Insider Threat Law: Balancing Privacy and Protection

Post on 07-Jan-2017



INSIDER THREAT MANAGEMENT GROUP
PREVENT | DETECT | MITIGATE™

SHAWN M. THOMPSON, ESQ.
Founder and President, ITMG

Insider Threat Law: Balancing Privacy and Protection

www.itmg.co
shawn@itmg.co
410-874-3712

The story of me . . .

Founder and President, Insider Threat Management Group

Board Member, National Insider Threat Special Interest Group

Insider Threat Program Manager, Department of Defense

Senior Legal Advisor, National Insider Threat Task Force

Senior Special Agent, Department of Defense

Senior Litigation Attorney, Department of Defense

Assistant General Counsel, Federal Bureau of Investigation

Special Assistant United States Attorney, United States Department of Justice

. . . the story of you

Objective

Balance = Value

Monitoring is essential

Privacy Protection

Privacy

• Historical context
• What is “privacy?”
• Does it exist in the employment context?
• Collection v. Use

Key Takeaway – Employees have limited privacy rights at the workplace and on employer devices and vehicles outside the workplace

Collection v. Use

Collection
• Fewer restrictions
• More responsibility

Use
• More restrictions
• Greater responsibility

Key Takeaway – Businesses can collect more than they can use

Objectives – Protection

Prevention
• Keep threats out

Detection
• Uncover threats

Mitigation
• Respond to threats

Prevention
• Pre-employment screening
• Agreements
• Policies and training
• Continuous evaluation

Key Takeaway – Obtaining employee consent and developing monitoring policies are best practices

Detection – HOW?
How can employees be monitored?
• Video
• Audio
• GPS
• Computer activity
• External data sources

Detection – WHO?
Who can be monitored?
• Everyone?
• Sub-groups?
• Third parties?

Key Takeaway – Different levels of monitoring require documented justification

Detection – WHAT?
What can be monitored?

• Communications

• Movements

• Devices

Key Takeaway – Important distinctions between collection and use

Detection – WHEN/WHERE?

When and where can employees be monitored?
• On-site

• Off-site

• “Personal” time v. “business” time

Key Takeaway – Monitor for “legitimate business needs” only

Detection – WHY?
Why can (or must) employees be monitored?

• Requirements?

• Government v. commercial
  – Government minimum standards
  – Regulatory findings

• Prevent liability exposure

“We considered several factors [for closing the investigation], including the fact that Morgan Stanley had established and implemented comprehensive policies designed to protect against insider theft of personal information.”

August 2015 letter from FTC to Morgan Stanley

Key Takeaway – User activity monitoring is essential

Mitigation
• Discoverability
• Enforceability
• Usability

Key Takeaway – Monitoring is essential to properly mitigate insider threats

Insider Threat Compliance Program (aka “Watch the Watchers”)

Important?

Business case

Elements and Components

Best practices

Key Takeaways
• MONITORING is necessary
• BALANCE = value
• Collection “rights” are NOT king
• POLICIES are vital
• Maintain REASONABLENESS
• Seek LEGAL counsel

QUESTIONS?

SHAWN M. THOMPSON, ESQ.
Founder and President
Insider Threat Management Group, LLC
www.itmg.co
shawn@itmg.co
410-858-0006 / 410-874-3712