CIO Gary Janchenko at Central Ohio Primary Care (COPC) manages the functions of the healthcare organization’s Information Services department. Like other CIOs, this oversight includes employee digital communications on company-provided devices like cell phones, tablets and laptops.
Using these devices, employees correspond with each other and sometimes with friends and family, with the expectation that what they’ve communicated is private. It is and it isn’t. Although companies are required by law to secure and safeguard employee data like Social Security numbers and electronic health records, other confidential information like digital communications, location data and biometric markers are not legally protected.
“Some personal information that employees may think is protected by law is simply not the case,” said Janchenko from the Westerville, Ohio-based headquarters of COPC, a large physician-owned primary care network serving more than 500,000 commercially insured patients at over 90 locations.
Absent these regulations, it’s up to employers to assure employees that information they consider to be nobody’s business but their own is not perused by anyone in the organization. That’s a tough nut for IT leaders to crack since their job is to secure and protect every scrap of corporate data.
“Our role in information security is to try to secure the technology so no one can hack it; the problem is that if we don’t know what [information] we have, we can’t protect it,” said Vladimir Svidesskis, head of security compliance and risk at management consultancy Vaco.
To acquire this knowledge, Svidesskis and the information security team he leads have access to information that employees might reasonably expect is private but that nonetheless must be secured, as is the case with their digital communications. “We have to access this data, classify it and inventory it; otherwise, if we don’t inventory it, we can’t protect it,” he explained.
To find a balance between data protection and data privacy, Janchenko imagines what it would be like for his private electronic communications to be read by others. “I see it as my ethical responsibility to go beyond the legal protections governing employee data to do things that I, as an employee, would expect and want,” he said.
“The challenge in IT is that someone is always watching; at some level, there is not one point where we don’t know what’s going on,” he explained. “It’s like a collision between objective science and subjective art. The ‘science’ is someone always watching, but the ‘art’ is knowing when it is appropriate to watch.”
A Patchwork Quilt
Solving this conundrum in a business environment where new electronic forms of communication are increasingly abundant, data is produced at ever-increasing volumes and privacy regulations differ across states and countries is a Solomon-like task.
Although IT organizations have a fiduciary obligation to secure and protect confidential employee data like medical records, current federal and state laws do not restrict the gathering and viewing of data on their daily movements and electronic communications. “The U.S. doesn’t really have a comprehensive employee privacy law,” said Fran Faircloth, partner and core member in the data, privacy and cybersecurity practice at Ropes & Gray.
Employers must comply with a “patchwork quilt” of privacy laws that “can vary widely,” Faircloth maintained. “Social security numbers are almost always in there and many states have some version of protected health information, with some tightening up laws governing mental health information,” she said. “It’s complicated.”
The only federal law limiting employer surveillance is the 1986 Electronic Communications Privacy Act (ECPA), which forbids an employer from eavesdropping on employees’ spoken personal conversations but not on their electronic communications. By contrast, the General Data Protection Regulation (GDPR) in the EU stipulates that any information relating to an identifiable person, such as an employee’s name or online identifier, must be secured, protected and kept confidential.
Although ECPA prohibits the intentional surveillance of digital communications in transit, it allows a company to monitor employee emails for lawful business reasons or with an employee’s consent. Faircloth pointed out that employers often have a legitimate interest in knowing how employees use company-provided devices like cell phones and laptops, “activities for which employees may not have a reasonable expectation of privacy, especially if they agreed to the monitoring through an employee handbook,” she said. “What that means is that employees should expect that their employer may be able to view their electronic communications like emails.”
Some states are trying to catch up to the EU’s headstart in putting forth more robust employee privacy protections. For example, the California Privacy Rights Act of 2020, the country’s first comprehensive privacy law, prohibits employers from retaining employee personal information for longer than considered reasonably necessary and limits the disclosure of “sensitive personal information” contained in employee electronic communications, biometric information and geolocation.
“States like Utah, Virginia, Colorado and Connecticut have passed similar laws, and other states have bills circulating,” Faircloth said, “but until they make it through [the legislative process], it’s a waiting game to learn what they will cover.”
What can CIOs do to ensure that something good (employee privacy) isn’t weakened in the effort to contain something bad (data breaches)? Quite a bit, the interviewees contended. “There are more things here that the IT team cannot see than we can see,” said Janchenko.
He’s referring to the establishment of administrative rights governing who can access specific types of data, based on legal, security and competitive considerations. An example is the access controls governing employees’ Social Security numbers and health information. “Our partners in HR control these systems and have their own specific set of integrity protocols when it comes to looking at this data,” Janchenko said. The confidentiality of other employee data, such as digital communications, biometric identifiers and geolocation information, depends on a company’s data security practices and policies. At COPC and many other businesses, when employees activate the email system using company-provided devices, they effectively give the company permission to view this information. “The email system is a company asset,” said Janchenko.
Employees “do not own” the emails they send or receive, he said. Depending on the type of email software a company uses, “quite a bit of detail” may be revealed, hence the need to establish transparent policies and practices regarding access rights.
“More often than not here, we monitor an employee’s email to protect this data—something would have to happen for us to look at an email outside this context, such as an employee alleged to have made verbally abusive or threatening comments,” Janchenko said. “If this occurred, we’d partner with HR and legal in making a decision to view the employee’s emails.”
He added, “Frankly, as the CIO, I actually have some of the fewest data access permissions here. For instance, I can’t get into the email server or parts of our electronic health records. I have no business in those systems, so there is no real need for access.”
Each company has a slightly different posture when it comes to peeking at employee digital communications, which is not unusual given dissimilar state regulations. At QBE North America, CIO Ketan Pandit said the large insurance company defines all data for security reasons across three categories—confidential information, internal use information and unclassified information.
“Confidential information involving communications between business customers and employees can only be accessed by authorized users and is always encrypted in transit,” the CIO said. “Internal use information can be provided to employees without significant concerns over a breach of data and unclassified information is just that—data that can be released to the public domain.”
Asked if he or the IT organization ever has a reason to share confidential information in an employee’s email, Pandit said the situation is rare and only justified if determined to be a potential compliance infraction by the company’s privacy team, which includes members of QBE’s legal and HR functions.
“We are extremely careful here about privacy; during the pandemic, for example, I wanted to send a care package to an employee as a friendly gesture and asked HR for the person’s home address. They declined, responding that the information is private,” he said.
At Vaco, Svidesskis follows a similar path, classifying employee data within different categories based on confidentiality. “If this information is deemed highly confidential, such as customer contact information and employees’ names and addresses, we do our best to secure this data so no one can hack it and implement rigorous identity and access management controls,” he said. “For example, HR can access an employee’s Social Security number but we in IT cannot.”
Eyes, Fingers and Faces
What about the confidentiality and security of an employee’s biometric data? Michael Phillips, chief claims officer at Resilience, a provider of cyber risk security and insurance solutions to mid-market companies, said the subject has caught the attention of state legislatures and regulators, in large part driven by plaintiff litigation. “Several states are introducing legislation drawing from the landmark biometric law implemented in the state of Illinois in 2008,” said Phillips.
He’s referring to the Biometric Information Privacy Act (BIPA), which governs how companies in Illinois can collect, use, store and share biometric data. “The rule imposes truly significant liability on businesses that fail to secure their biometric data and inform employees of their policies regarding the use, retention and analysis of this information,” Phillips said.
“This makes complete sense since biometric information, unlike usernames, passwords and bank account numbers, is immutable,” he added. “Biometrics is such a strong tool for privacy reasons, but its strength is also its weakness. If someone hacks into this information and copies it, the tool is rendered useless. You can change your password, but you can’t change your irises to access your bank account.”
At public company Pega, a global provider of business outsourcing software solutions, Chief Information Security Officer Carlos Fuentes approaches employee biometric data with great care, he said. “If a decision is reached to use a new facial recognition device here, the first thing we do is have our Privacy Council, which is made up of attorneys across the world, do a privacy impact assessment,” Fuentes explained.
If the examination passes muster, Fuentes and the information security team conduct an in-depth security assessment to determine the controls needed to protect the biometric data stored in the facial recognition software. If this employee data is especially sensitive, involving, for example, the individuals who need to enter the company’s Security Operations Center, Pega’s external auditor is asked to evaluate the controls as part of the standard audit.
At COPC, employee biometric data is stored on company-provided devices. “Although we have fingerprint scanners and facial recognition identifiers for multi-authentication purposes, this information is stored locally inside the particular computer and is not transmitted outside it,” said Janchenko. “It’s not stored on our network, so it cannot be compromised by a rogue actor breaking into the systems to access this information.”
An employee’s geolocation data is a more nuanced matter. Phillips said it is not uncommon for IT personnel and employees in other functions like HR or legal to track their colleagues’ location for business purposes.
“The technology is there to determine if an employee is where he’s supposed to be, such as arriving at an airport overseas at the expected time,” he explained. “The problem is when the tools are not used for a valid business reason, such as snooping on someone after hours. It’s up to the CIO to manage the staff to ensure they are operating ethically at all times.”
Asked if the IT organization at Vaco can access an employee’s geolocation data, Svidesskis said it is possible but rare. “If an employee stopped off at a pub at 2 o’clock in the afternoon, we have the technical capabilities to know that, but we would only seek to know this if there was a specific reason,” he said.
As an example of this reason, he cited an employee’s involvement in a tragic car accident. “It could encourage law enforcement in the discovery process to ask for the person’s GPS-enabled data,” Svidesskis said. “If our legal organization is contacted by the police and tells us to provide this data, we are obligated to do so.”
As privacy laws continue to be defined and refined at the state level, Faircloth recommended that CIOs assemble a well-crafted data access authorization governance program. “It’s the most important first step in securing and protecting all corporate data,” she said.
Depending on a company’s size, scale and budgetary constraints, she added, CIOs might, for security reasons, consider separating the management of privacy-related data from that of other corporate data.
“Cybersecurity generally involves the risks of attacks like ransomware that disrupt ongoing business, whereas information security pertains to securing confidential information,” she explained. “In many ways, different skill sets are needed to manage these areas. IT already has a lot to do but there is some sense in having separate teams address cybersecurity and information security, and for both teams to work together when needed.”