Questions for Talking with the CIO
As noted earlier, employment lawyers need to talk to the CIO in order to more fully manage the risk employers face from employees. Here is how to get the conversation started.
- Does the organization have a data governance plan, that is, “a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods”? (“Data Governance” will be the subject of a specific post in the coming days.)
Data Collection and Retention
- What devices are connected to the network and/or gather data from employees? How does IT intend to keep up with developing technologies so that all devices that connect with the network (including employee-owned devices) or gather information on employees are properly configured?
- What software is loaded into the network or employee devices that might gather or store data related to employees? Is the data collection purposefully done and/or necessary?
- Where is employee-related data stored (all of it, including information returned from smart devices, etc., and activity log information)?
- Is all employee-related data subject to document retention policies? Can you identify each pool of data collected by the company and determine whether it ought to be retained?
- Are data transfer, storage and retention policies in compliance with all privacy and data security regulations? This is especially important in regulated industries and where data crosses borders. Do those policies also extend to vendors, especially those with direct access to your network and its data?
- Do IT and counsel have a plan in place to deal with the evolving privacy regulatory framework, especially in international cross-border contexts? In other words, who is tasked with staying on top of the law with regard to data transfer, breaches and notifications?
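The retention questions above (where each pool of employee data lives, whether it has an assigned retention period, and whether it is actually being purged) are the kind of thing a data inventory can answer mechanically. The script below is an added example, not code from the original post: it walks a constructed inventory of data pools and flags pools with no retention policy, pools holding records older than their retention period, and pools of personal data stored outside the locations the retention policy governs. The inventory entries, the field names and the set of governed locations are all constructed assumptions for illustration.

```python
"""Retention audit over a constructed inventory of employee-data pools.

Added example; the inventory, field names and GOVERNED_LOCATIONS are
assumptions, not data from any real organization.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class DataPool:
    name: str                       # what the data is
    source: str                     # device or system that produces it
    location: str                   # where it is stored
    contains_pii: bool              # personal information about employees?
    retention_days: Optional[int]   # None = no retention policy assigned
    oldest_record: date             # date of the oldest record still held


# Constructed sample inventory (hypothetical systems and storage locations).
INVENTORY = [
    DataPool("HR master records", "HRIS", "hr-db", True, 7 * 365, date(2018, 3, 1)),
    DataPool("Badge-reader entry log", "door controllers", "facilities-share", True, 365, date(2019, 1, 15)),
    DataPool("VPN activity log", "VPN concentrator", "siem", False, 180, date(2020, 9, 1)),
    DataPool("Wellness-device sync data", "employee smartwatches", "vendor-cloud", True, None, date(2020, 6, 1)),
    DataPool("Helpdesk chat transcripts", "chat platform", "laptop-export", True, 90, date(2020, 11, 20)),
]

# Storage locations covered by the document-retention policy (assumption).
GOVERNED_LOCATIONS = {"hr-db", "siem", "facilities-share"}


def audit_inventory(pools, today):
    """Return the three classes of retention finding for the given pools."""
    findings = {"no_policy": [], "past_retention": [], "pii_outside_governance": []}
    for p in pools:
        if p.retention_days is None:
            # Data is being kept with nobody having decided for how long.
            findings["no_policy"].append(p.name)
        elif today - p.oldest_record > timedelta(days=p.retention_days):
            # A policy exists but is not being enforced: old records remain.
            findings["past_retention"].append(p.name)
        if p.contains_pii and p.location not in GOVERNED_LOCATIONS:
            # Personal data sitting where the retention policy does not reach.
            findings["pii_outside_governance"].append(p.name)
    return findings


if __name__ == "__main__":
    report = audit_inventory(INVENTORY, date(2021, 1, 1))
    for category, names in report.items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

Run as-is it reports the wellness-device data as having no retention policy and sitting in an ungoverned vendor location, the badge log as overdue for purging, and the exported chat transcripts as personal data outside governed storage; each of those is a concrete item for the lawyer and the CIO to resolve together.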
Security of Data
- Are employees adequately trained in security protocols? Can the IT department proactively identify who is and who is not following those protocols? Are there adequate and appropriate security policies in place? Are there clear policies and procedures for identifying trade secrets and other confidential information and for handling their exfiltration?
- Are mobile devices properly configured to ensure the security of employee data, including such data that is generated by the employee on behalf of the employer and which is transmitted back to the employer?
- Is the network properly configured to segregate data on a “need to know” basis?
- Is the network itself properly configured for optimal security? Are firewalls, routers, and switches using the latest software and patches? Is there a patch/update program in place? Are appropriate limits placed on, and does IT have control over, all network ports, protocols, and services? Are administrative privileges routinely audited? Are wireless networks properly secured? Are adequate malware defenses in place? Is all software up-to-date and are all security patches applied?
- Is all information posted on company and vendor websites reviewed for its compliance with information security? For instance, some suggest that the Target breach began with public-facing documents that were exploited for the purpose of understanding Target’s systems.
- Do all technology-related agreements signed by the company require the appropriate level of security, particularly for any vendor that connects with your systems? The article “Exposed Corporate Credentials on the Open Web, a Real Security Risk” gives some interesting insight into the risks associated with this issue.
- Does any technology-related agreement get signed without IT reviewing for security purposes?
- Is employee data identified and mapped in order to be producible in an e-discovery context?
- How are individual accounts and/or employee activity monitored and logged? Who can access that information? Is employee data usable to help assess employee performance?
- Are there protocols in place to manage the end of the employment relationship? This may include plans to image drives or monitor attempts at employee data exfiltration. At the very least, IT should maintain a checklist of procedures for the end of the employment relationship.
- Are plans in place for a data breach? Are there industry-compliant incident response, management and auditing plans in place? How are those plans designed to manage breaches concerning employee data, including PII or other private information? Are all members of the incident response team identified and is their 24/7 contact information identified?
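Two of the questions in this list, whether administrative privileges are routinely audited and whether there is a checklist for the end of the employment relationship, can be answered with one routine check. The script below is an added example, not code from the original post: it parses constructed `/etc/group`-style lines, picks out members of the groups treated as privileged, and flags any member who is not on the approved administrator roster or who appears on the HR offboarding list. The group lines, the roster, the departed-employee list and the choice of which groups count as privileged are all constructed assumptions.

```python
"""Privileged-group audit over constructed group-file lines.

Added example; GROUP_FILE, APPROVED_ADMINS, DEPARTED and PRIVILEGED_GROUPS
are constructed sample data and assumptions, not taken from any real system.
"""

# Groups whose membership confers administrative rights (assumption).
PRIVILEGED_GROUPS = {"sudo", "wheel", "adm"}

# Constructed /etc/group-style content: name:password:gid:member,member,...
GROUP_FILE = """\
root:x:0:
sudo:x:27:alice,bob,svc-backup
wheel:x:10:alice,carol
adm:x:4:syslog,bob
staff:x:50:alice,bob,carol,dave
"""

APPROVED_ADMINS = {"alice", "bob"}   # from the change-control record (constructed)
DEPARTED = {"carol"}                 # from the HR offboarding feed (constructed)


def parse_group_file(text):
    """Map group name -> set of member account names, skipping malformed lines."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:
            continue  # not a well-formed group entry; ignore rather than guess
        name, _password, _gid, members = parts
        groups[name] = {m for m in members.split(",") if m}
    return groups


def audit_privileges(groups, approved, departed):
    """Return (account, group) pairs that should not hold privilege.

    'departed' takes precedence over 'unapproved' so that a former employee
    is reported once, under the finding that matters most.
    """
    findings = {"unapproved": [], "departed": []}
    for group in sorted(PRIVILEGED_GROUPS & groups.keys()):
        for member in sorted(groups[group]):
            if member in departed:
                findings["departed"].append((member, group))
            elif member not in approved:
                findings["unapproved"].append((member, group))
    return findings


if __name__ == "__main__":
    result = audit_privileges(parse_group_file(GROUP_FILE), APPROVED_ADMINS, DEPARTED)
    for category, pairs in result.items():
        print(category + ":", ", ".join(f"{u} in {g}" for u, g in pairs) or "none")
```

On the sample data it reports a departed employee still in `wheel` and two accounts (a service account and a system account) holding privilege without an approval record; the point for the conversation with the CIO is that the approved roster and the offboarding feed have to exist and be reconciled against live group membership on a schedule, not only when someone thinks to look.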
Obviously, not everything here is employment law-specific and not every element is covered — but everything here is relevant to the conversation.