Making Ethical Decisions
Leaders must make decisions daily regarding their teams, their organizations, and their own actions. These decisions range from fairly straightforward and simple to more complex and involved. While many decisions do not have an ethical dimension, often a leader will find him or herself faced with a decision that tests his or her ethical standards. The choice made by that leader can have drastic repercussions not only for the decision in question, but the organization’s brand, reputation, and longevity. The leaders at Equifax were faced with difficult decisions, and their choices have influenced the way we look at the data organizations have access to regarding ourselves.
On July 29, 2017, the leadership at Equifax was made aware that there had been a massive security breach that had compromised the personal information of around 143 million people in the United States (O’Brien, 2017). The data breach had started in mid-May and continued until detected in July (White, 2017). White (2017) reported, “According to the company, criminals were able to access the social security numbers, birth dates, and addresses for a massive- but as yet unspecified- number of U.S. consumers.” Criminals with access to that type of personal information would find it very easy to steal the identities of these consumers, thereby affecting their credit scores and purchasing power for years to come. The leaders at Equifax had a major decision on how to respond to this data breach.
It seems fairly obvious that an organization facing this type of issue would only have one option: disclose the breach immediately to help consumers monitor their credit for strange purchases or accounts. However, reporting a data breach has major implications for the organization as a whole. When an organization is affected by a data breach and makes that information public, trust in the organization decreases, potentially causing a loss of profit for the organization. If Equifax were to release the information regarding the data breach, the organization could lose money and its shares on the stock market would lose value. The leaders had to decide, when will we make the data breach information public knowledge? The leaders at Equifax decided to release the information on September 7, 2017, to news outlets alerting the public about the data breach they had suffered (Siegel Bernard, Hsu, Perlroth, & Lieber, 2017). The news gained widespread media attention, but what garnered more outraged than the data breach was the discovery that three executives at Equifax has sold roughly $1.8 million worth of shares as soon as they became aware of the data breach but before it was made public (Siegel Bernard, Hsu, Perlroth, & Lieber, 2017).
Another decision the leaders at Equifax had to make was how much information to release regarding the breach. Again, this decision weighed the company’s ethics against its profitability. Understanding how much information was compromised could again have negative effects on the company’s profits and brand trust from consumers. Equifax initially reported that 143 million consumers were affected by the breach, and their Social Security numbers, birth dates, and addresses were leaked (White, 2017). However, in February and March of 2018, it was further revealed by a Senate investigation that the number of consumers affected by the data breach was closer to 147.9 million, which was more than previously reported, and additional information, such as tax identification numbers, email addresses, and additional license information, was also received by the hackers (Fung, 2018) (Whittaker, 2018). This additional disclosure further damaged the reputation of the consumer credit reporting agency.
The leaders at Equifax demonstrated terrible ethical decision-making. They made the decision to wait to report the breach and not report the full extent of the breach based on how it would affect them personally. This indicates, first and foremost, that the leaders of Equifax think and act with a manager mentality and not a leader mentality. Management decision-making looks at the benefits to the manager and his or her team or division and choices are made based on what provides the greatest benefit, while leadership decision-making looks at the benefits to the organization, no matter the effect on the team or division; the needs of the organization are the most important (Burns, Sorenson, Goethals, & Sage, 2004, p. 317). The leaders at Equifax looked at how the data breach would affect their profits and personal financials and made decisions on how to handle it based on that information. If the leaders had looked at the decisions of when and how much information regarding the data breach to release through both the facts of how it would affect the organization and its consumers and their “gut check” or emotional intelligence, a better decision could have been made.
According to Northouse (2016), “…emotional intelligence can be defined as the ability to perceive and express emotions, to use emotions to facilitate thinking, to understand and reason with emotions, and to effectively manage emotions within oneself and in relationships with others” (p. 28). Emotional intelligence is our ability to understand our own emotional state, the emotional state of others, and to use emotions to make decisions about how and when we do things. It is a critical part of making ethical decisions because it helps clarify when a decision is wrong even though the factual information presented is accurate. Leaders making ethical decisions must consult their emotions, or do a “gut check”, to help fully understand if an option is ethical or not. If the leaders at Equifax had considered how the delay in releasing the breach information and the minimizing of the scope of information released would affect the brand of the company, they may have reconsidered waiting and not divulging everything upfront. While they would have personally taken a financial hit, consumers would have been less upset as they wouldn’t have felt misled or lied to by the organization.
In order to avoid making further unethical decisions, Equifax or any other organization should review the culture within the organization first and determine what improvements may be needed in order for the organization to establish a more ethical culture. It may require additional training or making the expectations more prominent, but it must occur to change the way employees at all levels behave. Another change that should be made is the leaders who made the questionable decisions to withhold the data breach information and minimize what was disclosed should be fired from their positions. Leaders must be held to the same ethical standards as any other employee, and leaders who cannot make ethical decisions should not lead an organization towards unethical practices. As leaders within the organization make decisions, there should be more “checkpoints” or additional input before major decisions can be made. When the leaders at Equifax were determining how to handle the data breach, there should have been others involved, such as lawyers or ethics and compliance officers, that would help steer the decision towards the correct outcome. Finally, there must be an established anonymous compliance line that would allow individuals who are aware of unethical behaviors to report those behaviors without fear of retaliation. In the six weeks between the breach becoming known at the organization and being made public to consumers, there may have been individuals who, if given a secure opportunity to do so, would have reported the unethical decisions and made the breach public sooner. However, for leaders within the company to be able to make the decisions they did without any early leak of the information leads me to believe the culture at Equifax is highly unethical and there isn’t a way for employees to report wrongdoings.
Leaders have to make many decisions within their roles at their organizations. Not all decisions have an ethical dimension, but those that do should be handled carefully and reviewed fully, as wrong decisions can have far-reaching impacts on the organization’s financial and brand health. The leaders at Equifax demonstrated they did not have the ability to make the ethically correct decisions regarding the data breach in 2017. Hopefully, with changes in leadership and further development of an ethical culture within the organization, Equifax can regain its footing and move in a more ethical direction in the future.
Burns, J. M, Sorenson, G. J., Goethals, G. R., & Sage Publications, i. (2004). Encyclopedia of Leadership. Thousand Oaks, CA: Sage Publications, Inc. Retrieved from: https://libproxy.bvu.edu/login?url=http://search.ebscohost.com/login.aspx?direct=tr ue&db=nlebk&AN=474283&site=ehost-live&scope=site (Links to an external site.)
Fung, B. (2018, March 1). Equifax’s massive 2017 data breach keeps getting worse. The Washington Post. Retrieved from: https://www.washingtonpost.com/news/the- switch/wp/2018/03/01/equifax-keeps-finding-millions-more-people-who-were-affected- by-its-massive-data-breach/?noredirect=on&utm_term=.aa7604390254
Northouse, P. G. (2016). Trait approach. In M. Stanley, A. Rickard, L. Larson & M. Masson (Eds.), Leadership: theory and practice (pp. 19-42). Thousand Oaks, CA: Sage Publications.
O’Brien, S. A. (2017, September 8). Giant Equifax data breach: 143 million people could be affected. CNN Tech. Retrieved from: https://money.cnn.com/2017/09/07/technology/business/equifax-data-breach/index.html
Siegel Bernard, T., Hsu, T., Perlroth, N., & Lieber, R. (2017, September 7). Equifax says cyberattack may have affected 143 million in the U.S. The New York Times. Retrieved from: https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html
White, G. B. (2017, September 7). A cybersecurity breach at Equifax left pretty much everyone’s financial data vulnerable. The Atlantic. Retrieved from: https://www.theatlantic.com/business/archive/2017/09/equifax-cybersecurity- breach/539178/
Whittaker, Z. (2018, February 12). Equifax says more private data was stolen in 2017 breach than first revealed. ZD Net. Retrieved from: https://www.zdnet.com/article/hackers-stole- more-equifax-data-than-first-thought/