First, I'd like to compliment you on your level of concern. Even though privacy in the U.S. is, unfortunately, not as large an issue as in the European Union or Canada, it is still a worthy consideration in your role as a security manager.
Before you reconsider your policy on using remote webcam surveillance, you may want to answer the following questions:
- Does your appropriate use policy explicitly state that employees should have no expectation of privacy when using corporate information technology assets? If so, you may have some protection; if not, you definitely may have a concern requiring immediate action. At a minimum, you may want to add this caveat to your policy as soon as possible; by making sure employees realize that any work done on a corporate computer or IT resource is not private, it can help to avoid future concerns.
- Have you discussed your concern with your legal and human resources departments? It may be a useful action to ensure they are in the loop should any questions from employees or the media surface. At least you can have a common plan for response.
- Is there any way to technically block the camera or turn off the monitoring software? If so, you may want to turn it off until you get a more solid understanding of HR's, legal's and management's opinions for the use of this technology.
- With your appropriate use policy, did the employees sign that they have received the policy and are aware of its existence? If they did, and if the policy notes that there should not be any expectation of privacy, this may buy you some time until any actions are required.
If the only reason you have the cameras is to monitor the whereabouts of the laptop, you may want to consider some other technologies such as a LoJack for laptops-style "phone home" tracking system –- just in case you need to turn the cameras off. However, if the cameras are also used for videoconferencing, etc., then you may be able to write a privacy statement into the videoconferencing policy, but still implement a rule prohibiting express use of the camera to spy on the actions of the employees or laptop users.
For more information:
Dig Deeper on Information security policies, procedures and guidelines
Related Q&A from Ernie Hayden
In this Ask the Expert video, Ernie Hayden answers the question of what 'big data' is and outlines big data security issues in this video. Continue Reading
Every firm needs a security conscience, according to expert Ernie Hayden, who says it is critical among key CISO responsibilities. Continue Reading
Dealing with lawyers is often a challenge. Ernie Hayden offers advice for CISOs dealing with enterprise information security legal issues. Continue Reading