
Avoiding Privacy Risks: Smile! You're on the Web Camera!

March 2010

Managing privacy risks seems to be an increasingly difficult task. To see how much trouble businesses and government entities are having, just read current headlines. Privacy and security violations are revealed almost daily.

by Gary Clayton
Privacy Compliance Group, Inc.

Perhaps the difficulty arises from the use of technology that we don't fully understand. Or perhaps it comes from the failure to apply common principles of fair use and data protection. The skeptics might say that it is these factors, combined with an apparent lack of common sense, that create unnecessary risks for businesses and organizations. This article shows how taking six common-sense steps can give you the information necessary to avoid privacy risks.

Laptops, Webcams, and Common Sense

In the last few days, there has been considerable press attention given to a case involving a Pennsylvania school district accused of secretly activating webcams inside students' homes. The press reports state that Lower Merion school officials handed out Apple laptops to all 2,300 students in its two high schools. Without disclosing their plan to the families and students, the school district allegedly activated the laptops' built-in webcams to locate lost computers. Only two employees in the technology department were authorized to activate the cameras, and then only to locate stolen computers. The school district has admitted that it remotely activated webcams 42 times in the past 14 months. (Numerous media reports indicate that such remote activation helped the school district locate 28 of the 42 missing computers.) It is unknown whether or not the school district also turned on the computers' microphones.

In mid-November 2009, the vice principal of one of the district's two high schools allegedly informed a male student that he was "engaged in improper behavior in his home." It is also alleged that the vice principal cited as evidence a photograph "embedded in" the laptop the student had been issued by the school district.

Basic Risk Avoidance Steps

This Pennsylvania case shows how even well-intentioned plans can cause problems if we fail to understand the technology being used and its potential consequences. In this case, school officials apparently did not stop to consider how such use of webcams could catch children and other family members in private situations. Considering that many teens keep computers in their bedrooms, the potential for abuse is nearly limitless.

Effective risk management could (should) have avoided the issues raised by the Pennsylvania case. The remainder of this article examines the fundamental steps that management should follow when considering any use of personal information, particularly sensitive personal data.

Six Basic Risk Avoidance Steps

Effective risk management does not have to involve complex methodologies. Six common-sense steps can provide your organization with the information needed to avoid privacy risks. The six steps are:

  1. Identify the purposes for collecting personal data and the benefits that will result.
  2. Identify what personal data will be collected and eliminate the collection of personal data that is irrelevant or excessive.
  3. Identify any likely adverse impact that may occur.
  4. Consider alternatives that may avoid or lessen the privacy and security risks.
  5. Take into account the obligations that arise from collecting the personal information.
  6. In light of the above, determine whether the collection of personal data is justified.

Application of These Six Steps

Would the application of these six basic steps potentially have avoided the situation that has arisen in Pennsylvania? While no risk avoidance process can avoid all risks in all situations, the implementation of these six steps can help reduce or avoid most privacy risks. How would these steps have worked in the Pennsylvania situation?

  1. Identification of the purpose: The school district's stated purpose was to prevent the theft of laptops. This does not explain why a vice principal allegedly used the photos to reprimand a boy for his behavior.
  2. Personal data collected: This is the first point at which red flags should have been raised. Think about the types of personal data that can be collected by secretly turning on the webcams in a teenager's laptop. First of all, teens are known to use their laptops in their bedrooms. And, as the legal director of the American Civil Liberties Union of Pennsylvania states: "This is the age where kids explore their sexuality, so there is a lot of that going on in the room."
  3. Identify likely adverse impacts: The potential for abuse is almost limitless in this case. Once the webcams are turned on, there is no way to control what images will be seen or collected. Basically, there is no way to ensure that only relevant and nonexcessive information will be collected.
  4. Consider alternatives: One alternative was to have informed the students and their families of the plan to remotely activate the webcams. Also, remote activation of a webcam is not the only method available to locate stolen laptops. The use of GPS chips within a laptop is effective and would have avoided the types of risks that arise from the use of webcams.
  5. Obligations that arise: Had basic risk avoidance steps been followed, it is unlikely that this factor would have been reached. The magnitude of the risks and the readily available alternatives should have precluded the use of webcams. If not, however, a discussion of the obligations that arise from collecting images of potentially intimate and embarrassing situations should have raised red flags.
  6. Is the collection justified? Considering the risks, the lack of notice, the potential for abuse, the adverse impact on the school district, and the potential criminal violations that can arise, it is difficult to see how collection of personal data through a secretly activated web camera can be justified. Even if arguments can be made that remote activation of a webcam was necessary, common sense should have prevailed.

Consequences

The press reports indicate that the Federal Bureau of Investigation (FBI) is now investigating potential criminal violations from the remote activation of webcams. In particular, the FBI is examining whether laws on wiretapping and/or computer intrusion have been violated. The media reports that the school district has retained special legal counsel. There are certainly scores of negative reports that place the school district in an unfavorable light. These problems may have been avoided by the implementation of a basic privacy risk management process. Common sense dictates that risk avoidance is preferable to costly and resource-consuming litigation.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

© 2000-2012 International Risk Management Institute, Inc. (IRMI). All rights reserved.