Employee Privacy & Monitoring Technologies
November 16, 2006
TBTLA
Andy Swenson
Len Chiacchia
Chris Favaloro
Mark Wright
Agenda
• Employee Privacy
• Is Monitoring Ethical and Legal?
• Why Monitor?
• Monitoring Technologies
• Maintaining
• Implementing
Employee Privacy
Privacy Defined :
“The right to be left alone – the most comprehensive of rights, and the right most valued by a free people” – Justice Louis Brandeis (1928)
Ethical
Is Monitoring Ethical?
• Depends on the View
• Employee View
  • Want their freedom
  • Monitoring may feel like Big Brother
  • May affect productivity or employee loyalty
• Company View
  • Responsible for protecting the stakeholders
  • Labeling
  • Branding
  • Trademarks
  • Copyrights
Legal
Is Monitoring Legal? Federal Law
The Electronic Communications Privacy Act of 1986 (ECPA)
Allows companies to monitor employees' emails and track usage if one of three stated provisions is adequately met:
• Employee has given consent
• Legitimate business reason
• Company needs to protect itself
Legal
Is Monitoring Legal? State Law
The 2006 Florida Statutes – Chapter 934.03
Allows companies to monitor employees as long as all parties consent.
Why Monitor
Required – Financial
Securities and Exchange Commission's Code of Federal Regulations (CFR) 17a-3 and 17a-4
• 3 – 6 years or longer depending on the data
• Must be readily accessible for the first 2 years
Sarbanes-Oxley
• Auditing Firms – All Communications – 7 years
GAAP – Generally Accepted Accounting Principles
GAPP – Generally Accepted Privacy Principles
Why Monitor
Required – Medical
HIPAA (Health Insurance Portability and Accountability Act of 1996)
“the clinical record retention rules for a given jurisdiction would govern as to the length of time the record must be preserved”
American Psychiatric Association Council on Psychiatry and Law
Why Monitor
Required – ISPs (Internet Service Providers)
1986 ECPA (Electronic Communications Privacy Act)
Currently: requested to keep data for 90 days
Proposed: Dept. of Justice and FBI want data kept for 2 years
USA Today, June 2006
Why Monitor
Protection/Liability
• Email
• IM – Instant Messaging
• Chat Rooms
• Discussion Databases
• Financial – (Non-Company Chat/Discussion Boards) can be considered Public Appearances by NASD
Survey
According to a 2005 Survey by the American Management Association (Privacy Rights Clearinghouse, 2006):
• 75% of employers monitor their employees' web site connections
• 65% use software to block connections to web sites
• 50% review and retain electronic mail messages
• 80% of employers disclose their monitoring practices to employees
• 84% of employers have established policies governing e-mail use
• 81% have established policies governing personal Internet use
Survey
According to a recent report from Business Performance Management Forum and AXS-One Inc. (senior executives and subject matter experts interviewed):
• NO technologies or policies in place to handle a legal discovery order
• NO corporate policy to cover electronic records management
• Didn't know if they had a policy
Enterprise Storage Forum, 2006
Applications
Applications currently can record:
• Emails sent and received
• Instant messages
• Key logging – recording of keystrokes
• P2P file transactions
• Websites visited
Applications
Secure Computing (a.k.a. CipherTrust)
• Offers numerous software packages
  • Web Gateway
  • Messaging Gateway
  • Network Gateway
  • Identity and Access Management
Applications
Akonix
• Five different appliance technologies for protection
  • L7 Enterprise
  • L7 Enforcer
  • L7 Skype Manager
  • L7 Remote Security Manager
  • L7 Builder
Applications
Websense
• Web Security
  • Spyware and Keylogging
  • Malicious Mobile Code
  • Phishing and Pharming
  • Secure IM Attachments
• Web Filtering
  • Employee Productivity
  • Bandwidth Management
  • Legal Liability
Applications
Websense
• Endpoint Security
  • Internal Attack Prevention
  • Application Content Control
  • External Threat Mitigation
  • Removable Media Management
  • Remote Endpoint Protection
Maintaining
All of these systems require additional costs:
• Central server (refer to software requirements)
• Administrator to monitor the system and make sure data is secure
• Policy implemented and in place before using the software
• Policy should be instated annually and reviewed by employees
Implementation
Define the Scope
• Monitoring (too much, too little)
The Right People
• Fit the person to the job
• Personally screen
• Remember “Loose Lips Sink Ships”
Trained – Technical Forensics
• Privacy Administrator
• Chief Privacy Officer
• CISSP Certified (Certified Information Systems Security Professional)
• IAPO Certified (International Association of Privacy Officers)
Implementation
Written Policy
• Handbook
• Signed Agreement
• Internal Web Site
Training
• Employees
• Management
Legally Sufficient
"One of the biggest problems is the ambiguity with which these regulations are drafted."
Peter Gerr – Analyst with Enterprise Storage Group
Implementation
Data Storage/Retrieval
• Security of the Data
• Retrieving the Data
• Tamperproof Metadata
Litigation
Effective December 1, 2006: New Civil Laws
http://www.uscourts.gov/rules/newrules6.html
“regarding a company's duty to preserve and produce electronically stored information (ESI) in the face of litigation or pending litigation”
Civil Rules 16, 26, 33, 34 and 37
Above ALL: Get Corporate Counsel
Thank You
WWW.TB-TLA.ORG
Andy Swenson
Len Chiacchia
Chris Favaloro
Mark Wright