In Depth

Employee Monitoring: Watch This Way

What you don't know about how your employees are using company resources can hurt you. But remember this: There are acceptable, and not so acceptable, ways to monitor employee activity.

By Daintry Duffy

Page 3

At First Data, Western Union's parent company, Senior Vice President for Corporate Security Bob Degen applies his Web monitoring and blocking policy equally, regardless of gender, age, race and even corporate seniority. "We're serious about this," he says. "In the past two years, we've had occasion to discipline two very senior executives." The company has a two-strike policy. If an employee habitually tries to access forbidden sites with inappropriate content, HR calls him in and gives him a formal written warning. "That's their first and final warning," says Degen, who notes that the second offense could include termination.

To avoid discrimination claims and preserve the chain of evidence, it's wise to have only a few specially trained and exceptionally discreet employees charged with reading suspicious e-mails. Although employees that carry out monitoring won't be personally sued for an activity that falls within the scope of their job, CSOs need to be aware that often members of the IT group are uncomfortable identifying questionable employee conduct on the network and may worry about being named in any lawsuits that result. At First Data, the IT group was so uneasy making such judgments that Degen took the responsibility out of their hands. "Reports are automatically generated and given to security and HR, and then we determine whether [a situation] needs to be looked into," he says.

Although few states currently provide protections beyond those that federal law affords to employees, CSOs should consult a cyberlaw expert to see whether any state laws would affect their monitoring plans. For example, certain states have enacted strict antispam legislation, and companies could get into legal trouble if an employee used the corporate network to disseminate spam. Any company with international locations will most certainly want a detailed analysis of the monitoring laws for each country it operates in. In Europe in particular, privacy is viewed as a fundamental human right, and electronic monitoring is by and large verboten under European Union laws. That presents a challenge for many global companies that frequently have just one e-mail server. Those companies have to find a way to segregate European and U.S. e-mail to avoid violating European law.

Who You Can Monitor: You Lookin' At Me?

The fastest way to elicit resistance from employees is to appear to be on an unfocused fishing expedition for information. First, CSOs need to analyze their motives for monitoring. "You need a legitimate reason to monitor employees in the workplace," says Weinstein. "And employers have to identify those reasons. It can't just be because they don't trust [employees]. Maybe they want to protect trade secrets, maintain secure systems or preserve personal productivity."

