Sunday, September 29, 2019

Handling possible data hack


Last week, a reader we're calling Jack received two emails from a law firm whose emails he occasionally received via the firm's listserv, but with whom he'd never actually done any business.

Imagine his surprise when he opened the email and it informed him that the firm planned to debit his bank account for just shy of $3,000 that afternoon. The email instructed the reader to click on a link to read the specifics of the invoice.

Believing the email might be a scam, Jack looked at the return email address and saw that it appeared to have come from someone at the law firm. Nevertheless, Jack knew he had never hired the law firm to do any work for him.

Once he determined that the email was suspicious, Jack knew enough not to click on the link. He thought it might be some sort of phishing expedition where a third party had somehow hacked the law firm's or listserv provider's account and sent out fake emails in an effort to collect information or perhaps money from unsuspecting recipients.

Typically, Jack would just delete such an email and leave it at that. But even though he had never done business with the firm, Jack knew people who worked there. He also suspected that others had received the same email. Was it enough to simply delete the mail, Jack wonders? Who should he alert at the law firm to tell that he had received it?

Jack did not send out the mail and he has no direct responsibility for the law firm's clients. Had he simply deleted the email he would have done nothing wrong.

But the best right thing for Jack to do in response is to alert the alleged sender of the email that he had received a suspicious email from the firm. He can forward the email he received and indicate that he knows he has no invoice due, but that he was concerned that the law firm's email listserv had been compromised.

Too often, however, when people like Jack alert a person or a firm that they have received such phishing emails, the person or company contact doesn't respond, even if they do explore what happened internally. Once Jack sends an email to the company to inform it of the issue, the right thing is for someone at the firm to respond to Jack, thank him for the alert, and assure him that he should ignore and delete the email.

But such a response doesn't go far enough. If that same errant email went out to the entire listserv, the right thing for the firm to do is to send another email out to the listserv, acknowledging the problem and informing the recipients what they should do.

Those instructions might include urging recipients not to click on any links, to change passwords if they did click on the links, to delete the emails from their inbox and trash, and to run a virus scan, either themselves or through their IT department. Offering a phone contact for someone at the firm for follow-up questions wouldn't be a bad idea either.

When something suspicious happens, the right thing for all involved is to reassure those who might have been caught up in the hack. 


Follow him on Twitter: @jseglin

Do you have ethical questions that you need answered? Send them to rightthing@comcast.net.
 

(c) 2019 JEFFREY L. SEGLIN. Distributed by TRIBUNE CONTENT AGENCY, LLC.


Sunday, September 22, 2019

Be upfront about who's writing tweets


I am not a physicist, but I am loosely familiar with some natural law of physics which holds that it is impossible for us to be in two places at the same time. Unless, of course, you're a subatomic particle, which I'm not. Or Schrodinger's cat, which I'm also not.

For the longest time now, I've assumed that other human beings who are neither subatomic particles nor physicists' imaginary cats also are unable to be in two places (or exist in two states of being) at one time. But the recent spate of televised debates among the Democratic Party's presidential hopefuls suggests otherwise.

On the evening of the most recent three-hour debate, several of the candidates tweeted out comments during the course of the evening, a feat seemingly impossible because they were standing on a stage at the exact moment one of their tweets got posted. Often, the tweets seemed pre-packaged to coincide with a good line or salient point the candidate managed to work into the debate.

While it may seem obvious to many that someone or a group of people on the candidate's campaign staff is tweeting on the candidate's behalf, it seems odd that candidates would not want their followers to know when they are actually tweeting and when someone else is tweeting on their behalf. The same goes for candidates from other political parties.

It's just that because there were so many people on stage who were vying for the Democratic presidential nomination, the practice was in sharp display during the three-hour debate.

Is it wrong for a busy person to have someone else manage their social media? Of course not. But it seems a lost opportunity for any candidates or political officeholders to engage in honesty and transparency by making clear to followers whether they are actually writing and posting their own words. It would be the right thing to do.

There are a few methods of practicing honest tweeting. One would be to include a sentence in a Twitter profile that essentially says, "I do not always write my own tweets."

But a better way for Democrats, Republicans, Libertarians and those of any party to practice Twitter transparency is to borrow a practice similar to that used by Michelle and Barack Obama when the latter was in office.

On the morning of Jan. 12, 2012, in one of her first tweets, Michelle Obama wrote: "This account will be managed by campaign staff, with any tweets from the First Lady herself signed '-mo.'" The president used 'bo' to indicate which tweets were directly from him. It would have been simple for any of the Democratic candidates to have engaged in a similar practice so followers could distinguish when they and not a staffer wrote under their name.

After all, we all know that you can't be tweeting while you are engaged in a live debate, unless moderators have started allowing the practice. It's disingenuous to pretend that you are capable of doing so, unless you are a subatomic particle or a thought-experiment cat.

Few of the latter ever run for office. 

