Technological advancements, the ubiquity of computers and the heightened connectedness brought about by the Internet have provided many benefits to individuals and companies. How people do some things has radically changed because of these technological advancements. However, it is undeniable that these benefits come with certain risks, such as information security breaches that may be unintentional or intentional in nature. Information is supposed to be confidential, but through technology it has become easily accessible, thereby compromising its integrity. Data stored in databases will typically have security in place to prevent unauthorized access or retrieval. But there are times when individuals will willfully tap into the system to steal or manipulate information for personal gain. Other breaches can happen during the transmission of data from one network to another over the Internet.
It must be noted that in the 21st century, information security has been confronted with increasing ethical, legal and professional issues. There are rules and regulations in place that seek to address these ethical, legal and professional issues. However, some of these rules lack implementation simply because there are many gray areas in information security. Hence, it is of utmost importance that information security professionals be well prepared through education and training, as they play a key role in addressing these problems. Continuous education and training will ensure that best practices are adopted in the workplace. Among the things that information security professionals need to master are the relevant laws, since they play critical roles in designing and implementing security policies, and the deterrence of unethical behavior, considering that they are expected to have the expertise to accomplish these.
Booms, T. E. Hacking into federal court: Employee "authorization" under the Computer Fraud and Abuse Act. Vanderbilt Journal of Entertainment & Technology Law, 13(3), 543-575.
Hixson, R., & Hunt-Unruh, D. Demystifying HIPAA. Annals of the American Psychotherapy Assn, 11(3), 10-14.
Matwyshyn, A. CSR and the corporate cyborg: Ethical corporate information security practices. Journal of Business Ethics, 88, 579-594.
Moores, T. T., Nill, A., & Rothenberger, M. A. Knowledge of software piracy as an antecedent to reducing pirating behavior. Journal of Computer Information Systems, 50(1), 82-89.
Qing, H., Zhengchuan, X., Tamara, D., & Hong, L. Does deterrence work in reducing information security policy abuse by employees? Communications of the ACM, 54(6), 54-60.
Whitman, M.E. & Mattord, H.J. Principles of information security. Independence: Cengage Learning.