Page 1: Internet Privacy Alert

White Paper

Internet Privacy Alert A CIO’s Guide to Privacy and Surveillance in a Cyber World

Prepared by:

Marie Nason, Jill Musick, and Mary Razon

Prepared for:

Terry Linkletter

IT 486: Critical Issues in Information Technology

Central Washington University – Spring 2011


1 Internet Privacy Alert

Table of Contents

Executive Summary ..... 2
Introduction ..... 4
Scope and Methods ..... 4
I. Differing International Laws Affect E-Commerce ..... 5
  Multiple Data Protection Laws ..... 5
  Solutions to Meet the Challenge ..... 6
  Recommendations I ..... 9
II. Consumer Data Collection Invades Privacy ..... 10
  Disclosure and Opt Out Agreements - Difficult to Understand and Hard to Find ..... 10
  Use of Cookie Technology to Record User Activity ..... 12
  Recommendations II ..... 14
III. Employee Monitoring and Workplace Privacy ..... 15
  Employee Monitoring Then and Now ..... 16
  Is Employee Monitoring Necessary? ..... 16
  Impact of Employee Monitoring ..... 17
  Laws Affecting Employee Monitoring and Workplace Privacy ..... 19
  Methods of Surveillance ..... 20
  Recommendations III ..... 21
Conclusion ..... 22


Internet Privacy Alert

A CIO’s Guide to Privacy and Surveillance in a Cyber World

Executive Summary

The purpose of this report is to provide CIOs with the necessary information to analyze their company’s data privacy, security and surveillance policy effectiveness within the cyber world in three key areas: international business, consumer data, and employee monitoring.

Differing International Laws Affect E-Commerce

Differing international laws present a challenge affecting e-commerce, mergers and acquisitions, and commercial transactions. Companies can meet this challenge by creating an international data strategy. Steps to develop this strategy include: studying the flow of information a company is responsible for, including through which countries it passes; studying any foreign vendors and subsidiaries, including potential mergers or acquisitions, that may touch this information, and including legal language in contracts to address data privacy and security; and including a plan to ensure that any laws applicable in any of these countries are followed.

Consumer Data Collection Invades Privacy

Companies are in control of vast amounts of personal information and consumers are concerned about privacy rights and expect that data to be secure. Opt out agreements are not easy to follow. The use of cookies to track movement is another concern. Companies can build trust with their consumers by notifying them, in plain language, how their collected data will be used; giving consumers a simple way to opt out; and committing to security and confidentiality of consumer data.

Employee Monitoring and Workplace Privacy

CIOs should be mindful of the impact of employee monitoring on their company and its employees. This impact can be mitigated by: establishing a transparent security framework for employee monitoring; obtaining input from the different groups affected by employee monitoring policies; disclosing monitoring practices to employees; communicating company ethics and security policies; and respecting each employee’s privacy when the nature of intercepted information is nonbusiness related.

Conclusion

Addressing privacy concerns in regards to international business, consumer data, and employee rights is a challenge. The CIO must find ways to adapt as new technology is implemented and new laws are enacted concerning privacy protection and rights, especially in these three key areas. A company’s survival in a cyber world depends on listening to the Internet privacy alert.


Introduction

To really understand the concept of privacy and ascertain when it is under attack, it is important to first define the word. Merriam-Webster (2011) defines privacy as the quality or state of being apart from company or observation or freedom from unauthorized intrusion. With the advent of the information age, the definition and scope of privacy expanded from the physical world to the cyber world. Individuals, now more than ever, feel their privacy is under constant assault from corporations and the government. The CIO plays an enormous part in dealing with some of these problems and is tasked with making sure there is a balance between the organization’s agenda and an individual’s right to privacy.

This paper will serve as a CIO’s guide to ensuring that privacy, security and surveillance regulations are followed and an individual’s rights are protected as their organization adapts and implements new technology and new laws are enacted concerning privacy protection and rights.

Scope and Methods

The scope of this discussion is threefold. Part I focuses on what a CIO should be aware of in regards to the effects differing international laws have on e-commerce and doing business with other countries. Part II provides an overview for the CIO of the points of view concerning the collection of consumer data and privacy rights in the United States. The two key issues discussed are opt out agreements and cookie technology. Part III informs the CIO of what issues surround the implementation of employee surveillance in the workplace and techniques to deal with them.


Much has been published on all three topics covered in this paper; therefore the decision was made to cull information from these secondary sources and combine the most pertinent information for a CIO into one easy reference document. Research included sources such as books focusing on security and ethics in cyberspace; articles in journals of law and business ethics; and documents and articles found on the Internet, including the International Strategy for Cyberspace statement just released by President Barack Obama.

I. Differing International Laws Affect E-Commerce

The subject of international law in regards to data privacy and security is a large one. This section, however, will focus on international law as it exclusively relates to e-commerce and its effect on how a company does business. In particular, there is the problem of meeting the myriad, and sometimes conflicting, international laws that affect mergers and acquisitions, and commercial transactions. A company must be prepared for the event that a case is brought against it in a foreign land, with the accompanying questions on jurisdiction. It is imperative that companies wishing to purchase, merge or do business with entities in other countries evaluate the laws in effect in those countries and take steps to prepare and protect themselves.

Multiple Data Protection Laws

More than 50 countries have data protection laws that cover privacy protection and security in the cyber world (Gilbert, 2008). Many of these laws give increased rights to individuals over the transfer of their personal information (Gilbert, 2008). For instance, the European Union (EU) Data Directive mandates that member states only allow the processing of personal data if the subject of that data gives their express consent (Cain, 2002). Even the act of linking to content on another web site could constitute infringement, according to the EU’s Data Directive (Masters, 2007). Additional international legislation includes: Hong Kong’s Electronic Transactions Ordinance of 2000, which covers electronic records and digital signatures; South Korea’s Basic Law on Electronic Commerce, which covers digital signatures and all communications; Malaysia’s Digital Signature Act 1998, which covers digital signatures and electronic records; Singapore’s Electronic Transactions Act of 1998, which covers digital signatures and electronic records, applying to all communications; the Philippines’ Electronic Commerce Act of 2000, which covers electronic signatures and transactions and crimes related to e-commerce; the Electronic Transactions Order of Brunei, which covers electronic contracts and digital signatures; and India’s Information Technology Bill of 2000, which covers electronic records, digital signatures, and crimes related to e-commerce (Basu & Jones, 2005).

Solutions to Meet the Challenge

To meet these challenges companies have various avenues open to them. Developing an international data strategy is a start toward understanding the complexities involved in doing business in the cyber world (Nahra, 2006). This can be accomplished by taking either a single global approach or a plan specific to each country (Nahra, 2006), and should include the experience and advice of a lawyer versed in international law, especially as it pertains to e-commerce. The challenge is finding a plan that protects the company, but at the same time allows business flexibility where the law allows this (Nahra, 2006). It is quite possible that there may be instances where there is not a means of meeting all the requirements for all countries, in which case, it is fortunate that enforcement at this point in time is relatively low (Nahra, 2006).

Another avenue a company may pursue to meet the challenge of preparing and protecting itself is to plan how to allocate liability in the event an inadvertent mistake is made in developing a compliance program or a complaint is received (Nahra, 2006). There have been cases where companies and their officers have had claims brought against them in countries where they are not physically located (Masters, 2007). Indemnification and limits on liability provisions can be included in any contracts for mergers or acquisitions (Gilbert, 2008). A cushion of available funds to cover obligations can be set aside (Gilbert, 2008). Insurance policies specific to losses as a result of a breach of security or misuse of data also exist (Gilbert, 2008). These cyber-risk policies fill the gap that traditional policies do not cover, but the policies available vary as to the scope of coverage, so it behooves a company to do careful research before purchasing (Masters, 2007). While it is possible to include warranties and liability provisions in any contracts for mergers and acquisitions, this only protects a company from this particular exposure (Masters, 2007). Protecting a company through a cushion fund or insurance is an expensive solution and it is particularly difficult to find insurance companies who have cyber-risk policies available (Masters, 2007).

A final, and evolving, avenue for a company is the creation of a global legal framework that addresses data privacy and security. The obvious advantage is that a company would no longer have to contend with varying and conflicting international laws. There would be one law of the land, so to speak. Methods to accomplish this have been postulated. One proposes taking the Safe Harbor framework, a compromise to the EU Data Directive negotiated by the United States (US) but not acceptable to other countries, and using it as a starting point for a new International Safe Harbor (Cline, 2006). This alternative would not address the issue of privacy as a human right, because doing so would most likely make a consensus among countries unattainable (Cline, 2006). Negotiations would start with those countries with laws on data privacy and security in place and would be negotiated within the World Trade Organization, not the United Nations (Cline, 2006). It would be based on the top ten privacy principles from each of the negotiating countries, and countries would have the choice of recognizing compliance of the laws for individual companies or entire countries (Cline, 2006). In addition, the countries would have the flexibility of enforcement through the processes employed by the World Trade Organization governing body (Cline, 2006). A second proposes developing norms for acceptable behavior in cyberspace as a guide to the development of policies and partnerships (Obama, 2011). This method would not necessitate any rewriting of international law, nor would existing international norms become obsolete (Obama, 2011). However, because of the uniqueness of cyberspace, there would need to be a consensus on how to apply these norms of behavior in this arena (Obama, 2011). Of particular concern to the CIO of a company dealing with international laws and e-commerce is the section of the proposal detailing the policy priorities in regards to Internet governance. To promote an Internet governance that meets the needs of all Internet users, the US will: (1) prioritize openness and innovation on the Internet, (2) preserve global network security and stability, including the domain name system (DNS), and (3) promote and enhance multi-stakeholder venues for the discussion of Internet governance issues (Obama, 2011). While these proposed methods are laudable, there is no guarantee that either will come to fruition.

Recommendations I

The avenue of a global legal framework is evolving and not yet in existence; therefore its choice as a solution for a CIO at this point in time is not tenable. The avenue to protect a company against international claims with a cushion fund or insurance policy is plausible, but expensive, providing a cyber-risk policy can be found. The recommendation made here is to create an international data strategy. The first step in developing this strategy is to study the flow of information a company is responsible for. This means not only where it starts and ends up, but through which countries it passes (Nahra, 2006). The next step is to study any vendors and subsidiaries that may touch this information (Nahra, 2006). Included in this step are any plans for mergers or acquisitions. It must be part of the strategy to study a possible target’s practices and privacy policies, especially important if the target resides in another country (Gilbert, 2008). Any written agreements engaged in with these targets should address data privacy and security specifically and should include a warranty that no claim has been made against the target company and that they have complied with all applicable laws (Gilbert, 2008). The third step is to include a plan to ensure that any laws applicable in any of these countries be followed (Nahra, 2006). The international data strategy must be reassessed at least once a year to account for changes in business operations, vendors and laws (Nahra, 2006).


II. Consumer Data Collection Invades Privacy

Most consumers are not aware of the information being stored about them until there is a breach that becomes public knowledge (Spinello, 2006). As data storage costs have decreased, more and more consumer data is being stored. Companies are in control of vast amounts of personal information and consumers expect that data to be secure. The US position historically has been that businesses self-regulate how they use this information (Spinello, 2006). This has led consumers to become increasingly concerned about privacy rights. Some of the causes for this concern are included in this section, along with potential solutions.

Disclosure and Opt Out Agreements - Difficult to Understand and Hard to Find

Consumers currently must opt out of information sharing by the online providers they do business with. This is not a straightforward process. Most consumers do not want to read a multiple page privacy document when purchasing something online. Online purchasing is supposed to be a quick and convenient experience.

JCPenney.com uses web beacons to track usage, which is used in focusing advertising (JCPenney, 2011). They utilize a Privacy Policy that includes an explanation on how to opt out of tracking (JCPenney, 2001). The consumer must request a list of the third party companies that JCPenney uses to track movement online. Consumers must then go to those individual sites if they wish to opt out. This is a very cumbersome and confusing process for the user and is typical of most privacy policies. Figure 1 is an excerpt from the JCPenney.com Privacy Policy on opting out which illustrates the fact that the onus is on the consumer to protect their information.


Figure 1. Opt out instructions from the JCPenney.com Privacy Policy.

    If you prefer that we:
    NOT share information about you with any of the companies outside the JCPenney Family that we have authorized to contact you regarding their products or services, or
    NOT share your JCPenney credit account history information with affiliated companies within the JCPenney Family
    Please let us know by:
    writing to us at J.C. Penney Corporation, Inc., P.O. Box 10001, Dallas, TX 75301-7311, Attention: Corporate Customer Relations,
    calling us at 1-800-204-3334, or email us at [email protected]

Legislation is in the process of development to help consumers gain control over their data. One bill, introduced by Senators John Kerry and John McCain, is the Privacy Bill of Rights Act (Newman, 2011). Language in this bill includes clear notification that the ability to opt out is available (Newman, 2011). Sensitive information that could cause harm if disclosed to the public cannot be shared unless a company obtains a user’s consent to opt in (Newman, 2011). This bill would also prevent companies from collecting information that is not necessary to deliver or improve service (Newman, 2011).

An additional provision of the Privacy Bill of Rights Act stipulates that consumers cannot sue for privacy violations (Newman, 2011). Only the Federal Trade Commission or state attorney would have the authority to sue (Newman, 2011). Consumer privacy groups are opposed to this provision and feel the act does not go far enough to protect consumers (Newman, 2011).

The basic tenets of a privacy policy are notice and choice (Spinello, 2006). Consumers want to have a choice in what data is collected and how it is used (Spinello, 2006). If every company followed some simple guidelines, such as asking for permission before selling identifiable personal data to another organization, this would give consumers a clear and simple choice and legislation would possibly not be necessary.

Another option would be to use technology and code to protect consumer privacy. When using the Platform for Privacy Preferences Project (P3P) the user can define preferences in their browser that are compared to the websites visited (Spinello, 2006). P3P will only allow users to provide their personal data at sites consistent with their preferences (Spinello, 2006). A user would receive a warning if entering a website that collected more information than he or she was willing to provide (Spinello, 2006). This would help empower consumers to make informed choices (Spinello, 2006). Websites and browsers would have to adopt these standards for this solution to work.
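The comparison P3P describes can be made concrete. In P3P a site sends an HTTP header such as P3P: CP="CAO DSP COR CURa ..." whose three-letter tokens summarize what data it collects, for what purpose, and who receives it; a browser holding the user's preferences compares the two and warns before personal data is sent. The following Python is an added illustration, not code from the paper or from any P3P implementation. The token sets are a subset of the P3P 1.0 compact-policy vocabulary; the two site headers and the user preferences are constructed for the example, and the "opt-out counts as collected" rule reflects the paper's point that opt-out defaults leave the onus on the consumer.

```python
"""Toy P3P compact-policy check: does a site collect more than the user allows?

Added example (not from the paper). Token groups are a subset of the P3P 1.0
compact-policy vocabulary; headers and preferences below are constructed.
"""
import re
from dataclasses import dataclass, field

# Subset of the P3P 1.0 compact policy vocabulary, grouped by what it describes.
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
              "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
# Access, disputes, retention and test tokens: accepted but not judged here.
OTHER = {"NOI", "ALL", "CAP", "CAO", "IDC", "OTI", "NON", "DSP", "COR",
         "NOR", "STP", "LEG", "BUS", "IND", "TST"}
QUALIFIER = {"a": "always", "i": "opt-in", "o": "opt-out"}
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio])?$")


@dataclass
class CompactPolicy:
    purposes: dict = field(default_factory=dict)    # token -> qualifier letter
    recipients: dict = field(default_factory=dict)  # token -> qualifier letter
    categories: set = field(default_factory=set)
    non_identifiable: bool = False                  # NID: no identifiable data collected
    unknown: set = field(default_factory=set)       # tokens outside our vocabulary


def parse_cp_header(header_value: str) -> CompactPolicy:
    """Parse the value of a P3P response header (the text after 'P3P:')."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    if not m:
        raise ValueError('header carries no CP="..." compact policy')
    policy = CompactPolicy()
    for raw in m.group(1).split():
        tm = TOKEN_RE.match(raw)
        if not tm:
            policy.unknown.add(raw)
            continue
        token, qualifier = tm.group(1), tm.group(2) or "a"  # no suffix means "always"
        if token in PURPOSES:
            policy.purposes[token] = qualifier
        elif token in RECIPIENTS:
            policy.recipients[token] = qualifier
        elif token in CATEGORIES:
            policy.categories.add(token)
        elif token == "NID":
            policy.non_identifiable = True
        elif token not in OTHER:
            policy.unknown.add(raw)
    return policy


@dataclass
class UserPreferences:
    banned_purposes: set
    banned_recipients: set
    banned_categories: set
    # An opt-out purpose still collects unless the user acts, so a cautious
    # user treats it as active; opt-in purposes need explicit consent first.
    treat_opt_out_as_active: bool = True


def evaluate(policy: CompactPolicy, prefs: UserPreferences) -> list:
    """Return the list of conflicts; an empty list means the site is acceptable."""
    if policy.non_identifiable:
        return []

    def active(q: str) -> bool:
        return q == "a" or (q == "o" and prefs.treat_opt_out_as_active)

    conflicts = []
    for token, q in sorted(policy.purposes.items()):
        if token in prefs.banned_purposes and active(q):
            conflicts.append(f"purpose {token} ({QUALIFIER[q]})")
    for token, q in sorted(policy.recipients.items()):
        if token in prefs.banned_recipients and active(q):
            conflicts.append(f"recipient {token} ({QUALIFIER[q]})")
    for token in sorted(policy.categories & prefs.banned_categories):
        conflicts.append(f"data category {token}")
    return conflicts


# Constructed preferences: no tailoring or profiling, no sharing with unrelated
# parties or the public, no financial, health or demographic data.
CAUTIOUS_USER = UserPreferences(
    banned_purposes={"TAI", "PSA", "PSD"},
    banned_recipients={"UNR", "PUB", "OTR"},
    banned_categories={"FIN", "HEA", "DEM"},
)

# Constructed headers for two hypothetical sites.
SHOP_HEADER = 'CP="CAO DSP COR CURa ADMa DEVa OUR IND NAV INT PUR"'
ADNET_HEADER = 'CP="NOI DSP COR TAIo PSAo PSDo OTPa SAMo UNRo OTRo NAV INT DEM FIN"'

if __name__ == "__main__":
    for name, header in (("shop", SHOP_HEADER), ("adnet", ADNET_HEADER)):
        problems = evaluate(parse_cp_header(header), CAUTIOUS_USER)
        print(f"{name}: {'OK' if not problems else 'WARN: ' + ', '.join(problems)}")
```

Run as a script, the shop header passes and the ad-network header produces seven conflicts (three opt-out purposes, two recipients, two data categories). Setting treat_opt_out_as_active to False reduces that to the two data categories, which shows how much of the outcome depends on whether the browser treats an opt-out default as consent.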

Use of Cookie Technology to Record User Activity

Any website can track any online activity. A website can follow a person from site to site, identifying all the pages visited and what is done there (Miller, 2008). This mimics following a person to the store and taking pictures of everything they do (Miller, 2008). Cookies are used to accomplish this and are automatically installed on the user’s computer hard drive (Miller, 2008). This activity takes place without a user’s knowledge or permission (Miller, 2008).

Cookies help companies market products to the consumer, usually a harmless purpose. Advertising is presented that focuses on consumer interests (Miller, 2008). If this were the only use for the information, there would likely be no cause for concern. However, the information gathered could be combined with other stored information (Miller, 2008). Governments or other entities could use this information to create a data profile about a person (Miller, 2008).
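The site-to-site following described above works because a single tracker host is embedded on many unrelated sites, and its cookie comes back on every one of those requests. The simulation below is an added example, not code from the paper or its sources: it models a minimal cookie jar, a beacon host that assigns each new visitor an id, and a browsing session across three constructed sites, then shows what the tracker can link with third-party cookies allowed versus blocked (the setting the paper later notes most consumers do not know how to use). Host names, ids and the two-label "registrable domain" rule are simplifications made for the example.

```python
"""Cross-site tracking via a third-party cookie, and the browser-side mitigation.

Added example (not from the paper). Hosts, ids and the cookie model are
constructed; site_of() is a two-label stand-in for a public-suffix lookup.
"""
import itertools
from dataclasses import dataclass, field


def site_of(host: str) -> str:
    """Registrable domain, approximated as the last two labels of the host."""
    return ".".join(host.split(".")[-2:])


@dataclass
class Browser:
    block_third_party: bool = False
    jar: dict = field(default_factory=dict)  # (host that set it, name) -> value

    def _is_third_party(self, request_host: str, top_level_host: str) -> bool:
        return site_of(request_host) != site_of(top_level_host)

    def cookies_for(self, request_host: str, top_level_host: str) -> dict:
        """Cookies sent to request_host from a page whose address bar shows top_level_host."""
        if self.block_third_party and self._is_third_party(request_host, top_level_host):
            return {}
        return {name: value for (host, name), value in self.jar.items() if host == request_host}

    def store(self, request_host: str, top_level_host: str, set_cookie: dict) -> None:
        """Honour Set-Cookie from request_host, subject to the third-party rule."""
        if self.block_third_party and self._is_third_party(request_host, top_level_host):
            return
        for name, value in set_cookie.items():
            self.jar[(request_host, name)] = value


class Tracker:
    """Beacon host: assigns an id on first sight and logs which site each hit came from."""

    def __init__(self, host: str):
        self.host = host
        self._ids = itertools.count(1)
        self.hits = []  # (visitor id, first-party site the beacon was loaded from)

    def serve_beacon(self, cookies: dict, referring_site: str) -> dict:
        """Return the Set-Cookie dict; empty when the visitor already carries an id."""
        visitor_id = cookies.get("uid")
        set_cookie = {}
        if visitor_id is None:
            visitor_id = f"u{next(self._ids)}"
            set_cookie["uid"] = visitor_id
        self.hits.append((visitor_id, referring_site))
        return set_cookie


def load_page(browser: Browser, tracker: Tracker, page_host: str) -> None:
    """Load a first-party page that embeds the tracker's beacon."""
    browser.store(page_host, page_host, {"session": f"s-{page_host}"})  # ordinary first-party cookie
    sent = browser.cookies_for(tracker.host, page_host)
    browser.store(tracker.host, page_host, tracker.serve_beacon(sent, site_of(page_host)))


def linkage(tracker: Tracker) -> dict:
    """Visitor id -> set of first-party sites the tracker can tie to that id."""
    profile = {}
    for visitor_id, site in tracker.hits:
        profile.setdefault(visitor_id, set()).add(site)
    return profile


# Constructed browsing session across three unrelated first-party sites.
SESSION = ["shop.example", "news.example", "shop.example", "health.example"]


def simulate(block_third_party: bool) -> dict:
    browser = Browser(block_third_party=block_third_party)
    tracker = Tracker("beacon.adnet.example")
    for host in SESSION:
        load_page(browser, tracker, host)
    return linkage(tracker)


if __name__ == "__main__":
    print("third-party cookies allowed:", simulate(False))
    print("third-party cookies blocked:", simulate(True))
```

With third-party cookies allowed, one id (u1) is tied to all three sites, which is the cross-site profile the text warns about; with them blocked, the beacon sees a fresh id on every hit and no two visits can be joined. The first-party session cookie is unaffected either way, which is why this setting is a low-cost default for a privacy-conscious deployment.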

Companies value this kind of information. It allows them to “predict consumer preferences and behavior” (Spinello, 2006, p.149). However, what if a consumer does not want their activity tracked? Most consumers do not know what actions to take to regain control over their personal information.

Legislation is being introduced that would allow users to block companies from collecting information about their online movements. Senator Jay Rockefeller presented the Do-Not-Track Online Act of 2011 on May 9, 2011 (Lefkow, 2011). This Act would give consumers a straightforward way to indicate whether they wanted to have personal information collected by online service providers (Lefkow, 2011). The Federal Trade Commission would be required to implement mechanisms for allowing this option for consumers (Lefkow, 2011). This is similar to legislation introduced by Representative Jackie Speier on February 11, 2011 called the Do Not Track Me Online Act of 2011 (Lefkow, 2011).

These bills have not become law yet and may not make it into law. It is clear that consumers are interested in their right to protect their data and its use. Laws are one way consumers can speak up, but they may prove hard to implement. Consumers would have to negotiate with every website seeking their information (Spinello, 2006). This would become time-consuming and a burden for both parties (Spinello, 2006). If privacy is important to consumers, those in the industry can recognize this and work to earn their confidence.


Companies have the option to regulate themselves to avoid government-imposed regulations. A commitment to security and confidentiality may mean higher prices. Those who care about privacy may be willing to pay a premium for more protection. This could actually convince those reluctant to enter the online market to join if privacy is guaranteed.

Recommendations II

Consumers are increasingly voicing their concerns regarding privacy rights and the protection of their data. They do not feel in control of how their information is used. Opt out agreements are not easily understood and although consumers can manage cookies through their browser, most do not know how. It is imperative that corporations understand these concerns and take steps to address them. The lack of action has created a cry for legislation to force companies to give consumers some rights.

Corporations can take action to help with these concerns. One basic notion is notice and choice. Simple steps that notify the customer about how a company uses their data would let the consumer make a more informed decision. Next, give consumers a simple way to opt out. A consumer doing business with a company may or may not want to have information shared with others. Consumers do not read multi-page privacy agreements to find out they must send a letter or email to everyone with whom the company has shared data. Give consumers a clear and simple choice.

A lack of trust exists between consumers and corporations regarding the safety of their personal information. Committing to security and confidentiality may require additional resources, but consumers are interested in this protection and may be willing to pay for this necessity. There are many reluctant to join the online market because of these concerns. Eliminating these perceptions by giving consumers some control may actually open up the market to those hesitant consumers.

III. Employee Monitoring and Workplace Privacy

Employee monitoring and surveillance is becoming the subject of much media attention as some employees view it as an invasion of their privacy. Employers justify their methods as necessary to protect intellectual property, monitor employee performance, and manage productivity. It also aids employers in avoiding liability for certain employee behaviors. This conflict has prompted the discussion as to where the line should be drawn between justifiable monitoring and invasion of an individual’s privacy.

Even though employee monitoring is deemed necessary for employers, companies that choose to implement these kinds of technologies must be mindful of their effect on employee morale. Richard Hunter, a privacy analyst at Gartner Incorporated, said that, "CIOs must measure expected benefits against potential problems" (James, 2004). In order to find a common ground for both employers and employees, this section will explore the reasoning behind employer access to the work-related and personal information of their employees. It will discuss what methods of surveillance are implemented and how they affect both parties. Furthermore, it will touch on what legislation addresses workplace privacy concerns. This section will conclude with solutions and recommendations that may help the CIO understand that the human aspect of this issue is important to the effectiveness of employee monitoring.


Employee Monitoring Then and Now

Employee advocacy groups have been fighting for employees’ workplace privacy in increasing measure, which may lead us to believe that employee-monitoring practices have just recently been introduced, when in fact they have been around for decades. The differences between then and now are the methods used, availability of technology, and the amount of information collected (Kizza, 2010, p. 148).

Employers have always been very much aware of how employee performances affect the company’s bottom line. Before high tech surveillance equipment and software were available, companies implemented various methods to monitor their employees (Kizza, 2010, p. 148). During the early years, employee monitoring relied heavily on intensive use of human resources and one-on-one monitoring. The development of new technology slowly lessened this dependency. Companies are now implementing advanced tracking systems that replace the visible eyes of managers with invisible eyes of monitoring software and equipment. Employers believe that such monitoring technologies are more accurate because of the absence of human biases and opinions (Crampton & Mishra, 1998).

Is Employee Monitoring Necessary?

Information is considered to be the most valuable asset a company can have. As the use of technology has increased in the workplace, so has the possibility of “intrusion into the systems, theft of business information, fraudulent use of information and other forms of information loss or damage” (Stanton, The Visible Employee, 2006, p. 1). The CIO can implement all the necessary precautions and use the most advanced security procedures, but without a responsible employee to monitor the system, these safety measures can be rendered useless. Employees are a vital part of the success of these security procedures, but then, they themselves require monitoring to prevent certain wrongdoings.

The advent of technology in the workplace has created some personnel issues, such as cyberloafing, wherein employees use valuable company time and resources to browse the Internet for personal purposes (Mujtaba, 2003). This unnecessary and unproductive use of company time and resources can be prevented by implementing employee monitoring measures.

Just as the company is trying to protect its rights and property, as well as its third party users such as shareholders and customers, employees are voicing their concerns about the possibility of the mishandling of their private information.

Another issue raised is the lack of privacy at work. Employees feel that they have the right to privacy at work, and the use of employee monitoring techniques is an invasion of their privacy. By being monitored constantly, employees feel scrutinized and are not able to perform well because of constant fear of surveillance.

Impact of Employee Monitoring

In order for CIOs to provide an effective solution, it is necessary to be mindful of the impact of employee monitoring on their company and its employees. As mentioned earlier, the human aspect of employee monitoring is slowly being replaced by the use of advanced data collecting technologies, thus eliminating human biases and judgment that can be clouded by human emotions and politics. Evaluations are based more on quantitative data from computer systems that can be further analyzed, which may be an advantage for employees (Crampton & Mishra, 1998). Employee monitoring also provides employee location flexibility, since employers can check on employees in various work locations (Crampton & Mishra, 1998). Another advantage for employees is computer-based feedback, which has proven to be more effective than face-to-face evaluation (Crampton & Mishra, 1998), because they now have the ability to review their own performance through data collected without prejudice.

Employee monitoring can also have a negative effect on employees, both psychologically and physically. Employees feel that too much monitoring creates unnecessary stress and a lack of self-esteem (Crampton & Mishra, 1998). Constant fear of job loss results in a lack of interest, which translates into poor performance. Physical manifestations such as headaches and stomach problems result in missed work, thus increasing medical expenses (Crampton & Mishra, 1998). Another issue is that employee evaluations based solely on quantitative measurements from computer systems may not be the best representation of employees' performance, because behavior and quality of work are just some of the things that cannot be quantified (Crampton & Mishra, 1998).

Employers have long defended their actions by explaining that employee monitoring is not implemented to hurt employees but to help increase overall efficiency (Kizza, 2010, p. 153). The thought is that employees who are aware of being monitored are more likely to increase their productivity and become more responsible in the use of their time. In addition to increasing production, employee monitoring can help employers lessen their risk of future liabilities caused by improper use of company resources (Kizza, 2010, p. 153). Just as it is necessary for employees to have objective evaluations, it is important for employers to have access to quantitative data in order to determine the effectiveness of their business strategies (Kizza, 2010, p. 153). However advantageous these reasons may seem, the effect of such monitoring creates adverse working conditions for employees and, in the end, this may defeat the purpose of implementing such measures (Kizza, 2010, p. 153).

Laws Affecting Employee Monitoring and Workplace Privacy

In the United States, Americans are given the right to keep certain information private, but with constant monitoring, employees feel that employers are crossing that line (Crampton & Mishra, 1998). Employees have turned to the government to seek legal protection, but unfortunately found that they have fewer legal rights than they thought (Schulman). The 1986 Electronic Communications Privacy Act (ECPA), which “prohibits unauthorized interception of various electronic communications, including email” (Schulman), was thought to be the answer to protecting employees from monitoring. However, this law has several exceptions. The most relevant exceptions to workplace privacy are the “Consent of a Party to the Communication Exception” and the “Provider Exception”, which grant providers of communication, such as employers, the right to intercept communications as long as there is a legitimate business reason (Electronic Surveillance in Communications Networks). Employees are left without an alternative, since under United States federal law employers have every legal right to intercept “work related use of telephone, email, and other computer-generated communications if certain conditions have been met” (Thomas, 2005). In Europe, by contrast, employees’ privacy is protected by Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, which states that “everyone has the right to respect for his private and family life, his home and his correspondence” (Lasprogata, King, & Pillay, 2004). The term “private and family life” is interpreted by the European Court of Human Rights to “include the workplace and extends protection of privacy in correspondence from it” (Lasprogata, King, & Pillay, 2004).

Methods of Surveillance

Because of the variety of exploits used to steal information from companies, a multi-layered security framework should be employed. There are various monitoring technologies available for implementation today (Weckert, 2005, p. 7).

Some of the more established methods are:

• phone tapping
• voicemail recording
• CCTV
• video monitoring

Some of the newer methods include:

• computer software monitoring such as email, web tracking, content filtering and blocking
• remote freeze and lock up
• key-loggers
• screen capture programs
• application usage trackers

Some companies go even further by using GPS or tagging employee badges with RFID, methods capable of tracking the exact location of their employees (James, 2004).

Employee monitoring has resulted in a massive collection of employee data, placed in the hands of employers. Unfortunately, employers are not always clear about how they use and store this kind of information. Most employees are not even aware of what data is being collected. Without transparency and full disclosure, employees are constantly in fear that these records may be compromised or, worse, be used against them in the future.

Recommendations III

While employee monitoring can create ethical issues and business problems, there are solutions that can help solve this dilemma. Establishment of a transparent security framework that involves and benefits not just employers but also employees is an important step for a CIO to take. In order to have an effective security policy and infrastructure in place, it is vital to have active participation from the different groups affected by it, namely employees, company leaders, and IT experts (Stanton, Human Risks in Computer Security, 2006). Input from each group is critical to make sure all sides are heard and directives are created fairly.

If an employer decides that employee monitoring is necessary, employees have the right to know that they are being monitored and what is being monitored. Employers should effectively communicate their ethics and security policies and integrate them through ethics training and self-regulatory programs. Furthermore, it is important to respect each individual’s privacy when the nature of intercepted information is not business related. In return, employees must be mindful of the use of company time and resources for non-business activities so that productivity, efficiency, and information security are not compromised. The CIO must also be willing to share what is discovered through surveillance and be open to inquiries and possible backlash from employees.

Conclusion

Addressing privacy concerns in regard to international business, consumer data, and employee rights is a challenge. The CIO must find ways to adapt as new technology is implemented and new laws are enacted concerning privacy protection and rights, especially in these three key areas. A guide to this adaptation includes:

• Development of an international data strategy through the study of the company’s flow of information; the study of vendors and subsidiaries; assurance that applicable laws are followed in the countries where the company does business; and annual reassessment of the strategy.
• Notification to the consumer in plain language of how a company uses their data; giving consumers a simple way to opt out; and commitment to the security and confidentiality of consumer data.
• Establishment of a transparent security framework for employee monitoring; obtaining input from the different groups affected by employee monitoring policies; disclosure to employees of monitoring practices; communication of company ethics and security policies; and respect for each employee’s privacy when the nature of intercepted information is not business related.

A company’s survival in a cyber world depends on listening to the Internet privacy alert.

References

Basu, S., & Jones, R. (2005). Indian Information and Technology Act 2000: Review of the Regulatory Powers under the Act. International Review of Law Computers & Technology, 19(2), 209-230.

Cain, R. (2002). Global Privacy Concerns and Regulation – Is the United States a World Apart? International Review of Law Computers & Technology, 16(1), 23-34.

Crampton, S. M., & Mishra, J. M. (1998). Employee monitoring: privacy in the workplace? SAM Advanced Management Journal.

Electronic Surveillance in Communications Networks. (n.d.). Retrieved May 25, 2011, from US Department of Justice Computer Crime & Intellectual Property Section: http://www.justice.gov/criminal/cybercrime/ssmanual/04ssma.html

Gilbert, F. (2008). Is Your Due Diligence Checklist Obsolete? Understanding How Information Privacy and Security Affects Corporate and Commercial Transactions. The Computer & Internet Lawyer, 25(10), 13-18.

James, G. (2004, March 1). Can't Hide Your Prying Eyes. Retrieved May 21, 2011, from Computer World: http://www.computerworld.com/s/article/90518/Can_t_Hide_Your_Prying_Eyes

J. C. Penney Corporation, Inc. (2011, April 5). Privacy policy. Retrieved May 28, 2011, from http://www.jcpenney.com/jcp/CustomerServiceSub.aspx?CatTyp=CSR&CatID=12490&cmResetCat=True&CmCatId=homepage&mscssid=69d3ee29b8c3a4e838be2becf3256eb5axMnVNoVza3WxMnVNoVza3o200B9B2A297EB9334BC7CB4B089BE83EA34A1115019

Kizza, J. (2010). Ethical and Social Issues in the Information Age. London: Springer.

Lasprogata, G., King, N. J., & Pillay, S. (2004). Regulation of Electronic Employee Monitoring: Identifying Fundamental Principles of Employee Privacy through a Comparative Study of Data Privacy Legislation in the European Union, United States and Canada. Stanford Technology Law Review, 12.

Lefkow, C. (2011, May 9). US Politicians Push for 'Do Not Track' Internet Laws. Retrieved May 27, 2011, from http://www.nzherald.co.nz/connect/news/article.cfm?c_id=1501833&objectid=10724402

Masters, L. (2007). Insuring Coverage Along the Information Superhighway. The Computer & Internet Lawyer, 24(11), 1-14.

Merriam-Webster, Inc. (2011). Privacy. Retrieved May 15, 2011, from http://www.merriam-webster.com/dictionary/privacy

Miller, M. (2008). Is it safe? Protecting Your Computer, Your Business, and Yourself Online. Indianapolis, IN: Que.

Mujtaba, B. (2003). Ethical Implications of Employee Monitoring. Journal of Applied Management and Entrepreneurship.

Nahra, K. (2006). A Privacy and Security Compliance Checklist for the Internet Era. Journal of Internet Law, 9(12), 11-18.

Newman, J. (2011, April 13). Kerry-McCain privacy bill: What you need to know. Retrieved May 28, 2011, from http://www.pcworld.com/article/225039/kerrymccain_privacy_bill_what_you_need_to_know.html

Obama, B. (2011). International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World.

Schulman, M. (n.d.). Little Brother is Watching You. Retrieved May 18, 2011, from Santa Clara University: http://www.scu.edu/ethics/publications/iie/v9n2/brother.html

Speier, J. (2011, February 11). Speier Introduces Consumer Privacy Package. Retrieved May 27, 2011, from https://speier.house.gov/index.cfm?sectionid=48&itemid=683

Spinello, R. A. (2006). Cyberethics: Morality and Law in Cyberspace. Sudbury, MA: Jones and Bartlett.

Stanton, J. (2006, June). Human Risks in Computer Security. Retrieved May 26, 2011, from mThink: http://mthink.com/sites/default/files/legacy/midmarket/content/pdf/mms2_2_10_wp_syracuseuniv_stanton.pdf

Stanton, J. (2006). The Visible Employee. Medford: Information Today.

Thomas, R. (2005, March 18). Issues to Consider When Implementing an Employee Monitoring Program. Retrieved May 27, 2011, from Tech Republic: http://www.techrepublic.com/article/issues-to-consider-when-implementing-an-employee-monitoring-program/5615878

Weckert, J. (2005). Electronic Monitoring in the Workplace: Controversies and Solutions. Hershey: Idea Group Inc.