Telecommuting Presents Privacy and Security Risks to Organizations

New Ernst & Young LLP report examines challenges of implementing adequate policies and controls

NEW YORK, – Personal and private information related to both employees and their employers may be compromised by telecommuting staff if privacy risks are not dealt with effectively, according to a new report developed by Ernst &Young LLP and the Center for Democracy and Technology (CDT).

The report, titled “Risk at Home: Privacy and Security Risks in Telecommuting,” is based on the results of a survey designed to identify the current state of privacy and security considerations in work-from-home arrangements. The report also highlights specific steps organizations can take to protect personal and other sensitive company-related information as well as areas of potential weakness companies should address.

“As more organizations allow employees to work remotely or from home, there are increased privacy and security risks,” said Sagi Leizerov, a senior manager with Ernst & Young’s Advisory Services group. “Employers need to establish clear guidelines that will protect confidential information from such risks and employees must understand why such requirements were created as well as the critical need to comply with them.”

A total of 73 corporate and government organizations (representing 10 industries in the US, Canada and Europe) participated in the study. Respondents acknowledged telecommuting is a persistent area of risk and recognized the topic is often not adequately addressed. In some instances, risks associated with telecommuting do not garner the attention of newer, more pressing business risks.

Findings from the survey also suggest employers do not fully recognize and address the privacy and security issues related to telecommuting employees, leaving the organization vulnerable to certain risks. For example, while many organizations allow telecommuters to handle personal information at home, only half of the survey respondents said they address this subject with formal policies and training. Survey respondents noted the multidisciplinary nature of the topic — which could be viewed as a human resources, information technology, security or privacy issue — made it difficult for them to determine whose responsibility it should be to address these risks.

But companies are not completely missing the mark, as the survey shows internal controls have been established to monitor and protect the transfer of information both within and outside the walls of an organization. Despite these efforts, gaps still exist between the establishment of such controls and consistent monitoring and enforcement. Consider these findings:

— Although portable media (such as laptop computers and Personal Digital Assistants (PDAs) are commonly used by telecommuters and have been in the forefront of various recent information breaches, few organizations have adopted privacy-enhancing devices (such as thin-client terminals, which are computers that are designed to not save data) to help safeguard sensitive information.

— Telecommuters regularly use their own personal computers and PDAs for work purposes. However, the hard drive and email encryption tools commonly found on employer-supplied devices are of little help when employees use their home computers for work-related activities.

— Allowing telecommuters to use wireless Internet connections is a common practice, yet the use of wireless security measures is not widely required.

— To protect company information from being exposed outside the office, policies on downloading non-company approved software and using peer-to-peer file-sharing applications do exist for telecommuting employees. However, the use of certain tools (such as firewalls) to enforce such policies are only applicable when employees are connected to the internal office network.

— Organizations can also help protect sensitive information by conducting tailored, periodic background checks for all employees based their role, location and level of exposure to confidential information. Although more than 75% of respondents perform such activities (including background checks and drug tests) prior to employment and 15% continue these initiatives periodically (as appropriate), the types of activities being done do not seem to vary based on whether or not the employee is a telecommuter or resides in the main office.

The report also addresses the protection of hard-copy files, the use of privacy enhancing technologies, the adoption of biometric technology (a process which involves using a unique identifier, such as a fingerprint or one’s voice, to allow access to information) and limitations on the use of email, in addition to monitoring of telecommuter activity by employers.

“Organizations must assess, review and monitor the use of technology by employees working from home or off-site to prevent data from being misused and an individual’s privacy from being violated,” said Leizerov. “Otherwise, they could find themselves facing risks that could not only have been avoided, but may result in having a significant negative impact on the organization from both a financial and reputational standpoint.”

About the survey
A diverse group of 73 corporate and government organizations representing 10 industries in the US, Canada and Europe participated in the study. About half the survey respondents hold a Fortune designation, including 20% of the Fortune 100 companies, and range in size from over 100,000 to under 100 employees. The average number of employees from all organizations in the sample was approximately 50,000. Participating organizations submitted one completed survey, but answers could come from more than one individual. The Web-based survey was conducted between December 2007 and January 2008. The full report is available on www.ey.com/privacy and www.cdt.org.

About the Center for Democracy & Technology
The Center for Democracy & Technology is a non-profit public interest organization working to keep the Internet open, innovative, and free. With expertise in law, technology, and policy, CDT seeks practical solutions to enhance free expression and privacy in communications technologies. CDT is dedicated to building consensus among all parties interested in the future of the Internet and other new communications media.

About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 130,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve potential.

For more information, please visit http://www.ey.com.

SOURCE Ernst & Young LLP