If monitoring of computer networks and communications systems is used, how is the information accessed and stored? What information is collected and stored on phone calls, inbound or outbound? Who has authority over the monitoring decisions? What kind of authority do they have?
How often, if at all, are the desktops and laptops scanned to find unauthorized software applications? Are personal E-mail and instant-messaging applications permitted on employees' computers at work? If so, how are passwords being handled? Can IT access the programs? Are these communications being monitored and stored? Where, by whom, and how? What notice, if any, is provided to the employees about monitoring and risk management of workplace communications? If notice is being provided, do you also obtain consent in writing for monitoring or acknowledgement of your monitoring practices?
Are keystroke loggers used? Biometrics? Screen shots? Do your monitoring software and systems capture all instant-messaging platforms? Are you unionized? Are there attempts to organize your workplace?
(A special workplace communications audit should be conducted after consulting with a privacy professional, preferably an attorney, so you can benefit from any privilege that may apply to the results of the audits. But this can be a quick snapshot of some of the riskier issues.)
What information is paired with customer, passenger, and patient records? Is outside information gathered? How? Is a name and address or other personally identifiable information used to obtain this outside information? (For example, sending to a data-management company the names and Social Security numbers of your customers to obtain any known offline information and buying habits.)
Is data inputting, management, or storage outsourced? To whom? Where? Does the information cross international borders?
Answering these questions will go a long way toward identifying what information is held, where, and how. It will also help guide you in determining who has access to it and what they are permitted to do with the information. Once gathered, this data inventory can be used to help conduct a data audit and, ultimately, to build a data map for the company.
At each of these stages, the compliance, security, and legal departments should be consulted. The entire process is very time-consuming and can take several months, at least. Holes and potential risks spotted in the meantime can be rectified as they are identified, rather than waiting months to be handled.
Note that these processes are part of a preventive law audit and may or may not be privileged if inquiries are made at a later date about what the company knew and when. Your legal counsel should be involved in the planning of any confidentiality or privilege strategies. The audit may have to be conducted entirely under the auspices of your outside counsel to qualify for privilege. And even the best-laid plans for covering the audits under attorney-client privilege may be frustrated by the way certain laws are written. Environmental laws, for example, may protect audits under privilege only if the company takes action to rectify the problem. So think carefully and get good advice.
But privileged or not, without a data audit the company may be doomed. So work to protect the results of the audit, but work harder to comply and fix any problems you discover.
Parry Aftab is a cyberspace lawyer, specializing in online privacy and security law, and she's also executive director of WiredSafety. She hosts the Web site aftab.com and blogs regularly at theprivacylawyer.blogspot.com.