Given, say, Twitter security risks, I knew the premise for SearchCompliance.com contributor Andrew Baer’s recent tips on social media use in the enterprise holds considerable merit: Social media platforms demand a clear employee Internet use policy.
When it comes to the details, however, I was left with more questions than answers. I understand that as a lawyer and e-discovery expert, Baer is naturally risk-averse. Moreover, I recognize that he’s forgotten more about e-discovery and the law than I currently know as a journalist.
That said, Baer’s position on online privacy and the rights of the employer to access the online activity or posts of employees veers into more ambiguous territory. Baer writes that a “policy should also state prominently that employees have no expectation of privacy in anything they store or transmit using corporate IT resources or post on the Internet, and that the enterprise reserves the right to monitor all usage of IT resources and Internet postings without notice and does so periodically.”
I imagine most observers can agree that enterprises need to create a Web 2.0 usage policy that extends existing rules and reminds employees of established guidelines for electronic communications and expectations for online privacy. Such guidance is even more crucial in regulated environments, as explained in “Compliance concerns dog enterprise 2.0 collaboration software.”
Baer acknowledges the privacy issue: “Monitoring employee Web 2.0 use and terminating or disciplining an employee based on that use can raise legal privacy issues if an enterprise’s Web 2.0 strategy is not well planned and administered.”
The bottom line, however, is that Baer’s advice to compliance officers would appear to extend far beyond IT compliance into something else that he appropriately calls “Big Brother”-like action. As Baer observes, “Some employers may not want to go this far, since policing what employees say outside of work may seem Orwellian and lead to image problems.”
Image problems may just be the tip of the iceberg. I’m left wondering what other e-discovery experts, attorneys, security experts and compliance officers think about online privacy in this context.
George Moraetes, an independent security consultant for Securityminders Inc. in Illinois, agreed via email with Baer that “employees should have no expectation of privacy in anything they store or transmit using corporate IT resources.”
Moraetes wrote “that is a correct assumption, most companies treat email the same way. Employees have separate accounts using their own resources. The only way to assure privacy is to encrypt your transmissions, in addition to using aliases. Most users are not techies and lack sophistication. Many companies do not implement DLP and NAC systems, although this in itself will not stop it.”
Moraetes went on to describe the issue further:
“I demonstrated to the IRS a project back in 2004, the ability to leak information and not be caught. They told me they would catch anyone — or so they thought.
“In my demonstration to them, I advised that perimeter firewalls all must have ports 80 and 443 open bi-directionally. Otherwise, how would your staff and external users access resources? Obviously, when someone goes to Gmail or even Playboy their network captures and blocks them, reporting them to security — which is a serious offense. In saying that, I launched OpenVPN, communicating directly to my proxy/VPN server from Washington, D.C., to Chicago. I went anywhere that was prohibited and the internal traffic from their DLP systems could not detect or see me. There was nothing they could do about it. There are more ways to skin a cat to breach and leak out information, including Web 2.0 and using TweetDeck, email and the Web. Funneling encrypted traffic can bypass the majority of corporate systems.”
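The bypass Moraetes describes relies on an encrypted tunnel riding port 443, where it blends in with ordinary HTTPS. The following is an added example (not from the article or from Moraetes) of the kind of egress check a defender could run over connection logs: it flags flows on 443 whose first client bytes are not a TLS handshake record, or that are unusually long-lived or upload-heavy. The log format, thresholds and sample rows are all constructed for the example.

```python
"""Flag egress on 443 that does not look like ordinary web browsing.

Assumed log format (constructed for this example, not any vendor's):
  ts,src,dst,dport,duration_s,bytes_out,first_bytes_hex
first_bytes_hex holds the hex of the first client payload bytes.
"""
import csv
from io import StringIO

# Constructed sample: two normal HTTPS sessions and one OpenVPN-over-TCP
# tunnel. OpenVPN's TCP framing begins with a 2-byte packet length, not the
# 0x16 0x03 TLS record header a browser's ClientHello starts with.
SAMPLE_LOG = """ts,src,dst,dport,duration_s,bytes_out,first_bytes_hex
2024-01-01T09:00:00,10.1.2.3,203.0.113.10,443,12,48213,160301
2024-01-01T09:00:05,10.1.2.4,203.0.113.11,443,3,1800,160303
2024-01-01T09:01:00,10.1.2.5,198.51.100.7,443,5400,73400320,002a38
"""

LONG_SESSION_S = 3600           # one TCP connection held open for an hour
HIGH_UPLOAD_BYTES = 50_000_000  # constructed threshold; tune per environment


def looks_like_tls_client_hello(first_bytes_hex):
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    return first_bytes_hex[:4].lower() == "1603"


def classify(row):
    """Return the list of reasons a single flow record is suspicious."""
    reasons = []
    if row["dport"] != "443":
        return reasons
    if not looks_like_tls_client_hello(row["first_bytes_hex"]):
        reasons.append("non-TLS payload on 443 (possible VPN/tunnel)")
    if int(row["duration_s"]) >= LONG_SESSION_S:
        reasons.append("long-lived connection")
    if int(row["bytes_out"]) >= HIGH_UPLOAD_BYTES:
        reasons.append("large outbound volume")
    return reasons


def find_suspicious(log_text):
    """Map destination -> reasons for every flow with at least one reason."""
    flagged = {}
    for row in csv.DictReader(StringIO(log_text)):
        reasons = classify(row)
        if reasons:
            flagged[row["dst"]] = reasons
    return flagged


if __name__ == "__main__":
    for dst, why in find_suspicious(SAMPLE_LOG).items():
        print(dst, "->", "; ".join(why))
```

These are heuristics, not proof: a tunnel wrapped in genuine TLS will pass the handshake check, so the duration and volume signals, and an egress allowlist, matter as much as the first-bytes test.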
I’m writing an article about online privacy that will capture more viewpoints of other IT practitioners and e-discovery experts. If you have opinions about the use of social media on corporate systems and the online privacy expectations that surround them that you’d like to share, please comment here, @reply to @ITcompliance on Twitter or relate them directly to firstname.lastname@example.org with instructions on whether you’re willing to see them published.
I received a range of answers, depending upon whether I talked to vendors, end users, analysts or. Later today, I’ll be publishing a feature that examines precisely this issue.
After reading C.G. Lynch’s Q&A on what’s next for enterprise 2.0 with Professor Andrew McAfee, who coined the term, I saw I’d need to ask him the same question.
When asked about whether CIOs should worry about “implementing Web 2.0 tools in the enterprise because of security and compliance,” Professor McAfee said he didn’t have any horror stories to relate – and that he asks for them, whenever he talks to big business. His “quick and dirty explanation” for that is:
“People know how to do their jobs. By this point, none of these tools are a week old, so the rules for using them aren’t unclear. We know the stuff that will get us fired if we talk about it. If you work in an investment bank, for example, you have it drummed into you, before any enterprise 2.0 tools even showed up, what you can and can’t talk about, and to whom.”
I asked McAfee a similar question: “Where do you see the intersection between enterprise 2.0 and regulatory compliance?” His answer:
I do not think these tools substantially alter the compliance risk profile of organizations. Employees today are acutely aware of compliance issues, and I don’t see that they’ll be tempted to disobey policy or break the law simply because 2.0 tools become available.
There may be some slight risk of inadvertent noncompliance, but the fact that contributions to 2.0 environments are so visible means that any such breaches are likely to be detected quickly.
When it comes to enterprise 2.0, I agree heartily with Thomas Jefferson, who wrote, “I know of no safe repository of the ultimate power of society but people. And if we think them not enlightened enough, the remedy is not to take the power from them, but to inform them by education.”
After reporting on the story for a week, it’s clear to me that CIOs, privacy and security professionals need better tools to monitor, log and filter communication with external social networking platforms. Data loss prevention (DLP) will be a line item in enterprise security budgets, driven by the need to reduce new risks posed by social messaging.
Even if political gaffes on social networking sites don’t cease — like Battle Creek Mayor Mark Behnke accidentally tweeting Social Security numbers or continued Congressional missteps on Twitter — compliance concerns about the use of enterprise 2.0 platforms are likely to increase with continued data leaks, from whatever vector they take.
Insider threats are a significant concern, given increased economic pressures stemming from the recession. As Forrester senior analyst Andrew Jaquith observed earlier this year, “as auditors have gained more experience assessing compliance with Sarbanes-Oxley and other statutes, they have become increasingly aware of the perils of excessive entitlements. Greater awareness has led to tougher audits. Now enterprises must be prepared to explain who got access to what application features, and why.”
What Professor McAfee’s answer reveals to me, primarily, is that the people aspect of compliance is a crucial consideration. The technology matters but, in the end, your security and ability to meet regulatory requirements rests on the mind-set and education of those entrusted with the sensitive data of an enterprise or its customers. Thanks to the good professor for his answer.