Web Monitoring: How to Track Employee Data Access (Without Going Overboard)
Monitoring access to corporate data can be an effective way to keep the crown jewels from walking out the door, but it requires a careful balancing act.
By Lauren Gibbons Paul
These are excellent practices, says Nancy Flynn, executive director of The ePolicy Institute, a training consultancy. Once you define a thorough electronic data policy (covering everything from application and database access to e-mail, IM and Web usage), the next step is training the employees (see "The 3 E's of E-Risk Management," Page 48). "You need to explain they have no reasonable expectation of privacy in the workplace and what are the ramifications if they violate the policy," says Flynn. The final step is to enforce the policy consistently, no matter who the violator might be.
Following these steps will help shield you from potential legal issues. "The last thing you want is to terminate an employee for violating your data policy and they don't even know you have one. Or they know about the policy but it has not been enforced across the board," says Flynn. As with anything else, following these guidelines will not prevent a disgruntled employee from filing a suit, but some courts have found companies are not legally liable so long as the policy is comprehensive, known to employees and enforced uniformly.
Beware the Downside of Being Watched
Joe Rizzo, acting CISO at multiplayer online game developer Perpetual Entertainment, acknowledges that it is a continuing struggle for organizations to find the right balance between knowing what's happening with data and maintaining employee morale. "It's touchy because our employees don't want to feel like they're being watched," he says.
Rizzo has arrived at what appears to be a reasonable compromise: Perpetual uses Tablus's Content Monitor Alarm to monitor access to its game source code, especially since it often works with third-party developers. The system makes a digital footprint of the source code so that copies of it can be recognized wherever they turn up. "It's our livelihood. We have to control and monitor that data. If we see our IP leaving, we will take action," he says. But he does not block any websites or curtail the use of IM.
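To make the "digital footprint" idea concrete, here is an added illustration (not Tablus's product or Perpetual's code) of winnowing-style content fingerprinting: a protected source file is reduced to a set of hashes, and an outbound message is scored by how many of those hashes it contains, so a pasted fragment is caught even when surrounded by unrelated text. The source snippet, mail bodies and the 0.2 alert threshold are constructed samples.

```python
import hashlib
import re

def _normalize(text):
    # Collapse whitespace and case so re-indenting or reformatting does not defeat a match.
    return re.sub(r"\s+", " ", text).strip().lower()

def _gram_hashes(text, k):
    # Hash every k-character substring of the normalized text (64-bit truncation is enough here).
    s = _normalize(text)
    return [int.from_bytes(hashlib.sha256(s[i:i + k].encode()).digest()[:8], "big")
            for i in range(len(s) - k + 1)]

def fingerprint(text, k=20, window=5):
    """Winnowing: keep the minimum hash of each sliding window of consecutive k-grams.
    Any copied stretch longer than k + window - 1 characters shares at least one hash."""
    hashes = _gram_hashes(text, k)
    return {min(hashes[i:i + window]) for i in range(len(hashes) - window + 1)}

def coverage(protected_fp, outbound_text, k=20, window=5):
    """Fraction of the protected asset's fingerprints found in an outbound message."""
    if not protected_fp:
        return 0.0
    return len(protected_fp & fingerprint(outbound_text, k, window)) / len(protected_fp)

def should_alert(protected_fp, outbound_text, threshold=0.2):
    # Tune the threshold per asset: a short helper may legitimately be shared in full.
    return coverage(protected_fp, outbound_text) >= threshold

# Constructed stand-in for a protected source file (not real product code).
PROTECTED_SOURCE = """
static int apply_physics_step(struct world *w, float dt) {
    for (size_t i = 0; i < w->body_count; i++) {
        struct body *b = &w->bodies[i];
        b->velocity.y -= w->gravity * dt;
        b->position.x += b->velocity.x * dt;
        b->position.y += b->velocity.y * dt;
    }
    return resolve_collisions(w);
}
"""
PROTECTED_FP = fingerprint(PROTECTED_SOURCE)
# Constructed outbound messages: a benign notice, a full paste, and a partial paste.
BENIGN_MAIL = "Reminder: the build server is down for maintenance Friday at noon."
FULL_LEAK_MAIL = "Here is the step function you asked for:\n" + PROTECTED_SOURCE + "\nThanks"
PARTIAL_LEAK_MAIL = "Just the loop header:\n" + "\n".join(PROTECTED_SOURCE.strip().splitlines()[:4])
if __name__ == "__main__":
    for name, mail in [("benign", BENIGN_MAIL), ("full", FULL_LEAK_MAIL), ("partial", PARTIAL_LEAK_MAIL)]:
        print(f"{name}: coverage={coverage(PROTECTED_FP, mail):.2f} alert={should_alert(PROTECTED_FP, mail)}")
```

A full paste scores 1.0 and the benign mail 0.0; the four-line partial paste lands somewhere around half, which is why the threshold, not an exact match, decides the alert.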
Siebel is like Perpetual Entertainment in that it employs highly skilled programmers who balk at the notion of being watched by their employer. "I don't like playing Net cop. I do as little data surveillance as possible," says CISO Mortman. And privacy laws are much more restrictive for the employer in other countries in which Siebel operates, including France. But a few years ago, the results of a Siebel customer satisfaction survey were leaked by an insider. That got Mortman's attention, for sure.
But his inclination at this point is to protect the data by restricting access through rights-management software as opposed to implementing data monitoring tools.