BIB 3074 Case Studies 1 1

Answer the questions by identifying the the systemic, corporate and individual
ethical issues present in the case studies.

Case Study 1: Wells Fargo Banking Scandal

Wells Fargo was the darling of the banking industry, with some of the highest returns on equity in
the sector and a soaring stock price. Top management touted the company’s lead in “cross-
selling”: the sale of additional products to existing customers. “Eight is great,” as in eight Wells
Fargo products for every customer, was CEO John Stumpf’s mantra.

In September 2016, Wells Fargo announced that it was paying $185 million in fines for the
creation of over 2 million unauthorized customer accounts. It soon came to light that the pressure
on employees to hit sales quotas was immense: hourly tracking, pressure from supervisors to
engage in unethical behavior, and a compensation system based heavily on bonuses.

Wells Fargo also confirmed that it had fired over 5,300 employees over the past few years related
to shady sales practices. CEO John Stumpf claimed that the scandal was the result of a few bad
apples who did not honor the company’s values and that there were no incentives to commit
unethical behavior. The board initially stood behind the CEO but soon after received his
resignation and “clawed back” millions of dollars in his compensation.

Further reporting found more troubling information. Many employees had quit under the immense
pressure to engage in unethical sales practices, and some were even fired for reporting
misconduct through the company’s ethics hotline. Senior leadership was aware of these
aggressive sales practices as far back as 2004, with incidents as far back as 2002 identified.

The Board of Directors commissioned an independent investigation that identified cultural,

structural, and leadership issues as root causes of the improper sales practices. The report cites:
the wayward sales culture and performance management system; the decentralized corporate
structure that gave too much autonomy to the division’s leaders; and the unwillingness of
leadership to evaluate the sales model, given its longtime success for the company.

1. What should business leaders take away from this scandal?

(a) Do not encourage unethical practices directly or indirectly among employees.

(b) Do not set unrealistic targets for employees to achieve within an unrealistic time-frame.

(c) Institute measures to prevent unethical practices.

(d) Encourage honest employees to grow in the company.

 BIB 3074 Case Studies 1 2

(e) Honor adherence to regulatory framework as applicable to the company.

2. What could Wells Fargo have done differently to avert this cultural meltdown?

(a) When the first incident of aggressive sales practice was reported in year 2004 with identified
incidents from year 2002, they could have instituted measures to prevent recurrence of such
incidents. Some of the practical and workable measures are enumerated in succeeding
paragraphs.

(b) Convene a meeting of senior managers to provide them with appropriate guidelines so as not
to repeat such incidents.

(c) Instruct senior managers to advise their juniors to refrain from any such aggressive sales
practices.

(d) Investigate to determine the extent of impact of aggressive sales practices as on 2004 and
take remedial actions against those who are engaged in such activities.

(e) Promote the whistle-blower method of instantaneous reporting of an incident by anyone who
has witnessed such an incident.

(f) Reward employees having honesty, integrity and moral values.

Case Study 2: Apple vs. FBI Case Study

In the wake of the December 2015 terrorist attack in San Bernardino, attention turned to the
perpetrator’s iPhone. A federal judge asked Apple, maker of the iPhone, to provide “reasonable
technical assistance” to the FBI in accessing the information on the phone with that hope of
discovering additional threats to national security.

Apple provided the FBI with data it had in their possession and sent Apple engineers to advise the
FBI, but refused to comply with the court order to bypass the phone’s security measures:
specifically the 4-digit login code and a feature that erases all data after ten incorrect attempts.
The FBI argued that the bypass could only be used for this phone, this one time. The agency also
cited national security concerns, given the phone may lead to better understanding the attack and
preventing further incidents.

Apple CEO Tim Cook issued a public letter reiterating Apple’s refusal to cooperate. Cook
advocated for the benefits of encryption in society to keep personal information safe. He stated
 BIB 3074 Case Studies 1 3

that creating the backdoor entry into the iPhone would be akin to creating a master key capable of
accessing the tens of millions of iPhones in the U.S. alone. Cook also had concerns that the FBI
was outstepping its bounds - by using the court system to expand its authority - and believed the
case should be settled after public debate and legislative action through Congress instead.

Public opinion polls on the issue were split. A number of major tech firms filed amicus briefs in
support of Apple. The White House and Bill Gates stood behind the FBI. In anticlimactic fashion,
the FBI withdrew its request a day before the hearing, claiming it no longer needed Apple’s help to
assess the phone. It is speculated that an Israeli tech firm, Cellebrite, helped the FBI gain assess.
Questions:
1. Was Apple wrong for not complying with the FBI’s request? If so, why? If not, why not?
2. What ethical issues are involved in this case? Please consult our Framework for Ethical
Decision Making for an overview of modes of moral reasoning.

Feelings are not the same as ethics. Feelings provide crucial information for making ethical
decisions. Some people have well-developed habits that make them feel horrible when they
make a mistake, yet many others feel good even when they make a mistake.I'm making an
error. And our feelings will often warn us that doing so is unpleasant. If it's difficult, do the right
thing. Ethics is not the same as religion. Even if a person is not religious, ethics applies to
everyone. Although most religions encourage high ethical norms, they do not always address
all of them the kinds of issues we're dealing with. Following the law is not the definition of
ethics. Many ethical principles are included into a good legal system. Although there are ethical
standards, the law can diverge from them.

3. Who are the stakeholders in this situation?

The stakeholders are the one leveraging on apple since they have invested into Apple and
hoping on their win to not lose their bonds.
4. Apple’s values are listed on the bottom of its home page at apple.com. Is the company’s
decision consistent with its values? Is that important?

It is important for Apple to uphold its values that the believe is how their company works and
prides on.

Case Study 3: Company v. Company Disclosure Debate

 BIB 3074 Case Studies 1 4

In 2015, the bug was found by Google’s in-house security research team, which searches for
vulnerabilities in Google software, as well as that of other vendors, including Microsoft. Upon
finding a vulnerability, Google adheres to a strict 90-day policy: Vendors are notified of the bug,
and a public disclosure is automatically released 90 days after, regardless of whether the bug has
been addressed.

Microsoft initially asked for an extension beyond the 90 days, which was denied by Google, as
was a request to extend the disclosure date to the first “Patch Tuesday” of the month (the second
Tuesday of the month, and preferred release date for patches for developers).

Microsoft criticized Google in a blog post, accusing the company’s decision of being a “gotcha”
opportunity, and at the expense of the users, who were at risk for the two days between the
disclosure and the patch release. Microsoft reiterated its support for “Coordinated Vulnerability
Disclosure,” which calls for security researchers to work closely with developers in ensuring a fix is
released before the public disclosure.

Google, and supporters of similar disclosure policies, argue that firm disclosure dates prevent
developers from sweeping vulnerabilities under the rug, and should strike a balance between the
public’s right to know and providing the developer a chance to fix the problem. Many take an even
harder stance and propose that immediate public disclosure is the best policy.

Shortly after this incident, Google released an additional update on three Microsoft vulnerabilities.
Questions:
1. What should Google and Microsoft have done differently, if anything?

Based on this case study, Microsoft standpoint on not releasing the disclosure to the public on
the intended to by Google was an unethical way of restricting the rights of people to know the
truth since the people are the ones paying and consuming the products given by Microsoft.

2. Did the release unnecessarily put users at risk, or is it in the best interest of users in the
long run for Google to stick to its disclosure policy?

From my view, Google sticking to disclosure the policy to the public was the proper way of
conducting a company and maintaining its reputation and being trasparent to the public which
issues they face. We can assume people will learn to understand the situation at first if
informed early rather than doing it late and still not fixing the issue.

3. Is Google’s firm, 90-day policy fair? Or should it be willing to adjust depending on the
situation?

Google’s decision was fair since they didn’t force the bug issue to be fixed within 90 days but
instead gave a chance to Microsoft to resolve it and if not public disclosure would be done but
they can still be working to fix the problem from then on.
BIB 3074 Case Studies 1 5

4. Did Microsoft adequately respond? Is sticking to “patch Tuesday” enough of a reason to

wait to release the patch?

Microsoft was not utterly in the wrong but they could have handled the situation more properly.

5. Should Google have published the exploit code?

No because both companies have not come to an agreement yet.

6. What obligations do security researchers have, or are they free to publish their work as they
please?

Security researches are closely monitored by the developers to minimize the risk of further
exploitation of bugs