Workplace Data Privacy Vs. Security: The New Balance
Is it time to rethink the traditional lock-down approach to employee use of corporate networks at work?
Over the last 15 years, security interests have largely silenced the data privacy debate, leaving companies and employees around the world paying a high price. Today, this focus on security has created a backlash, one that I predict foreshadows a new balance in workplace privacy and security that will tilt more toward individual protection.
But first, let’s talk about the present. Individual privacy and security of the company network are under increasing distress for three main reasons.
- More worktime online: Employees now spend on average nearly two hours per day in personal web use at work. According to the Palo Alto Networks Modern Malware Review, this activity is the source of 90 percent of malware threats and exposes organizations to a loss of trade secrets, data breaches, and financial theft.
- Cyberthreats on the rise: The growing experience and training of hackers (both individuals and state-sponsored) has led to record numbers of malware incidents and data breaches, resulting in record high losses and related costs, according to the Open Security Foundation data loss database.
- Employee privacy rights activism: Companies, regulators, and employees around the world are starting to pay attention to corporate end-user monitoring and what employees have a right to keep private while using computers and networks at work. In Europe, for example, regulators have begun to set limits on the use of end-point monitoring solutions such as Data Loss Prevention (DLP), due to potential conflicts over employee privacy rights.
To my mind, the crux of the privacy issue is that employees and employers seem to have competing goals. Employers’ focus is on ensuring corporate security, increasing productivity, and reducing liability for bad employee behavior like cyber loafing, gambling, or accessing pornography. Employees struggle with balancing a need to use corporate infrastructure for online activity (like personal email) but still want to protect their personal information and reputations.
These goals do overlap, but in an attempt to navigate this environment, many employers (both wittingly and unwittingly) violate employee rights to privacy every day. Worse still, many companies have responded to the "new normal" by clamping down on employee web use by applying employee monitoring systems and unrealistic, unclear Acceptable Use Policies. This creates an unspoken tension in the workplace and takes employers into the territory of potential unfair trade practices under FTC Title 5, which states that if an organization has a policy but doesn’t follow it, the organization is engaging in a deceptive trade practice. In addition, the traditional lock-down approach delivers only modest gains in organizational security and little reduction in employer liability.
There has to be a better way
In Europe, more than 50 global jurisdictions have signed omnibus privacy laws, providing greater protection for individuals in the workplace and signaling an increase in the number of privacy laws worldwide. In the US, the White House last year published a 62-page privacy whitepaper that includes a Consumer Privacy Bill of Rights with recommendations on handling individuals’ personal data pertaining to issues of control, transparency, respect for context, security, access and accuracy, limits on data collection, and accountability.
Are you ready for the changes that are coming? Will you become an advocate for your employees? Do you think corporations have trampled employee rights in their efforts to protect the enterprise? What should employees be allowed to do at work? Do companies have adequate transparency into their policies and goals with regard to security and employee privacy?
Rather than living with the status quo, employers should seek to strike a new balance -- leveraging privacy to achieve security and broader risk management goals. By honoring their employees’ right to privacy, companies can restore trust, preserve employees’ dignity, and engage them in security.
The conflict between security and privacy is nothing new. What’s new is the revelation that employee privacy can actually be a vehicle to better security and that you don’t have to sacrifice one for the other. Privacy as a complement to security -- that should become the new normal.
David has worked for 25 years with US and global companies, advising them on strategy, risk-based priorities, and effective governance of highly sensitive and regulated data. He is a CIPP/E/US, CISA, and CISSP and has authored several books through McGraw-Hill Publishing and ...