subject: Time to Update Your Employee Monitoring Policy?
posted: Wed, 18 Oct 2006 17:43:41 +0100


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9004170&taxonomyId=17&intsrc=kc_feat&WT.svl=bestoftheweb3

Time to Update Your Employee Monitoring Policy?
Jay Cline

October 16, 2006 (Computerworld) "You have no expectation of
privacy!" So say most corporate privacy policies for employees, like
a bullying reminder of the obvious. But the recent boardroom scandal
at Hewlett-Packard Co. involving Web bugs and "pretexting" has
employees asking if they should be afforded some basic privacy
protections in the workplace. Companies that want a dedicated and
productive workforce shouldn't hesitate to extend to their employees
their often-stronger customer privacy policies, disclosing in that
policy all the monitoring they will -- and won't -- do to detect
insider wrongdoing.

The mantra of "You have no expectation of privacy" while you're in
company facilities or using company computing systems has become a
unanimous chorus across corporate America, a legacy of several court
decisions in the 1990s. U.S. companies have welcomed these decisions,
which effectively give corporations carte blanche to record their
employees and monitor their Web and e-mail usage, so long as they
inform employees ahead of time.

And many companies are doing just that. The American Management
Association, which conducts the best ongoing survey on this topic,
last reported in 2005 that three-fourths of U.S. employers conducted
some form of electronic employee monitoring. This is
up from one-half of employers in 2003, and, as reported in
Computerworld, just one-third in 2001 (see "Study: Monitoring of
employee e-mail, Web use escalates").

Why are so many companies investing their limited IT resources in
employee monitoring? Let me count the reasons:

1. The annual FBI/CSI report on corporate computer crime routinely
finds that insiders are the No. 1 threat to company information,
often the most valuable corporate asset.

2. The list of over 300 security breaches posted on Privacyrights.org
includes numerous incidents resulting from employee negligence. These
publicized incidents cost companies $13 million on average, according
to the Ponemon Institute.

3. Any company taking advantage of the free trials offered by Vontu
and Vericept Corp. to scan its outbound electronic traffic has
experienced a sinking feeling as it finally sees just how many
sensitive e-mail attachments are leaving the company network.

Besides, corporate executives say, the network is our property, and
it's our right to know how it's being used. These are all legitimate
reasons for companies to continue some level of employee monitoring.

But isn't it obnoxiously overstating it to say to your valued
employees that they have no privacy inside these walls? Don't we
actually mean to say that we may monitor them but not without cause?
Privacy, after all, is a much bigger concept than not being
monitored. And monitoring, if done within the right parameters and
restrictions, can stop short of what most people would consider to be
a violation of their privacy.

How big is the concept of privacy? There are many different opinions
on this question, but my favorite is the set of seven Safe Harbor
principles agreed to by the U.S. and EU. When applied to employee
monitoring, these principles would result in an employee privacy
policy that said something like this:

1. Notice: We conduct limited employee monitoring: our prominently
visible cameras track your movements at entrances and sensitive
areas, but not in elevators or restrooms. We routinely record the
phone calls only of our call center staff. We don't routinely screen
outgoing postal mail. Our automatic sensors monitor Internet and
e-mail traffic for commonly recognized obscene words, racial epithets,
threats of violence, pornography, exposures of sensitive company
information and criminal acts. Individual instances violating these
parameters may be investigated by a small number of authorized
security and human resources employees. If an employee is suspected
of wrongdoing, we may monitor all of his behavior while on or using
company facilities, but only with the authorization of the legal and
HR departments, and only while he is a suspect.

2. Choice: We don't use employee monitoring information (EMI) for
marketing purposes or share it with third parties for marketing
purposes, so there is no need to "opt out" of these uses.

3. Onward Transfer: We don't use third parties for our employee
monitoring, but may securely transfer EMI to outside organizations,
such as the police, in cases of suspected wrongdoing.

4. Access: Contact HR to review your employee file. We generally
don't include EMI in your employee file unless there has been a case
of verified wrongdoing.

5. Security: We'll protect EMI to the same degree we protect our
company's most sensitive data.

6. Data Integrity: We'll conduct only the minimum amount of
monitoring necessary to prevent and detect wrongdoing in the company.
We won't keep EMI indefinitely; it will be destroyed according to
strict time limits set by our EMI steering committee.

7. Enforcement: Our internal audit department independently reviews
and reports on our company's compliance with this policy. If you have
questions or complaints about employee monitoring, contact our
anonymous whistleblower hot line, your HR manager or the audit
department.

So why would a U.S. company want to impose these limits on itself
when the law doesn't strictly require it to do so? First, if your
company is a multinational, you may already be required to observe
these limits for your European colleagues. While there are many
onerous European labor regulations that the U.S. divisions of
multinationals do not observe, this issue is serious enough that it
begs the question: do you really want to give your employees
different levels of privacy based on where they live?

Second, I think the answer to this question goes back to one of the
first ethics lessons our parents taught us in grade school: that what
is legal to do is not always what is right to do. And more
fundamentally, it goes back to the golden rule: We should treat
others as we would wish to be treated.

So what's your employee-monitoring game plan? I'd offer four
recommendations:

1. Organize. Convene an employee privacy task force composed of
representatives from HR, legal, audit, physical and IT security, and
privacy, and review your current monitoring practices and objectives.

2. Update your policy. Make your employee privacy policy consistent
with your customer policy, ideally basing both on the safe harbor
principles.

3. Certify. Post your policy on your intranet and get it certified by
Truste or BBBOnLine Inc. to give it legitimacy.

4. Communicate. Regularly and frequently inform your employees about
your monitoring policy and what rights they have through it.

If your company respects the privacy and dignity of its employees,
they'll be more likely to become genuinely dedicated to your
company's mission. But treat them like criminals, and they'll surely
rise, or sink, to those expectations.


Jay Cline is a former chief privacy officer of a Fortune 500 company
and now president of Minnesota Privacy Consultants. You can reach him
at [email protected]

---
* Origin: [adminz] tech, security, support -
http://cyberdelix.net/adminz/