What you don’t know about how your employees are using company resources can hurt you. But remember this: There are acceptable, and not so acceptable, ways to monitor employee activity.

Who hasn’t mistyped a URL or clicked on an innocent-looking link only to end up in one of those vile little pornographic cul-de-sacs that seem to lurk on the periphery of many popular Internet sites? While Whitehouse.gov brings you to the president’s squeaky-clean official website and updates on bill signings and the war on terrorism, the URL Whitehouse.com leads you to a smutty XXX site that capitalizes on its famous name with pictures of “Hot Interns!” Whenever I accidentally hit one of these sites (which usually results in dislocating some body part as I reflexively lurch to click the window shut), I wonder whether I’ll be explaining it to my manager at my next performance review.

This is the same employee fear that CSOs are up against when they implement an employee monitoring policy (often tagged with the kinder, gentler moniker of “acceptable use policy”). Workers fret that their private communications will be laid bare to any network administrator, that infractions of the policy, even accidental ones, will be cause for disciplinary action, and that the corporate culture could take a distinctly Orwellian turn.

Concerns about surveillance are also shared by many CSOs who would prefer to leave e-mail and Internet baby-sitting to direct managers. But the question of whether to monitor what employees do on company time with corporate resources has been largely decided by legal precedents that are already holding businesses financially responsible for their employees’ actions. Increasingly, employee monitoring is not a choice; it’s a risk-management obligation.

A 2001 survey of workplace monitoring and surveillance practices by the American Management Association (AMA) and The ePolicy Institute showed the degree to which companies are turning to monitoring.
Eighty-two percent of the study’s 1,627 respondents acknowledged conducting some form of electronic monitoring or physical surveillance. Of those, 63 percent of the companies stated that they monitor Internet connections, and about 47 percent acknowledged storing and reviewing e-mail messages. A follow-up questionnaire to the AMA’s survey also probed the companies’ rationales for monitoring. The highest-rated concern in this follow-up was legal liability (68 percent), followed by general security concerns (60 percent). Measuring employee productivity and generating fodder for performance reviews, the motives that employees usually ascribe to so-called corporate snooping, were significantly lower on the list.

The main reason for the disconnect between the corporate motives for monitoring and employees’ interpretations of them is that communication around the issue is so poor. One in five companies, according to the same survey, still doesn’t have an acceptable use policy for e-mail, and one in four has no policy for Internet use. Companies that do have policies usually tuck them into the rarely probed recesses of the employee handbook, and even then the policies tend to be of the vague and lawyerly variety: “XYZ company reserves the right to monitor or review any information stored or transmitted on its equipment.” Reserving the right to monitor is materially different from clearly stating that the company does monitor, listing what is tracked, describing what it looks for and detailing the consequences for violations. No wonder employees are anxious.

Open communication is the key to formulating the right policy and putting it into practice. CSOs who are explicit about what the company does in the way of monitoring and the reasons for it, and who actively educate employees about what unacceptable behavior looks like, will find that employees not only acclimate quite quickly to a policy but also reduce the CSO’s burden by policing themselves.
Here are some of the best practices that companies have shared with us for formulating and rolling out monitoring policies, and the advice that CSOs have offered for determining how much monitoring is appropriate for your company.

What You Can Monitor: Can I See Your Hall Pass?

Different industries have different pressure points that necessitate tracking and storing e-mail. The Securities and Exchange Commission mandates that all incoming and outgoing correspondence (including e-mail) for brokerage firms be reviewed by a compliance officer; e-mail messages must be stored on a diskette that can’t be deleted or overwritten and preserved for no less than three years, to ensure that companies haven’t made claims that are beyond the scope of realistic investing. Some industries also have limitations on how tracking is done. The privacy protections provided by HIPAA, the Health Insurance Portability and Accountability Act of 1996, place a responsibility on companies to account for how health-related information is protected and transmitted. Collective bargaining agreements with labor unions curb monitoring of their members, and Fourth Amendment protections also restrict monitoring by government employers.

In addition, laws restrict what kind of physical monitoring can be done in the workplace. For example, the law limits monitoring in areas where employees have a legitimate or reasonable expectation of privacy, such as putting a closed-circuit camera in a bathroom or entering a locker for which a lock has been provided. Recording of sound is also limited: physical surveillance systems are not permitted to record sound, and federal law dictates that phone conversations cannot be recorded unless an employee consents.
Many states require the consent of all parties before a phone conversation can be monitored. While there are laws limiting specific kinds of surveillance, in general, private employers largely have free rein to monitor and scan electronic communications. (See “Monitoring by Law,” Page 36.) Deborah Weinstein, a labor and employment law attorney at the Eckert, Seamans, Cherin & Mellott firm in Philadelphia, notes another caveat: Employers may not monitor or intercept e-mail while it is in transit. Once it has been stored, it may be scanned as part of a regular business activity.

It is also critical that any scanning or tracking be applied to every employee equally. Companies that do monitor can get into real trouble here. For example, a company may have a policy that mandates scanning every e-mail for product names to deter intellectual property theft. If a potential case of theft is uncovered, it will be important that the company show the evidence was discovered in the course of a standard business practice of scanning e-mails. Otherwise, the employee might argue that his communications were scanned in a discriminatory manner. “You can’t routinely watch the activities of younger people more than older people or do surveilling by race,” Weinstein says.

At First Data, Western Union’s parent company, Senior Vice President for Corporate Security Bob Degen applies his Web monitoring and blocking policy equally, regardless of gender, age, race and even corporate seniority. “We’re serious about this,” he says. “In the past two years, we’ve had occasion to discipline two very senior executives.” The company has a two-strike policy. If an employee habitually tries to access forbidden sites with inappropriate content, HR calls him in and gives him a formal written warning. “That’s their first and final warning,” says Degen, who notes that the second offense could include termination.
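The practice described above, scanning every stored message against the same product-name list and being able to show afterward that a finding came out of routine processing rather than targeted review, can be sketched in code. The following is an added example, not code from the article or from any company it quotes; the product names, the policy identifier and the mail store are constructed for illustration.

```python
"""Uniform scan of stored e-mail for product names, with an audit trail.

Added example, not from the article. Every stored message is checked against
the same term list, sender attributes are never consulted when deciding what
to scan, and each scan writes an audit record so a later finding can be shown
to have come out of routine processing rather than a targeted look at one person.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Hypothetical watch-list and policy identifier (constructed for the example).
PRODUCT_TERMS = ("Project Falcon", "FalconDB")
POLICY_ID = "AUP-IP-01"


@dataclass(frozen=True)
class StoredMessage:
    msg_id: str
    sender: str   # kept for the report only; never used to decide what gets scanned
    subject: str
    body: str


@dataclass(frozen=True)
class Finding:
    msg_id: str
    matched_terms: tuple[str, ...]
    digest: str   # SHA-256 of the scanned text, ties the finding to the copy scanned


def scan_message(msg: StoredMessage, terms=PRODUCT_TERMS) -> Finding:
    """Apply the same case-insensitive term check to one stored message."""
    text = f"{msg.subject}\n{msg.body}"
    matched = tuple(t for t in terms if re.search(re.escape(t), text, re.IGNORECASE))
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
    return Finding(msg.msg_id, matched, digest)


def scan_mailstore(messages, terms=PRODUCT_TERMS):
    """Scan every message identically. Returns (findings, audit_log).

    The audit log gets one entry per message whether or not it matched; that
    complete record is what lets the company show the scan was routine and
    applied to everyone.
    """
    findings, audit = [], []
    for msg in messages:   # no filtering by sender, role, age or anything else
        result = scan_message(msg, terms)
        audit.append({
            "msg_id": msg.msg_id,
            "policy": POLICY_ID,
            "digest": result.digest,
            "matched": bool(result.matched_terms),
        })
        if result.matched_terms:
            findings.append(result)
    return findings, audit


def audit_covers_all(messages, audit) -> bool:
    """True when the audit trail records a scan for every stored message."""
    return {m.msg_id for m in messages} == {a["msg_id"] for a in audit}


def hr_report(findings, messages) -> dict[str, dict]:
    """Shape findings into the summary handed to security and HR for review."""
    by_id = {m.msg_id: m for m in messages}
    return {
        f.msg_id: {
            "sender": by_id[f.msg_id].sender,
            "terms": list(f.matched_terms),
            "digest": f.digest,
        }
        for f in findings
    }


# Constructed sample mail store (not real messages).
SAMPLE_MESSAGES = (
    StoredMessage("m1", "alice@example.com", "lunch",
                  "Anyone for sandwiches at noon?"),
    StoredMessage("m2", "bob@example.com", "draft",
                  "Attaching the FalconDB schema to my personal account for the weekend."),
    StoredMessage("m3", "carol@example.com", "project falcon status",
                  "Slides are in the shared folder."),
)

if __name__ == "__main__":
    found, log = scan_mailstore(SAMPLE_MESSAGES)
    print(hr_report(found, SAMPLE_MESSAGES))
    print("audit complete:", audit_covers_all(SAMPLE_MESSAGES, log))
```

The design point is that `scan_mailstore` never looks at who sent a message before deciding to scan it, and `audit_covers_all` is the check a reviewer can run to confirm the trail is complete; the per-message digest lets a finding be tied to the exact stored copy that was scanned.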
To avoid discrimination claims and preserve the chain of evidence, it’s wise to have only a few specially trained and exceptionally discreet employees charged with reading suspicious e-mails. Although employees who carry out monitoring won’t be personally sued for an activity that falls within the scope of their job, CSOs need to be aware that members of the IT group are often uncomfortable identifying questionable employee conduct on the network and may worry about being named in any lawsuits that result. At First Data, the IT group was so uneasy making such judgments that Degen took the responsibility out of their hands. “Reports are automatically generated and given to security and HR, and then we determine whether [a situation] needs to be looked into,” he says.

Although few states currently provide protections beyond those that federal law affords to employees, CSOs should consult a cyberlaw expert to see if there are any state laws that would affect their monitoring plans. For example, certain states have enacted strict antispam legislation, and companies could get in legal trouble if an employee used the corporate network to disseminate spam. Any company that has international locations will most certainly want to have a detailed analysis done of the monitoring laws for each country it operates in. In Europe in particular, privacy is viewed as a fundamental human right, and electronic monitoring is by and large verboten under European Union laws. That presents a challenge for many global companies that frequently have just one e-mail server. Those companies have to find a way to segregate European and U.S. e-mail to avoid violating European law.

Who You Can Monitor: You Lookin’ At Me?

The fastest way to elicit resistance from employees is to appear to be on an unfocused fishing expedition for information. First, CSOs need to analyze their motives for monitoring.
“You need a legitimate reason to monitor employees in the workplace,” says Weinstein. “And employers have to identify those reasons. It can’t just be because they don’t trust [employees]. Maybe they want to protect trade secrets, maintain secure systems or preserve personal productivity.” A company might decide to monitor employees who are “misusing” their e-mail or Internet access to create a hostile work environment, which can be a dangerously subjective concept. In 1995, Chevron settled a well-publicized sexual harassment suit brought by four female employees who alleged that their coworkers created a hostile work environment by circulating offensive e-mails and Internet images. One of the items introduced into evidence was an e-mail titled “25 Reasons Beer Is Better than Women.” Chevron paid out $2.2 million to make the suit go away.

For every half-written document, hastily tapped instant message and ill-conceived e-mail, there’s a subpoena waiting to ensnare it. Witness the public spanking of Merrill Lynch’s stock price after authorities recovered e-mails that showed stock analysts privately trashing companies that they had publicly touted. In fact, the largest legal settlement ever involving a drug company owes a debt of gratitude to the evidence provided by internal e-mails. During litigation over diet pills manufactured by American Home Products, e-mails came out that showed the company was not only aware of but dismissive of the drug’s potentially fatal side effects. In one particular e-mail an employee scoffed at the notion of having to pay off “fat people who are afraid of some silly lung problem.” The company settled the case for a sum valued at up to $3.8 billion.

Open acknowledgement that a company monitors, reinforced by decisive action when infractions are discovered, will drive home to employees the understanding that e-mail is not a private form of communication. They, in turn, will likely police their own e-mail content.
The liabilities that employees can create with the use of computer systems are almost limitless. Imagine the damage (and damages awarded) if an employee uses the company’s network infrastructure to launch an Internet-based attack, or if an embittered employee decides to post fabricated information about his publicly traded employer on a chat room bulletin board.

However, companies that have acted in good faith to enact a monitoring policy and educate employees about abiding by its requirements will be in a significantly stronger legal position. “The courts look favorably on employers with a written policy consistently enforced and backed up by education,” says Nancy Flynn, executive director of The ePolicy Institute and coauthor of E-Mail Rules: A Business Guide to Managing Policies, Security, and Legal Issues for E-Mail and Digital Communication (Amacom, April 2003). “Those employers are seen to have done everything possible to maintain a safe, secure and appropriate work environment.”

Outside of the daunting prospect of courtroom appearances, there are some practical human resources arguments to be made for monitoring. Usually, employees have only to hear that e-mail and Internet use will be tracked, and 90 percent of the problem behaviors, from raunchy jokes to excessive Internet surfing, will cease. Companies that don’t nip their employees’ naughty habits in the bud risk the creation of a much larger HR problem. When employees were caught either sending or receiving dirty jokes and images at a New York Times Co. facility, the company ended up firing 10 percent of its workforce at that location.

Monitoring also becomes far more palatable to employees when you make it clear that it provides a measure of protection for them against all the previously mentioned problems. At The Regence Group, an affiliate of Blue Cross and Blue Shield, CISO David MacLeod makes just such an argument to his employees.
Through newsletter articles, posters and technology fair booths, MacLeod gets his message out about monitoring. “We characterize it as something that’s for their own protection,” he says. “If somebody claims an employee did something, we have good audit trails to show if they did or didn’t.”

How You Can Monitor: Got Enforcement?

Clearly defining the company’s expectations and notifying employees of how and when monitoring will take place are important steps on paper but even more critical in practice. Flynn recommends that companies take what she refers to as the “three-E approach”: Establish your policy; educate the workforce; and enforce your policy consistently. That could mean pairing content-scanning technology with a written policy and then reinforcing it with a strong education program that cements the issue in the employee’s mind.

Many companies, even those with exceptionally detailed policies, don’t actively educate employees about what acceptable use means in day-to-day office life. During orientation, the HR rep might hand a new employee the acceptable-use policy form, and in the blizzard of information, it fails to stick. At The Regence Group, visual reinforcements like posters and newsletters remind employees about policies. And MacLeod requires every employee to go through a security awareness program that is separate from the orientation process. He also ensures that his group’s new slogan, “Security is everyone’s job,” is widely circulated and highly visible throughout the company. The company has an oversight committee composed of all the senior executives, and when it decides on a security initiative, MacLeod has the executives bring that decision to their organization. “That way when somebody goes to [an executive] complaining that security thinks we should do this or that, the executive can say, ‘Yes, I participated in that decision, and here’s why we’re doing it,’” says MacLeod. “We don’t have to be the only evangelists.”

Part of the education process is ensuring that employees know bad things can happen when they ignore the policy, and not just to them personally. E-disaster stories can be a tremendous education tool for CSOs. While most security executives would undoubtedly blanch at the idea that they should be inciting fear among the masses, employees do need to understand that there’s a connection between what they do and the kinds of stories they see in the news. When a company is hurt by internal e-mails made public, it’s a good time to circulate a reminder that what employees say on e-mail is neither private nor confidential and can be used against the company. If there’s a story in the news about employees posting confidential corporate information to Internet bulletin boards, it’s worth reiterating at that time that such activities are against corporate policy and will be investigated.

It’s one thing to craft a “take no prisoners” policy that threatens serious consequences to employees who flout its rules; it’s another thing to follow through with it. In fact, setting out a tough policy and monitoring employee behavior but doing nothing about what you find is one of the most dangerous things a company can do. “The biggest mistake companies make is not taking action,” says Miriam Wugmeister, a labor and privacy law attorney with Morrison & Foerster in New York City. “A company that puts out a policy and finds those sexually explicit e-mails and does nothing about them [will be vulnerable to a lawsuit] because they monitored and took no action. They knew about the situation, tolerated it and condoned it as an employer.” Also, when a company has a policy but repeatedly does nothing to enforce it, it takes the teeth out of it. If an employee then violates the policy in a sufficiently egregious way and the company decides to terminate him, it could face a discrimination suit because its failure to enforce the policy in the past has created the expectation that it won’t be enforced at all.

Flynn suggests that CSOs make a bold statement by terminating the first person who violates the policy after it is put in place, to set the precedent early on in the company. “If you terminate that first person to violate, you may avoid having to terminate a dozen or more employees down the road,” Flynn says. When a policy infraction leads to disciplinary action, it’s also a good idea to get the word out. Whether the employee was disciplined for e-mailing inappropriate material or spending too much time on eBay, let the fact that the policy is being enforced leak out. “The grapevine does a great service in these situations,” says Russell Schofield, managing director of IT at National Cooperative Bank in Washington, D.C., who notes that you can almost hear the collective “Uh-oh!” from the rest of the employees who suddenly realize that the company really is watching.