Federal exec touts workplace privacy

Canada’s privacy chief has expressed concern over the use ofemployee surveillance technologies, and urged organizations to”look beyond intrusive solutions” in dealing with information andcorporate security issues.

Speaking before delegates to the InfoSecurity Canada conferenceheld in Toronto last month, federal Privacy Commissioner JenniferStoddart discussed issues around security and privacy, includingprivacy in the workplace, protection of personal information withcross-border disclosures, and the increasing risk of corporateinsider threat.

Stoddart acknowledged that companies today are faced with thechallenge of securing their IT and information assets. Shesuggested, however, that finding ways to solve this problem shouldnot be done at the expense of employee privacy. “Too often we reachfor the obvious solutions, rather than the right one,” saidStoddart. “Sacrificing privacy may not be the solution at all.

The privacy commissioner also urged the IT industry to considerthe privacy implications when developing technologies that aim toimprove business processes and address security issues, and not beeasily “seduced by the siren song of technology.”

Stoddart’s InfoSec keynote was echoed in her annual report toParliament last month, where the commissioner cited “technologyleaders” such as Microsoft and IBM which are constantly developingnew schemes for identity management to deal with issues such asonline fraud and spam.

“The challenge of protecting data is increasingly globalized,because actions in one distant part of the world now may directlyimpact the privacy of Canadians,” Stoddart said in her report.

In the same way that technologies may compromise privacy, thehuman element can also be a factor for privacy or data breach.Stoddart said the rise of the insider threat, or breaches caused byemployees with access to corporate data, may be the most dangerousthreat to privacy and security, and the one that’s the mostdifficult to defend against.

“Often, we defeat privacy and security not through malice, butthrough negligence,” stressed the federal executive, pointing tovarious headline-grabbing examples of actual data breaches thatresulted from human negligence. And the planned integration ofelectronic health records in

Canada only makes the insider threat more real and moredangerous, Stoddart said. “The deliberate or negligent exposure ofmedical records could [have] profound (effects) for all of us.”

But with all the recent hype around insider threats, this riskis nothing new, according to Marc van Zadelhoff, a vice-presidentat Herndon, Va.-based Consul Risk Management Inc., a developer ofuser activity monitoring, reporting and auditing applications. Thedifference today is that regulation and compliance make thesesituations more urgent, he said.

Zadelhoff was at the InfoSecurity event presiding over apresentation on privileged user monitoring entitled, Who’s Watchingthe Watchdog? Consul’s technology lets firms conduct systems auditsand monitor user behaviour. Implementing these tools is partlydriven by regulatory compliance and partly by business concerns onsecurity and information asset protection, said Zadelhoff.

Reacting to the privacy commissioner’s concern about workplaceprivacy, Zadelhoff stressed it is important that user monitoringtools are designed in a way that preserves employee and customerprivacy.

Consul’s monitoring tools, for instance, can provide behaviouralreports on a per-user basis, detailing the user name and theapplications and files accessed. But such functionality, Zadelhoffsaid, can be configured so that it maintains user anonymity whilestill being able to monitor network activities.

“Our solution is to be used by security staff for the purposesof monitoring around compliance and audit, so you can restrict whouses the solution. We have never ever had an issue where oursolution led to privacy issues, because people realize that thisshould be implemented in a careful manner,” said the Consulexecutive.

Zadelhoff added that the customers who are buying such usermonitoring technologies are either security, privacy or complianceofficers, who understand the issues around privacy protection.