Disclaimer: The information contained herein is not offered as legal advice and should not serve as a substitute for obtaining such advice from a legal professional familiar with the facts of a particular case. This is for informational purposes only and intended to highlight some of the general legal issues that arise when selecting and implementing employee network and endpoint monitoring solutions. Use and application of the information contained to a particular set of facts and circumstances is at the sole discretion of the reader.
In Part 1, we explored the various legal considerations related to the collection and use of information derived from User Activity Monitoring (UAM) solutions. While the former is broader in scope than the latter, each requires clear policies and procedures to maintain the proper balance between privacy and security. In Part 2, we’ll explore the various incentives or justifications for implementing UAM tools and solutions and close with a brief overview of the evidentiary value of UAM collected data.
Beyond the inherent collection and use considerations that accompany employee monitoring solutions, there are also several concomitant employer incentives to monitor employees that have arisen from various regulatory and court decisions. These have resulted in the imposition of various “duties of care” on employers as well as liabilities that result from specific causes of action.
Duty of Care
A duty of care is a legal obligation imposed on individuals under tort law when performing acts that could foreseeably harm others. Courts have created a liability regime where monitoring employees’ email and behavior has become a matter of corporate self-interest.[i] Employers now possess “affirmative obligations” to prevent and eliminate harassment in the workplace,[ii] prevent retaliation,[iii] prevent workplace violence[iv] and prevent the disclosure of protected information.[v] In fact, the United States Supreme Court held that employers may be vicariously liable for actions of their employees.[vi] One mitigation defense that courts apply is to explore to what extent the employer attempted to “prevent and correct” the behavior that led to the incident. Since knowledge of employees’ behavior is required to meet this standard and potentially avoid liability, the logical result is for businesses to invoke employee monitoring solutions to meet these burdens of proof.
Negligent Hiring and Retention. These claims generally arise in the context of a workplace violence incident when facts exist that show that the employee perpetrator had a violent history and that the employer could have reasonably learned of this behavior. Similarly, if an employer is aware or could have become aware of an employee’s violent propensities, liability could attach. While the standards for determining liability in this area may vary somewhat from one jurisdiction to the next, most jurisdictions examine whether an employer knew, or should have known, of an employee’s unfitness for a position or dangerous propensities. Here, monitoring could help the employer prevent, detect, and mitigate such behaviors and provide adequate proof to meet legal obligations, and limit liability, as described above.
Retaliation. Retaliation claims arise when an employee alleges that they have participated in a “protected activity” and, as a result, were subsequently subject to an “adverse employment decision.”[vii] Defending such claims can be difficult for employers since courts have created a framework that tends to require an omniscient employer who possesses knowledge of all activities and relationships within their organization.[viii] As a result, employee monitoring represents the only logical approach to attempt to meet this standard and to properly defend against a claim of retaliation.
Disclosure of Sensitive Information. The need to protect their own sensitive information notwithstanding, businesses may be liable for the unauthorized disclosure of sensitive personal information of their employees and customers, as well as the sensitive business information of their partners. Employers may be vicariously liable for the actions of their employees; as such, monitoring employee behavior may be the only logical tool to adequately prevent, detect, and mitigate this behavior.
Hostile Work Environment.[ix] These claims arise when an employee alleges that an employer has created a workplace that a “reasonable person would consider intimidating, hostile, or abusive.”[x] Claims of sexual harassment fall under this category. Employers may subject themselves to liability if they freely allow the sending of sexually explicit or harassing emails.[xi] Logically, monitoring employee communications may be the only affirmative defense that employers can rely on to avoid liability.[xii]
User Activity Monitoring as Evidence
In addition to using collected information for internal HR and investigatory processes described in Part 1, organizations may need to use information to support litigation – criminal or civil. Use in this context requires that the information be qualified as admissible evidence.[xiii] A bedrock legal principle is that documents (digital or otherwise) must be properly authenticated before they can be introduced as evidence. The US Federal Rules of Evidence (FRE) define computer data as “documents.”[xiv] Thus, UAM data are viewed by courts as electronic documents and the proponent bears the burden to offer sufficient authentication support. What constitutes sufficient support?
Per the FRE, authentication is satisfied “by evidence sufficient to support a finding that the matter in question is what the proponent claims.”[xv] Under this standard, a printout of an e-mail message, for example, can often be authenticated simply through direct testimony from the recipient or the author,[xvi] or through the testimony of a company employee familiar with the practices and procedures of collection and the distinctive characteristics of the message itself.[xvii] Moreover, authentication merely requires “that the court admit evidence if sufficient proof has been introduced so that a reasonable juror could find in favor of authenticity or identification.”[xviii] As such, there are no specific requirements or set procedures for the authentication of digital evidence. Authentication is given weight based on the particular facts and circumstances pertaining to the creation and recovery of the evidence itself.
The Best Evidence Rule under FRE provides that “[t]o prove the content of a writing, recording or photograph, the original writing, recording or photograph is required . . . .”[xix] With electronic evidence, however, the concept of an “original” can be difficult to define. Fortunately, FRE Rule 1001(3) provides “[if] data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original.’” Under this rule, multiple or even an infinite number of copies of electronic files may each constitute an “original.”[xx]
- Develop a clearly defined process and supporting procedures for how data is captured.
- Develop clear policies and procedures sufficient to demonstrate that the capture of data complies with the identified processes.
- Develop clear processes and procedures to preserve the data in a secure, encrypted repository.
- Develop an immutable logging policy and procedure sufficient to demonstrate the requisite chain of custody of the data itself. If the data cannot be accounted for from inception to trial, this may raise authenticity questions at trial that may result in a jury giving it less evidentiary weight than desired.
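One way to make the chain-of-custody record in the last item tamper-evident is a hash-chained log, sketched here as an added example that is not part of the original article. The field names, actors and the sample UAM record are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry

def _digest(body):
    # Canonical JSON so the same fields always hash to the same value.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_event(log, timestamp, actor, action, evidence):
    """Append a custody event bound to the evidence bytes and the previous entry."""
    body = {
        "seq": len(log),
        "timestamp": timestamp,
        "actor": actor,
        "action": action,
        "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    log.append({**body, "entry_hash": _digest(body)})

def verify_log(log, evidence):
    """Return (seq, problem) tuples; an empty list means the record is consistent."""
    problems, prev = [], GENESIS
    current = hashlib.sha256(evidence).hexdigest()
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("seq") != i:
            problems.append((i, "sequence gap or reordering"))
        if body.get("prev_hash") != prev:
            problems.append((i, "broken link to previous entry"))
        if _digest(body) != entry.get("entry_hash"):
            problems.append((i, "entry modified after it was written"))
        if body.get("evidence_sha256") != current:
            problems.append((i, "evidence digest mismatch"))
        prev = _digest(body)
    return problems

# Constructed sample: one captured UAM record and three custody events.
SAMPLE = b"2016-07-17T09:14:02Z host=WS-0142 user=jdoe event=file_copy dest=usb"

def build_sample_log():
    log = []
    append_event(log, "2016-07-17T09:14:05Z", "uam-collector", "captured", SAMPLE)
    append_event(log, "2016-07-17T09:20:00Z", "analyst.a", "preserved", SAMPLE)
    append_event(log, "2016-08-01T14:00:00Z", "counsel.b", "exported", SAMPLE)
    return log
```

A chain like this only detects edits if the latest `entry_hash` is also recorded somewhere the log's custodians cannot rewrite, such as write-once storage or a signed record; otherwise anyone able to replace the whole log can recompute every hash.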
Employee monitoring solutions, when deployed within a carefully constructed holistic insider risk management framework, are your best defense against insider threats and the myriad liabilities imposed on employers by the courts. Implementation of these solutions will require careful planning and a trained workforce, but will yield an immediate and lasting return on investment.
[i] See JEFFREY ROSEN, The Unwanted Gaze: The Destruction of Privacy in America 79 (Vintage Books 2001) (2000) (discussing the privacy of employees’ communications in the workplace).
[ii] See generally Enforcement Guidance for Vicarious Employer Liability for Unlawful Harassment by Supervisors, Equal Employment Opportunity Commission, June 18, 1999.
[iii] Thompson v. N. Am. Stainless, LP, 131 S.Ct. 863 (2011) (rev’d S.Ct. 863 (2011)).
[iv] See Negligent Hiring discussion, infra.
[v] Such disclosure may expose businesses to liability for breach from customers, partners, and employees themselves.
[vi] Faragher v. City of Boca Raton and Burlington Industries, Inc. v. Ellerth, 524 U.S. 775 (1998).
[vii] Little v. Windermere Relocation, Inc., 301 F.3d 958, 969 (9th Cir. 2002) (citation omitted) (holding that employee established a prima facie case of retaliation under Title VII by showing a causal connection between involvement in a protected activity and adverse employment action).
[viii] Thompson v. N. Am. Stainless, LP, 131 S.Ct. 863 (2011) (rev’d S.Ct. 863 (2011)).
[ix] 42 U.S.C. sec. 2000-e17 (Title VII).
[xi] 42 U.S.C. §§ 2000e-2000e-17 (2005), amended by Civil Rights Act of 1991, 42 U.S.C. § 1981a (2005) (“Title VII”).
[xii] JEFFREY ROSEN, The Unwanted Gaze: The Destruction of Privacy in America 79 (Vintage Books 2001) (2000) (discussing the privacy of employees’ communications in the workplace).
[xiii] Material that is presented to a court of law to help find the truth about something. Merriam-Webster, http://www.merriam-webster.com/dictionary/evidence (visited 7/17/16)
[xiv] See Fed. R. Evid. 1001(1).
[xv] Federal Rules of Evidence 901(a)
[xvi] United States v. Siddiqui, 235 F.3d 1318 (11th Cir. 2000) (testimony of recipients sufficient to authenticate e-mails sent by defendant); Laughner v. State, 769 N.E.2d 1147 (Ind. Ct. App. 2002) (AOL instant messages authenticated by the recipient).
[xvii] Federal Rules of Evidence 901(b)(4) “Circumstantial Evidence”
[xviii] 200 F.3d 627 (9th Cir. 2000)
[xix] Fed. R. Evid. 1002
[xx] Overly On Electronic Evidence in California, (1999) § 9.02; 9-3, comments on California Evidence Code section 255, an identical statute to Rule 1001(3), noting, “The approach adopted in Evidence Code section 255 allows for the possibility that multiple or, even, an infinite number of originals may exist. Each time an electronic document is printed, a new ‘original’ is created.”