White Paper Internet Privacy Alert A CIO’s Guide to Privacy and Surveillance in a Cyber World Prepared by: Marie Nason, Jill Musick, and Mary Razon Prepared for: Terry Linkletter IT 486: Critical Issues in Information Technology Central Washington University – Spring 2011
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
White Paper
Internet Privacy Alert A CIO’s Guide to Privacy and Surveillance in a Cyber World
Prepared by:
Marie Nason, Jill Musick, and Mary Razon
Prepared for:
Terry Linkletter
IT 486: Critical Issues in Information Technology
Central Washington University – Spring 2011
1 Internet Privacy Alert
Table of Contents Executive Summary.............................................................................................................................................. 2
Scope and Methods ............................................................................................................................................... 4
I. Differing International Laws Affect E-Commerce ............................................................................ 5
Multiple Data Protection Laws .................................................................................................................... 5
Solutions to Meet the Challenge .................................................................................................................. 6
Recommendations I ......................................................................................................................................... 9
II. Consumer Data Collection Invades Privacy .................................................................................... 10
Disclosure and Opt Out Agreements - Difficult to Understand and Hard to Find................. 10
Use of Cookie Technology to Record User Activity .......................................................................... 12
Recommendations II .................................................................................................................................... 14
III. Employee Monitoring and Workplace Privacy .......................................................................... 15
Employee Monitoring Then and Now .................................................................................................... 16
Is Employee Monitoring Necessary? ...................................................................................................... 16
Impact of Employee Monitoring .............................................................................................................. 17
Laws Affecting Employee Monitoring and Workplace Privacy ................................................... 19
Methods of Surveillance .............................................................................................................................. 20
Recommendations III ................................................................................................................................... 21
A CIO ’s Guide to Privacy and Surveillance in a Cyber World
Executive Summary
The purpose of this report is to provide CIOs with the necessary information to
analyze their company’s data privacy, security and surveillance policy effectiveness within
the cyber world in three key areas: international business, consumer data, and employee
monitoring.
Differing International Laws Affect E-Commerce
Differing international laws present a challenge affecting e-commerce, mergers and
acquisitions, and commercial transactions. Companies can meet this challenge by creating
an international data strategy. Steps to develop this strategy include: studying the flow of
information a company is responsible for, including through which countries it passes;
studying any foreign vendors and subsidiaries, including potential mergers or acquisitions,
that may touch this information, and include legal language in contracts to address data
privacy and security; including a plan to ensure that any laws applicable in any of these
countries be followed.
Consumer Data Collection Invades Privacy
Companies are in control of vast amounts of personal information and consumers
are concerned about privacy rights and expect that data to be secure. Opt out agreements
are not easy to follow. The use of cookies to track movement is another concern.
Companies can build trust with their consumers by notifying them, in plain language, how
3 Internet Privacy Alert
their collected data will be used; give consumers a simple way to opt out; and commit to
security and confidentiality of consumer data.
Employee Monitoring and Workplace Privacy
CIOs should be mindful of the impact of employee monitoring on their company and
its employees. This impact can be mitigated by: establishing a transparent security
framework for employee monitoring; obtaining input from the different groups affected by
employee monitoring policies; disclosing monitoring practices to employees;
communicating company ethics and security policies; and respecting each employee’s
privacy when the nature of intercepted information is nonbusiness related.
Conclusion
Addressing privacy concerns in regards to international business, consumer data,
and employee rights is a challenge. The CIO must find ways to adapt as new technology is
implemented and new laws are enacted concerning privacy protection and rights,
especially in these three key areas. A company’s survival in a cyber world depends on
listening to the Internet privacy alert.
4 Internet Privacy Alert
Introduction
To really understand the concept of privacy and ascertain when it is under attack, it
is important to first define the word. Merriam-Webster (2011) defines privacy as the
quality or state of being apart from company or observation or freedom from unauthorized
intrusion. In the advent of the information age, the definition and scope of privacy
expanded from the physical world to the cyber world. Individuals, now more than ever,
feel their privacy is under constant assault from corporations and the government. The CIO
plays an enormous part in dealing with some of these problems and is tasked with making
sure there is a balance between the organization’s agenda and an individual’s right to
privacy.
This paper will serve as a CIO’s guide to ensuring that privacy, security and
surveillance regulations are followed and an individual’s rights are protected as their
organization adapts and implements new technology and new laws are enacted concerning
privacy protection and rights.
Scope and Methods
The scope of this discussion is threefold. Part I focuses on what a CIO should be
aware of in regards to the affects differing international laws have on e-commerce and
doing business with other countries. Part II provides an overview for the CIO of the points
of view concerning the collection of consumer data and privacy rights in the United States.
The two key issues discussed are opting out agreements and cookie technology. Part III
informs the CIO of what issues surround the implementation of employee surveillance in
the workplace and techniques to deal with them.
5 Internet Privacy Alert
Much has been published on all three topics covered in this paper, therefore the
decision was made to cull information from these secondary sources and combine the most
pertinent information for a CIO into one easy reference document. Research included
sources such as books focusing on security and ethics in cyberspace; articles in journals of
law and business ethics; and documents and articles found on the Internet, including the
International Strategy for Cyberspace statement just released by President Barack Obama.
I. Differing International Laws Affect E-Commerce
The subject of international law in regards to data privacy and security is a large
one. This section, however, will focus on international law as it exclusively relates to e-
commerce and its affect on how a company does business. In particular, there is the
problem of meeting the myriad of, and sometimes conflicting, international laws that affect
mergers and acquisitions, and commercial transactions. A company must be prepared for
the event that a case is brought against them in a foreign land, with the accompanying
questions on jurisdiction. It is imperative that companies wishing to purchase, merge or do
business with entities in other countries, evaluate the laws in effect in those countries and
take steps to prepare and protect themselves.
Multiple Data Protection Laws
More than 50 countries have data protection laws that cover privacy protection and
security in the cyber world (Gilbert, 2008). Many of these laws give increased rights to
individuals over the transfer of their personal information (Gilbert, 2008). For instance,
the European Union (EU) Data Directive mandates that member states only allow the
6 Internet Privacy Alert
processing of personal data if the subject of that data gives their express consent (Cain,
2002). Even the act of linking to content on another web site could constitute infringement,
according to the EU’s Data Directive (Masters, 2007). Additional international legislation
includes: Hong Kong’s Electronic Transactions Ordinance of 2000, which covers electronic
records and digital signatures; South Korea’s Basic Law on Electronic Commerce, which
covers digital signatures and all communications; Malaysia’s Digital Signature Act 1998,
which covers digital signatures and electronic records; Singapore’s Electronic Transactions
Act of 1998, which covers digital signatures and electronic records, applying to all
communications; the Philippine’s Electronic Commerce Act of 2000, which covers
electronic signatures and transactions and crimes related to e-commerce; The Electronic
Transactions Order of Brunei, which covers electronic contracts and digital signatures; and
India’s Information Technology Bill of 2000, which covers electronic records, digital
signatures, and crimes related to e-commerce (Basu & Jones, 2005).
Solutions to Meet the Challenge
To meet these challenges companies have various avenues open to them.
Developing an international data strategy is a start toward understanding the complexities
involved in doing business in the cyber world (Nahra, 2006). This can be accomplished by
taking either a single global approach or a plan specific to each country (Nahra, 2006), and
should include the experience and advice of a lawyer versed in international law, especially
as it pertains to e-commerce. The challenge is finding a plan that protects the company, but
at the same time allows business flexibility where the law allows this (Nahra, 2006). It is
quite possible that there may be instances where there is not a means of meeting all the
7 Internet Privacy Alert
requirements for all countries, in which case, it is fortunate that enforcement at this point
in time is relatively low (Nahra, 2006).
Another avenue a company may pursue to meet the challenge of preparing and
protecting themselves is to plan how to allocate liability in the event an inadvertent
mistake is made in developing a compliance program or a complaint is received (Nahra,
2006). There have been cases where companies and their officers have had claims brought
against them in countries where they are not physically located (Masters, 2007).
Indemnification and limits on liability provisions can be included in any contracts for
mergers or acquisitions (Gilbert, 2008). A cushion of available funds to cover obligations
can be set aside (Gilbert, 2008). Insurance policies specific to losses as a result of a breach
of security or misuse of data also exist (Gilbert, 2008). These Cyber-risk policies fill the gap
that traditional policies do not cover, but the policies available vary as to the scope of
coverage so it behooves a company to do careful research before purchasing (Masters,
2007). While it is possible to include warranties and liability provisions in any contracts for
mergers and acquisitions, this only protects a company from this particular exposure
(Masters, 2007). Protecting a company through a cushion fund or insurance is an
expensive solution and it is particularly difficult to find insurance companies who have
Cyber risk policies available (Masters, 2007).
A final, and evolving, avenue for a company is the creation of a global legal
framework that addresses data privacy and security. The obvious advantage is that a
company would no longer have to contend with varying and conflicting international laws.
There would be one law of the land, so to speak. Methods to accomplish this have been
postulated. One proposes taking the Safe Harbor framework, a compromise to the EU Data
8 Internet Privacy Alert
Directive negotiated by the United States (US) but not acceptable to other countries, and
using it as a starting point for a new International Safe Harbor (Cline, 2006). This
alternative would not address the issue of privacy as a human right because this would
most likely make a consensus among countries unlikely (Cline, 2006). Negotiations would
start with those countries with laws on data privacy and security in place and would be
negotiated within the World Trade Organization, not the United Nations (Cline, 2006). It
would be based on the top ten privacy principles from each of the negotiating countries and
countries would have the choice of recognizing compliance of the laws for individual
companies or entire countries (Cline, 2006). In addition, the countries would have the
flexibility of enforcement through the processes employed by the World Trade
Organization governing body (Cline, 2006). A second proposes developing norms for
acceptable behavior in cyberspace as a guide to the development of policies and
partnerships (Obama, 2011). This method would not necessitate any rewriting of
international law, nor would existing international norms become obsolete (Obama, 2011).
However, because of the uniqueness of cyberspace, there would need to be a consensus of
how to apply these norms of behavior in this arena (Obama, 2011). Of particular concern to
the CIO of a company dealing with international laws and e-commerce, is the section of the
proposal detailing the policy priorities in regards to Internet governance. To promote an
Internet governance that meets the needs of all Internet users, the US will: (1) prioritize
openness and innovation on the Internet, (2) preserve global network security and
stability, including the domain name system (DNS), and (3) promote and enhance multi-
stakeholder venues for the discussion of Internet governance issues (Obama, 2011). While
9 Internet Privacy Alert
these proposed methods are laudable, there is no guarantee that either will come to
fruition.
Recommendations I
The avenue of a global legal framework is evolving and not yet in existence,
therefore its choice as a solution for a CIO at this point in time is not tenable. The avenue to
protect a company against international claims with a cushion fund or insurance policy is
plausible, but expensive, providing a Cyber-risk policy can be found. The recommendation
made here is to create an international data strategy. The first step in developing this
strategy is to study the flow of information a company is responsible for. This means not
only where it starts and ends up, but through which countries it passes (Nahra, 2006). The
next step is to study any vendors and subsidiaries that may touch this information (Nahra,
2006). Included in this step are any plans for mergers or acquisitions. It must be part of the
strategy to study a possible target’s practices and privacy policies, especially important if
the target resides in another country (Gilbert, 2008). Any written agreements engaged in
with these targets should address data privacy and security specifically and should include
a warranty that no claim has been made against the target company and that they have
complied with all applicable laws (Gilbert, 2008). The third step is to include a plan to
ensure that any laws applicable in any of these countries be followed (Nahra, 2006). The
international data strategy must be reassessed at least once a year to account for changes
in business operations, vendors and laws (Nahra, 2006).
10 Internet Privacy Alert
II. Consumer Data Collection Invades Privacy
Most consumers are not aware of the information being stored about them until
there is a breech that becomes public knowledge (Spinello, 2006). As data storage costs
have decreased, more and more consumer data is being stored. Companies are in control of
vast amounts of personal information and consumers expect that data to be secure. The US
position historically has been that businesses self-regulate how they use this information
(Spinello, 2006). This has led consumers to become increasingly concerned about privacy
rights. Some of the causes for this concern are included in this section, along with potential
solutions.
Disclosure and Opt Out Agreements - Difficult to Understand and Hard to Find
Consumers currently must opt out of information sharing by the online providers
they do business with. This is not a straightforward process. Most consumers do not want
to read a multiple page privacy document when purchasing something online. Online
purchasing is supposed to be a quick and convenient experience.
JCPenney.com uses web beacons to track usage, which is used in focusing
advertising (JCPenney, 2011). They utilize a Privacy Policy that includes an explanation on
how to opt out of tracking (JCPenney, 2001). The consumer must request a list of the third
party companies that JCPenney uses to track movement online. Consumers must then go to
those individual sites if they wish to opt out. This is a very cumbersome and confusing
process for the user and is typical of most privacy policies. Figure 1 is an excerpt from the
JCPenney.com Privacy Policy on opting out which illustrates the fact that the onus is on the
consumer to protect their information.
11 Internet Privacy Alert
Figure 1. Opt out instructions from the JCPenney.com Privacy Policy.
Legislation is in the process of development to help consumers gain control over
their data. One bill, introduced by Senators John Kerry and John McCain, is the Privacy Bill
of Rights Act (Newman, 2011). Language in this bill includes clear notification that the
ability to opt out is available (Newman, 2011). Sensitive information that could cause harm
if disclosed to the public cannot be shared unless a company obtains a user’s consent to opt
in (Newman, 2011). This bill would also prevent companies from collecting information
that is not necessary to deliver or improve service (Newman, 2011).
An additional provision of the Privacy Bill of Rights Act stipulates that consumers
cannot sue for privacy violations (Newman, 2011). Only the Federal Trade Commission or
state attorney would have the authority to sue (Newman, 2011). Consumer privacy groups
are opposed to this provision and feel the act does not go far enough to protect consumers
(Newman, 2011).
The basic tenants of a privacy policy are notice and choice (Spinello, 2006).
Consumers want to have a choice in what data is collected and how it is used (Spinello,
If you prefer that we:
NOT share information about you with any of the companies outside the JCPenney Family that we have authorized to contact you regarding their products or services, or
NOT share your JCPenney credit account history information with affiliated companies within the JCPenney Family
Please let us know by:
writing to us at J.C. Penney Corporation, Inc., P.O. Box 10001, Dallas, TX 75301-7311, Attention: Corporate Customer Relations,