Privacy vs Employee Monitoring and Internal Investigations

January 25, 2021

An interview with Brian Wrozek, VP and CISO.

 

  • Data Privacy Day is January 28. For most, “data privacy” probably relates to what corporations do with consumer data.
  • It’s also important to consider workplace privacy within the organization.
  • Optiv’s CISO, Brian Wrozek, advocates for a team approach to investigations involving Legal, Security and HR.
  • All parties are best served when the organization promotes a culture of transparency.

 

 

Sam Smith:

Brian, thanks for your time. I know Data Privacy Day is a big deal for you.

 

Brian Wrozek:

It is, and when we look at GDPR, CCPA, any number of other state laws, plus the standards in places like Brazil and Canada, I think it’s clear that it’s a big deal for a lot of people. It’s also clear that we haven’t historically paid enough attention to the importance of online privacy through the years.

 

SS:

Most of us, when we hear “data privacy,” think about what corporations do with consumer data. But you’re also concerned about what happens within the organization, right?

 

BW:

Right. Much of the emphasis on Privacy Day will focus on personal privacy issues, and rightly so. But let’s not forget about privacy in the workplace.

 

SS:

That’s not something I think I’ve heard anyone talking about.

 

BW:

You really don’t, especially outside our industry. It’s important to balance a business’s interests to minimize the risks of misconduct and loss against an employee’s reasonable expectations of privacy in the workplace. Monitoring is necessary to uncover malicious activity and is also an important element of an overall compliance program.

 

Companies have the right and need to monitor, but they must demonstrate a legitimate business purpose, especially when they’re monitoring oral and electronic communication.

 

We have an obligation to protect company IP as well as client data and employee information, all of which requires monitoring for inappropriate and unauthorized activities. This has become more of an issue lately with so many people working from home thanks to COVID.

 

SS:

So how does an organization go about striking this balance?

 

BW:

When suspicious activity is detected, we have to stop it, obviously. In many cases, there is a legal obligation to conduct a timely investigation and take appropriate corrective action. So, we must conduct an effective and thorough investigation and we have to do it promptly. One of the key steps in the investigative process is to protect the confidentiality of the claims and the parties involved, which includes protecting any digital or physical evidence.

 

It may not be possible to keep all information completely confidential, since other parties may need to be involved in the investigative process. But investigative information should be shared on a “need to know” basis only. The good news is this isn’t new for security pros. Confidentiality is part of the daily job.

 

I advocate a team approach to investigations: Legal, Security, HR and Ethics if it’s a separate role. Require at least two members from each function to be involved in all investigations. Each group brings their unique perspectives and proficiencies: HR specializes in interpersonal skills. Security specializes in investigative and evidence gathering techniques. Legal provides privileged and work product immunity protection. In addition, it also protects the investigators. With this approach, no individual can be accused of going after an employee because several others are involved in the investigation. It also gives the help desk and other IT administrators a safety net if they get pressure from a manager to do something that makes them uncomfortable. For example, say a manager asks the help desk to provide access to an employee’s email inbox. Help desk reps can now say – truthfully – that they’re required to open an investigation with Security. This ensures the right process is followed and protects the privacy of employees.

 

SS:

What you describe sounds pretty transparent, which is hugely important in this sort of investigation.

 

BW:

Exactly. You want to promote not just transparency, but a culture of transparency. Disclose that you’re performing surveillance and monitoring. It’s best if this is integrated directly into company policies so it’s there in black and white. It needs to be more than a one-time disclosure during new-hire training and it has to be reinforced over time.

 

And this is especially important: care must be taken that security and compliance monitoring doesn’t morph into employee performance monitoring. That’s a pure management issue but it may involve some of the same tools. This is a greater concern today as managers are struggling with how to measure performance in a predominately remote workforce. Look at two recent developments that bring this struggle to the forefront: Zoom’s attention tracking feature and Microsoft’s productivity scoring. While these tools offer tremendous productivity benefits, they can easily be used in a way that fosters a culture of mistrust, which in turn hurts productivity and morale.

 

Again, transparency and oversight of management is key when it comes to performance monitoring.

 

Privacy and security will become more intertwined going forward. Now is the time to work together with HR, Legal and Audits to build the appropriate company culture when it comes to balancing employee privacy and protecting the company.

 

SS:

Brian, many thanks. These are important issues for organizations and employees, and I think you’ve probably answered some questions here.

 

 

Data Privacy Day, sponsored by the National Security Alliance, is an international effort held annually on January 28 to create awareness about the importance of respecting privacy, safeguarding data and enabling trust.

Brian Wrozek
Director, Information Security
Brian Wrozek is the director of information security with Optiv’s Office of the CISO. In this role he specializes in enabling CISOs by sharing practical recommendations and confronting the many cybersecurity challenges with a “glass is half-full” attitude.