A school district near Philadelphia is facing lawsuits and possible criminal action because school officials remotely turned on students’ laptop computers and watched students in their homes. An interest group that focuses on Internet issues recently reported that employers are not paying enough attention to the privacy and security risks posed by employees who telecommute. Researchers at Rutgers University have warned that smart phones, such as Blackberries and iPhones, are vulnerable to a computer virus that records the user’s location, movements, and even conversations. Modern technology has enhanced our lives and made us more productive, but it also puts users at risk of having their privacy violated, and businesses at risk of invading others’ privacy, even unintentionally.
Businesses and other organizations can avoid the predicament facing the school district by asking some simple questions:
- Why is the organization collecting this information and how does it expect to benefit? Does the data meet a legitimate business or operational purpose? How important is it that the organization have this information? The school district argues that, since it owns the students’ laptops, it has an interest in locating laptops its employees believe were stolen. Parents and others argue that the school has no right to watch students when they are off school property. Businesses frequently ask customers for data such as Social Security numbers and telephone numbers, but unless this data is essential to delivering services, it might be better to not ask for it.
- What data does the organization want to collect and what type of information might it collect unintentionally? The school district wanted to monitor potential theft of the laptops. By activating the computers’ webcams, however, the district could have captured images of the students during private moments. Businesses legitimately use security cameras to watch for threats to people and property. Although most of the images they capture are of little interest, the cameras could catch people off guard.
- What could go wrong if the organization collects the information? All information stored on computer networks is vulnerable to theft by individuals inside and outside the organization. If hackers obtain customer credit card information, the organization could face lawsuits from those whose information was stolen. School district employees might face criminal prosecution if authorities believe they violated the law.
- Is the organization informing customers and employees of its actions and looking at alternative approaches? Businesses often post signs informing customers that they are using security cameras. The school district could have considered other ways of tracking stolen laptops, such as by using GPS technology.
- What obligations will the organization assume by collecting the information? Federal and state laws require special protections for sensitive employee and customer data, such as birth dates, Social Security numbers, and personal financial information. Even where statutes do not apply, organizations may have common law obligations to protect data.
- If you had to justify the data collection in court or to a customer, would you be able to? People might have trouble understanding why the school district felt that secretly watching students in their homes was appropriate. A court might decide that a museum’s collection of members’ Social Security numbers was unnecessary.
Even when organizations use good judgment and take precautions, data loss can occur. To prepare for this possibility, discuss these issues with one of our insurance agents to determine whether you have the right coverage. Sound loss prevention practices coupled with adequate insurance will help your organization take advantage of technology while protecting yourself, your employees, and your customers.