Insider Threat Law: Balancing Privacy and Protection
Transcript of Insider Threat Law: Balancing Privacy and Protection
INSIDER THREAT MANAGEMENT GROUP
PREVENT | DETECT | MITIGATE™
SHAWN M. THOMPSON, ESQ.
Founder and President, ITMG
The story of me . . .
Founder and President, Insider Threat Management Group
Board Member, National Insider Threat Special Interest Group
Insider Threat Program Manager, Department of Defense
Senior Legal Advisor, National Insider Threat Task Force
Senior Special Agent, Department of Defense
Senior Litigation Attorney, Department of Defense
Assistant General Counsel, Federal Bureau of Investigation
Special Assistant United States Attorney, United States Department of Justice
. . . the story of you
Objective
Balance = Value
Monitoring is essential
Privacy Protection
Privacy
• Historical context
• What is “privacy?”
• Does it exist in the employment context?
• Collection v. Use
Key Takeaway – Employees have limited privacy rights at the workplace and on employer devices and vehicles outside the workplace
Collection v. Use
Collection
• Fewer restrictions
• More responsibility
Use
• More restrictions
• Greater responsibility
Key Takeaway – Businesses can collect more than they can use
Protection – Objectives
• Prevention: Keep threats out
• Detection: Uncover threats
• Mitigation: Respond to threats
Prevention
• Pre-employment screening
• Agreements
• Policies and training
• Continuous Evaluation
Key Takeaway – Obtaining employee consent and developing monitoring policies are best practices
Detection – HOW?
How can employees be monitored?
• Video
• Audio
• GPS
• Computer activity
• External data sources
Detection – WHO?
Who can be monitored?
• Everyone?
• Sub-groups?
• Third-parties?
Key Takeaway – Different levels of monitoring require documented justification
Detection – WHAT?
What can be monitored?
• Communications
• Movements
• Devices
Key Takeaway – Important distinctions between collection and use
Detection – WHEN/WHERE?
When and where can employees be monitored?
• On-site
• Off-site
• “Personal” time v. “business” time
Key Takeaway – Monitor for “legitimate business needs” only
Detection – WHY?
Why can (or must) employees be monitored?
• Requirements?
• Government v. commercial
  – Government minimum standards
  – Regulatory findings
• Prevent liability exposure
“We considered several factors [for closing the investigation], including the fact that Morgan Stanley had established and implemented comprehensive policies designed to protect against insider theft of personal information.”
August 2015 letter from FTC to Morgan Stanley
Key Takeaway – User activity monitoring is essential
Mitigation
• Discoverability
• Enforceability
• Usability
Key Takeaway – Monitoring is essential to properly mitigate insider threats
Insider Threat Compliance Program (aka “Watch the Watchers”)
Important?
Business case
Elements and Components
Best practices
Key Takeaways
• MONITORING is necessary
• BALANCE = value
• Collection “rights” are NOT king
• POLICIES are vital
• Maintain REASONABLENESS
• Seek LEGAL counsel
QUESTIONS?
SHAWN M. THOMPSON, ESQ.
Founder and President
Insider Threat Management Group
itmg.co | 410-858-0006
Shawn M. Thompson, Esq., Insider Threat Management Group, [email protected]