Employee Privacy & Monitoring Technologies November 16, 2006 TBTLA Andy Swenson Len Chiacchia Chris Favaloro Mark Wright
Agenda Employee Privacy Is Monitoring ethical and legal? Why Monitor? Monitoring Technologies Maintaining Implementing
Employee Privacy Privacy Defined : “The right to be left alone-the most comprehensive of rights, and the right most valued by a free people” - Justice Louis Brandeis (1928)
Ethical Is Monitoring Ethical? Depends on the View Employee View Want their Freedom Monitoring may feel like Big Brother May effect productivity or employee loyalty Company View Responsible for Protecting the Stakeholders Labeling Branding Trademarks Copyrights
Legal Is Monitoring Legal? Federal Law The Electronic Communications Privacy Act of 1986 (ECPA) Allows companies to monitor employees s and track usage if one of three stated provisions are adequately met. Employee has given consent Legitimate business reason Company needs to protect itself
Legal Is Monitoring Legal? State Law The 2006 Florida Statutes – Chapter Allows companies to monitor employees as long as All Parties Consent
Why Monitor Required Financial Securities and Exchange Commission's Code of Federal Regulations (CFR) 17a-3 and 17a-4) 3 – 6 years or longer depending on the data Must be readily accessible for first 2 years Sarbanes-Oxley Auditing Firms – All Communications -7 years GAAP – General Accepted Accounting Principles GAPP – General Accepted Privacy Principles
Why Monitor Required Medical HIPAA (HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996) “the clinical record retention rules for a given jurisdiction would govern as to the length of time the record must be preserved” American Psychiatric Association Council on Psychiatry and Law
Why Monitor Required ISPs- Internet Service Providers 1986 ECPA (Electronic Communications Privacy Act) Currently Requested to keep data for 90 days Proposed Dept of Justice and FBI wants data kept for 2 years ~USAToday; June 2006~
Why Monitor Protection/Liability IM – Instant Messaging Chat Room Discussion Databases Financial – (Non-Company Chat/Discussion Boards) Can be considered Public Appearances by NASD
Survey According to a 2005 Survey by the American Management Association: Privacy Rights Clearinghouse, % of employers monitor their employees' web site 65% use software to block connections to web sites 50% review and retain electronic mail messages. 80% of employers disclose their monitoring practices to employees 84% of employers have established policies governing use 81% have established policies governing personal Internet use
Survey According to a recent report from Business Performance Management Forum and AXS-One Inc: Senior Executives and subject matter Experts Interviewed NO Technologies or Policies in place to Handle a Legal Discovery Order NO Corporate Policy To Cover Electronic Records Mgmt Didn’t Know If They Had A Policy Enterprise Storage Forum, 2006
Applications Applications currently can record : s Sent and Received Instant Messages Key logging – Recording of keystrokes P2P file transactions Websites visited
Applications Secure Computing (A.K.A.CipherTrust) Offers Numerous Software Packages Web Gateway Messaging Gateway Network Gateway Identity and Access Management
Applications Akonix Five Different Appliance Technologies for Protection L7 Enterprise L7 Enforcer L7 Skype Manager L7 Remote Security Manager L7 Builder
Applications Websense Web Security Spyware and Keylogging Malicious Mobile Code Phishing and Pharming Secure IM Attachments Web Filtering Employee Productivity Bandwidth Management Legal Liability
Applications Websense Endpoint Security Internal Attack Prevention Application Content Control External Threat Mitigation Removable Media Management Remote Endpoint Protection
Maintaining All of these systems require additional costs Central Server (Refer to software requirements) Administrator to monitor system and make sure data is secure Policy implemented and in place before using the software Policy should be annually instated and reviewed by employees.
Implementation Define the Scope Monitoring (Too Much, Too Little) The Right People Fit the Person to the Job Personally Screen Remember “Loose Lips Sink Ships” Trained – Technical Forensics Privacy Administrator Chief Privacy Officer CISSP Certified Certified Information Systems Security Professional IAPO Certified International Association of Privacy Officers
Implementation Written Policy Handbook Signed Agreement Internal Web Site Training Employees Management Legally Sufficient "One of the biggest problems is the ambiguity with which these regulations are drafted,“ Peter Gerr - Analyst with Enterprise Storage Group
Implementation Data Storage/Retrieval Security of the Data Retrieving the Data Tamperproof Metadata
Litigation Effective December 1, 2006 New Civil Laws “regarding a company's duty to preserve and produce electronically stored information (ESI) in the face of litigation or pending litigation” Civil Rules 16, 26, 33, 34 and 37
Above ALL Get Corporate Counsel
Thank You Andy Swenson Len Chiacchia Chris Favaloro Mark Wright