Privacy vs Employee Monitoring and Internal Investigations
January 25, 2021
An interview with Brian Wrozek, VP and CISO.
- Data Privacy Day is January 28. For most, “data privacy” probably relates to what corporations do with consumer data.
- It’s also important to consider workplace privacy within the organization.
- Optiv’s CISO, Brian Wrozek, advocates for a team approach to investigations involving Legal, Security and HR.
- All parties are best served when the organization promotes a culture of transparency.
Sam Smith:
Brian Wrozek:
SS:
BW:
SS:
BW:
Companies have the right and need to monitor, but they must demonstrate a legitimate business purpose, especially when they’re monitoring oral and electronic communication.
We have an obligation to protect company IP as well as client data and employee information, all of which requires monitoring for inappropriate and unauthorized activities. This has become more of an issue lately with so many people working from home thanks to COVID.
SS:
BW:
It may not be possible to keep all information completely confidential, since other parties may need to be involved in the investigative process. But investigative information should be shared on a “need to know” basis only. The good news is this isn’t new for security pros. Confidentiality is part of the daily job.
I advocate a team approach to investigations: Legal, Security, HR and Ethics if it’s a separate role. Require at least two members from each function to be involved in all investigations. Each group brings their unique perspectives and proficiencies: HR specializes in interpersonal skills. Security specializes in investigative and evidence gathering techniques. Legal provides privileged and work product immunity protection. In addition, it also protects the investigators. With this approach, no individual can be accused of going after an employee because several others are involved in the investigation. It also gives the help desk and other IT administrators a safety net if they get pressure from a manager to do something that makes them uncomfortable. For example, say a manager asks the help desk to provide access to an employee’s email inbox. Help desk reps can now say – truthfully – that they’re required to open an investigation with Security. This ensures the right process is followed and protects the privacy of employees.
SS:
BW:
And this is especially important: care must be taken that security and compliance monitoring doesn’t morph into employee performance monitoring. That’s a pure management issue but it may involve some of the same tools. This is a greater concern today as managers are struggling with how to measure performance in a predominantly remote workforce. Look at two recent developments that bring this struggle to the forefront: Zoom’s attention tracking feature and Microsoft’s productivity scoring. While these tools offer tremendous productivity benefits, they can easily be used in a way that fosters a culture of mistrust, which in turn hurts productivity and morale.
Again, transparency and oversight of management is key when it comes to performance monitoring.
Privacy and security will become more intertwined going forward. Now is the time to work together with HR, Legal and Audits to build the appropriate company culture when it comes to balancing employee privacy and protecting the company.
SS:
Data Privacy Day, sponsored by the National Cyber Security Alliance, is an international effort held annually on January 28 to create awareness about the importance of respecting privacy, safeguarding data and enabling trust.