Privacy and Security Risks in Telecommuting

Size: px

Start display at page:

Download "Privacy and Security Risks in Telecommuting"

Matthew Cook
7 years ago
Views:

1 Privacy and Security Risks in Telecommuting For: IAPP Canadian Privacy Summit Thursday, April 30, 2009 Prepared by: Fazila Nurani, B.A.Sc., (E.Eng.), LL.B., CIPP/C PrivaTech Consulting

2 The Benefits of Telecommuting Organizations reap the productivity benefits when they support working from home: Work/life balance: Employees can work offsite when there s a work crunch demanding night/weekend hours. Support employee needs: Employees can attend to important personal/ family commitments and still meet work hour requirements. Alternative in bad weather, transportation delays. Working with business partners in different time zones. Mobile devices (including laptops, cell phones and PDAs) make telecommuting possible Privacy Solutions To Protect Your Organization

3 The Telecommuting Challenge General risks when information leaves the office: Loss or theft of devices or information Inappropriate access by strangers Communication through unprotected channels Risks to information in the home environment: Printing without appropriate disposal Accessing or loading information on unprotected home devices Inappropriate use (e.g. communicating illegal content) or unauthorized use by non-employees The insider threat and telecommuting: Purposefully extracting and sharing confidential information Manipulating hardware/software to overcome security controls Privacy Solutions To Protect Your Organization

4 Reducing the Risk Take control: Company-issued rather than employeeowned device. Ensure the following software applications are installed: Anti-virus software Anti-spyware software File encryption software encryption software For the most complete protection of data, install whole disk encryption on laptops. Change default settings of new devices they are often set to the least security. Privacy Solutions To Protect Your Organization

5 Authentication/Identity Management Accessing resources on the internal network: Virtual private network (VPN) client Organization web-based Intranet Remote log-in and file transfer Authenticating access to the internal network: User account (i.e. username and password) Hard token (e.g. one-time password generator, smart card) Biometrics (e.g. fingerprint) Privacy Solutions To Protect Your Organization

6 Multi-Tiered Device Security Model Privacy Solutions To Protect Your Organization

7 Other Security Considerations Restrictions related to downloads, web sites and applications Employees are unable to download any non-organization issued software onto computer devices Websites offering services are blocked Instant messaging services are blocked Peer-to-peer file sharing applications are prohibited and technical controls exist to prevent their use. Failed log-in lockout settings Privacy screens in public places Run full system scans on mobile devices periodically Security awareness training based on established policies Privacy Solutions To Protect Your Organization

8 IAPP Canadian Privacy Summit Managing Privacy Risks with Telecommuting and Mobile Devices Presented by: Thérèse Reilly, B.A., LL.B., LL.M., CIPP/C Chief Privacy Officer and Director of Compliance April 30, 2009

9 The Landscape New technology and mobile devices emerging daily More and more access to personal information Safeguards needed to protect and secure personal information If not, opens the door for personal information to fall into the wrong hands and as the media reminds us, leads to data breaches

10 The Focus Mobility of the work environment and associated privacy risks Your office and device can be anywhere and everywhere Importance of best practice guidelines and policies for mobile devices and work environments

11 Which Devices? Laptops Hand Held Devices - e.g. Blackberry Portable Storage Devices e.g. USB Key Cameras Telephones Internet Wireless networks

12 Privacy Risks Risks from unauthorized access or disclosure possible complaints loss of clients/customers negative media coverage reputational risk damage claims from clients who allege a privacy breach regulatory sanction for non compliance Highest Areas of Risk

13 Who Owns the Risk? Services in a large organization IT and security dept, privacy program and policies and resources If work independently, as the owner, you will bear responsibility for the security of your systems and appropriate security measures

14 Best Practices Three Major Points: 1. Privacy program 2. Devices selected 3. Informed use of device

15 Mobile Devices and Telecommuting Privacy principals the same Heavier focus on limiting collection and storage and appropriate safeguards - for example: Store information on network servers Delete personal information from laptop and other mobile devices when no longer needed Limit collection, retention and storage of personal information on laptop and portable devices

16 Safeguards High risk area: inadequate or lack of security measures especially for storage and transmitting information Need safeguards appropriate to the sensitivity of the information The more sensitive the information, the higher the level of protection

17 Safeguards Methods of protection include: (a) physical measures (b) organizational measures (c) technological measures

18 The Internet and Wireless Networks Evaluate method of transmitting information Wireless technology - Greater risks - can easily eavesdrop on your communications Encrypt - Use encryption features to prevent unauthorized access

19 Password Policies Essential security component Incorporate industry password protocol in your policies: strong passwords password protecting sensitive documents recording passwords safely no sharing

20 Address Ease of Mobility of the Device Secure the mobile device Transfer of personal information with encryption Safeguard all formats - electronic and paper

21 Address Ease of Mobility of the Device Travelling imposes extra risks Certain devices pose a greater security risk e.g. USB or other flash drives with added vulnerability to import viruses Impose restrictions on the use of personal devices (e.g. camera phone, IPod) in the work environment Breach protocol in place in event of loss or theft

22 Disposal Destruction and disposal policies for the information and device Permanently delete personal information before disposal of device Ensure can t be reassembled into readable form Shred or cut up floppies, CDs or DVDs

23 Devices Provide authorized devices Preclude tampering by having policy to not disable, change or tamper with the device or use unauthorized hardware or software

24 Devices Some more intelligent than others Know what security measures device offers for example, use USB that comes with encryption capability and requirement for password Blackberry device - data transmitted on a BlackBerry routed through the BES server is encrypted by default

25 Employee Training and Awareness Minimize privacy risks by: Foster awareness Training employees on the proper use of the technology and devices Ensuring employees use technology properly and within established guidelines Monitoring and auditing Implement privacy breach response plan

26 Accountability Assign responsibility for compliance All employees accountable for safeguarding personal information in their custody and control

27 Now What? The technical controls have been deployed The policies are in place and have been communicated Privacy Solutions To Protect Your Organization

28 Monitoring Telecommuters Keep employees alert by doing occasional compliance spot checks and pop quizzes at staff meetings. Don t rely solely on your automated systems! Notify employees of the fact that the organization may monitor their actions. Quon v. Arch Wireless (U.S. Ninth Circuit, January 2009) a police department was found to have violated the rights of an employee and the people he exchanged text messages with, when they reviewed personal text messages created on a device owned and issued by the police department. Quon had a reasonable expectation of privacy in those messages. If a device is lost or stolen, the company s incident management policy must immediately come into play. Privacy Solutions To Protect Your Organization

29 Thank you... Questions? Thérèse Reilly, B.A., LL.B., LL.M., CIPP/C Chief Privacy Officer and Director, Compliance Advocis (416) Fazila Nurani, B.A.Sc.(EE), LL.B., CIPP/C President, Senior Counsel/Lead Trainer PrivaTech Consulting (905)

HIPAA Security Alert

Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information