Monitoring Technologies vs. Employee Privacy


Employee Privacy & Monitoring Technologies
November 16, 2006
TBTLA
Chris Favaloro
Mark Wright
Andy Swenson
Len Chiacchia
Agenda
• Employee Privacy
• Is Monitoring ethical and legal?
• Why Monitor?
• Monitoring Technologies
• Maintaining
• Implementing
Employee Privacy
Privacy Defined:
“The right to be left alone - the most comprehensive of rights, and the right most valued by a free people”
- Justice Louis Brandeis (1928)
Ethical
Is Monitoring Ethical?
• Depends on the View
• Employee View
  • Want their Freedom
  • Monitoring may feel like Big Brother
  • May affect productivity or employee loyalty
• Company View
  • Responsible for Protecting the Stakeholders
  • Labeling
  • Branding
  • Trademarks
  • Copyrights
Legal
Is Monitoring Legal?
Federal Law
The Electronic Communications Privacy Act of 1986 (ECPA)
Allows companies to monitor employees' emails and track usage if one of three stated provisions is adequately met:
• Employee has given consent
• Legitimate business reason
• Company needs to protect itself
Legal
Is Monitoring Legal?
State Law
The 2006 Florida Statutes – Chapter 934.03
Allows companies to monitor employees as long as all parties consent.
Why Monitor
Required
Financial
Securities and Exchange Commission's Code of Federal Regulations (CFR) 17a-3 and 17a-4
• 3 – 6 years or longer depending on the data
• Must be readily accessible for first 2 years
Sarbanes-Oxley
• Auditing Firms – All Communications -7 years
GAAP – Generally Accepted Accounting Principles
GAPP – Generally Accepted Privacy Principles
Why Monitor
Required
Medical
HIPAA
(HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996)
“the clinical record retention rules for a given jurisdiction would govern as to the length of time the record must be preserved”
- American Psychiatric Association Council on Psychiatry and Law
Why Monitor
Required
ISPs - Internet Service Providers
1986 ECPA (Electronic Communications Privacy Act)
• Currently: requested to keep data for 90 days
• Proposed: Dept of Justice and FBI want data kept for 2 years
~USA Today, June 2006~
Why Monitor
Protection/Liability
Email
IM – Instant Messaging
Chat Room
Discussion Databases
• Financial (Non-Company Chat/Discussion Boards) – can be considered Public Appearances by NASD
Survey
According to a 2005 Survey by the American Management Association:
• 84% of employers have established policies governing e-mail use
• 81% have established policies governing personal Internet use
• 80% of employers disclose their monitoring practices to employees
• 75% of employers monitor their employees' web site use
• 65% use software to block connections to web sites
• 50% review and retain electronic mail messages
- Privacy Rights Clearinghouse, 2006
Survey
According to a recent report from Business Performance Management Forum and AXS-One Inc, respondents reported:
• No technologies or policies in place to handle a legal discovery order
• No corporate policy to cover electronic records management
• Didn't know if they had a policy
Senior executives and subject matter experts interviewed
- Enterprise Storage Forum, 2006
Applications
Applications currently can record:
• Emails Sent and Received
• Instant Messages
• Key logging – Recording of keystrokes
• P2P file transactions
• Websites visited
Applications
Secure Computing (A.K.A. CipherTrust)
• Offers Numerous Software Packages:
  • Web Gateway
  • Messaging Gateway
  • Network Gateway
  • Identity and Access Management
Applications
Akonix
• Five Different Appliance Technologies for Protection:
  • L7 Enterprise
  • L7 Enforcer
  • L7 Skype Manager
  • L7 Remote Security Manager
  • L7 Builder
Applications
Websense
• Web Security
  • Spyware and Keylogging
  • Malicious Mobile Code
  • Phishing and Pharming
  • Secure IM Attachments
• Web Filtering
• Employee Productivity
• Bandwidth Management
• Legal Liability
Applications
Websense
• Endpoint Security
  • Internal Attack Prevention
  • Application Content Control
  • External Threat Mitigation
  • Removable Media Management
  • Remote Endpoint Protection
Maintaining
All of these systems require additional costs:
• Central Server (refer to software requirements)
• Administrator to monitor the system and make sure data is secure
• Policy implemented and in place before using the software
• Policy should be re-issued annually and reviewed by employees
Implementation
Define the Scope
• Monitoring (Too Much, Too Little)
The Right People
• Fit the Person to the Job
• Personally Screen
• Remember “Loose Lips Sink Ships”
Trained – Technical Forensics
• Privacy Administrator
• Chief Privacy Officer
• CISSP Certified (Certified Information Systems Security Professional)
• IAPO Certified (International Association of Privacy Officers)
Implementation
Written Policy
• Handbook
• Signed Agreement
• Internal Web Site
Training
Employees
Management
Legally Sufficient
“One of the biggest problems is the ambiguity with which these regulations are drafted,”
- Peter Gerr, Analyst with Enterprise Storage Group
Implementation
Data Storage/Retrieval
Security of the Data
• Retrieving the Data
• Tamperproof
• Metadata

Litigation
Effective December 1, 2006
New Civil Laws
http://www.uscourts.gov/rules/newrules6.html
“regarding a company's duty to preserve and produce electronically stored information (ESI) in the face of litigation or pending litigation”
Civil Rules 16, 26, 33, 34 and 37
Above ALL: Get Corporate Counsel
Thank You
WWW.TB-TLA.ORG
Chris Favaloro
Mark Wright
Andy Swenson
Len Chiacchia