Case Study Paper 1 Starr 1

Case Study Paper 1

Gary Starr
Arizona State University - OGL 345: Organizational Ethics (2022 Fall - B)
October 30, 2022
Case Study Paper 1 Starr 2

Introduction

Information Technology continues to develop and enable our lives to improve through
efficiency, communication, and enjoyment. Although all these new advancements were
developed for the betterment of society, some people find ways to exploit them for their
purposes. These individuals or businesses exploiting technologies expose ethical issues that
could not have been perceived even a few years ago. Many of these ethical issues are easily
remedied by doing what is societally best for the most significant number of people.
Unfortunately, this does not occur, and the government must step in and create laws to
enforce the proper ethical use of technology. The creation of new laws only sometimes deters
individuals and businesses from continuing to exploit technology for their purposes,
significantly when profits are impacted. They compare the law and what they are doing to
justify in their mind that what they are doing is ethical and within the spirit of the law.

This paper will examine how and why businesses, specifically senior leadership, believe that
they can ethically continue to use technology in ways that are contrary to laws, best use
practices and against the betterment of the majority of people. How they justify working in the
grey area as they choose to describe it, ignore the advice of those versed in the subject, and the
risk of massive fines. Leadership within businesses needs to realize that how technology is
utilized will constantly be changing, and everyone will be watching them as an example of the
ethical use of it.

The four case studies examined will look at what can happen when companies are faced with
the dilemma of choosing what ethical based on what is best for the company versus their
stakeholders is. Case study one explores how Bloomingdale’s violated TCPA guidelines by not
protecting customer data by using it for their company gain through unauthorized text
messaging. Case study two will delve into how Twitter violated FTC guidelines twice by
misrepresenting to users how their data would be utilized and as well used the data for their
company gain through targeted advertising. Case study three reviews Equifax's loss of customer
data and their choice to ignore system vulnerabilities and not report the hack immediately.
Case study four delves into the phenomenon of ransomware by applying the case of the
Colonial Pipeline shutdown, the cause of it, and whether it is ethical to pay the ransom.

Chosen Profession

The subject of Information Technology and the vast number of sub-topics that comprise
Information Technology is relatively new in the advancement of society. The digital or internet
age is considered to have started on January 1, 1983. (University System of Georgia, n.d.)
Technology is advancing so quickly that the second era, or web 2.0 of the internet age, began in
2004, and now we are considered to be in the third era, or web 3.0, with its beginnings in 2021.
(Lucatch, 2022) Each new technology is initially created to enhance the lives of everyone that
utilizes it. However, as fast as the new technology is premiered, individuals and businesses are
Case Study Paper 1 Starr 3

looking for ways to exploit it for their gain. This exploitation comes at the cost of those using
the technology.
I have chosen Information Technology as the profession of this paper because I have enjoyed
studying the subject since 1989 and my professional life since 1997. The aspect I enjoy most
about this field is that it is constantly changing and requires constant learning to stay up to
date. Learning and applying new technologies to enhance and improve personal and
professional lives gives me a sense of satisfaction. The frustrating aspect of keeping up with
new technology is the necessity of ensuring that the business and senior leadership I work for
remain ethical when utilizing the tools available within technology.
Due to the vast number of topics under Information Technology, it is only possible to list some
of the ethical questions, issues, and hot topics currently impacting the field. Each new
technology also births new ethical questions and issues. Information Technology has five ethical
issues: misuse of personal information, misinformation and deep fakes, lack of oversight and
acceptance of responsibility, use of AI, and autonomous technology. (Watters, 2021) The areas I
will address will be the misuse of personal information, lack of oversight, and acceptance of
responsibility.

Selection of Moral Framework

Ensuring proper ethics in Information Technology is imperative due to the amount of data and
personal information constantly being collected. Those sharing their data expect it to be stored
securely and used properly based on mutual agreements implied and governed by law. These
implied and set-by-law agreements would lend themselves to the moral framework of
utilitarianism. Jeremy Bentham, the founding father of utilitarianism, states that the object is
to produce pleasure, good, or happiness and to avoid pain or evil for those impacted. (Fryer,
2015, p. 56) The concept is that the most ethical thing to do is the action that benefits or
produces pleasure for the most significant amount of people and with the least amount of pain.
With utilitarianism, the idea arises of what is the definition of good. There are sub-categories of
utilitarianism to help define good. Jeremy Bentham defines hedonistic utilitarianism as those
things that are good that we associate with pleasure. (Fryer, 2015, p. 61) So, according to
Bentham, only pleasurable things are ethical. On the other hand, objective-good utilitarianism
states that things that are good for people, even if they may cause pain are the most ethical.
(Fryer, 2015, p. 61)

I argue that utilitarianism, particularly objective-good utilitarianism, manifests itself the best for
the Information Technology field of study. The idea is to find an ethical approach to technology
that benefits the most significant amount of people even though there may be pain or
inconvenience involved in protecting data and people's personal information. The pain is
minimized for the individual supplying the information through anti-virus programs and
ensuring they utilize strong passwords. However, the pain is more for businesses collecting the
data. Businesses could argue that they are ethically utilizing data improperly because Bentham
Case Study Paper 1 Starr 4

states that the most pleasurable is ethical, and increasing profits through using data in their
possession is pleasurable for the business.
Case Study 1
Bloomingdale’s is a global luxury retailer that has been in business for 149 years and operates
53 stores under the parent company of Macy's Inc. (Macy's Inc., 2022). It is not unfathomable
to guess that Bloomingdale's has millions of customers have done business with during the
internet age. As with any large business during the internet age, Bloomingdale's has collected
customer data through various means, including their loyalty program. Like many companies,
Bloomingdale's collected personal data, including phone numbers from those who signed up for
their loyalty program, but they did not disclose how they would use that data. Bloomingdale's
did not inform or request permission from those who supplied their information that they
would receive promotional text messages from Bloomingdale's. This violates TCPA (Telephone
Consumer Protection Act) laws as individuals in the loyalty program did not expressly grant
permission through appropriate means to receive these texts. Bloomingdale's was fined in 2015
for violating the TCPA laws and settled out of court for a $1.4 million fine. (Pemberton, 2018)
When faced with a plethora of data from customers, Bloomingdale's moral dilemma was how
to utilize it in the most effective way to promote future sales and increase profits. Texting was a
relatively new platform for marketing purposes, as texting did not overtake phone calls per
month until 2007. (tatango, 2020) The Telephone Consumer Protection Act (TCPA), established
in 1991 and amended over the years for new technology such as texting, establishes guidelines
and laws that must be followed to protect the public from unsolicited marketing.
(Congress.gov, 1991) Bloomingdale's had to decide whether to text previous customers in their
loyalty program database or accept that those customers before they adhered to the TCPA
texting guidelines, were not available for texting promotions. Bloomingdale's chose to ignore
the laws in place to protect their customers and instead used Bentham's hedonistic
utilitarianism concept of what was more pleasurable for the business. The consequence of
choosing their actions was a hefty $1.4 million fine which would have been much larger if they
had not settled.
Had Bloomingdale's spent more time evaluating the ethical use of customer information, they
would not have had the legal issue they ran developed. Bloomingdale's should have used a
utilitarian approach to their decision-making. If they had done so, they would have acted in the
best interest and pleasure of a more significant number of people. The sub-section of objective-
good utilitarianism states that action should be for the good of the people, even if it may cause
pain. The pain for Bloomingdale's would have been not utilizing all of the data they possessed,
but the ethical thing for the good of the people would have been to follow the TCPA guidelines
and not text them inappropriately. Another moral theory that Bloomingdale's could have
utilized before acting is Kant's moral theory. Kant believes humans are driven by sentiment or
reason when making ethical decisions. (Fryer, 2015, p. 92) This is what Kant would call a
hypothetical or categorical imperative. Bloomingdale's should have used a categorical
Case Study Paper 1 Starr 5

imperative that dictates that the ethical decision to make is a full stop if it is the most ethical
decision, even if they did not feel as they should. He explains that people have free will though
to make these decisions. (Fryer, 2015, p. 94) Bloomingdale's had free will to choose to allow
their sentiment of increasing sales and profits to overshadow the ethical choice of following
TCPA guidelines and laws. If Bloomingdale's had used reason-driven actions, they would have
realized that they had a duty to protect their customer’s data and would not have utilized it
improperly. “If treating people as a means to an end is unethical, then it seems that business
per se is unethical.” (Fryer, 2015, p. 105)
Case Study 2
Twitter is one of the internet's largest and oldest social media platforms. It was created in 2006
by its co-founder Jack Dorsey (MacArthur, 2020) and currently has over 345.3 million users
worldwide. (Insider Intelligence, 2022) If there was a company that should understand FTC
guidelines concerning the use of customer information and privacy issues, it should be Twitter,
particularly since it had violated the FTC Act previously in 2010. Twitter has been caught once
again requesting customer information for the claimed purpose of account security but has
been using the data for ad targeting for Twitter's financial benefit. More than 140 million
Twitter users supplied their email addresses and phone numbers with the understanding that it
was to help secure their accounts. However, instead, Twitter is accused of using that data for
serving ads that added multi-millions to its coffers. The Department of Justice, representing the
FTC, has recently filed a $150 million penalty against Twitter. (Fair, 2022)
The ethical dilemma for Twitter was whether to concern themselves with needed revenue by
improperly utilizing users’ data or adhere to their commitment to protecting their users' data.
Twitter needs revenue to operate derived from advertising on its platform. To maintain a
steady revenue stream and appease advertisers, they had to decide which course of action
ensured their long-term survival and benefited their internal stockholders financially. Twitter
ultimately chose once again to unethically choose revenue and profits over their policies,
government regulation, and the protection of their users.
Twitter failed in two ethical areas impacting technology, misuse of personal information and a
lack of oversight and acceptance of responsibility. They had already been found to be in non-
compliance with the FTC Act in 2010, but the company did not accept responsibility or increase
oversight to ensure it did not happen again. Twitter could have ensured in 2010 that its privacy
policy was not contradictory to how it conducted business. They should have been honest and
clearly stated that they would be using the personal information for multiple purposes instead
of hiding it. Instead, Twitter chose actions that would benefit their financial bottom line at the
expense of their users. Twitter valued financial gain over the right of protection of the personal
information of its users.
Twitter blatantly ignored utilitarianism, as defined by Bentham, as a method for defining their
ethical decision-making practices when handling users' personal information. They instead
Case Study Paper 1 Starr 6

applied rule utilitarianism and the principle of corporate maximization. Fryer wrote, "The
utilitarian rule that managers tended to appeal to is that they should do whatever they could to
promote the success of their corporation because they believed that this, ultimately, would
maximize the good." (Fryer, 2015, p. 78) This is what Twitter was doing. They looked at the
company's success as maximizing the good for all, even if it hurt what they considered a small
few, which in this case were millions of users. The success of Twitter took precedence as it
benefited those who were direct stakeholders. Fryer mentions that rule utilitarianism does
have an issue of undermining the credibility of the ethics of the action taken. (Fryer, 2015, p.
77) Twitter should have viewed the principle of corporate maximization as something other
than the ethical method of properly using personal information, as it ignored how non-
dependent stakeholders would be affected, which were their users in this case. Twitter,
instead, should have looked at the concept of the Universal Declaration of Human Rights.
Viewing users as citizens of the Twitter ecosystem, they have the political rights of justice and
fairness and the social rights of being treated properly by Twitter concerning their personal
information. (Fryer, 2015, p. 19 – 21)

Case Study 3
Equifax is one of the largest credit score report bureaus in the United States. Equifax describes
itself as a global data, analytics, and technology company that enables people to move forward
when applying for a job, mortgage, or buying a car through their use of data, analytics, and
technology. (Equifax, 2022) I could not find a solid accounting of how many individuals Equifax
has collected data from. However, a reference on Wikipedia states that they have collected
data from over 800 million individuals worldwide. (Wikipedia, 2022) In 2017, Equifax was the
victim of a significant data breach that stole the personal data of 143 million customers. (Mills,
2017) The FTC sued, and Equifax agreed to a settlement of $700 million, with individual
payments limited to no more than $125. (Meek, 2022)
Equifax was the subject of a data breach because it chose to be lax regarding security measures.
Ethically, Equifax failed in a couple of ways: they chose not to patch widely known
vulnerabilities due to poor corporate practices and did not report the breach immediately. As
with all of the cases in this paper, Equifax had a moral dilemma in their eyes of protecting and
increasing profits for the company or taking care of their external stakeholders. They utilized
relative ethical relativism, which meant that they viewed, in their eyes, profits as the most
ethical path to take.
The first failure this case study will address is the breakdown in corporate practices concerning
their information technology infrastructure. In early 2017, Equifax contracted an outside
security firm to assess its systems. The consulting firm warned Equifax of issues that needed to
be addressed. A patch was also issued for server software on March 7th for a known
vulnerability. An employee was instructed to apply the patch, but they did not do so.
Case Study Paper 1 Starr 7

(Fruhlinger, 2020) Equifax chose not to be an ethical business when presented with potential
and known vulnerabilities in its systems. They chose what was better for their local
stakeholders and ignored the risk to their external stakeholders or customers. For a business to
act virtuous, it must "understand itself as being embedded in a community that comprises all its
stakeholders, and to act in a respectful and considerate manner towards that community."
(Fryer, 2015, p. 178) Aristotle stated that virtues help an individual or, in this case, a business
achieve its purpose. Elaine Sternberg expounds on that idea by stating that a business's
purpose is "maximizing owner value over the long term ."(Fryer, 2015, p. 185) Equifax's
leadership was more concerned about the owner's value than being virtuous towards their
customers. Equifax was aware of the amount of data they had collected and the potential harm
if it was to be released to nefarious individuals. They chose to spend the money on something
other than the needed security and training for their systems. Equifax chose to act unethically
by not taking care of known vulnerabilities that ultimately impacted 143 million customers.
The second failure, in this case, is that Equifax failed to report the breach when it first became
aware of it. Executives sold company stock in August and reported the breach in September
2017. (Fruhlinger, 2020) Equifax made an unethical decision of not reporting the breach
immediately. They also appeared to be unethical when their executives were ensuring their
financial positions were not impacted by selling off stock with anticipation of a stock decline
after publicly announcing the breach. The social contract ethical theory would apply to this part
of the case study. Equifax executives were concerned about their own needs and ignored the
needs of others. As John Locke explained, if people lived without a form of social organization,
in this case, the business protocols and procedures, they would have "little respect" for others,
which were the customers. Equifax also broke an explicit agreement that they would protect
their customers' data.

Case Study 4
The final case study concerning ethical behavior in Information Technology looks at the topic of
ransomware. Two areas need to be addressed: businesses that are attacked with ransomware
are unethical because they did not adequately prepare for a potential attack. Specifically, is it
ethical to pay the ransomware demands?
Ransomware attacks can occur in a couple of ways, becoming more sophisticated every year.
The least sophisticated method of ransomware is when a hacker steals information from a
business's systems and then demands payment to ensure they do not share it with the public or
the dark web. The more sophisticated method is when a hacker enters a business's systems and
applies software that encrypts data making it unusable by the business, which in turn can
prevent the business from functioning digitally. The hacker then requires payment in return for
software code that will unencrypt the data and bring the systems back into operation for the
Case Study Paper 1 Starr 8

business. Failure to pay and the business can only function once they can rebuild their systems,
and only if they had a backup protocol.
The first area of ethics pertains to ransomware. Is a business acting unethically by not preparing
properly for potential ransomware attacks? Colonial Pipeline, in May 2021, was the victim of a
ransomware attack that forced it to shut down for several days. Colonial Pipeline paid the
ransom of $4.4 million to receive the code to unlock their systems. The ethicalness of paying
the ransom will be discussed later in this case study. The after-action report highlighted that
the hackers could enter Colonial Pipeline's systems by utilizing a password from a VPN that is
utilized on other systems. (Kerner, 2022) Utilizing the same password across multiple systems is
considered a poor security practice. Colonial Pipeline should have found this issue if they were
doing regularly scheduled security audits which is a mandatory security practice. Colonial
Pipeline was unethical using the social contract and utilitarianism theories. The shutdown of the
Colonial Pipeline systems, one of the largest pipelines in the United States, disrupted oil supply,
causing gas prices to increase and fuel shortages for airlines. (Sajindra, 2022) Colonial Pipeline
failed the social contract, which states that a business, in exchange for resources from society
that it requires to exist, it agrees to pay society to cover those resources. (Fryer, 2015, p.138) In
this case, the payment Colonial Pipeline owed society was an uninterrupted flow of oil which
society needs to function. Colonial Pipeline was also unethical regarding utilitarianism as they
were not conducting business in a manner that benefited the more significant amount of
people. They failed ethically in both theories because they needed to spend the resources to
ensure proper security practices were being performed. Their dilemma was whether they
should spend the money to protect all internal and external stakeholders or just the direct
stakeholders by utilizing cost savings.
The other area of ethical consideration concerning ransomware is whether a business should
pay the hacker's demands. This is an ethical discussion that is still being heavily debated.
Colonial Pipeline chose to pay the ransom of $4.4 million with the justification that they had to
prevent further disruption of the oil supply, which would have a severe impact on gas supplies
and prices. They had to decide to follow the advice of top law enforcement, such as the FBI,
which prefers businesses not to pay the ransoms or pay it for the benefit of a more significant
amount of people. (IAFI, 2022) In this case, the external stakeholders who rely on the flow of
Colonial Pipeline's oil would argue that they did the right thing, thus making it an ethical
decision.
On the other hand, the FBI would state that paying the ransom is unethical as it funds criminal
and terror groups while violating government regulations. (Sumner & Simons, 2021) In this
case and all other ransomware cases, it becomes a matter of ethical relativism regarding what
is ethical or not on how to handle the situation. It will come down to what each specific
business decides is the most ethical thing to do, which is why this subject is still a hotly debated
topic.
Case Study Paper 1 Starr 9

Ethical Behavior in Information Technology

All four case studies demonstrate that there are fundamental leadership ethical issues in the
Information Technology field. The protection of personal information and using the information
appropriately are the building blocks of basic ethics in Information Technology. A problem
arises when technology leaders concentrate on the most current innovation and its implications
and fail to remain current on the constantly changing laws or insist on doing things the same as
it has always been. The challenge arises when the need to maximize corporate growth and
profitability competes with what is suitable for the most significant number of people and
guidelines dictated by law. Leaders and managers are challenged with doing what they perceive
the company would want them to do for the benefit of direct stakeholders versus what is
suitable for the indirect stakeholders, who are the customers or users and legally required.
There should not be a moral tradeoff in the Information Technology field. Leaders and
managers need to look at the ramifications from a bigger picture if they ignore guidelines and
laws impacting their customers or users. The principle of corporate maximization may benefit
the company in the short term, but the potential long-term negatives will be pain points for the
company. The company's actions should be based on what is best for the direct and indirect
stakeholders per what is acceptable per guidelines and laws. Failure to make beneficial
decisions and actions for all becomes subject to massive fines, negative publicity, and loss of
customer base, which would then negatively impact the company long term. So, the tradeoff
for trying to circumvent the ethical decision of protecting and using personal information is no
longer a maximization for the company. If a company does not make ethical decisions
concerning the basics, how will it make the correct decisions with more complex ethical
questions concerning technology?
When evaluating whether a company is functioning morally within the Information Technology
field, it is a matter of examining how the leadership is making decisions. Do they have the
mindset that it is ok to function in the grey areas to maximize the potential for the company, or
do they have processes in place to ensure they are protecting their customers or users per
guidelines and laws? Suppose they have made decisions that negatively impact the customer or
user in favor of the company's benefit in the hope that they are not caught. In that case, they
are not functioning ethically.

Conclusion
The Information Technology field is relatively new in comparison to other technologies and
growing at a rapid pace with innovations and procedures. These innovations are created to
improve lives as a whole, but there are individuals or companies finding ways to exploit them
for their benefit as fast as they are released. In addition, some corporations need to ensure
they keep up with or are ignoring the laws and regulations being created to protect the most
significant number of people possible. Companies then must ask themselves whether they
Case Study Paper 1 Starr 10

continue working in the grey area of ethics. They continue to operate as usual and maximize
the benefit for the company, hoping not to be caught and receive a fine, or they operate
ethically to protect their customers and users.
All four case studies demonstrate that companies ignored the ethical ideals of following the
laws and guidelines of doing what is best for their customers and users. However, found out
that choosing to act in a manner they perceived was in the company's best interests was not
the correct moral decision. Set aside the pain of the fines for the company, they chose to ignore
the fundamental rights of protecting personal information and the proper use of it, which
causes pain for a more significant group of people, their customers, and users.
Case Study Paper 1 Starr 11

References

A Brief History of the Internet. (n.d.). University System of Georgia.

https://www.usg.edu/galileo/skills/unit07/internet07_02.phtml

Equifax. (n.d.). https://www.equifax.com/about-equifax/who-we-are/

Equifax. (2022, October 25). Wikipedia.

https://en.wikipedia.org/wiki/Equifax#:~:text=Equifax%20collects%20and%20aggregates%20inf
ormation,than%2088%20million%20businesses%20worldwide.

Fair, Lesley. (2022, May 25). Twitter to pay $150 million penalty for allegedly breaking its
privacy promises – again. Federal Trade Commission. https://www.ftc.gov/business-
guidance/blog/2022/05/twitter-pay-150-million-penalty-allegedly-breaking-its-privacy-
promises-again

Fruhlinger, Josh. (2020, February 12). Equifax data breach FAQ: What happened, who was
affected, what was the impact?. CSO. https://www.csoonline.com/article/3444488/equifax-
data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html

Fryer, Mike. (2015). Ethics Theory & Business Practice. Sage.

History of Text Message Marketing. (2020, November 23). Tatango.
https://www.tatango.com/blog/history-of-text-message-marketing/

IAFI. (2022, January 1). The ethical dilemma of ransomware attacks. Fabric Architecture
Magazine. https://fabricarchitecturemag.com/2022/01/01/the-ethical-dilemma-of-
ransomware-attacks/

Kerner, Sean Michael. (2022, April 26). Colonial Pipeline hack explained: Everything you need to
know. TechTarget. https://www.techtarget.com/whatis/feature/Colonial-Pipeline-hack-
explained-Everything-you-need-to-know

Lucatch, David. (2022, February 22). What’s In Store For Web 3.0 In 2022. Forbes.
https://www.forbes.com/sites/forbesbusinesscouncil/2022/02/22/whats-in-store-for-web-30-
in-2022/?sh=18bec5c46a07

MacArthur, Amanda. (2020, November 25). The Real History of Twitter, in Brief. Lifewire.
https://www.lifewire.com/history-of-twitter-3288854

Macy’s Inc. (n.d.). https://www.macysinc.com/brands/bloomingdales

Case Study Paper 1 Starr 12

Meek, Andy. (2022, October 11). We finally have a new update on the Equifax breach
settlement. BGR. https://bgr.com/business/we-finally-have-a-new-update-on-the-equifax-
breach-settlement/

Mills, Chris. (2017, September 7). Hackers steal personal information of 143 million Equifax
customers. BGR. https://bgr.com/tech/equifax-hack-143-million-affected-statement/

Pemberton, Alexandra. (2018, August 3). Bloomingdale’s Text Messaging Leads to $1.4M TCPA
Settlement. Contact Center Compliance DNC.com. https://www.dnc.com/news/bloomingdales-
text-marketing-leads-14m-tcpa-settlement

S.1462 – Telephone Consumer Protection Act of 1991. (1991, November 26). Congress.gov.
https://www.congress.gov/bill/102nd-congress/senate-bill/1462

Sajindra, Hirushan. (2022, July). Case Study of Colonial Pipeline Ransomware Attack.
ResearchGate.
https://www.researchgate.net/publication/361910184_Case_Study_of_Colonial_Pipeline_Rans
omware_Attack

Sumner, Phyllis and Simons, Jillian. (2021, August 17). Ethical, Legal Implications of Paying
Ransoms (Updated). National Defense Magazine.
https://www.nationaldefensemagazine.org/articles/2021/8/17/ethical-legal-implications-of-
paying-ransoms

Twitter in 2022: Global user statistics, demographics and marketing trends to know. (2022, May
19). Insider Intelligence. https://www.insiderintelligence.com/insights/twitter-user-statistics-
trends/

Watters, Ashley. (2021, July 1). 5 Ethical Issues in Technology to Watch for in 2021. CompTIA.
https://connect.comptia.org/blog/ethical-issues-in-technology