Law archives - IT Compliance Advisor


Aug 4 2009   2:55PM GMT

What online privacy expectations exist for social media use at work?



Posted by: Alexander Howard
privacy, Security, Web 2.0, Law, Big Brother, Twitter, online privacy, compliance, DLP, e-discovery, social media

If you read Professor Jonathan Zittrain’s rebuttal on cloud computing to Bernard Golden at CIO.com today, you know that both agree that privacy is the No. 1 concern for cloud computing. Compliance officers have to worry about more than just privacy, of course, but protecting the private information of employees and customers alike is a crucial component of any enterprise-class security regimen.

Given the security risks of Twitter alone, I knew that the premise of SearchCompliance.com contributor Andrew Baer’s recent tips on social media use in the enterprise held considerable merit: Social media platforms demand a clear employee Internet use policy.

Image: “privacy is dead,” by striatic via Flickr

When it comes to the details, however, I was left with more questions than answers. I understand that as a lawyer and e-discovery expert, Baer is naturally risk-averse. Moreover, I recognize that he’s forgotten more about e-discovery and the law than I currently know as a journalist.

That said, Baer’s position on online privacy and the rights of the employer to access the online activity or posts of employees veers into more ambiguous territory. Baer writes that a “policy should also state prominently that employees have no expectation of privacy in anything they store or transmit using corporate IT resources or post on the Internet, and that the enterprise reserves the right to monitor all usage of IT resources and Internet postings without notice and does so periodically.”

I imagine most observers can agree that enterprises need to create a Web 2.0 usage policy that extends existing rules and reminds employees of established guidelines for electronic communications and expectations for online privacy. Such guidance is even more crucial in regulated environments, as explained in “Compliance concerns dog enterprise 2.0 collaboration software.”

Baer acknowledges the privacy issue: “Monitoring employee Web 2.0 use and terminating or disciplining an employee based on that use can raise legal privacy issues if an enterprise’s Web 2.0 strategy is not well planned and administered.”

The bottom line, however, is that Baer’s advice to compliance officers would appear to extend far beyond IT compliance into something else that he appropriately calls “Big Brother”-like action. As Baer observes, “Some employers may not want to go this far, since policing what employees say outside of work may seem Orwellian and lead to image problems.”

Image problems may just be the tip of the iceberg. I’m left wondering what other e-discovery experts, attorneys, security experts and compliance officers think about online privacy in this context.

George Moraetes, an independent security consultant for Securityminders Inc. in Illinois, agreed via email with Baer that “employees should have no expectation of privacy in anything they store or transmit using corporate IT resources.”

Moraetes wrote: “That is a correct assumption; most companies treat email the same way. Employees have separate accounts using their own resources. The only way to assure privacy is to encrypt your transmissions, in addition to using aliases. Most users are not techies and lack sophistication. Many companies do not implement DLP and NAC systems, although this in itself will not stop it.”

Moraetes went on to describe the issue further:

“I demonstrated a project to the IRS back in 2004: the ability to leak information and not be caught. They told me they would catch anyone — or so they thought.

“In my demonstration to them, I advised that perimeter firewalls all must have ports 80 and 443 open bi-directionally. Otherwise, how would your staff and external users access resources? Obviously, when someone goes to Gmail or even Playboy, their network captures and blocks them, reporting them to security — which is a serious offense. In saying that, I launched OpenVPN, communicating directly to my proxy/VPN server from Washington, D.C., to Chicago. I went anywhere that was prohibited, and the internal traffic from their DLP systems could not detect or see me. There was nothing they could do about it. There are more ways to skin a cat to breach and leak out information, including Web 2.0 and using TweetDeck, email and the Web. Funneling encrypted traffic can bypass the majority of corporate systems.”
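The trick Moraetes describes works because the egress gateway assumes that anything crossing port 443 is HTTPS. It does not have to. The Python below is an added illustration, not code from the original post or from Moraetes: it looks at the first bytes a client sends on an outbound TCP connection and tells a real TLS ClientHello apart from an OpenVPN-over-TCP session start, then applies a simple policy that port 443 must carry TLS. It assumes the gateway (an explicit proxy, or an IDS on a tap) can see those first bytes; the OpenVPN opcode values are the protocol's own, and the sample flows are constructed here, not captured from the 2004 demonstration. The caveat is the one Moraetes hints at: an OpenVPN tunnel wrapped inside a genuine TLS session (for example via stunnel) passes this check, and closing that gap means TLS interception, which raises exactly the privacy questions this post is about.

```python
"""Classify the first client bytes of an outbound TCP/443 connection.

Added example, not code from the original post or from Moraetes. The quoted
demonstration works because the egress gateway assumes that whatever crosses
port 443 is HTTPS. The first bytes of an OpenVPN-over-TCP session do not look
like a TLS ClientHello, so a proxy that insists on real TLS on 443 (or an IDS
running this check on captured traffic) sees the raw tunnel. OpenVPN wrapped
inside a genuine TLS session (e.g. via stunnel) passes this check; that
residual gap is the caveat.
"""
import struct

# OpenVPN opcodes (high five bits of the opcode/key-id byte) that open a session.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7    # standard TLS-mode client handshake
P_CONTROL_HARD_RESET_CLIENT_V3 = 10   # tls-crypt-v2 client handshake

TLS_HANDSHAKE_RECORD = 0x16
TLS_CLIENT_HELLO = 0x01
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def is_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16, version 0x03 0x00..0x04, 2-byte length,
    followed by a handshake message of type 0x01 (ClientHello)."""
    if len(data) < 6:
        return False
    if data[0] != TLS_HANDSHAKE_RECORD or data[1] != 0x03 or data[2] > 0x04:
        return False
    record_len = struct.unpack("!H", data[3:5])[0]
    return record_len > 0 and data[5] == TLS_CLIENT_HELLO


def is_openvpn_tcp_reset(data: bytes) -> bool:
    """OpenVPN over TCP: 2-byte big-endian packet length, then a byte holding
    (opcode << 3) | key_id, then an 8-byte session id. A client's first packet
    is a HARD_RESET_CLIENT with key_id 0. Heuristic: it checks framing and
    opcode only, not tls-auth HMACs or the ack array."""
    if len(data) < 11:
        return False
    pkt_len = struct.unpack("!H", data[:2])[0]
    opcode, key_id = data[2] >> 3, data[2] & 0x07
    if opcode not in (P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_CLIENT_V3):
        return False
    # Smallest possible reset: opcode(1) + session id(8) + ack count(1) + packet id(4).
    return key_id == 0 and 14 <= pkt_len <= 2048


def classify_first_bytes(data: bytes) -> str:
    if is_tls_client_hello(data):
        return "tls-client-hello"
    if is_openvpn_tcp_reset(data):
        return "openvpn-tcp"
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def egress_verdicts(flows):
    """flows: iterable of (client, dst_port, first_client_bytes).
    Policy: port 443 must carry a TLS ClientHello; anything else on 443 is
    blocked and alerted. Returns a list of (client, protocol, action)."""
    verdicts = []
    for client, dst_port, first in flows:
        kind = classify_first_bytes(first)
        action = "allow" if (dst_port != 443 or kind == "tls-client-hello") else "block-and-alert"
        verdicts.append((client, kind, action))
    return verdicts


# Constructed sample first-bytes (not captures from the post's demonstration).
# A TLS 1.0 record carrying a ClientHello; the body is truncated filler.
TLS_HELLO = b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03" + bytes(32) + b"\x00\x00\x02\x00\x2f\x01\x00"
# An OpenVPN TCP HARD_RESET_CLIENT_V2: length 14, opcode 7<<3|0 = 0x38,
# 8-byte session id, zero acks, packet id 0.
OPENVPN_RESET = b"\x00\x0e\x38" + bytes.fromhex("0123456789abcdef") + b"\x00" + b"\x00\x00\x00\x00"
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"

SAMPLE_FLOWS = [
    ("10.0.1.20", 443, TLS_HELLO),      # ordinary HTTPS
    ("10.0.1.21", 443, OPENVPN_RESET),  # the tunnel from the quoted demo
    ("10.0.1.22", 80, PLAIN_HTTP),      # plain web traffic
    ("10.0.1.23", 443, SSH_BANNER),     # something else hiding on 443
]

if __name__ == "__main__":
    for client, kind, action in egress_verdicts(SAMPLE_FLOWS):
        print(f"{client:<12} {kind:<18} {action}")
```

Note that the plain HTTP sample is a near miss for the OpenVPN check: the third byte of "GET " decodes to opcode 10 with key_id 4, so the key_id test is what keeps the heuristic honest. A production gateway would go on to require that the rest of the TLS handshake parse correctly, not just the first six bytes.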

I’m writing an article about online privacy that will capture more viewpoints from other IT practitioners and e-discovery experts. If you have opinions about the use of social media on corporate systems and the online privacy expectations that surround it that you’d like to share, please comment here, @reply to @ITcompliance on Twitter or send them directly to ahoward@techtarget.com with instructions on whether you’re willing to see them published.


May 18 2009   4:51PM GMT

What will compliance with the Massachusetts data protection act mean?



Posted by: Alexander Howard
Massachusetts Senate, Massachusetts, Information privacy, Law, privacy, Security, 201CMR17, data protection, regulatory compliance, MA data protection law

A bill being discussed in the Massachusetts Senate proposes major changes to MA GL 93H, the Data Breach Notification Act. These changes could in turn result in revisions to 201 CMR 17.00, the data protection regulation promulgated by the Office of Consumer Affairs and Business Regulation (OCABR), including removal of specific encryption requirements and deference to federal statutes.

Image: The Massachusetts State-house in Boston, Massa... (via Wikipedia)

We wrote about it last week in “Mass. Senate seeks to amend, weaken data breach notification law.” As you know, we’ve been covering news on the nation’s most comprehensive data protection law since the beginning of the year, including a podcast with the OCABR CIO and general counsel:

•    Podcast: New Massachusetts data protection law mandates IT compliance
•    Panels describe risks of noncompliance with Mass. data protection law

Kevin Beaver, a contributor to SearchCompliance.com, offered his commentary on the situation nationally: “Are you out of the loop on state data breach notification laws?”

Sarah Cortes reminded the readers of SearchCompliance.com last week of the risk of penalties for violating data privacy laws.

Anne McCrory, editorial director for the CIO/IT Strategy Media Group at TechTarget, has also weighed in with her view: “It’s time for a federal data protection act,” following Scot Petersen’s take: “Red Flags Rule delay reveals troubling pattern developing.”

Our sister site, SearchSecurity.com, posted some additional advice:  Encrypt now to meet new Mass. data protection law.

So with all that out there, here’s what I’m wondering:

What do you think of the law?

What are your thoughts on the proposed revisions?

How are you approaching compliance with the regulation?

Do you have clients or partners that you are advising on the topic? What do they think?

I’ve been interviewing many of our readers on precisely these questions, including many thought leaders, CISOs, privacy officers and CIOs. I’d be grateful for your thoughts as well.

Please write to editor@SearchCompliance.com or directly to me at ahoward@techtarget.com.

As you know, you can also find us @ITCompliance on Twitter.



Feb 12 2009   4:59AM GMT

LegalTech 2009: The intersection of e-discovery and information governance



Posted by: Alexander Howard
New York, Law, Law firm, Interwoven, Lawsuit, business

This is a guest post from Barclay T. Blair, author of Information Nation and head of the information governance practice at Forensics Consulting Solutions LLC.

Last week I made the trek to New York to attend LegalTech — a big trade show and conference focused on technology for the legal community. I had never attended the show before, as I had always perceived it as a niche show that focused on an area of the market that wasn’t relevant to me, i.e., IT for law firms. However, this year at least, the themes of the show were much broader and directly relevant to everyone in the IT world. More specifically, a major theme of the show was the role that IT has in controlling the e-discovery monster.

For example, the keynote address was (quite cleverly, I thought) entitled, “You wanna go to court — get a lawyer; If you wanna avoid going to court — get a records manager.” The message was clear: The real problem in e-discovery is the way we manage (or mismanage) information on a day-to-day basis. If we (and by we, I mean everyone responsible for information, including IT) did a better job of managing information, then the pain and cost of having to sift through mountains of unnecessary, duplicative, outdated and unclassified information in the 11th hour during a bet-the-company lawsuit would be significantly reduced.

It’s a message that resonates with my clients, and a reason why so many organizations today are motivating IT and legal to work together to solve this problem.

Further evidence of e-discovery and information governance coming together at the show was found in Autonomy (an e-discovery software provider, among other things) announcing its acquisition of Interwoven (a content management vendor). The vision for this acquisition, as explained in a standing room-only luncheon presentation, was to provide software that helps companies with both ends of the problem. In other words, to manage information better on the business side so that when litigation hits, e-discovery is less costly and painful. It was a message repeated by other vendors across the show floor.

Another key theme that I observed at the show was the rising importance of tools that promise to automatically classify information — whether for information governance or e-discovery purposes. This has been emerging for several years but perhaps is starting to hit its stride. I think autoclassification technologies (about which I will write more later) will be an important part of the IT and information governance toolbox in the months and years to come, as we all look for ways to understand, use and manage our information assets better.

Barclay T. Blair is a consultant to Fortune 500 companies, software and hardware vendors and government institutions, and is an author, speaker and internationally recognized authority on a broad range of policy, compliance and management issues related to information governance and IT. Blair heads the information governance practice at Forensics Consulting Service LLC, and can be reached at bblair@fcsig.com or (403) 638-9302.
