write a two page case anaylsis using business ethics on the HBS case study, You Can$$t Tell Anyone $($A$)$ by Mary Gentile and Brian Moriarty You Can't Tell Anyone $(A)$

It was January $26,2020,$ and Tom Patton's thoughts were racing a million miles per minute as he closed

the door to his office and sank into his desk chair. ${?}^1$ He was head of internal communications at RothBabbitt

Cyber $($RothBabbitt$).$ His boss, the chief communications officer, I.ucille Givens, had warned him just minutes

before "You can't tell anyone. And we need this figured out in the next $24$ hours before the rest of the world

fincls out."

Failing at What You Are Known For

An hour earlier, Givens had called Patton to her office and told him they needed to meet. Patton could tell

that something was wrong from the moment he had picked up the phone and heard the tone of his boss's

voice. He hung up and immediately headed toward her office.

When Patton arrived, General Counsel Ray Downey and Givens were seated at her small conferenee table.

They both waved Patton in and signaled him to shut the door behind him.

"We've got bad news to share, Tom," Givens began.

"Yes," added Downey, "and it is highly confidential$-$nothing we discuss in the next hour goes beyond

our circle right here until leadership gives us the go$-$ahead, agreed?"

"Cot it$,"$ Patton repliec. $"$So what's going on$?"$

Givens and Downey explained to Patton that RothBabbitt, a well$-$regarded publicly held cybersecurity firm,

had suffered a significant data breach due to a cylerattack. Although the initial breach had occurred on July $18,$

$2019,$ the company had not discovered it until January $4,2020).$

The initial report from the cyber forensics and investigation team was devastating. The months$-$long

infiltration had enabled hackers to acoess multiple services within RothBabbitt's systems, compromising

information from a broad spectrum of its clients. The stolen data included personal identifying information

Aspen lestikutc, which abos served as the insuhatce for GiVV. From $2019$ to $2015,$ CiVV was boxted and sepported by Bahson $($ixllegec$.$ This case studly

the contern of thind parties $("$Thied Party Cantent"$).$ Thind Party $($isencnt is not monitoect, reviculah, or upelated, mor is any Thied Party Cimtent

endoreat by the IDelointe Founchatice. $($PII$)$ such as names, addresses, social security numbers, and other financial information associated with a

national lending institution.

Intruders had also accessed clata belonging to several local clients, including a major metropolitan hospital,

purloining hundreds of patients' PII with medical records. Some of these patients were children who resided

in RothBabbitt's home city. The impact of the exposute was both national and radically local. "And that's just

what we've found so far," Downey saic gravely. $"$It could get even worse."

The initial breach was perpetrated on a RothBabbitt server running an application with an error in its code

that made it susceptible to hackets. On July $12,2019,$ the company that produced the application had issued a

waming message about the vulnerability and a patch that owners of the software could deploy to correct the

error. RothBabbitt's information technology $($IT$)$ team members had received the alett and patch instructions;

however, they did not believe this application was running on any of their machines because it did not appear

in inventories of their digital assets. They ran a scan of their systems to check if the application was deployed

on their servers, but it did not discover the program. System scans were imperfect and could fail to detect

progtams for a variety of reasons, such as firewall issues. Unaware that the company was using the vulnerable

application, the RothBabbitt IT team did not install the available patch to prevent a cyberattack from

succecding. ${?}^2$

As Downey spoke, Patton envisioned this disaster's powerful impact on the people whose PII had been

breached. Knowing that someone has stolen your PII is like walking around with a dark cloud over your head,

he thought. You don't know who has your information, whether criminals are brokering it on the dark web, or

when and how someone might use it for nefarious purposes such as emptying a savings account or stealing an

identity.

Patton was also concerned about how this news would affeet RothBabbitt's workers. Employees would

likely be anxious about their job security and fear that their standing in the community might take a sharp turn

due to their association with RothBablitt. People whose information had been stolen in the attack were going

to be angry, not only with the company but also with all the people who wotked there. They would want to

understand why the company did not notify victims of the data breach sooner. Patton imagined parents getting

yelled at during their child's soceer game or being glared at by their neighbors.

Downey explained that RothBabbitt had retained couns