As enterprises deploy more types of cybersecurity and employee monitoring tools, they may be inadvertently exposing themselves, team members, and business partners, to unnecessary privacy risks.
The danger arises when enterprises acquire tools without fully understanding their data collection capabilities and scope. “IT leaders should be asking their vendors to provide information on the data they’re collecting, such as collection frequency and data types,” says Woody Zhu, assistant professor of data analytics at Carnegie Mellon University’s Heinz College of Information Systems and Public Policy.
It’s no secret that collecting sensitive information comes with risks, says Alan Brill, senior managing director of the cyber risk practice, at business advisory firm Kroll. “You may be collecting information that’s covered by laws or regulations, whether you know it or not,” he warns. “Collecting data that you don’t actually need in order to perform a business process represents 100% risk and 0% value.”
Enterprise leadership has to recognize that collecting unneeded information, or information that’s not used for intended purposes, can be an actual danger to the organization. “This decision should not be delegated solely to IT leaders,” Brill says.
Fritz Jean-Louis, principal research director with Info-Tech Research Group, advises IT leaders to work closely with their counterparts in security, human resources, and legal departments to ensure that employee monitoring tools are evaluated from both security and legal perspectives.
Jean-Louis believes that a formal privacy impact assessment conducted with department leaders will ensure full visibility into captured data. The assessment will also confirm that proper security controls are in place and that lawful notices are made to employees about the personal data being captured. “When dealing with personal data, don’t rely solely on contractual requirements,” he cautions. “Perform annual due diligence internally and with vendors.”
Searching for Signs
The fastest way to identify confidential and unnecessary data is by using advanced data loss prevention (DLP) capabilities to search for specific patterns, such as email addresses, phone numbers, protected health information, and personally identifiable information (PHI/PII) data types, says Doug Saylors, a cybersecurity partner with global technology research and advisory firm ISG. Another protection measure, aimed at limiting traffic visibility, is to require remote workers to use VPN connections whenever linking to the enterprise network, he adds.
By observing the specific types of information a tool is collecting, and how the data is being used, IT leaders can generally identify whether there’s any unnecessary data being gathered, Zhu says. For example, assume that a tool is frequently collecting user locations, he notes. The data may be legitimately used to make accurate local news feed recommendations. Yet a close analysis may reveal that a large amount of confidential and unnecessary data is also being collected.
In the event stealth data collection is detected, immediate action is required. “It should be a red alert,” Brill states. He recommends holding an immediate meeting with senior management, IT leadership, the enterprise’s legal and compliance units, and all of the business units using the vendor’s services. “There are decisions that must be made, and those [decisions] will depend on getting accurate information about whether anyone knew about the problem and didn’t raise it,” Brill says.
If the improper data collection is significant, it may be cause for contract termination, Jean-Louis says. “The improper capture of information by a vendor is qualified as a breach.”
Yet terminating an offending vendor isn’t necessarily the best approach. “You also need to know the degree to which you’re dependent on the vendor,” Brill says. Serious questions must be answered before taking drastic action. Is there a way to repair the leak? Does the vendor contract allow termination for collecting non-specified data? What is your enterprise’s responsibility when it comes to collecting problematic data? “If it turns out that someone in your organization knew about the issue and ignored it, that could affect potential liability,” he advises.
If unnecessary data is being anonymized for marketing or research purposes, it’s appropriate to simply tell the vendor to stop collecting it, Saylors advises. On the other hand, if the vendor isn’t adequately protecting collected data, and perhaps is even sharing it with third parties, it may be time to consider legal action. “The liability aspects of certain data types, especially for minors, is a significant risk to organizations in today’s environment.” he notes.
Excessive data collection and storage, unethical data use, and legal compliance are key issues that should be evaluated by the enterprise’s general counsel and corporate compliance department, Brill says. They have the procedures in place to know if collection, storage, use and deletion processes are compliant with laws, regulations and best practices, he explains.
The regulatory environment is evolving, rapidly adding new personal privacy safeguards. At the same time, a growing reliance on remote workforces is creating new challenges, since most home workers use their own Internet connectivity, which is often shared with family members. “Snooping on all traffic on an employee’s network is likely to result in violations of multiple regulatory constraints,” Saylors warns. “Capturing personal data is a liability issue; capturing social media browsing habits is pushing the ethical boundary,” he adds.