Blog Post 4 – Information Access Protection – The control and limitation of access to data by others


            When we think of data security and the privacy of our data at work, information access protection is what we are typically thinking about, since it deals with who controls and who may access our data.  Information access protection draws on the control and limitation theories of privacy, which concern control over, and restriction of, access to personal information (Tavani, 2007, p. 7).  One example of information access protection is the Privacy Act of 1974, which restricts the collection, use, and distribution of information by federal agencies.


            How many of you reading this blog post have cellular devices provided by your company with mobile device management (MDM) software installed, or are required to install such software on your own device?  The use of MDM is common practice, and one that often comes without any indication as to what your company is doing with your data.  So, the first recommendation is to review mobile device management policies and procedures proactively.  One study by Parham et al. (2015) indicates that employees have grave concerns over employer access to personal email, texts, personal contacts, photos, videos, voicemails, and so forth (p. 25).  Your company can install an MDM solution that protects your data by containerizing corporate data, allowing it to erase corporate data without touching or viewing your personal information.  Providing features like a mandatory PIN, for instance, instills a greater sense of privacy (Parham et al., 2015, p. 26).  It seems simple; what else can your organization do?

            The second recommendation resulting from my research is to weigh the costs and benefits of security controls.  Security controls, while typically in place to protect an organization, often cause stress, health problems, and the sense that privacy has been invaded (Leclercq-Vandelannoitte, 2017, p. 141).  Taking the simple step of making sure each control has value from both an employee and an employer perspective reduces those feelings of privacy invasion while providing greater protection for your organization (Lee, Lee, & Kim, 2016, p. 68).  So how can we weigh the costs and benefits of security controls?

            One method is to weigh asynchronous vs. synchronous security controls.  Real-time internet monitoring and keystroke logging by organizations create a feeling of privacy invasion.  Doing things asynchronously, such as passive email monitoring and examining internet or phone records only upon an HR request, significantly reduces that feeling of privacy invasion (Tomczak, Lanzo, & Aguinis, 2018, p. 254).  Another helpful step is to roll out monitoring software selectively, based on system authority or access to essential information assets, which also reduces the sense of privacy invasion (Lee et al., 2016, p. 68).  Some employees appreciate security controls and notifications when they are well designed.  Potoglou, Dunkerley, Patil, and Robinson (2017) found that employees appreciate items like warnings on websites that pose security concerns such as phishing or other security and privacy attacks (p. 820).  All of these tools generate data on employees, which brings me to my next recommendation.

            Organizations should limit data collection where it lacks value; where the data has value, it should be anonymized or obfuscated, and erased once its use is finished.  Excessive accumulation of data is directly linked to an employee’s feeling of privacy invasion (Carpenter, McLeod, Hicks, & Maasberg, 2018, p. 95).  Many organizations think that anonymizing data is an uphill battle.  However, ethical use of data requires anonymizing and protecting that data (Herschel & Miori, 2017, p. 33).  What if you are a believer that big data can’t be anonymized?

            There are several other options besides removing employee personal information from your organization’s data sets.  Obfuscating data is one step an organization can take: producing misleading, false, or ambiguous data makes it less valuable to malicious actors.  Systems should be designed not to collect personal information where it isn’t necessary, and employers can purchase anti-tracking systems for employee systems to further protect their web activity (Pascalev, 2017, p. 42).  So, let us suppose an organization has taken steps to protect employee data, but you have a bad actor in the organization?
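The two paragraphs above (limit collection, anonymize or obfuscate what you keep, erase it when finished) translate into a small, repeatable pipeline. The following Python is an added example written for this post, not code from the original post or from any of the cited authors. It assumes a hypothetical monitoring export with the constructed fields shown in `SAMPLE_ROWS`; the field names, the sample employees, and the demo key are all made up. It replaces the employee identifier with a keyed pseudonym (HMAC-SHA256, so the same employee stays linkable for investigations while re-identification requires a key that HR or legal holds separately), drops fields that have no value for the security purpose (email, device name), generalizes full URLs down to their hostname, and purges records past a retention window.

```python
import hmac
import hashlib
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample rows in a hypothetical monitoring-export shape (not any
# real product's format). Employees, addresses, and URLs are made up.
SAMPLE_ROWS = [
    {"employee_id": "E1001", "email": "ana@example.test", "device": "phone-07",
     "event": "web_visit", "url": "https://intranet.example.test/hr/benefits?id=77",
     "ts": "2024-01-05T09:12:00+00:00"},
    {"employee_id": "E1002", "email": "ben@example.test", "device": "laptop-12",
     "event": "phishing_warning_shown", "url": "https://login-example.test/reset",
     "ts": "2024-03-20T14:03:00+00:00"},
    {"employee_id": "E1001", "email": "ana@example.test", "device": "phone-07",
     "event": "web_visit", "url": "https://news.example.test/story/42",
     "ts": "2024-03-22T08:45:00+00:00"},
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym for an employee identifier.

    The same employee always maps to the same token (so repeated events can
    still be correlated during an HR-requested review), but without the key,
    which is held outside the analysis environment, nobody can go from the
    token back to the employee. A plain unkeyed hash would be reversible by
    hashing the small set of known employee IDs.
    """
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def minimize(row: dict, key: bytes) -> dict:
    """Keep only the fields that carry value for the security purpose.

    Email and device name are dropped outright; the URL is generalized to its
    hostname so the record is ambiguous enough to be of little use to an
    attacker who obtains the data set, while still showing which sites were
    involved.
    """
    return {
        "pseudonym": pseudonymize(row["employee_id"], key),
        "event": row["event"],
        "host": urlparse(row["url"]).hostname or "",
        "ts": row["ts"],
    }


def purge_expired(records: list, now_iso: str, retention_days: int) -> list:
    """Erase records older than the retention window (timestamps are ISO 8601, UTC)."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    return [r for r in records if datetime.fromisoformat(r["ts"]) >= cutoff]


def process(rows: list, key: bytes, now_iso: str, retention_days: int) -> list:
    """Full pipeline: minimize and pseudonymize every row, then apply retention."""
    return purge_expired([minimize(r, key) for r in rows], now_iso, retention_days)


if __name__ == "__main__":
    # Demo key: constructed for this example only; a real deployment would
    # generate one and keep it in a separate custody domain from the data.
    demo_key = b"constructed-demo-key-do-not-reuse"
    for record in process(SAMPLE_ROWS, demo_key, "2024-04-01T00:00:00+00:00", 30):
        print(record)
```

Run as-is, the script keeps only the two March events, each reduced to a pseudonym, event type, hostname, and timestamp; the January visit is erased by the 30-day window. Rotating the key produces a fresh set of pseudonyms, which is one way to sever old correlations once an investigation is closed.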

            How many of you work in an organization that turns a blind eye to information security misbehavior?  Misbehavior here means anything against a policy, ethics, or the law.  Organizations need to create sanctions for information security misbehavior and enforce those sanctions.  Insider threats are one of the greatest risks to employee data today.  Utilizing Human Resources to enforce sanctions, and increasing the severity of sanctions with repeated employee misbehavior, increases the effort and risk of misbehaving while reducing its rewards.

            This is the end of the road for this series in protecting employee privacy.  As a recap, here are my 10 steps an organization can use to reduce the perception of employee privacy invasion:


References

Carpenter, D., McLeod, A., Hicks, C., & Maasberg, M. (2018). Privacy and biometrics: An empirical examination of employee concerns. Information Systems Frontiers, 20(1), 91-110. doi:10.1007/s10796-016-9667-5

Herschel, R., & Miori, V. (2017). Ethics & big data. Technology in Society, 49, 31-36. doi:10.1016/j.techsoc.2017.03.003

Leclercq-Vandelannoitte, A. (2017). An ethical perspective on emerging forms of ubiquitous IT-based control. Journal of Business Ethics, 142(1), 139-154. doi:10.1007/s10551-015-2708-z

Lee, C., Lee, C., & Kim, S. (2016). Understanding information security stress: Focusing on the type of information security compliance activity. Computers & Security, 59, 60-70. doi:10.1016/j.cose.2016.02.004

Parham, A., Mooney, J., & Cairney, T. (2015). When BYOD meets big data. The Journal of Corporate Accounting & Finance, 26(5), 21-27. doi:10.1002/jcaf.22059

Pascalev, M. (2017). Privacy exchanges: Restoring consent in privacy self-management. Ethics and Information Technology, 19(1), 39-48. doi:10.1007/s10676-016-9410-4

Potoglou, D., Dunkerley, F., Patil, S., & Robinson, N. (2017). Public preferences for internet surveillance, data retention, and privacy enhancing services: Evidence from a pan-European study. Computers in Human Behavior, 75, 811-825. doi:10.1016/j.chb.2017.06.007

Tavani, H. (2007). Philosophical theories of privacy: Implications for an adequate online privacy policy. Metaphilosophy, 38(1), 1. doi:10.1111/j.1467-9973-2006-00474.x

Tomczak, D., Lanzo, L., & Aguinis, H. (2018). Evidence-based recommendations for employee performance monitoring. Business Horizons, 61(2), 251-259. doi:10.1016/j.bushor.2017.11.006