As the number of costly cases of insider theft, fraud, lower productivity or inappropriate workplace behavior, involving organizations like the NSA, Zynga and HTC, continues to rise, more companies are recognizing the need for an employee monitoring program. However, since this is not as common a practice as defending against outside attacks, it raises many new questions, including legality and best practices.
So, first of all… Yes, employee monitoring is legal in the United States.* While the 1986 Electronic Communications Privacy Act prohibits unauthorized interception of electronic communications including e-mail, the law exempts service providers. Therefore, the courts have commonly interpreted this to include employers who provide e-mail and Internet access, according to David Sobel, attorney for the Electronic Privacy Information Center in Washington, D.C.
Not only is it legal to monitor employees on their computers and online, there is no federal US law that requires employers to notify workers they are being monitored. So while it is a best practice to inform employees of the company’s right to monitor all activity on employee computers and disclose it in the employee handbook, companies are NOT required to do so in the US.
Notifying an employee of the company’s right to monitor can also act as a natural deterrent. Valerie Wright, Ph.D., research analyst at The Sentencing Project, noted, “Research to date generally indicates that increases in the certainty of punishment, as opposed to the severity of punishment, are more likely to produce deterrent benefits.” This is akin to video cameras in offices or parking garages.
The US courts have tried to balance an employee’s “reasonable expectation of privacy” against the employer’s business justification for monitoring. According to Santa Clara University Professor of Law Dorothy Glancy, “There aren’t many cases, and they tend to go against the employee. Often, court opinions take the point of view that when the employees are using employers’ property–the employers’ computers and networks–the employees’ expectation of privacy is minimal.” Glancy continues, “When courts take this view, if employees want to have private communications, they can enjoy them on their own time and equipment.”
A greater number of companies are monitoring their employees electronically. Active monitoring of employees has risen recently from 35% in 2001 to 80% in 2012, due largely to increased awareness. However, the costs of data breaches, internal threats and theft, as well as inappropriate workplace behavior cases such as sexual harassment, have also been large contributors. Employee monitoring provides important data and information that can be used as forensic evidence in a court of law:
Legal Liability: With workplaces often being designed as shared spaces with open floor plans and cubicles, it is easy for employees to be exposed to materials viewed by their colleagues online. Unwitting exposure to offensive graphic material on an office neighbor’s computer screen can result in a hostile workplace environment. This is in addition to any harassment that can occur via work email and chats.
Legal Compliance: In regulated industries, electronic recording and storage may be considered part of a company’s “due diligence” in keeping adequate records and files. This can provide them with some degree of legal protection. It is similar to a company’s need to tape telemarketing activities and customer calls in order to protect the company.
Security Concerns: Protecting the value of intellectual property and electronic assets is a growing concern for companies. Data threats and data breaches can cost millions of dollars and damage a company’s reputation, both with its customers and, in some cases, with investors.
Finally, if your company does not have an Acceptable Use Policy as part of your employee handbook, now is the time to put one in place. An Acceptable Use Policy (“AUP”) serves multiple purposes. It spells out your policies clearly, so that your employees know what is and is not acceptable. In this document, you disclose that the organization has the right to monitor activity on company-provided devices and on the company network. Make sure all employees receive a copy of your AUP and acknowledge that receipt.
More companies are instituting employee monitoring to improve their internal security against insider threats, ensure adherence to company policies, and improve overall awareness about what is happening within the company. Utilizing the information above will at least get you started on the right legal footing.
*Please consult the laws in your local jurisdiction as they can vary in other countries. The information provided in this document does not constitute legal advice. You should consult an attorney that is familiar with the law of the state or locale involved regarding your particular concerns.