In the face of today’s attacks on computer information, we should expect legislators to enact laws to protect our privacy. However, any law that fails to recognize three things — who owns a computer, who uses it and for what purposes — is unlikely to fit the privacy needs of both corporate and individual PC owners.
Think of your home computer. Its hard drive is likely to contain personal information, such as your name, address, phone number, credit card numbers, Social Security number, favorite Web sites, e-commerce purchase history and personal photos. If that data were to fall into the wrong hands, you could become the victim of identity theft, lose thousands of dollars, find your credit rating in jeopardy, be targeted by con artists or worse.
Just as outsiders have no right to enter your home without your knowledge or consent and pilfer personal information, unauthorized individuals or organizations do not have the right to trespass on home computers for similar purposes, even if they do so remotely. It’s no surprise that consumers all over the world support laws designed to curb this sort of abuse.
Business vs. Home
But just as one size doesn’t fit all in dressing rooms, it doesn’t fit all in legislative chambers either. PC owners vary widely in terms of the uses to which they put their computers. A policy that fits a home user like a glove can leave enterprises exposed and unprotected. Legislation is not made of latex. It can’t stretch and contract as the need arises. If it really has to fit, some tailoring is required.
Laws and regulations should recognize that the appropriate degree of privacy for consumer-owned PCs is different from the appropriate level for those owned by businesses. Owners of privately acquired PCs are entitled to determine which sensitive information is to be shared with whom and for what purpose. So are enterprises.
But there is one major difference: While home PC owners and users are typically one and the same, corporate PCs are used by employees and contractors but are owned by the company. Corporate owners not only have a right to monitor computer use to curb abuse of company property, but also may be required to do so by law.
Mandate for Supervision
Indeed, monitoring and supervision are increasingly necessary. The Sarbanes-Oxley Act is the most far-reaching law to affect financial services, accounting, auditing, financial reporting and professional services firms since the 1930s. It requires publicly traded companies to automate retention and retrieval of every material document, e-mail and instant message they create. Additionally, the Health Insurance Portability and Accountability Act (HIPAA) is placing major burdens on the information infrastructures of healthcare providers and their business partners.
In today’s environment, companies may be liable if employees install unlicensed software, illegally download copyrighted music or use their PCs to commit other crimes. Misuse doesn’t even have to be criminal. It may involve the innocent opening of a virus-infected e-mail attachment or the installation of incompatible software. The possibilities are endless, and the consequences may be dire. Minimizing these all-too-real risks requires central controls.
Does that mean Big Brother must lurk in every company desktop and notebook? Not at all.
The plain truth is that employees have a far lower expectation of privacy on company PCs than on their home computers. They’ve typically been told how company PCs may be used, that the information those PCs contain is a corporate asset, and that the company has the right to access its own computers to assure their proper use.
Public policy should recognize that corporate PC owners have as much of a right to control use of their property to ensure privacy as consumers do. But only businesses are required to secure the privacy of certain information by law. Corporate owners need more control and privacy safeguards than home owners or their workers who use company-issued workstations.
Privacy safeguards are welcome and necessary. But it’s impossible to fashion one privacy standard and apply it to every type of PC owner, user and circumstance. One size and one law do not fit all.
Chris O’Connor is the director of IBM security strategy. He is responsible for creating the cross-company strategy, key messages and market-facing product architecture while working to ensure that products and services meet strict government and commercial security needs. He manages a team composed of expertise from the various IBM hardware, software, services and research groups. O’Connor has spent most of his career in the IBM software community, with one outside experience as director of software for NetEdge Systems in 1994-1995.