Scott Cleland recently wrote a compelling piece on the need for a new national privacy law in the U.S., but I think this particular genie is out of the lamp. Such a law would only provide limited protection in a legal case; it wouldn’t protect you against losing your family, career or reputation, and the three aren’t mutually exclusive.
This was brought into focus when Google released its transparency statement showing that government requests for information on citizens have gone up, particularly in the U.S., by thousands.
Another way of thinking about this report is that everything you do on the Web, or on a connected PC, may be captured and reported. What I don’t think people have fully thought through is that once behavior at home triggers an investigation, the IT department is likely to become involved, because it is then natural for the investigating agency to look at all Internet access an employee has.
This suggests a relatively rigid whitelisting approach to Web sites for most on-premise employees and heavy monitoring and auditing of employees who get permission to have broader Web access. The best defense is likely to get ahead of this problem.
Let me explain.
Stepping Away from Employee Investigations
There are three potentially big problems if an employee investigation by an outside agency involves the company. First, the overhead of the discovery process, depending on how deep the agency wants to go, can be onerous. Second, it can damage the firm’s brand if the investigation becomes public, even if the employee is innocent. And third, if IT is the source of the leak and the employee is found innocent, the firm could be massively liable for defamation, hostile workplace, or a series of other charges that could be brought civilly and which, with a friendly jury, could cost the company a lot of money.
The best defense, therefore, for both the employee and the company, is to assure that the behavior can’t happen at the firm. This generally means a standard policy of whitelisting those sites known to be acceptable to the employee during business hours. This isn’t an uncommon practice today and with this increased scrutiny by law enforcement agencies it is an even more important practice going forward. If it can be reasonably shown that the employee can’t go to questionable sites, then that should stop an investigation cold on campus. This protects both the firm and the employee from problems.
If an employee wants or needs to opt out of this protective program, and clearly many do, then they must both understand the risks and be placed under audit review. People do foolish things, and catching them early can often nip in the bud problems that might emerge later, like an addiction to online gambling or pornography, at least at work.
I’m also a big believer in auditing employee email and letting the employees know this is going on so you are less likely to have anything discovered in email that is a problem. This can help with other things like harassment, inappropriate affairs between managers and employees, or even collusion to steal corporate assets, all of which audit teams found by going through emails while I was working at IBM years ago.
Anticipating Other Problems
Over the years, I’ve also seen behavior that has resulted in nasty, preventable problems. You may recall that a disgruntled employee at Oracle set up Larry Ellison once by fabricating an evidence chain showcasing discrimination. Oracle was eventually able to prove this, but monitoring executive email for activity and content might have prevented what was an embarrassing trial for the company. In that case, an email was fabricated and sent by the employee from an executive’s PC while they were out of the office. Granted, this also suggests a much more stringent client security process. Once that story became public, I was kind of surprised that all executives didn’t move to biometric protection of their PCs.
Another story I became aware of over the last several years was one in which an employee set up another employee to make them look like they were doing inappropriate searches. Typically, that would be nearly impossible to prove, and it once again showcases that passwords are not an adequate way to protect company equipment or your own career. (Think about that next time you put your password on a sticky note on your monitor.)
Wrapping Up: A Troubled Future
From someone wanting to move up, to getting revenge, to just a poorly thought-through practical joke, we are going to see a lot of problems result from folks using the lack of good privacy laws to their own advantage.
From a personal standpoint, it makes sense to adopt a practice where you make sure that anything you do on the Web isn’t something you’d be embarrassed to share. Increasingly, instituting a policy that assures the employees can’t make this mistake will also assure your and their peace of mind.
We are only at the tip of this iceberg. Internet footprints are forever and that means it may be wise to have a chat with our kids. What they do on the Internet now is very likely to have a massive impact on their future success.