Over the last 15 years, security interests have largely silenced the data privacy debate, leaving companies and employees around the world paying a high price. Today, this focus on security has created a backlash, one that I predict foreshadows a new balance in workplace privacy and security that will tilt more toward individual protection.
But first, let’s talk about the present. Individual privacy and security of the company network are under increasing distress for three main reasons.
To my mind, the crux of the privacy issue is that employees and employers seem to have competing goals. Employers’ focus is on ensuring corporate security, increasing productivity, and reducing liability for bad employee behavior like cyber loafing, gambling, or accessing pornography. Employees struggle to balance a need to use corporate infrastructure for online activity (like personal email) with a desire to protect their personal information and reputations.
These goals do overlap, but in an attempt to navigate this environment, many employers (both wittingly and unwittingly) violate employee rights to privacy every day. Worse still, many companies have responded to the "new normal" by clamping down on employee web use by applying employee monitoring systems and unrealistic, unclear Acceptable Use Policies. This creates an unspoken tension in the workplace and takes employers into the territory of potential unfair trade practices under FTC Title 5, which states that if an organization has a policy but doesn’t follow it, the organization is engaging in a deceptive trade practice. In addition, the traditional lock-down approach delivers only modest gains in organizational security and little reduction in employer liability.
There has to be a better way
In Europe, more than 50 global jurisdictions have signed omnibus privacy laws, providing greater protection for individuals in the workplace and signaling an increase in the number of privacy laws worldwide. In the US, the White House last year published a 62-page privacy whitepaper that includes a Consumer Privacy Bill of Rights with recommendations on handling individuals’ personal data pertaining to issues of control, transparency, respect for context, security, access and accuracy, limits on data collection, and accountability.
Are you ready for the changes that are coming? Will you become an advocate for your employees? Do you think corporations have trampled employee rights in their efforts to protect the enterprise? What should employees be allowed to do at work? Do companies have adequate transparency into their policies and goals with regard to security and employee privacy?
Rather than living with the status quo, employers should seek to strike a new balance -- leveraging privacy to achieve security and broader risk management goals. By honoring their employees’ right to privacy, companies can restore trust, preserve employees’ dignity, and engage them in security.
The conflict between security and privacy is nothing new. What’s new is the revelation that employee privacy can actually be a vehicle to better security and that you don’t have to sacrifice one for the other. Privacy as a complement to security -- that should become the new normal.
David has worked for 25 years with US and global companies, advising them on strategy, risk-based priorities, and effective governance of highly sensitive and regulated data. He is a CIPP/E/US, CISA, and CISSP and has authored several books through McGraw-Hill Publishing and ...