Employee Monitoring: Watch This Way

What you don't know about how your employees are using company resources can hurt you. But remember this: There are acceptable, and not so acceptable, ways to monitor employee activity.

Who hasn't mistyped a URL or clicked on an innocent-looking link only to end up in one of those vile little pornographic cul-de-sacs that seem to lurk on the periphery of many popular Internet sites? While Whitehouse.gov brings you to the president's squeaky-clean official website and updates on bill signings and the war on terrorism, the URL Whitehouse.com leads you to a smutty XXX site that capitalizes on its famous name with pictures of "Hot Interns!"

Whenever I accidentally hit one of these sites (which usually results in dislocating some body part as I reflexively lurch to click the window shut), I wonder whether I'll be explaining it to my manager at my next performance review.

This is the same employee fear that CSOs are up against when they implement an employee monitoring policy (often tagged with the kinder, gentler moniker of "acceptable use policy"). Workers fret that their private communications will be laid bare to any network administrator, that infractions of the policy, even accidental ones, will be a cause for disciplinary action and that the corporate culture could take a distinctly Orwellian turn.

Concerns about surveillance are also shared by many CSOs who would prefer to leave e-mail and Internet baby-sitting to direct managers. But the question of whether to monitor what employees do on company time with corporate resources has been largely decided by legal precedents that are already holding businesses financially responsible for their employees' actions. Increasingly, employee monitoring is not a choice; it's a risk-management obligation.

A 2001 survey of workplace monitoring and surveillance practices by the American Management Association (AMA) and The ePolicy Institute showed the degree to which companies are turning to monitoring. Eighty-two percent of the study's 1,627 respondents acknowledged conducting some form of electronic monitoring or physical surveillance. Of those, 63 percent of the companies stated that they monitor Internet connections, and about 47 percent acknowledged storing and reviewing e-mail messages. A follow-up questionnaire to the AMA's survey also probed the companies' rationales for monitoring. The highest-rated concern in this follow-up was legal liability (68 percent), followed by general security concerns (60 percent). Measuring employee productivity and generating fodder for performance reviews, the motives that employees usually ascribe to so-called corporate snooping, were significantly lower on the list.

The main reason for the disconnect between the corporate motives for monitoring and employees' interpretations of them is that communication around the issue is so poor. One in five companies, according to the same survey, still doesn't have an acceptable use policy for e-mail, and one in four has no policy for Internet use. Companies that do have policies usually tuck them into the rarely probed recesses of the employee handbook, and even then the policies tend to be of the vague and lawyerly variety: "XYZ company reserves the right to monitor or review any information stored or transmitted on its equipment." Reserving the right to monitor is materially different from clearly stating that the company does monitor, listing what is tracked, describing what it looks for and detailing the consequences for violations. No wonder employees are anxious.

Open communication is the key to formulating the right policy and putting it into practice. CSOs who are explicit about what the company does in the way of monitoring and the reasons for it, and who actively educate employees about what unacceptable behavior looks like, will find that employees not only acclimate quite quickly to a policy but also reduce the CSO's burden by policing themselves. Here are some of the best practices that companies have shared with us for formulating and rolling out monitoring policies, and the advice that CSOs have offered for determining how much monitoring is appropriate for your company.

What You Can Monitor: Can I See Your Hall Pass?

Different industries have different pressure points that necessitate tracking and storing e-mail. The Securities and Exchange Commission mandates that all incoming and outgoing correspondence (including e-mail) for brokerage firms must be reviewed by a compliance officer, and that e-mail messages must be stored on a diskette that can't be deleted or overwritten and preserved for no less than three years, to ensure that companies haven't made claims that are beyond the scope of realistic investing. Some industries also have limitations on how tracking is done. The privacy protections provided by HIPAA, the Health Insurance Portability and Accountability Act of 1996, place a responsibility on companies to account for how health-related information is protected and transmitted. Collective bargaining agreements with labor unions curb monitoring of their members, and Fourth Amendment protections also restrict monitoring by government employers. In addition, laws restrict what kind of physical monitoring can be done in the workplace. For example, the law limits monitoring in areas where employees have a legitimate or reasonable expectation of privacy, such as putting a closed-circuit camera in a bathroom or entering a locker for which a lock has been provided.

Recording sound is also restricted: physical surveillance systems are not permitted to record sound, and federal law dictates that phone conversations cannot be recorded unless an employee consents. Many states require the consent of all parties before a phone conversation can be monitored.

While there are laws limiting specific kinds of surveillance, in general, private employers largely have free rein to monitor and scan electronic communications. (See "Monitoring by Law," Page 36.) Deborah Weinstein, a labor and employment law attorney at the Eckert, Seamans, Cherin & Mellott firm in Philadelphia, notes another caveat: Employers may not monitor or intercept e-mail while it is in transit. Once it has been stored, it may be scanned as part of a regular business activity. It is also critical that any scanning or tracking be applied to every employee equally. Companies that do monitor can get into real trouble here. For example, a company may have a policy that mandates scanning every e-mail for product names to deter intellectual property theft. If a potential case of theft is uncovered, it will be important that the company show the evidence was discovered in the course of a standard business practice of scanning e-mails. Otherwise, the employee might argue that his communications were scanned in a discriminatory manner. "You can't routinely watch the activities of younger people more than older people or do surveilling by race," Weinstein says.

At First Data, Western Union's parent company, Senior Vice President for Corporate Security Bob Degen applies his Web monitoring and blocking policy equally, regardless of gender, age, race and even corporate seniority. "We're serious about this," he says. "In the past two years, we've had occasion to discipline two very senior executives." The company has a two-strike policy. If an employee habitually tries to access forbidden sites with inappropriate content, HR calls him in and gives him a formal written warning. "That's their first and final warning," says Degen, who notes that the second offense could include termination.

To avoid discrimination claims and preserve the chain of evidence, it's wise to have only a few specially trained and exceptionally discreet employees charged with reading suspicious e-mails. Although employees that carry out monitoring won't be personally sued for an activity that falls within the scope of their job, CSOs need to be aware that often members of the IT group are uncomfortable identifying questionable employee conduct on the network and may worry about being named in any lawsuits that result. At First Data, the IT group was so uneasy making such judgments that Degen took the responsibility out of their hands. "Reports are automatically generated and given to security and HR, and then we determine whether [a situation] needs to be looked into," he says.

Although few states are currently providing protections beyond those that federal law affords to employees, CSOs should consult a cyberlaw expert to see if there are any state laws that would affect their monitoring plans. For example, certain states have enacted strict antispam legislation, and companies could get in legal trouble if an employee used the corporate network to disseminate spam. Any company that has international locations will most certainly want to have a detailed analysis done of the monitoring laws for each country it operates in. In Europe in particular, privacy is viewed as a fundamental human right, and electronic monitoring is by and large forbidden under European Union laws. That presents a challenge for many global companies that frequently have just one e-mail server. Those companies have to find a way to segregate European and U.S. e-mail to avoid violating European law.

Who You Can Monitor: You Lookin' At Me?

The fastest way to elicit resistance from employees is to appear to be on an unfocused fishing expedition for information. First, CSOs need to analyze their motives for monitoring. "You need a legitimate reason to monitor employees in the workplace," says Weinstein. "And employers have to identify those reasons. It can't just be because they don't trust [employees]. Maybe they want to protect trade secrets, maintain secure systems or preserve personal productivity."

A company might decide to monitor employees who are "misusing" their e-mail or Internet access to create a hostile work environment, which can be a dangerously subjective concept. In 1995, Chevron settled a well-publicized sexual harassment suit brought by four female employees who alleged that their coworkers created a hostile work environment by circulating offensive e-mails and Internet images. One of the items that was introduced into evidence was an e-mail titled "25 Reasons Beer Is Better than Women." Chevron paid out $2.2 million to make the suit go away.

For every half-written document, hastily tapped instant message and ill-conceived e-mail, there's a subpoena to ensnare it. Witness the public spanking of Merrill Lynch's stock price after authorities recovered e-mails that showed stock analysts privately trashing companies that they had publicly touted. In fact, the largest legal settlement ever involving a drug company owes a debt of gratitude to the evidence provided by internal e-mails. During litigation over diet pills manufactured by American Home Products, e-mails came out that showed the company was not only aware of but dismissive of the drug's potentially fatal side effects. In one particular e-mail an employee scoffed at the notion of having to pay off "fat people who are afraid of some silly lung problem." The company settled the case for up to $3.8 billion.

Open acknowledgement that a company monitors, reinforced by decisive action when infractions are discovered, will drive home to employees the understanding that e-mail is not a private form of communication. They, in turn, will likely police their own e-mail content.

The liabilities that employees can create with the use of computer systems are almost limitless. Imagine the damage (and damages awarded) if an employee uses the company's network infrastructure to launch an Internet-based attack, or if an embittered employee decides to post fabricated information about his publicly traded employer onto a chat room bulletin board.

However, companies that have acted in good faith to enact a monitoring policy and educate employees about abiding by those requirements will be in a significantly stronger legal position. "The courts look favorably on employers with a written policy consistently enforced and backed up by education," says Nancy Flynn, executive director of The ePolicy Institute and coauthor of E-Mail Rules: A Business Guide to Managing Policies, Security, and Legal Issues for E-Mail and Digital Communication (Amacom, April 2003). "Those employers are seen to have done everything possible to maintain a safe, secure and appropriate work environment."

Outside of the daunting prospect of courtroom appearances, there are some practical human resources arguments to be made for monitoring. Usually, employees have only to hear that e-mail and Internet use will be tracked, and 90 percent of the problem behaviors (from raunchy jokes to excessive Internet surfing) will cease. Companies that don't nip their employees' naughty habits in the bud risk the creation of a much larger HR problem. When employees were caught either sending or receiving dirty jokes and images at a New York Times Co. facility, the company ended up firing 10 percent of its workforce at that location.
