Legal Incentives for Spying on Employees
Monitoring employees, or “spying” for the Orwellian enthusiasts, is an uncomfortable issue for most companies. While everyone wants to trust employees, there are daily reminders of employees turning into “insider threats” and negatively impacting organizations. The decision to monitor is a difficult one for myriad reasons – cost, culture, privacy, perception, etc. The challenge is to balance the security needs of the corporation with the privacy concerns of employees. The benefits of monitoring are well known – visibility of employee actions, protection of assets, knowledge of threatening behaviors, etc., all of which can support security, compliance, and productivity use cases. While many organizations regularly monitor and analyze network logs, far fewer employ granular behavioral or user activity monitoring. Most simply default to the “if I’m not required to, I’m not going to” mentality, regardless of the business case for it. Sound security reasons notwithstanding, there are several legal incentives, or reasons and motivations, to monitor employee behavior. These incentives come in two varieties – regulatory compliance and legal entanglements.
Insider Threat Compliance?
Compliance refers to the imposed rules and regulations on certain industries and sectors. There are five general categories of government regulations that impose affirmative obligations to monitor employee behaviors.
The Gramm-Leach-Bliley Act is a federal law enacted to control the ways that financial institutions deal with private information of individuals. This Act is best known for deregulating the financial sector and creating companies that were “too big to fail,” which is widely blamed for causing the 2007 subprime mortgage crisis. This act imposes two insider threat requirements: identify and assess risks to determine mitigating actions and monitor user behavior to ensure proper access and use of customer records.
The Bank Secrecy Act requires financial institutions to prevent money-laundering by monitoring their network activity. While the BSA itself does not specifically require employee monitoring, all transaction accounts, including those of employees, must be monitored for unusual activity. Logically, employee monitoring can be useful in detecting and preventing insider threats, and should be part of a financial institution’s fraud prevention toolkit, which can also be a useful regulatory shield.
The Health Insurance Portability and Accountability Act provides data privacy and security provisions for safeguarding medical information. This act imposes four security requirements: monitor access rights to files containing PHI information, detect behavior deviations and identify possible security violations, monitor electronic and physical accesses, and monitor file attributes for access and changes.
The Sarbanes-Oxley Act is designed to protect investors from the possibility of fraudulent accounting activities by corporations (think Enron and WorldCom) and mandates strict reforms to improve financial disclosures of corporations to prevent accounting fraud. This act also imposes the following insider threat requirements: monitor to ensure access is limited to authorized users, perform risk assessments, and monitor for unauthorized access to corporate confidential financial information.
The Payment Card Industry Data Security Standard is a set of security standards designed to ensure that all companies that accept, process, and transmit credit card information maintain a secure environment. PCI imposes three monitoring requirements: monitor access of cardholder data to uncover unusual trends, monitor and uncover the sharing of credentials, and baseline user behavior and monitor for deviations.
The National Industrial Security Program Operating Manual or NISPOM establishes the standard procedures and requirements for all government contractors regarding the access, processing, and storage of classified information. The NISPOM requires covered entities to establish a formal insider threat program, a key component of which is to implement user activity monitoring to detect insider threat activity.
If you’re not a regulated entity you might be thinking you are off the hook. Not so fast! Beyond regulatory incentives to monitor employees, there are several legal entanglements or risks that can often be mitigated through proper employee monitoring.
Duty of care
A duty of care is a legal obligation imposed on individuals under tort law when performing acts that could foreseeably harm others. Courts have created a liability regime where monitoring employee behavior has become a matter of corporate self-interest. Employers now possess “affirmative obligations” to prevent and eliminate harassment in the workplace, prevent retaliation, prevent workplace violence, and prevent the disclosure of protected information (i.e. manage insider threats). In fact, the United States Supreme Court has made it clear that employers may be vicariously liable for actions of its employees. One mitigation defense that courts apply is to explore to what extent the employer attempted to “prevent and correct” the behavior that led to the incident. Since knowledge of employees’ behavior is required to meet this standard and potentially avoid liability, the only logical result is for businesses to invoke employee monitoring solutions to meet these burdens of proof.
Negligent Hiring and Retention
These claims generally arise in the context of a workplace violence incident when facts exist that show that the employee perpetrator had a violent history and that the employer could have reasonably learned of this behavior. Similarly, if an employer is aware or could have become aware of an employee’s violent propensities, liability could attach. While the standards for determining liability in this area vary somewhat from one jurisdiction to the next, most jurisdictions examine whether an employer knew, or should have known, of an employee’s unfitness for a position or dangerous propensities. Here, monitoring could help the employer prevent, detect, and mitigate such behaviors and provide adequate proof to meet legal obligations, and limit liability, as described above.
Retaliation claims arise when an employee alleges that they have participated in a “protected activity” and, as a result, were subsequently subject to an “adverse employment decision.” Defending such claims can be difficult for employers since courts have created a framework that tends to require an omniscient employer who possess knowledge of all activities and relationships within their organization. Thus, employee monitoring represents the only logical approach to attempt to meet this standard and to properly defend against a claim of retaliation.
Disclosure of Sensitive Information
The need to protect its own sensitive information notwithstanding, businesses may be liable for the unauthorized disclosure of sensitive personal information of its employees and customers, as well as the sensitive business information of its partners. As discussed, employers may be vicariously liable for the actions of their employees, so monitoring employee behavior may be the only way to adequately prevent, detect, and mitigate this behavior.
Hostile Work Environment
These claims arise when an employee alleges that an employer has created a workplace that a “reasonable person would consider intimidating, hostile, or abusive.” Claims of sexual harassment fall under this category. For example, employers may subject themselves to liability if they freely allow the sending of sexually explicit or harassing emails. Logically, monitoring employee communications may be the only way to detect and mitigate such actions.
While no company wants to be viewed as Big Brother, the decision to monitor employees must be made within the context of current regulatory and legal frameworks that often incentivize “spying” on employees. Current “insider threat” compliance regulations are becoming increasingly important and more frequently enforced. In many cases, monitoring employee behavior might be the only regulatory shield or legal defense available to an organization.