On the Spot

How would you react if your CEO ordered your IT organization to track an employee's e-mail? Or if a hacker gained access to sensitive customer information?
We posed this and four other hypothetical privacy scenarios to two IT leaders: Bob Prochnow, 46, chief technology officer at Austin, Texas-based SiteStuff Inc., an online exchange serving buyers and sellers in the commercial real estate market; and Robert DiStefano, 51, managing director of IT at The Vanguard Group Inc., a Valley Forge, Pa.-based mutual fund company. Here's how they responded:
Your company decides to spin off a midsize division that serves hundreds of thousands of individual customers. A year later, the spin-off is acquired by a different company. What do you do to make sure customer data remains confidential?
Prochnow: The first step is to identify the information that customers feel is confidential. Then, as part of a privacy policy, we'd have to make it clear how we store and use information, including whether we would provide it in detail or in an aggregated form to anyone. Customers typically don't object to providing information in an aggregate form.
If we were the parent company and we were spinning off a subsidiary whose customers were still our customers, we'd retain ownership of confidentiality as part of the spin-off arrangement.
DiStefano: This would be very touchy. I'd want to ID every attribute of the data about clients. Then I'd want to clearly choose which elements of that data are needed to let the spin-off retain its revenue stream and which things are owned by the parent company. They've got to be discrete.
Where there's overlap, it gets tricky. The key is to make the apps and the services offered to clients as discrete as you can, which is often difficult. I'd also want to have a privacy consultant come in and render an opinion as due diligence.

Your CEO orders you and your IT organization to track an employee's e-mail. How would you handle the situation?
Prochnow: The first thing I'd do is get the business reason. There might, for instance, be suspicion that an employee is exposing the company to federal law violations. Then I'd consult with the legal staff to make sure that they concur that the business reason justifies overriding the individual's privacy. If legal concurred, we'd then take steps to get at that information, and we'd have to do that very discreetly.
We'd have only a very small number of technology people involved and, depending on the individual circumstance, we'd inform the employee or not. You have to handle it on an individual basis. But you have to go into it knowing that once you've done this with an employee, you've completely destroyed your relationship with that employee. It's not something you can do lightly.
DiStefano: That has to be handled up front, from a policy point of view. First, the company should have made a conscious decision on how they'll deal with ownership of e-mail. Second, that policy has to be communicated to every employee, preferably on something they sign. If you've told everyone their e-mail may be monitored, and they've signed a form, that's the first step.
The other issue is, how fair is it to do the tracking? You don't want employees to think you're looking over their shoulders constantly. If there's a complaint from a supervisor about an activity that might be criminal or fraudulent, then certainly that ought to be turned over to law enforcement or the company's internal audit arm. You need clear guidelines.

New federal legislation mandates that your company post a privacy policy on your Web site within three months. When and how do you begin?
Prochnow: This is funny - only federal legislation would assume we could go three months without posting a privacy policy. As an e-commerce company, if we needed a privacy policy, we'd have to do it in days. Also, all responsible e-commerce and Web companies have to post privacy policies. It's standard business practice.
But there are differences between a B2B and a B2C company. As a B2B, our customers are really another company's employees, as opposed to a consumer who goes to a Web site. Our relationship is one company to another. It does introduce complexity to privacy policy, because ultimately, the employers of our users have the right to the data the employee is providing to us.
Any privacy policy should be reviewed by the business owners, the marketing department and legal to make sure it's adequate and implementable. In a good organization, the privacy policy is something that crosses a broad section of the company.
DiStefano: We would look to our legal department to understand the regulation. They would also interpret how it interacts with other regulations from agencies like [the National Association of Securities Dealers]. That's important to us because we're in a heavily regulated industry. Legal would then draft what we should do. We have a compliance department that would make sure everybody understood the ramifications of the regulation.

A hacker has gained access to information on hundreds of your customers, although no credit card numbers were compromised because they were encrypted. How do you restore the confidence of your customers and the public at large?
Prochnow: That's a good question. It's for that reason that SiteStuff has decided not to store credit card data. It's the crown jewels for a hacker to find. It was absolutely decided up front not to store credit card data.
As a B2B company, a lot of the purchases that get made with us are through trade accounts that don't have credit card data. We can do e-commerce without storing that data. But if we were storing credit card numbers [and that data got hacked], as the CTO, I'd be ultimately held responsible. But restoring confidence would be a joint effort across the company.
As the technology person, I'd have to fully document how the disclosure happened, find the reason why it happened and identify what we did to protect ourselves. If we could identify what was stolen, the business side would work with each customer, giving them advance notice of what steps they could take to protect themselves on an individual basis.
I'd also use technology to generate evidence. If you were storing credit card data, you'd have to have mechanisms to log that data. The very first response would be a purely technical one - to determine what happened and why.
DiStefano: You'd want to notify clients proactively to say, "This information was compromised, but the hacker couldn't use it to your disadvantage." You want to tell clients as much as you can - without causing another breach - to reassure them you're being honest.
A technical analysis of how the hacker did it wouldn't be understood [by most customers], but it would reassure them that you understood it. You want to say, "We're disclosing specifics on the attack, we know how it happened, we've closed that hole and we're having a third party step in to assess our security."

Someone breaches security and gains access to highly confidential customer information. Your own investigation indicates it's an inside job. How do you handle the situation without demoralizing your entire IT group?
Prochnow: There has to be a balance between a company's needs and individual privacy - the same as if we were going to look at someone's e-mail. The first step would be to determine the severity of the problem and make sure there are legal grounds to investigate the problem. If you concluded the problem was intentional and severe, you'd want to handle it very tactfully and do it on a personal level.
But what you could do up front is focus on recruiting to make sure you hire very competent, reliable and ethical staff, and then treat them fairly. If you have a good working environment, I think you can avoid this in the first place.
DiStefano: You have to deal with people who go over the line, but then you have to be able to look other employees in the eye and say, "What they did was out of bounds." So you've got to have a certain amount of trust, because you can't always explain [to other employees] what the terminated employee did.
A case like this deserves a lot of thought from HR. It would have to be clear to the whole department that the termination was for the sake of protecting customer data and the other employees. It's easier if you have good audit trails. If you remind everybody that protecting the client's data is the top priority, you can get them to accept tighter procedures.
King is an editor at Computerworld. Ulfelder is a freelance writer in Southboro, Mass. Contact him at sulfelder@charter.net.

Copyright © 2001 IDG Communications, Inc.
