IT shops balance security, privacy

The threat of terrorist attacks against corporate America has forced IT departments to try to figure out how to protect employee privacy when implementing new security technologies.

Companies can be held liable if employees’ personal information isn’t adequately safeguarded, experts warn. So security technology and service providers are increasingly being called upon to educate their clients about privacy issues when those clients set out to enhance their employee authentication and monitoring procedures.

Rebecca Whitener, director of privacy services at Plano, Tex.-based Electronic Data Systems Corp., said she has seen an increase in the number of clients interested in biometric access controls, employee authentication systems and tools for enforcing policies that cover acceptable use of company computers. And the issue of privacy has taken centre stage in each of those areas, she said.

“The issue still remains that you want to have clear notice of what information is being collected and how it’s being used. There are still areas of privacy that remain sacrosanct,” such as personal financial data and health care information, said Whitener. “Companies have to consider the regulatory environment and make sure they don’t lose sight of that,” she noted.

Don’t Disclose

More important, companies that are deploying employee monitoring and authentication systems that collect and store personal data need to do so with an eye toward protecting that information from unauthorized disclosure, said John Spotila, president of GTSI Corp., a systems reseller in Chantilly, Va., and former administrator of the Office of Information and Regulatory Affairs during the Clinton administration.

“Many of the potential problems arise because people don’t think through all of the implications of what they are doing,” said Spotila. For example, when a company collects biometric information and stores it in a database, that company accepts an implied responsibility to limit access to that information. While there are no legal constraints on how much information companies can collect or what they can monitor, “it’s certainly possible to take on liability” if that information is compromised, Spotila said.

The potential problems don’t stop there, he said. “You can destroy morale, and people won’t want to work for your company if you reach too broadly,” Spotila said. “Decision-makers need to use common sense.”

Mike Reagan, senior vice-president at Vericept Corp. in Englewood, Colo., which develops software to monitor acceptable network use policies, agreed. He added, however, that sound policies and technologies can actually improve productivity. “Productivity usually increases when employees know where the lines are,” he said.

Ronald Krutz, privacy practice director at Corbett Technologies Inc. in Alexandria, Va., said the events of Sept. 11 created a new market in privacy policy enforcement for his company. Corbett last week launched a service that’s designed to bring structure and formality to corporate privacy policy audits and help executives avoid liability pitfalls.

The new service will involve a series of interviews with key managers to ascertain what privacy protections and policies executives think are in place in their company. Those interviews will then be compared with the results of audits that show what is actually in place.

“There are mature standards for assessing security,” said Krutz. “Privacy, on the other hand, doesn’t seem to have that formality.”

The issue of privacy “boils down to what data is collected and how it’s used,” said Richard Jones, vice-president of technology at CommerceHub, an online hub for business trading partners based in Clifton, N.J. “Having an iris scan or palm print of someone is no more an abrogation of privacy than having a fingerprint, and for that, privacy standards and protocols have long been established.”

In any case, it’s clear that many IT shops have yet to address the issue.

An IT manager at a major financial institution, who spoke on condition of anonymity, said he is unaware of any new projects since Sept. 11 that are specifically related to privacy. He did say that the privacy challenge is an internal one.

There’s really “no way to completely protect the company’s data from employees with authorized access,” the IT manager said. “We can’t stop different groups from looking at the data they need to do their jobs, but we try very hard to prevent them from updating the data without an audit trail.”

Post-Sept. 11 Security Measures Raise Privacy Concerns

Unprecedented security measures put in place in the aftermath of the Sept. 11 terrorist attacks on the U.S. have some civil libertarians worried that the tenuous balance between the need for public protection and the right to privacy may be shifting rapidly in the wrong direction.

They cite plenty of examples: