‘The monitoring of employees must be ethically balanced and aligned with international privacy regulations’
27th June, 2013 – London, UK – At a cyber security event in London today, three influential global businesses, Dtex Systems, Deloitte and Bird & Bird, are presenting a unified view that the monitoring of employees in the workplace must be closely regulated and only focused on identifying threats. All agree that there is a need for employee monitoring in light of an increase in attacks from within, but they strongly emphasise that protective monitoring systems must be able to identify internal threats without unnecessarily capturing content or personal information. The three organisations have published a new report providing guidance on how to effectively protect customer data and commercially sensitive information systems without compromising staff privacy, in accordance with complex and varied international legal regulations.
As competition drives global demand for innovative products and services at increasingly competitive prices, the value of commercial information and personal data has increased exponentially. However, in order to promote innovation, businesses can no longer afford to restrict the activities of their staff to maintain baseline security standards. In these flexible working environments, staff require ever broader access to systems and data, so monitoring is the only option for identifying and preventing accidental or deliberate breaches by insiders.
The threat of industrial espionage is spreading, with more global businesses coming under attack. Increasingly, these threats are coming from within; it is well documented that the number of employees stealing confidential data or providing unauthorised access to external sources is rising rapidly. The most successful and damaging attacks involve both insiders and outsiders, often with the insider unaware that their activities have supported such an attack. Businesses need to be able to monitor and identify suspicious behaviours in order to protect their interests, but they are faced with privacy requirements that differ across countries.
The report, ‘Protective monitoring and privacy law’, published today by Dtex, Bird & Bird and Deloitte, provides recommendations and guidance for multinational organisations regarding the legalities of monitoring computer activities in the workplace. This guidance will help businesses to establish a balanced approach to mitigating the threat of industrial espionage.
“Monitoring is a necessary but often contentious subject. Global businesses have a legal requirement to protect sensitive customer data whilst also upholding an individual’s right to privacy. Some organisations just can’t seem to get this right, but striking this balance is actually quite simple if some basic principles are followed diligently,” comments Mohan Koo, managing director of Dtex Systems. “This report helps clarify the steps that global organisations need to consider when implementing a Protective Monitoring policy, in order to do so ethically and in adherence to global legal requirements.”
Ruth Boardman, partner and co-author of the report, Bird & Bird, said: “There are commercial and legal imperatives to protect company confidential data, while at the same time protecting employee privacy. It can be difficult to manage this balance, especially across multiple jurisdictions. The whitepaper will be a useful and practical tool to help international organisations achieve this important objective.”
Peter Gooch, Security and Privacy Director at Deloitte, adds: “The rules around employee monitoring, as with many privacy requirements, can vary greatly country by country. Much of this is driven by underlying cultural and social differences, which can be deeply embedded into a particular country’s society, so getting monitoring right is very important to any organisation. Having a flexible approach that can be tailored to different country requirements is key.”
The Protective Monitoring report brings together insights from leading players in the security industry and across business sectors. It details the steps required for an efficient and effective Protective Monitoring programme, which can be implemented globally within multinational organisations.
Some of the report’s key recommendations include:
> Identifying which markets require particular attention as part of the Protective Monitoring roll-out
> Reviewing privacy regulations to ensure compliance with local legislation
> Conducting appropriate risk and impact assessments for key markets to determine the appropriate level of monitoring (i.e. not a “catch all” approach)
> Reviewing technology infrastructure for the most appropriate systems
The full report can be downloaded at www.dtexsystems.com/pm-guidelines