Privacy Makes all the Difference: Insider Risk Management and Insider Threat Surveillance


As insider risks grow, whether born from negligence, external intimidation, or true malicious internal threats, organizations need to take steps to identify and eliminate them. In a previous post we discussed two competing approaches: Insider Risk Management and Insider Threat Surveillance. We promised to examine more closely seven core capabilities required for combatting insider risk. This post will drill down on privacy.

Security and compliance professionals typically think about privacy in the context of regulatory requirements. For example, the EU’s General Data Protection Regulation (GDPR), HIPAA, the California Consumer Privacy Act (CCPA), and a growing number of other laws require organizations to protect personally identifiable information (PII) and personal health information (PHI). When that information is exposed in a breach, organizations are subject to fines, loss of customers, and reputational damage.

Less well understood are the privacy rights of users and how these differ between jurisdictions. For example, in the U.S. and U.K., employers are entitled to monitor private emails to establish whether the contents are business related. If the…
