5.3.1. Data privacy and social networking

Most data breach incidents publicized in the media involve private information on individuals, i.e. social security numbers, health information, confidential media data, etc. Loss of corporate information such as trade secrets, sensitive corporate information, strategies, details of customer contracts, etc. or of government information is frequently unreported, as there is no compelling reason to do so in the absence of potential damage to private citizens, and the publicity around such an event may be more damaging than the loss of the data itself.

The “2016 Cost of Data Breach Study: Global Analysis”, by the Ponemon Institute and sponsored by IBM is based on an evaluation involving 383 enterprises worldwide (12 different countries).

According to this research [PON 16], the average impact of a data breach can be summarized as follows:

• – the average cost of a data breach is over four million USD;
• – the cost of data breaches has increased by about 30% in 3 years since 2013;
• – the average cost per lost or stolen record is about 200$ in major countries like USA, Germany and France (158 $ on the 12 countries);
• – each data breach involves approximately 10,000 lost or stolen records. However, the average number of breached records varies between 20,000 and 30,000 in most countries.

The biggest financial consequence of organizations that experienced a data breach is loss of business. The customer churn rate may be higher than 6% when the number of records impacted is high. When we consider the activity sectors subject to data breach, Figure 5.3 shows that the main areas impacted are healthcare, finance and education.

It is a consolidated view (383 companies involved worldwide), and measured in USD.

5.3.2. The root causes of data breach

Figure 5.4 shows the main root causes of a data breach.

Most data breaches are caused by malicious or criminal attacks. There are also glitches that include both IT and business process failures that lead to a sudden malfunction or irregularity.

Breaches also take the most time to detect and contain. As a result, they have the highest cost per record.

The probability of a data breach occurring over a period of 24 months is quite significant:

• – for a file containing ≈ 10 K records, the probability is approximately 25%;
• – for a file containing 100 K records, the probability is about 1%.

5.3.3. The GDPR

Many governments and public organizations try to fight this new cause of economic and social injury. Presently, the European Union (EU) has issued a General Data Protection Regulation (GDPR) directive. It is a regulation by which the Parliament, the Council of the EU and the European Commission intend to strengthen and unify data protection for all individuals.

The primary objectives of the GDPR are to return to citizens and residents control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The GDRP separates responsibilities and duties of data controllers and processors, obligating controllers to engage with only those processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet the GDPR’s requirements and protect data subjects’ rights. Processors must also take all measures required by Article 32, which delineates the GDPR’s “security of processing” standards.

Under Article 32, similarly to the Directive’s Article 17, controllers and processors are required to “implement appropriate technical and organizational measures”.

First, the GDPR requires businesses to implement technical and organizational measures to provide appropriate protection to the personal data they hold. Among the specific suggestions for what kinds of security actions might be considered “appropriate to the risk”, we can quote:

• – the pseudonymization and encryption of personal data;
• – the ability to ensure ongoing confidentiality, integrity and availability, and resilience of processing systems and services.
• – the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• – a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

When determining such security measures, businesses must take into account the nature, scope, context and purposes of their use of personal data. So far nothing really new.

5.3.4. Where did ethics begin, and is there good or bad ethics?

This question depends on practices sometimes observed which consist of charging the victim with carelessness:

• – Some data breaches have already affected 40 million people in terms of their financial information and a possible total of 70 million whose addresses, telephone numbers and other details were stolen. Are the victims aware of possible usage risks?
• – As often mentioned, there are executives who are aware early on in the process. Indeed, they are sometimes aware of the weaknesses that exist in the design of Web applications. They are therefore involved whatever the events after the breach.
• – Ethics must begin at the very top; and it is not acceptable to assume a position of saying, “Too bad you got hacked, dear customer, now prove it”.
• – Good ethics could have started at the first sign of the breach, not months and years down the road. There could have been a public acknowledgment as it was taking place. Sometimes, the stock market is a more important motivator than the customer.

5.4.1. Consequences

The problems related to the lack of security, biased information, stolen data, information misuse, rumors, etc. and corporate systems’ intrusion, hacking, fake news or information, etc., which developed thanks to globalization and social networking, are major ethical problems. These have to be addressed, as for bioethics, as the main challenge of the next generation since it will affect everyone.

The DSP are often blamed for not assuming their responsibility and must work in order to react and limit the propagation of such failures. But how?

This question is a complex one. Answers are often unknown, or not consensual. Thus, it is a business ethics problem that has to be solved.

5.5.1. Definition of a whistleblower

A whistleblower (also written as whistle-blower or whistle blower) is a person who exposes any kind of information or activity that is deemed illegal, unethical or not correct within an organization that is either private or public:

“The information of alleged wrongdoing can be classified in many ways: violation of company policy/rules, law, regulation, morality, or threat to public interest/national security, as well as fraud, and corruption, etc.

Those who become whistleblowers can choose to bring information or allegations to surface either internally or externally. Internally, a whistleblower can bring his/her accusations to the attention of other people within the accused organization such as an immediate supervisor. Externally, a whistleblower can bring allegations to light by contacting a third party outside of an accused organization such as the media, government, law enforcement, or those who are concerned”².

Some characteristics of whistleblowing include:

• – whistleblowing is a subset of data breaching;
• – in the following sections, we will develop several points related to the protection of whistleblowers. Indeed, they take the risk of facing stiff reprisal and retaliation from those who are accused of wrongdoing. Because of this, some laws were established to protect whistleblowers. Some third party groups even offer protection to whistleblowers, but that protection can only go so far. Whistleblowers face legal action, criminal charges, social stigma and termination from any position, office or job;
• – several other classifications of whistleblowing will also be defined: they can be private and public, internal and external, etc.

5.5.2. Two types of whistleblowing – same ethics?

It is relevant to distinguish between two levels of whistleblowing, namely internal whistleblowing and external whistleblowing. Most people who have a concern tend to raise this internally with their line manager or superior first, and very few whistleblowers “go public” (that is blow the whistle outside the organization) without passing through this preliminary stage.

• – Internal whistleblowing provides an organization with a golden opportunity to investigate the malpractice and “right or wrong”. This can be facilitated by efficient whistleblower policies and procedures: they provide advantages to both parties, for if the employee has voiced concern, then rectifying the problem is usually the end solution. The benefits to both parties should be obvious as the problem, if it is resolved and contained, usually results in no long-term damage done to reputation.

  However, in many whistleblowing cases, the organization’s response is often hostile. Criticism of current practices is unwelcome, and the “concerned employee” is now viewed at best as disloyal or at worst as an organizational pariah and hence deserves being victimized. This is because, when faced with this situation, many “internal whistleblowers” become external whistleblowers. They make a public disclosure to regulating bodies, the press or government bodies, and the problem is exposed in detail in the public domain.

• – External whistleblowers take the decision to go public because their initial concerns are ignored, and take action in spite of threats and retaliation. [HEN 08] concludes that the decision taken by an internal whistleblower is primarily motivated by emotions – usually annoyance and moderate anger at wrongful activities – and this leads them to report it to management. If nothing is subsequently done by managers, she found that the outrage and frustration of being ignored or punished for bringing malpractices to management attention propels them towards reporting externally.

5.5.3. Notions of ethics in the case of whistleblowing

Ethics governs a person’s or group’s behavior. The ethical implications of whistleblowing can be negative as well as positive. However, sometimes employees may blow the whistle as a ‘guerrilla’. “Rather than acting openly, guerrillas often choose to remain undercover, moving clandestinely behind the scenes, as a salmon swimming upstream against the current of power”.

Over the years, motivations driving guerrillas have been diverse. They range from altruism to the seemingly petty. Taken as a whole, whistleblowing can be interpreted as awe inspiring, as saving human lives. Nevertheless, of the more than 1,000 whistleblower complaints that are filed each year with the Pentagon’s Inspector General, about 97% are not substantiated.

The negative results of being a whistleblower could be one being seen as a traitor, a hero, or just one of the majority (97%) of whistleblowers who are simply disgruntled with a perceived unfairness.

It is believed throughout the professional world that an individual is bound to secrecy within their work sector. Discussions of whistleblowing and employee loyalty usually assume that the concept of loyalty is irrelevant to the issue or, more commonly, that whistleblowing involves a moral choice that pits the loyalty that an employee owes an employer against the employee’s responsibility to serve the public interest.

5.5.4. Public support is growing for whistleblowers

At present, whistleblowing generally has a good public perception whereas perhaps 15 or even 10 years ago [HTT 17], it may have been seen as something sneaky, like “telling tales”. Perhaps this is because during that period, the world has witnessed some spectacular scandals and many of these only became apparent as a consequence of whistleblowers.

At the micro level, in SME’s however, organizations normally react in a very negative manner to whistleblowing, often bullying the employee and dismissing them, and whilst a “fortunate few” may be paid off when the organization tries to buy their silence with gagging orders, for many others there is an uphill struggle in getting any justice at all for the economic and personal loss they suffer.

Discussions on whistleblowing generally revolve around several topics: what precisely does whistleblowing mean? How and when is whistleblowing ethical? What are the methodologies to be implemented?

Concerning business ethics, hereafter we have a set of rules that we can easily apply.

5.6.1. How to discuss new ethical issues in business?

According to Samiel Dyens [DYE 17], a lawyer, whistleblowing is an “internal warning mechanism, empowered to receive and deal with employee complaints relevant to fraud, misuses, or financial or accounting misconduct, which they may have known within the framework of their job” [BAI 10].

Such professional warnings or ethical alerts consist of literally “blowing the whistle” to alert and reveal facts or situations likely to be detrimental to an organization.

However, far from being merely an internal and simple control mechanism within an organization, whistleblowing, or ethical alerts, leads us to re-examine our relationship with the institution, with public confidence and with democracy.

There are lessons we can learn from our history. Even if denunciations, denigration and maliciousness are not uncommon in companies and administrations, the logic of institutionalization of the alert justifies a kind of rejection in our country: the dark hours of the occupation and collaboration during the Second World War have generated mistrust towards this approach.

This confusion between the obligation to denounce and the ethical alert is maintained by the legislator himself. Thinking about an ethical alert is all the more necessary today because we observe a massive and rapid dissemination of corporate warnings.

We are experiencing an unprecedented rise. There are no less than four texts which, in very different fields, provide a warning system and/or protection for the alert.

However, this promotes the mechanism of the ethics alert as being a preferred tool to fight against corruption. There are several reasons for that:

• – on the one hand, an ethical alert is not only a tool or a technique, but also a new way of designing and thinking about the relationship between an individual and the institution;
• – on the other hand, the uncontrolled and heterogeneous proliferation of warning devices did not answer a fundamental question: what is the legal meaning of an ethical alert? Is this a “simple” protection of the whistleblower?
  1. 1) Should giving a warning be an obligation or an option for an employee?
  2. 2) Should the alert be confidential or anonymous?
  3. 3) How does a warning take care of the fundamental rights of employees?
  4. 4) How can the alert be given or triggered?
  5. 5) What perimeter (limits of diffusion) can we give to an alert on ethics?

Here again emerges the need to distinguish between the obligation of denunciation as planned by rules (laws or internal rules of procedure) and issuing an ethical alert through personal initiative.

5.7.1. Lack of the above processes will erode ethics

The consequence of this is an erosion of ethics throughout some organizations (as for the famous ENRON story) and the implicit tolerance of wrong behaviors in modern society generally (as due to greed). These are factors which may go on contributing to more fraud and corruption. To break the invirtuous circle, we need the ethical tone at the top to inspire employees to do the right thing. There also needs to be a means of effective reporting of malpractices as any chain is only as strong as its weakest link. Implementation of efficient whistleblower policies and procedures in organizations is one of the best means to do this.

“The National Business Ethics Survey 2013 indicated that in the USA one in three workers observing workplace misconduct chose not to report it. This was coupled with an estimated retaliation rate of over 21% towards workers who did report wrongdoing. In the UK legislation to protect whistleblowers has been largely ineffective whatever the good intentions of the lawmakers and in spite of the frequency of Government commissioned reports identifying the benefits of whistleblowing and praising whistleblowers for their courage in making a stand against malpractices” [NBE 13].

5.7.2. Benefits of whistleblower policies and procedures

Avoiding dealing with malpractices can be construed as condoning the wrongdoing – so once the wrongdoing has been flagged up why not deal with it rather than risk it escalating to the extent of high profile negative publicity?

A reputation lost can be costly in terms of partners, customers and potential employees not wanting to be associated with a company conducting itself on dubious lines, without factoring in the obvious loss of profit. It is not a good strategy for business.

Usually, most customers and employees want to be associated with companies that demonstrate high ethical standards, organizations that value their workforce, comply with the law of the country they are operating in and promote a healthy relationship at all the levels of its hierarchy. Furthermore, if malpractice is going on in an organization, those at the top, especially those involved in governance, if they have any ethical values should really welcome these matters being brought to their attention.

How can whistleblower policies and procedures be harnessed positively to the benefit of everyone so that corporate governance can be strengthened and without any detriment to the person blowing the whistle?

Organizational hotlines can be a useful internal form of communication and potentially reduce the risk of external whistleblowing and increased exposure of malpractices in the public domain. It is also possible to implement improved communications between an organization and whistleblowers to provide more opportunities to resolve issues in their work.

Another advantage of having an anonymous whistleblowing hotline is that it may encourage the estimated third of workers who choose NOT to report wrongdoing to feel more comfortable about making a disclosure. Certainly, the silence of many the so-called “Inactive Observers” (or silent alert launchers) is sometimes because they assume that no action will be taken; however, many may feel more comfortable anonymously divulging information that they may otherwise have withheld, and therefore anonymous whistleblowing hotlines may potentially result in more whistleblowing.

5.8.1. Useful links and further information

Ethics Resource Center: www.ethics.org

KPMG [KPM 17] – Analysis of Global Patterns of Fraud: Who is the Typical Fraudster? Available at: https://www.kpmg.com/US/en/IssuesAndInsights/ArticlesPublications/Documents/who-is-the-typical-fraudster.pdf

Whistleblowing Commission Report (2013) sponsored by the charity Public Concern at Work available at: http://www.pcaw.org.uk/

Whitepaper: Beyond Compliance: Implementing Effective Whistleblower Hotline Reporting Systems available at: http://touroinstitute.com/Beyond_Compliance.pdf