Republic of the Philippines

Province of Camarines Sur

GOVERNOR MARIANO E. VILLAFUERTE COMMUNITY COLLEGE-SIRUMA
Poblacion, Siruma, Camarines Sur
gmvcc.siruma@gmail.com

LEARNING OBJECTIVES
After the completion of this module, student will
know the:
• The right of privacy and the basis for protecting
personal privacy under the law.
• The laws that provide protection for the
privacy of personal data and its associated

PROFESSIONAL •
ethical issues
The various strategies for consumer profiling
and its associated ethical issues
• The reason why and how are employers

ETHICS IN IT •
increasingly using workplace monitoring
The capabilities of advanced surveillance
technologies and its ethical issues.

MODULE 4: MODULE CONTENTS

1 Why Computer Incidents

PRIVACY are So Prevalent 2
2 Types of Exploits 3
3 Types of Perpetrators 4
4 Federal Laws for Prosecuting
Computer Attacks 10
5 Advance Technique using
Microsoft Excel:
Formulas and Functions 14

CHS313 – Professional Ethics in IT 1

 Republic of the Philippines
Province of Camarines Sur
GOVERNOR MARIANO E. VILLAFUERTE COMMUNITY COLLEGE-SIRUMA
Poblacion, Siruma, Camarines Sur
gmvcc.siruma@gmail.com

Privacy Protection and The Law

The use of information technology in both government and business requires
balancing the needs of those who use the information that is collected against the
rights and desires of the people whose information is being used.

Information about people is gathered, stored, analysed, and reported because

organizations can use it to make better decisions. Some of these decisions, including
whether or not to hire a job candidate, approve a loan, or offer a scholarship, can
profoundly affect people’s lives. In addition, the global marketplace and intensified
competition have increased the importance of knowing consumers’ purchasing
habits and financial condition. Companies use this information to target marketing
efforts to consumers who are most likely to buy their products and services.
Organizations also need basic information about customers to serve them better. It
is hard to imagine an organization having productive relationships with its
customers without having data about them. Thus, organizations want systems that
collect and store key data from every interaction they have with a customer.

First, it is important to gain a historical perspective on the right to privacy.

During the debates on the adoption of the United States Constitution, some of the
drafters expressed concern that a powerful federal government would intrude on the
privacy of individual citizens. After the Constitution went into effect in 1789, several
amendments were proposed that would spell out additional rights of individuals. Ten
of these proposed amendments were ultimately ratified and became known as the
Bill of Rights. So, although the Constitution does not contain the word privacy, the
United States Supreme Court has ruled that the concept of privacy is protected by the
Bill of Rights. For example, the Supreme Court has stated that American citizens are
protected by the Fourth Amendment when there is a “reasonable expectation of
privacy.”

CHS313 – Professional Ethics in IT 2

 Republic of the Philippines
Province of Camarines Sur
GOVERNOR MARIANO E. VILLAFUERTE COMMUNITY COLLEGE-SIRUMA
Poblacion, Siruma, Camarines Sur
gmvcc.siruma@gmail.com

The Fourth Amendment is as follows:

“The right of the people to be secure in their persons, houses, papers, and
effects, against unreasonable searches and seizures, shall not be violated, and no
Warrants shall issue, but upon probable cause, supported by Oath or affirmation,
and particularly describing the place to be searched, and the persons or things to be
seized. “

However, the courts have ruled that without a reasonable expectation of

privacy, there is no privacy right.

Today, in addition to protection from government intrusion, people want and

need privacy protection from private industry. Few laws provide such protection,
and most people assume that they have greater privacy rights than the law actually
provides. As the Privacy Protection Study Commission noted in 1977, when the
computer age was still in its infancy: “The real danger is the gradual erosion of
individual liberties through the automation, integration, and interconnection of
many small, separate record-keeping systems, each of which alone may seem
innocuous, even benevolent, and wholly justifiable.”

Information Privacy
A broad definition of the right of privacy is “the right to be left alone—the most
comprehensive of rights, and the right most valued by a free people.”

Information privacy is the combination of communications privacy (the

ability to communicate with others without those communications being monitored
by other persons or organizations) and data privacy (the ability to limit access to
one’s personal data by other individuals and organizations in order to exercise a
substantial degree of control over that data and its use). The following sections cover
concepts and principles related to information privacy, beginning with a summary
of the most significant privacy laws, their applications, and related court rulings.

CHS313 – Professional Ethics in IT 3

 Republic of the Philippines
Province of Camarines Sur
GOVERNOR MARIANO E. VILLAFUERTE COMMUNITY COLLEGE-SIRUMA
Poblacion, Siruma, Camarines Sur
gmvcc.siruma@gmail.com

Privacy Laws, Applications, and Court Rulings

This section outlines a number of legislative acts that affect a person’s privacy.
Note that most of these actions address invasion of privacy by the government.
Legislation that protects people from data privacy abuses by corporations is almost
non-existent.

The discussion is divided into the following topics: financial data, health
information, children’s personal data, electronic surveillance, fair information
practices, and access to government records.

Financial Data
Individuals must reveal much of their personal financial data in order to take
advantage of the wide range of financial products and services available, including
credit cards, checking and savings accounts, loans, payroll direct deposit, and
brokerage accounts. To access many of these financial products and services,
individuals must use a personal logon name, password, account number, or PIN. The
inadvertent loss or disclosure of this personal financial data carries a high risk of
loss of privacy and potential financial loss. Individuals should be concerned about
how this personal data is protected by businesses and other organizations and
whether or not it is shared with other people or companies.

1. Fair Credit Reporting Act (1970)

The Fair Credit Reporting Act regulates the operations of credit-reporting
bureaus, including how they collect, store, and use credit information. The act,
enforced by the U.S. Federal Trade Commission, is designed to ensure the accuracy,
fairness, and privacy of information gathered by the credit-reporting companies and
to check those systems that gather and sell information about people. The act outlines
who may access your credit information, how you can find out what is in your file,
how to dispute inaccurate data, and how long data is retained. It also prohibits the
credit-reporting bureau from giving out information about you to your employer or
potential employer without your written consent.

CHS313 – Professional Ethics in IT 4

 Republic of the Philippines
Province of Camarines Sur
GOVERNOR MARIANO E. VILLAFUERTE COMMUNITY COLLEGE-SIRUMA
Poblacion, Siruma, Camarines Sur
gmvcc.siruma@gmail.com

2. Right to Financial Privacy Act (1978)

The Right to Financial Privacy Act protects the records of financial institution
customers from unauthorized scrutiny by the federal government. Prior to passage
of this act, financial institution customers were not informed if their personal records
were being turned over for review by a government authority, nor could customers
challenge government access to their records. Under this act, a customer must
receive written notice that a federal agency intends to obtain their financial records,
along with an explanation of the purpose for which the records are sought. The
customer must also be given written procedures to follow if he or she does not wish
the records to be made available. In addition, to gain access to a customer’s financial
records, the government must obtain one of the following:

• an authorization signed by the customer that identifies the records, the

reasons the records are requested, and the customer’s rights under the act,
• an appropriate administrative or judicial subpoena or summons,
• a qualified search warrant, or
• a formal written request by a government agency (can be used only if no
administrative summons or subpoena authority is available)

The act only governs disclosures to the federal government; it does not cover
disclosures to private businesses or state and local governments. The definition of
financial institution has been expanded to include banks, thrifts, and credit unions;
money services businesses; money order issuers, sellers, and redeemers; the U.S.
Postal Service; securities and futures industries; futures commission merchants;
commodity trading advisors; and casinos and card clubs.

3. Fair and Accurate Credit Transactions Act (2003)

The Fair and Accurate Credit Transactions Act was passed in 2003 as an
amendment to the Fair Credit Reporting Act, and it allows consumers to request and
obtain a free credit report once each year from each of the three primary consumer
credit reporting companies (Equifax, Experian, and TransUnion). The act also
helped establish the National Fraud Alert system to help prevent identity theft. Under
this system, consumers who suspect that they have been or may become a victim of

CHS313 – Professional Ethics in IT 5

 Republic of the Philippines
Province of Camarines Sur
GOVERNOR MARIANO E. VILLAFUERTE COMMUNITY COLLEGE-SIRUMA
Poblacion, Siruma, Camarines Sur
gmvcc.siruma@gmail.com

identity theft can place an alert on their credit files. The alert places potential
creditors on notice that they must proceed with caution when granting credit.

Health Information
The use of electronic medical records and the subsequent interlinking and
transferring of this electronic information among different organizations has
become widespread. Individuals are rightly concerned about the erosion of privacy
of data concerning their health. They fear intrusions into their health data by
employers, schools, insurance firms, law enforcement agencies, and even marketing
firms looking to promote their products and services. The primary law addressing
these issues is the Health Insurance Portability and Accountability Act.

1. Health Insurance Portability and Accountability Act (1996)

The Health Insurance Portability and Accountability Act (HIPAA) was
designed to improve the portability and continuity of health insurance coverage; to
reduce fraud, waste, and abuse in health insurance and healthcare delivery; and to
simplify the administration of health insurance.

To these ends, HIPAA requires healthcare organizations to employ

standardized electronic transactions, codes, and identifiers to enable them to fully
digitize medical records, thus making it possible to exchange medical data over the
Internet. The Department of Health and Human Services developed over 1,500 pages
of specific rules governing exchange of such data. At the time of their
implementation, these regulations affected more than 1.5 million healthcare
providers, 7,000 hospitals, and 2,000 healthcare plans.17 The rules, codes, and
formats for exchanging digital medical records continue to change making for an
ongoing maintenance and training workload for the individuals and organizations
involved.

Children’s Personal Data

According to the Center for Media Research, teens spend over five hours per
week surfing the Web, and over 40 percent of them claim that their parents have no
idea what they are looking at online. Meanwhile, Norton Online Living reports that
40 percent of teens have received an online request for personal information. In

CHS313 – Professional Ethics in IT 6

 Republic of the Philippines
Province of Camarines Sur
GOVERNOR MARIANO E. VILLAFUERTE COMMUNITY COLLEGE-SIRUMA
Poblacion, Siruma, Camarines Sur
gmvcc.siruma@gmail.com

addition, an estimated 16 percent of U.S. children have been approached online by a

stranger.

1. Children’s Online Privacy Protection Act (1998)

According to the Children’s Online Privacy Protection Act (COPPA), any Web
site that caters to children must offer comprehensive privacy policies, notify parents
or guardians about its data collection practices, and receive parental consent before
collecting any personal information from children under 13 years of age. COPPA was
implemented in 1998 in an attempt to give parents control over the collection, use,
and disclosure of their children’s personal information; it does not cover the
dissemination of information to children.

Electronic Surveillance
This section covers laws that address government surveillance, including
various forms of electronic surveillance. New laws have been added and old laws
amended in recent years in reaction to worldwide terrorist activities and the
development of new communication technologies.

1. Communications Act (1934)

The Communications Act established the Federal Communications
Commission and gave it responsibility for regulating all non-federal-government
use of radio and television broadcasting and all interstate telecommunications as
well as all international communications that originate or terminate in the United
States. The act also restricted the government’s ability to secretly intercept
communications.

Fair Information Practices

Fair information practices are a term for a set of guidelines that govern the
collection and use of personal data. Various organizations as well as countries have
developed their own set of such guidelines and call them by different names. The
overall goal of such guidelines is to stop the unlawful storage of personal data,
eliminate the storage of inaccurate personal data, and prevent the abuse or
unauthorized disclosure of such data. For some organizations and countries, a key
issue is the flow of personal data across national boundaries (transborder data flow).

CHS313 – Professional Ethics in IT 7

 Republic of the Philippines
Province of Camarines Sur
GOVERNOR MARIANO E. VILLAFUERTE COMMUNITY COLLEGE-SIRUMA
Poblacion, Siruma, Camarines Sur
gmvcc.siruma@gmail.com

Fair information practices are important because they form the underlying basis for
many national laws addressing data privacy and data protection issues.

Access to Government Records

The government has a great capacity to store data about each and every one
of us and about the proceedings of its various organizations. The Freedom of
Information Act enables the public to gain access to certain government records, and
the Privacy Act prohibits the government from concealing the existence of any
personal data recordkeeping systems.

1. Privacy Act (1974)

The Privacy Act establishes a code of fair information practices that sets rules
for the collection, maintenance, use, and dissemination of personal data that is kept
in systems of records by federal agencies. It also prohibits U.S. government agencies
from concealing the existence of any personal data record-keeping system. Under
this law, any agency that maintains such a system must publicly describe both the
kinds of information in it and the manner in which the information will be used. The
law also outlines 12 requirements that each record-keeping agency must meet,
including issues that address openness, individual access, individual participation,
collection limitation, use limitation, disclosure limitation, information management,
and accountability. The purpose of the act is to provide safeguards for people against
invasion of personal privacy by federal agencies. The CIA and law enforcement
agencies are excluded from this act; in addition, it does not cover the actions of
private industry.

CHS313 – Professional Ethics in IT 8

 Republic of the Philippines
Province of Camarines Sur
GOVERNOR MARIANO E. VILLAFUERTE COMMUNITY COLLEGE-SIRUMA
Poblacion, Siruma, Camarines Sur
gmvcc.siruma@gmail.com

KEY PRIVACY AND ANONYMITY ISSUES

The rest of this chapter discusses a number of current and important privacy issues,
including data breaches, electronic discovery, consumer profiling, workplace
monitoring, and advanced surveillance technology.

Data Breaches
An alarming number of identity theft incidents can be traced back to data
breaches involving large databases of personal information. Data breaches are
sometimes caused by hackers breaking into a database, but more often than one
might suspect, they are caused by carelessness or failure to follow proper security
procedures.

The number of data breach incidents is alarming (over 1,450 in 2012 alone),
as is the lack of initiative by some companies in informing the people whose data was
stolen. Organizations are reluctant to announce data breaches due to the ensuing
bad publicity and potential for lawsuits by angry customers. However, victims
whose personal data was compromised during a data breach need to be informed so
that they can take protective measures.

The cost to an organization that suffers a data breach can be quite high—by
some estimates nearly $200 for each record lost. Nearly half the cost is typically a
result of lost business opportunity associated with the customers whose patronage
has been lost due to the incident. Other costs include public-relations-related costs to
manage the firm’s reputation, and increased customer-support costs for information
hotlines and credit monitoring services for victims.

Electronic Discovery
Discovery is part of the pre-trial phase of a lawsuit in which each party can
obtain evidence from the other party by various means, including requests for the
production of documents. The purpose of discovery is to ensure that all parties will
go to trial with as much knowledge as possible. Under the rules of discovery, neither
party is able to keep secrets from the other. Should a discovery request be objected
to, the requesting party may file a motion to compel discovery with the court.

CHS313 – Professional Ethics in IT 9

 Republic of the Philippines
Province of Camarines Sur
GOVERNOR MARIANO E. VILLAFUERTE COMMUNITY COLLEGE-SIRUMA
Poblacion, Siruma, Camarines Sur
gmvcc.siruma@gmail.com

Electronic discovery (e-discovery) is the collection, preparation, review, and

production of electronically stored information for use in criminal and civil actions
and proceedings. Electronically stored information (ESI) includes any form of digital
information, including emails, drawings, graphs, Web pages, photographs, word-
processing files, sound recordings, and databases stored on any form of electronic
storage device, including hard drives, CDs, and flash drives. Through the e-discovery
process, it is quite likely that various forms of ESI of a private or personal nature
(e.g., personal emails) will be disclosed.

E-discovery is further complicated because there are often multiple versions

of information (such as various drafts) stored in many locations (such as the hard
drives of the creator and anyone who reviewed the document, multiple company file
servers, and backup tapes). As a result, e-discovery can become so expensive and
time consuming that some cases are settled just to avoid the costs.

E-discovery raises many ethical issues: Should an organization ever attempt

to destroy or conceal incriminating evidence that could otherwise be revealed during
discovery? To what degree must an organization be proactive and thorough in
providing evidence sought through the discovery process? Should an organization
attempt to bury incriminating evidence in a mountain of trivial, routine ESI?

Consumer Profiling
Marketing firms aggregate the information they gather about consumers to
build databases that contain a huge amount of consumer data. They want to know
as much as possible about consumers—who they are, what they like, how they
behave, and what motivates them to buy. The marketing firms provide this data to
companies so that they can tailor their products and services to individual consumer
preferences. Advertisers use the data to more effectively target and attract customers
to their messages. Ideally, this means that buyers should be able to shop more
efficiently and find products that are well suited for them. Sellers should be better
able to tailor their products and services to meet their customers’ desires and to
increase sales. However, concerns about how this data is used prevent many
potential online shoppers from making purchases.

CHS313 – Professional Ethics in IT 10

 Republic of the Philippines
Province of Camarines Sur
GOVERNOR MARIANO E. VILLAFUERTE COMMUNITY COLLEGE-SIRUMA
Poblacion, Siruma, Camarines Sur
gmvcc.siruma@gmail.com

Online marketers cannot capture personal information, such as names,

addresses, and Social Security numbers, unless people provide them. Without this
information, companies can’t contact individual Web surfers who visit their sites.
Data gathered about a user’s Web browsing through the use of cookies is anonymous,
as long as the network advertiser doesn’t link the data with personal information.
However, if a Web site visitor volunteers personal information, a Web site operator
can use it to find additional personal information that the visitor may not want to
disclose. For example, a name and address can be used to find a corresponding phone
number, which can then lead to obtaining even more personal data. All this
information becomes extremely valuable to the Web site operator, who is trying to
build a relationship with Web site visitors and turn them into customers. The
operator can use this data to initiate contact or sell it to other organizations with
which they have marketing agreements.

Consumer data privacy has grown into a major marketing issue. Companies
that can’t protect or don’t respect customer information often lose business, and some
become defendants in class action lawsuits stemming from privacy violations.

Opponents of consumer profiling are also concerned that personal data is

being gathered and sold to other companies without the permission of consumers
who provide the data. After the data has been collected, consumers have no way of
knowing how it is used or who is using it.

Workplace Monitoring
Plenty of data exists to support the conclusion that many workers waste large
portions of their work time doing non-work-related activity. One recent study
revealed that between 60 to 80 percent of workers’ time online has nothing to do with
work.61 Another source estimates that, on average, workers spend about four or five
hours per week on personal matters. In a recent survey by an IT staffing firm, 54
percent of companies reported they were banning the use of social networking sites
such as Facebook, Twitter, MySpace, and LinkedIn to help reduce waste at work.

The potential for decreased productivity and increased legal liabilities has led
many employers to monitor workers to ensure that corporate IT usage policies are

CHS313 – Professional Ethics in IT 11

 Republic of the Philippines
Province of Camarines Sur
GOVERNOR MARIANO E. VILLAFUERTE COMMUNITY COLLEGE-SIRUMA
Poblacion, Siruma, Camarines Sur
gmvcc.siruma@gmail.com

being followed. Many U.S. firms find it necessary to record and review employee
communications and activities on the job, including phone calls, email, and Web
surfing. Some are even videotaping employees on the job. In addition, some
companies employ random drug testing and psychological testing. With few
exceptions, these increasingly common (and many would say intrusive) practices are
perfectly legal.

The Fourth Amendment to the Constitution protects citizens from

unreasonable government searches and is often invoked to protect the privacy of
government employees. Public-sector workers can appeal directly to the “reasonable
expectation of privacy” standard established by the 1967 Supreme Court ruling in
Katz v. United States.

However, the Fourth Amendment cannot be used to limit how a private

employer treats its employees. As a result, public-sector employees have far greater
privacy rights than those in private industry. Although private-sector employees can
seek legal protection against an invasive employer under various state statutes, the
degree of protection varies widely by state. Furthermore, state privacy statutes tend
to favor employers over employees. For example, to successfully sue an organization
for violation of their privacy rights, employees must prove that they were in a work
environment in which they had a reasonable expectation of privacy. As a result,
courts typically rule against employees who file privacy claims for being monitored
while using company equipment. A private organization can defeat a privacy claim
simply by proving that an employee had been given explicit notice that email,
Internet use, and files on company computers were not private and that their use
might be monitored.

CHS313 – Professional Ethics in IT 12

 Republic of the Philippines
Province of Camarines Sur
GOVERNOR MARIANO E. VILLAFUERTE COMMUNITY COLLEGE-SIRUMA
Poblacion, Siruma, Camarines Sur
gmvcc.siruma@gmail.com

Advanced Surveillance Technology

A number of advances in information technology—such as surveillance
cameras and satellite-based systems that can pinpoint a person’s physical location—
provide amazing new data-gathering capabilities. However, these advances can also
diminish individual privacy and complicate the issue of how much information
should be captured about people’s private lives.

Camera Surveillance
Surveillance cameras are used in major cities around the world in an effort to
deter crime and terrorist activities. Critics believe that such scrutiny is a violation of
civil liberties and are concerned about the cost of the equipment and people required
to monitor the video feeds. Surveillance camera supporters offer anecdotal data that
suggests the cameras are effective in preventing crime and terrorism. They can
provide examples in which cameras helped solve crimes by corroborating the
testimony of witnesses and helping to trace suspects.

Vehicle Event Data Recorders

A vehicle event data recorder (EDR) is a device that records vehicle and
occupant data for a few seconds before, during, and after any vehicle crash that is
severe enough to deploy the vehicle’s air bags. Sensors located around the vehicle
capture and record information about vehicle speed and acceleration; seat belt
usage; air bag deployment; activation of any automatic collision notification system,
and driver inputs such as brake, accelerator, and turn signal usage.71 The EDR
cannot capture any data that could identify the driver of the vehicle. Nor can it tell if
the driver was operating the vehicle under the influence of drugs or alcohol.

Stalking Apps
Technology has made it easy for a person to track the whereabouts of someone
else at all times, without ever having to follow the person. Cell phone spy software
called a stalking app can be loaded onto someone’s cell phone or smartphone within
minutes, making it possible for the user to perform location tracking, record calls,
view every text message or picture sent or received, and record the URLs of any Web
site visited on the phone. A built-in microphone can be activated remotely to use as a

CHS313 – Professional Ethics in IT 13

 Republic of the Philippines
Province of Camarines Sur
GOVERNOR MARIANO E. VILLAFUERTE COMMUNITY COLLEGE-SIRUMA
Poblacion, Siruma, Camarines Sur
gmvcc.siruma@gmail.com

listening device even when the phone is turned off.74 All information gathered from
such apps can be sent to the user’s email account to be accessed live or at a later time.
Some of the most popular spy software includes Mobile Spy, ePhoneTracker,
FlexiSPY, and Mobile Nanny.

CHS313 – Professional Ethics in IT 14

 Republic of the Philippines
Province of Camarines Sur
GOVERNOR MARIANO E. VILLAFUERTE COMMUNITY COLLEGE-SIRUMA
Poblacion, Siruma, Camarines Sur
gmvcc.siruma@gmail.com

Discussion Questions
1. Are surveillance cameras worth the cost in terms of resources and loss of privacy,
given the role that they play in deterring or solving crimes?
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
__________________________
2. Why do employers monitor workers? Do you think they should be able to do so?
Why or why not?
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
__________________________
3. Do you think that law enforcement agencies should be able to use advanced
surveillance cameras and data from vehicle data recorders in a court of law?
Why or why not?
_______________________________________________________
_______________________________________________________
_______________________________________________________

CHS313 – Professional Ethics in IT 15

 Republic of the Philippines
Province of Camarines Sur
GOVERNOR MARIANO E. VILLAFUERTE COMMUNITY COLLEGE-SIRUMA
Poblacion, Siruma, Camarines Sur
gmvcc.siruma@gmail.com

_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
__________________________
4. Do you think that the installation of stalker software on suspects’ cell phones
should be authorized for law enforcement agencies? If so, under what
circumstances should such use be permitted? If not, why not.
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
__________________________.

CHS313 – Professional Ethics in IT 16