What if cameras placed to catch terrorists catch employees behaving badly instead?
BY DR. LARRY PONEMON
Many security and privacy professionals in municipal agencies face the dual challenge of protecting individuals' privacy yet complying with new Homeland Security surveillance rules intended to protect our country from future terrorist attacks. In the following case, we discuss how surveillance technologies challenge an organization's privacy commitments and new wireless technologies create unexpected security risks.
In the Eye of the Storm
Mark was the newly appointed CIO of a state's department of ports and tunnels. During the first few weeks, Mark was engrossed in reviewing a recent audit of the security system for the ports that was conducted by an independent firm. Since 9/11, the department had been upgrading its data security to prevent hackers and terrorists from accessing sensitive information about the ports and tunnels.
Before he took the job, Mark was well aware of both the physical and technical security risks of the ports and tunnels to possible terrorism. His priority when he started was to have his assistant schedule meetings with the various IT staff to understand the adequacy of the department's physical and electronic controls over data. In addition, Mark met with Audrey, the department's privacy and public policy manager. She told Mark that while she understood the need for heightened security measures, she also wanted to make sure that the department continued to honor its privacy commitments.
Mark told Audrey that the FBI and local law enforcement officials had discussed with him the need to have access to databases containing personal information about employees and contractors. "They wanted to be able to match records to a suspected watch list of terrorists and people wanted for violent crimes," said Mark. "How can I protect personal information while sharing our databases with who knows how many people? Yet there are valid national security reasons why the government would be interested in our workers." Audrey advised him that as a high-profile municipal agency, a privacy breach could damage its reputation and pose risks of class-action lawsuits.
A Case of Overexposure
One beautiful summer day, Mark decided to leave his office and take a walk through the dock's cargo holding zone. He enjoyed seeing the containers being unloaded and marveled at the efficiency of the port. However, as he was watching some of the workers, he became uneasy. A number of individuals were using wireless devices such as cell phones (some with built-in digital cameras) and PDAs.
Mark heard about terrorists using wireless technology to collect digital photos, plant explosives and release remote bombing devices, but knew that his department had yet to address the security implications of wireless equipment that many employees and contractors now had routine access to. He made a mental note that when he returned to the office he would convene a meeting to discuss the development of policies and procedures for wireless technology.
In the meantime, the FBI had begun surveillance because they believed terrorists might have infiltrated the ports. Video cameras were installed in several discreet locations to record suspicious activity. Department officials were informed that the cameras would be on all the time. In the interest of national security, however, employees and contractors were not told about the increased surveillance.
A few months later, FBI agents were reviewing some of the tapes that had been flagged for their attention. "Wow, look at that," laughed one of the agents. "I thought things were pretty dull on the docks." The tape had captured two employees engaged in a compromising act during working hours. "I think we need to let the ports and tunnel department know about this tape and what some of their employees are doing during working hours," he added.
The Issue: Balancing Security with Privacy
Video camera surveillance used to protect against terrorism has created new data and privacy risks for Mark's agency. While not tipping his hand to terrorists and making them aware of the surveillance technologies in place, Mark needs to consider the privacy commitment of the agency to citizens, contractors and employees.
Second, the agency should determine how it will protect information gathered through surveillance from overexposure and the violation of individuals' right to privacy. In this case, security surveillance had the unintended consequence of creating a potential employee disciplinary issue for the agency.
Many organizations use wireless connectivity as
a complement to traditional, wired networks. From a security perspective,
however, wireless raises many new challenges in addition to those associated
with traditional networking. Employees are bringing new wireless devices into
the workplace. These security issues become even more critical when an
organization must not only deal with potential employee abuse and negligence but
also with possible terrorist attacks.