Ethics Breach As Privacy Breach

Welcome to this week’s Tip of the Hat! We’re still sorting through the big pile of notes and handouts from our trip to #PSR19 last month. This week’s newsletter covers another session from the conference. Escaping the clutches of CCPA, we focus on another important topic – particularly for libraries – for reasons that will become clear below.

Data breaches are a common occurrence in life. We get email notifications from Have I Been Pwned, credit monitoring referrals, and the inevitable “we value your privacy” statement from the breached company. Breaches also happen at libraries and library vendors; there’s no escaping the impact of a data breach.

What you might not know, though, is that breaches come in different forms. In their presentation “The Data Breach vs. The Ethics Breach: How to Prepare For Both,” James Casey and Mark Surber broke down the three types of breaches: security, data, and ethics. Security and data breaches take many forms: improper staff access levels to a database, a stolen unencrypted laptop, or an email containing sensitive data sent to the wrong address.

While security and data breaches focus primarily on failures to secure data on a technical, procedural, or compliance level, ethics breaches are failures to handle data in a way consistent with organizational or professional values. A key point is that you can still have an ethics breach even if you follow every rule and regulation. Ethics breaches involving privacy include using consumer data for purposes that, while not violating any legal regulation, the consumer would never expect their data to be used for. Another example is doing the absolute minimum for data security and privacy that regulations and industry standards require, even when the reality is that these minimum requirements will not adequately protect the data from a breach.

Ethics breaches damage an organization’s reputation and public trust in that organization and, given the difficult nature of cultivating reputation and trust with the public, are hard to restore to pre-breach levels. Monetary fines and settlements make data and security breaches costly, but the lost reputation and trust from ethics breaches could very well be the more expensive type of loss even before you factor in the harm to the persons whose data was caught in the breach.

Casey and Surber’s talk proposed an Ethics by Design approach: aligning data practices with ethical standards at every stage of development and operation. Ethics by Design might look something like this in libraries:

  • Adherence to professional ethics codes and standards, including:
  • Auditing vendors for potential ethics breaches – this audit can be done at the same time as your regularly scheduled privacy and security audits.
  • Considering patron expectations – patrons expect libraries to respect and protect their privacy. That privacy extends to the library’s data practices around collection, use, and sharing with third parties. Patrons do not expect to be subject to the same level of surveillance and tracking practiced by the commercial sector. The ethics breach litmus test from Casey and Surber’s talk can help identify an unethical data practice: upon learning of a particular practice, would a consumer (or in this case, a patron) respond with “you did WHAT with my data?!” If so, that practice might lead to an ethics breach and needs to be re-evaluated.

Ethics by Design asks us to “do the right thing”. Ethical practices need money, time, and resources – all of which many libraries are short of at one time or another. It is easy to bypass ethical standards and practices, or to do the absolute minimum required by regulations, particularly when “everyone else is doing it.” The nature of library work at its core is to uphold our patrons’ human right to access information. Ethics guides libraries in creating practices that uphold and protect those rights, including the right to privacy. Protecting patron privacy should focus not only on preventing a security or data breach but also on preventing an ethics breach.