First, I'd like to compliment you on your level of concern. Even though privacy in the U.S. is, unfortunately, not as large an issue as in the European Union or Canada, it is still a worthy consideration in your role as a security manager.
Before you reconsider your policy on using remote webcam surveillance, you may want to answer the following questions:
- Does your appropriate use policy explicitly state that employees should have no expectation of privacy when using corporate information technology assets? If so, you may have some protection; if not, you definitely may have a concern requiring immediate action. At a minimum, you may want to add this caveat to your policy as soon as possible; making sure employees realize that any work done on a corporate computer or IT resource is not private can help to avoid future concerns.
- Have you discussed your concern with your legal and human resources departments? It may be a useful action to ensure they are in the loop should any questions from employees or the media surface. At least you can have a common plan for response.
- Is there any way to technically block the camera or turn off the monitoring software? If so, you may want to turn it off until you get a more solid understanding of HR's, legal's and management's opinions on the use of this technology.
- With your appropriate use policy, did the employees sign that they have received the policy and are aware of its existence? If they did, and if the policy notes that there should not be any expectation of privacy, this may buy you some time until any actions are required.
If the only reason you have the cameras is to monitor the whereabouts of the laptop, you may want to consider some other technologies such as a LoJack for laptops-style "phone home" tracking system, just in case you need to turn the cameras off. However, if the cameras are also used for videoconferencing, etc., then you may be able to write a privacy statement into the videoconferencing policy, but still implement a rule prohibiting express use of the camera to spy on the actions of the employees or laptop users.