Moves to tighten corporate information security – often driven by compliance and regulatory pressures – increasingly require employees to sacrifice a degree of privacy.
Just as legislators in the US and Europe are asking citizens to accept greater surveillance through devices such as biometric passports and identity cards, so businesses are under greater pressure to monitor what their staff do with business information. This pressure is all the greater when it involves customer data.
For CIOs and chief information security officers (CISOs), this poses an acute dilemma. The US Sarbanes-Oxley Act requires companies to set up confidential mechanisms for whistle-blowers, for example. In European countries such as France, such devices are culturally beyond the pale. If the telephone number or confidential e-mail box is hosted in the US, it might not even be legal.
Other examples include rules that prevent companies from moving employee data overseas, reading employee e-mails without first seeking a court order, or contacting customers by e-mail without their prior consent. “There is always the dynamic tension between public safety and personal privacy,” says Jay Heiser, a research vice president and security expert at industry analysts Gartner. “Each culture cuts that in a different way. Technology exacerbates the problem. When you have a business environment that extends across cultural and jurisdictional boundaries you are setting up a situation where there is conflict.”
One of the most intractable problems is employee monitoring. Although it is normal practice in the US and the UK, in some European countries monitoring without prior consent is virtually impossible. Legal experts caution that consent has to be genuine: an employee is not consenting if the alternative is demotion or the sack.
This means multi-national companies can find themselves having to operate multiple policies across their trading regions or add extra steps to their processes.
“To save costs, we have one mail transfer agent in Europe. An e-mail sent from Paris goes out via London,” explains Michael Colao, global head of IT security at Dresdner Kleinwort Wasserstein, the investment bank.
“The first call when an e-mail leaves the bank is to our global human resources system. We have to determine where the employee sits and what rules govern monitoring. If you send an e-mail outside the bank with the subject ‘internal use only’ from London it goes straight to our compliance department. We can’t do that in Madrid.”
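The egress check Mr Colao describes, written out as an added example that is not the bank’s code: the HR directory, the per-country rule table, the internal domain and the hold-for-review default are constructed stand-ins.

```python
"""Jurisdiction-aware outbound mail routing, after the DrKW description."""
from dataclasses import dataclass
from typing import Optional

INTERNAL_DOMAIN = "bank.example"     # constructed internal domain
MARKER = "internal use only"         # subject marker quoted in the article

# Constructed stand-in for the global HR system: sender -> ISO country code.
HR_DIRECTORY = {
    "london.trader@bank.example": "GB",
    "madrid.trader@bank.example": "ES",
}

# Constructed rule table: may outbound mail from staff in this jurisdiction
# be inspected by subject and diverted to compliance without consent?
MONITORING_RULES = {
    "GB": {"inspect": True},
    "ES": {"inspect": False},
}


@dataclass
class Decision:
    action: str   # "deliver", "compliance" or "hold"
    reason: str


def lookup_location(sender: str) -> Optional[str]:
    """First call on egress: ask the HR system where the employee sits."""
    return HR_DIRECTORY.get(sender.lower())


def route_outbound(sender: str, recipient: str, subject: str) -> Decision:
    """Decide what the shared MTA does with one outbound message."""
    if recipient.lower().endswith("@" + INTERNAL_DOMAIN):
        return Decision("deliver", "recipient is internal, mail never leaves the bank")
    country = lookup_location(sender)
    if country is None or country not in MONITORING_RULES:
        # Assumption: with no jurisdiction there is no rule, so hold the message
        # for manual review rather than guess whether inspection is lawful.
        return Decision("hold", f"no monitoring rule known for sender {sender}")
    if not MONITORING_RULES[country]["inspect"]:
        # Subject is not examined at all for staff who cannot be monitored.
        return Decision("deliver", f"inspection not permitted for staff in {country}")
    if MARKER in subject.lower():
        return Decision("compliance", f"subject marked {MARKER!r}, sender in {country}")
    return Decision("deliver", f"inspected, no marker, sender in {country}")
```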
It is not only financial services that are affected. Microsoft, for example, trades in more than 100 countries. According to security and privacy head Peter Cullen, to meet the most stringent local rules, Microsoft has had to set the bar “very, very high” for its security and privacy policies. So its data privacy practices exceed what is required in many countries.
Taking the high ground in issues such as privacy and securing customer data does no harm to a company’s reputation, but it entails costs. California state law 1386, which forces companies to tell customers if their data has been exposed, has effectively become an international rule. “In the event of triggering the circumstances of 1386 we have to tell all our customers. We can’t operate multiple policies so local laws become global,” says DrKW’s Mr Colao.
Businesses also have to balance the fact that while some privacy and security legislation is specific, some is vague. Italian law, for example, specifies the type of password a company should use. In the UK, the law talks of taking “reasonable measures” to secure data. Yet both laws are based on EU data legislation.
“Businesses have to have a strategy for managing risk, security and privacy that is aligned with their business objectives,” says Ray Stanton, head of BT’s global security practice.