Disclaimer: The information contained herein is not offered as legal advice and should not serve as a substitute for obtaining such advice from a legal professional familiar with the facts of a particular case. This is for informational purposes only and intended to highlight some of the general legal issues that arise when selecting and implementing employee network and endpoint monitoring solutions. Use and application of the information contained to a particular set of facts and circumstances is at the sole discretion of the reader.
Employee monitoring is necessary to protect your sensitive data, but it does come with some legal considerations that you need to be aware of.
Employee monitoring solutions can take many forms, including those that monitor video, audio, social media, and criminal records. The scope of this discussion, however, is limited to those solutions designed to monitor employees’ electronic activity on a mobile device, laptop, or network. These solutions are generally referred to as User Activity Monitoring (UAM). Regardless, the objective of these solutions is to collect information for purposes of identifying behavior that either violates policy or is otherwise indicative of threatening behavior by employees (e.g. workplace violence, security violations, policy violations, illegal activity, information disclosures, etc.). Selecting and implementing an employee monitoring solution raises several legal and policy considerations. These generally fall into four categories: Collection, Use, Incentives, and Evidentiary.
Collection
Here, collection refers to the gathering and monitoring of electronic information generated by employees on electronic devices or networks. Generally, employers are granted wide latitude to monitor employees while they are at work or on duty. Employers will often be presumed to be within legal bounds as long as the information is 1) collected for a legitimate business purpose[i] and 2) the employer owns the network or device[ii] and 3) the information is collected while the employee is on duty[iii] or 4) the information is publicly available.[iv] A closer examination of the application of monitoring solutions follows.
Who can be monitored?
A typical business may have several different groups of users on their network at any given time. Beyond employees, groups including contractors, service providers, third party partners, etc. may have access to a corporate network. Monitoring is, however, not limited only to employees. Businesses are allowed to monitor for legitimate business purposes and this standard does not otherwise confine them to certain groups. The answer does, however, depend on ownership of the device or network or upon any governing Service Level Agreements (SLAs) that may exist between the user and the monitoring entity. Simply put, if the monitoring entity owns the network and device to which it seeks to monitor, monitoring of any individual storing information on or otherwise traversing the corporate-owned devices or networks, will be allowable. Entities may want to limit their monitoring only to certain sub-groups within their ecosystem (e.g. privileged users). This is allowable as long as such tailoring is specifically supported by relevant policies and procedures that provide a legitimate business justification.[v]
What can be monitored?
Assuming the employer owns the endpoint, network, or otherwise has the consent to monitor an employee owned device (e.g. BYOD policy), the substance of what is communicated on those channels may also raise legal considerations. Communications may be protected by law (e.g. privileged attorney-client, doctor-patient, etc.) or are considered personal communications (e.g. webmail, banking, etc.). The former are defined by state law and may require that certain communications be protected from discovery or otherwise not used against the employee.[vi] The latter invoke delicate considerations pertaining to personal health, financial, or familial information.[vii] The extent to which an employer may collect and subsequently “use” this information will be subject to any employment agreements and general use restrictions described below.
Why can monitoring take place (i.e. is monitoring required)?
There are limited mandates to conduct monitoring of user activity in the private sector. Per the National Industrial Security Program Operating Manual (NISPOM), defense contractors that have network access to classified information must monitor user activity on those networks.[viii] Beyond this requirement, and the database monitoring requirements of Sarbanes-Oxley,[ix] there are no actual legal mandates to conduct broad employee monitoring, however, there are an increasing number of regulatory and legal decisions that infer that such monitoring is a best practice.[x] For example, the FTC issued a ruling in favor of Morgan Stanley that halted the investigation and limited the amount of regulatory fines because Morgan Stanley implemented policies and procedures to protect against insider threat, including the fact that Morgan Stanley “monitored the size and frequency of data transfers by employees.”[xi] Similarly, courts have viewed monitoring as an effective measure to guard against threats and to protect business interests.[xii]
Use
Merely collecting information is of little benefit unless it can also be utilized to foster legitimate business interests such as investigating misconduct, curing policy violations, commencing HR proceedings, or protecting trade secrets. While employers are granted wide latitude when collecting employee information, within the bounds described above, there exist far more restrictions on how an employer may actually use the collected information. Here, use refers to the further application of information collected against an employee, storing it for further analysis, or disseminating it outside the organization to a third party or law enforcement. The use of such information is generally governed by employment law, specifically anti-discrimination laws, but may also be impacted by any union agreements or particular employment agreements that address how adverse information may be utilized. For example, an employer’s monitoring practices could subject them to litigation if the basis for monitoring, or activities in pursuit thereof, is simply to glean only protected information or is used to target a person or group for discipline based only on the protected characteristics. Some common federal anti-discrimination statutes include:
- Title VII Civil Rights Act of 1964 prohibits discrimination based on race, religion, origin
- American with Disabilities Act prohibits discrimination based on an identified handicap
- Age Discrimination Act prohibits discrimination against individuals aged 40 and older
- Pregnancy Discrimination Act prohibits discrimination based on childbirth or related medical conditions
- Genetic Information Non-Discrimination Act prohibits discrimination based on genetic information
- HIPAA may be used to support a standard of care for a negligence claim
Endnotes
[i] “Legitimate business purpose” is a broadly defined term that focuses on the purpose of a given business action and whether the proposed action “substantially” accomplishes this purpose. See California Civil Jury Instructions (CACI) 2503 see also Electronic Communications Privacy Act, 18 USC §2510(5)(a) (allowing for provider and legitimate business use exceptions to the collection of electronic information). At a minimum, a business may protect its property, including its information networks, information, and personnel.
[ii] Ownership refers to actual ownership of the particular device or network, however, employee owned devices may be subject to monitoring if the employee consents or the employee otherwise connects their device to the employer-owned network.
[iii] See discussion infra regarding “When and where monitoring may take place.”
[iv] This refers to monitoring myriad sources of publicly available information including criminal records, social media, blogs, business registration records, publications, etc. There are few restrictions on the collection of this data as long as the information is truly open to the public (a Facebook page that is “private” does not meet this definition) and obtainable without violating the terms and use of the particular publicly available source (e.g. bans on bot-scraping and multiple account creations).
[v] For example, businesses can expose themselves to liability if they seek to monitor only particular subsets of their employee population if those subsets (e.g. privileged users) are substantially composed of individuals from a “protected class” (age, race, ethnicity, etc.). Here, a clear policy is essential to support the justification (the need to monitor due to privileged access and risk) and to rebut any potential claims of discrimination.
[vi] See Stengart v. Loving Care Agency, Inc, 201 N.J. 300, 316-320 (N.J. 2009); Curto v. Medical World Communications, 2006 U.S. Dist. LEXIS 29387 (E.D. N.Y. 2005) (employees maintain a reasonable expectation of privacy in attorney-client email communication regardless of the existence of a privacy banner or monitoring policy), but see Scott v. Beth Israel Medical Center, 847 N.Y.S. 2d 436 (N.Y. 2007) (employer policies of “no personal use” diminishes any expectation of confidentiality).
[vii] Here, the distinction between “collection” and “use” becomes paramount. Simply because an organization has the legal right to collect information traversing its networks and endpoints, does not grant it the right to use that information in any manner it chooses. For example, an organization that deploys a UAM solution will inevitably collect myriad forms of sensitive and personal information to which the organization would otherwise not be privy (e.g. financial, health, family discussions, etc.). It is important for any organization that deploys a UAM solution to develop clear guidelines and policies for the collection and use of the information to ensure privacy is protected.
[viii] Conforming Change 2 to DoD 5220.22-M, “National Industrial Security Operating Manual (NISPOM).” (2016)
[ix] Sarbanes-Oxley Act of 2002, section 404.
[x] See “Incentives” discussion under the Duties section, infra.
[xi] http://www.ftc.gov/news-events/blogs/business-blog/2015/08/letter-morgan-stanley-offers-security-insights-about
[xii] See discussion under “Duties.”