Canada’s privacy chief has expressed concern over the use of employee surveillance technologies, and urged organizations to “look beyond intrusive solutions” in dealing with information and corporate security issues.
Speaking before delegates to the InfoSecurity Canada conference held in Toronto last month, federal Privacy Commissioner Jennifer Stoddart discussed issues around security and privacy, including privacy in the workplace, protection of personal information with cross-border disclosures, and the increasing risk of corporate insider threat.
Stoddart acknowledged that companies today are faced with the challenge of securing their IT and information assets. She suggested, however, that finding ways to solve this problem should not be done at the expense of employee privacy. “Too often we reach for the obvious solutions, rather than the right one,” said Stoddart. “Sacrificing privacy may not be the solution at all.”
The privacy commissioner also urged the IT industry to consider the privacy implications when developing technologies that aim to improve business processes and address security issues, and not be easily “seduced by the siren song of technology.”
Stoddart’s InfoSec keynote was echoed in her annual report to Parliament last month, where the commissioner cited “technology leaders” such as Microsoft and IBM which are constantly developing new schemes for identity management to deal with issues such as online fraud and spam.
“The challenge of protecting data is increasingly globalized, because actions in one distant part of the world now may directly impact the privacy of Canadians,” Stoddart said in her report.
In the same way that technologies may compromise privacy, the human element can also be a factor for privacy or data breach. Stoddart said the rise of the insider threat, or breaches caused by employees with access to corporate data, may be the most dangerous threat to privacy and security, and the one that’s the most difficult to defend against.
“Often, we defeat privacy and security not through malice, but through negligence,” stressed the federal executive, pointing to various headline-grabbing examples of actual data breaches that resulted from human negligence. And the planned integration of electronic health records in Canada only makes the insider threat more real and more dangerous, Stoddart said. “The deliberate or negligent exposure of medical records could [have] profound (effects) for all of us.”
But with all the recent hype around insider threats, this risk is nothing new, according to Marc van Zadelhoff, a vice-president at Herndon, Va.-based Consul Risk Management Inc., a developer of user activity monitoring, reporting and auditing applications. The difference today is that regulation and compliance make these situations more urgent, he said.
Zadelhoff was at the InfoSecurity event presiding over a presentation on privileged user monitoring entitled, Who’s Watching the Watchdog? Consul’s technology lets firms conduct systems audits and monitor user behaviour. Implementing these tools is partly driven by regulatory compliance and partly by business concerns on security and information asset protection, said Zadelhoff.
Reacting to the privacy commissioner’s concern about workplace privacy, Zadelhoff stressed it is important that user monitoring tools are designed in a way that preserves employee and customer privacy.
Consul’s monitoring tools, for instance, can provide behavioural reports on a per-user basis, detailing the user name and the applications and files accessed. But such functionality, Zadelhoff said, can be configured so that it maintains user anonymity while still being able to monitor network activities.
“Our solution is to be used by security staff for the purposes of monitoring around compliance and audit, so you can restrict who uses the solution. We have never ever had an issue where our solution led to privacy issues, because people realize that this should be implemented in a careful manner,” said the Consul executive.
Zadelhoff added that the customers who are buying such user monitoring technologies are either security, privacy or compliance officers, who understand the issues around privacy protection.