Privacy and Web history
Earlier this summer, senior members of the House Energy and Commerce Committee wrote to broadband Internet providers and other online companies, asking whether they have "tailored, or facilitated the tailoring of, Internet advertising based on consumers Internet search, surfing, or other use."
This brings up issues surrounding what is being monitored by corporate users outside of the corporate infrastructure, and whether this will become a legal liability later on if this information is subpoenaed by a court.
TIP: Make sure your service provider is managing your network connection and not the content that passes through to your enterprise. As Arbor Networks CTO Kurt Dobbins says, "Managing the network does not require any personally identifiable information, knowledge of a user's URL browsing history, Internet search activity or capturing and playing back any communications exchange."
One possibility is to insist on a service level agreement from upstream Internet providers that cover privacy issues. I want SLAs from my Internet providers that guarantee me that my email isn't going to be compromised. These agreements arent about uptime but for the purposes of privacy and security. I want secure and assured services, including the ability to browse and search the Web without having this information recorded on a server somewhere. I don't think a lot of people are doing this right now, says OBerry.
Internet access policies
Another side of the customer privacy issue is: who should have access to the Internet from their desktops?
In most companies, it is taken for granted that everyone is connected and online all the time, but this doesn't have to be the case. And as more case law accumulates about what constitutes a privacy breach, you might want to re-examine exactly who has access to the Net, especially if their jobs involve customer records. This could be as simple as emailing a spreadsheet with social security numbers to a private Yahoo account to work on over the weekend: while not a breach, it should be against corporate policy and users should be educated accordingly.
This is particularly acute in healthcare. "In most companies, catching a single spyware application on a single desktop may mean that some financial data might be stolen. For us it means patient health information might be leaked. We have taken the stance that if an employee doesn't need the Internet to do his or her job, that computer won't have access of any kind. Those with Web access don't store medical data," says Maro.
TIP: Disconnect your users from the Internet if you really need to keep customer data private. And don't forget to update your computer and network usage policies to match the changing legal landscape too. "We continue to update our policies as technology and threats change," says Maro.
OBerry is particularly sensitive to this situation, as he works for a state agency.
"Beginning in July of 2009, South Carolina has possible civil penalties if you don't notify folks in a timely manner once you believe data is leaked, and these penalties can add up if you divulge even a fairly small amount personal data. It just makes good common sense to protect at all levels and we have always taken that seriously based on our absolute responsibility to both victim's data as well as our moral duty to not create a new victim, and thereby a possible burden on taxpayers, by compromising even one of our offenders. Nevertheless, there are some fairly broad legal definitions of what constitutes private information and we need to do a better job of defining it in the future.
We all know that laptops are potential data security targets, and as more corporations standardize on laptops as their principle computing device, it means that the opportunity for their theft or loss increases. And to complicate matters, the Department of Homeland Security has had a policy that allows them to impound your laptop when you come back into the US, with no other reason than their particular mood of the day.