Critical Incident Management

Most computer security statistics clearly demonstrate the most devastating information events happen as a result of employees (including full-time, part-time, interns, contractors, and volunteers). There are numbers amounting to more than 80 percent of unlawful computer acts committed by insiders with the remaining 20 percent resulting from individuals outside the organization's walls. The principal tool in the typical office is the workstation comprising the communication portal between employees and the outside world. Before organizations can safeguard their communications resources, they must understand why and what must be protected.

Governing the conduct of employees should be a set of well-established policies and procedures. Of course, employees are expected to conduct themselves in conformity with laws and regulations, but an organization's policies provide governance in situations tailored to the particular business structure and its needs. The employee's authority to act is derived from the lines of responsibility and reporting; consequently, there are some basic tenets when considering employee conduct:

• Least privilege. This is the practice of constraining a user's information access to the minimum level necessary for her to do her job and nothing more.

• Separation of duties. This is the practice of dividing critical function steps among employees so that no one employee has the ability to complete a transaction. For example, if an accounts payable clerk reviews incoming invoices and prepares checks, it is the vice president who must sign them before they may be sent.

• Accountability. This is the overarching goal of conscientious auditing to review business practices and determine if they are in conformity with laws, regulations, policies and procedures. Accountability looks for potential unlawful acts, abuse, single points of failure, business efficiency and effectiveness, separation of duties, and least privilege.

An employee's job-related conduct must not jeopardize the organization's critical assets, meaning the organization's legitimate ability to achieve its profitable goals.

Legalities in Employee Monitoring

There is much made of lawfully monitoring employees' conduct on the job. And, there seems to be a fair degree of misunderstanding on the part of senior managers and legal units. The fact of employee monitoring or auditing is this: the most active attacks on the organization's assets originate from outside the organization, but the most successful and financially devastating attacks come from employees, former employees, contractors, and others who had or have legitimate access to sensitive information.

There are federal and state criminal statutes governing "listening" to employees' conversations and intercepting third-party electronic communications. These laws include actions such as eavesdropping on oral conversations, intercepting electronic communications, and the rights of those monitored by these techniques. Federal and many state laws define wire communications as electronically exchanged information through cable, wires, or transmitted through the air. Examples would include wireless local area networks, WLANs, conventional cable-connected networks, wire-connected telephones, cellular telephones, and cordless telephones.

Oral communications are exchanged in face-to-face situations, where one or more persons are vocalizing one to another without interceding technology. Intercepting communications is the process by which the contents of a communication, either oral, wireless or wire, is acquired by a third party. There is another type of employee monitoring where employers install video camera equipment to capture the activities of their employees and others on property under their control.

Oral Communications

There is federal law protection of oral communications not transmitted by means of electronic transmission such as telephone or voice over IP means. Federal laws protect the interception of oral communications or the disclosure of the contents of those communications that were unlawfully intercepted. Interestingly, legal privacy protection is only extended to oral communications that have a reasonable expectation of privacy. If there is a reasonable expectation of privacy, the only means by which an oral communication may be intercepted (absent a consenting third party) is by a law officer using a court ordered wiretap.

Wire Communications

Federal laws protect the sanctity of telephone communications and other electronically transmitted communications (Title 18, United States Code Section 2511). Under this statute if an employer intercepts or discloses the content of an unlawfully intercepted communication, it could result in a criminal prosecution. It is important to note that this statute has application to cellular telephones, cordless telephones, hard-wire telephones, and possibly wireless networks. However, there are some exceptions to this law:

• Consent of at least one of the participating parties to the electronic communication. As in the oral communication privacy law, it is required that only one person, having a legitimate presence, provide consent to monitoring. Currently, many organizations obtain continuing consent or waivers from their employees as a condition of their employment. Employers are wise to obtain signed employee acknowledgement and consent before monitoring.

• There is not a reasonable expectation of privacy to the electronic communication. Many employers announce that communications with their employees are possibly being monitored; this relieves the reasonable expectation of privacy. Employers might advise their employees and others that use of the organization's electronic equipment for any purpose other than business is not permitted.

Trap and Trace and Pen Register Installations

There are pieces of hardware known by their purpose of "trap and trace" that are installed to identify telephone numbers that are calling other telephones. Trapping and tracing telephone numbers refers to tracing a caller's telephone number to a telephone located at a specific location at a specific time. Equipment used to trap and trace a telephone call generally must be used in conjunction with the local telephone carrier and is restricted to law enforcement actions supported by court ordered installations. Pen registers are electronic devices that, when installed on a telephone line, identify the numbers dialed out from a targeted telephone. This equipment is installed only to identify telephone numbers either received or called. Trap and trace equipment will not and must not be used to monitor communication's content, merely the involved telephone numbers.

Under the provisions of Title 18 United States Code, Section 3121 there are general prohibitions regarding the installation of pen register and trap and trace equipment with the requirement of first obtaining a court order described under Section 3123. Court orders are generally obtained by law enforcement agents with an effective life of 60 days, and may be extended for additional periods of time. It is important to note that the application and court order for pen register and trap and trace equipment is applicable only to telephone lines. Using software applications and tools to locate IP addresses is not addressed in this statute and does not require any special type of court order or warrant.

Video and Still Camera Monitoring

Monitoring activities on property under the control of employers is allowed using video and still camera technology. It is a requirement, however, that only images are viewed and recorded, not communications either oral or electronic. For example, a bank uses hidden video camera or still camera technology to record the activities within the confines of the vault. As part of their employment, all employees are advised that only the bank's business may be conducted on the property during business hours and that employees are not entitled to a reasonable expectation of privacy with respect to their actions. During business hours, the camera captures an employee taking cash from her drawer and passing it to a customer in exchange for a small paper package that she immediately places in her pocketbook. No conversational exchange was recorded or intercepted. Is this a lawfully monitored incident? In all likelihood, the answer is "yes."

However, there are conditions under which employers may not record images as employees have expectations of privacy. For example, restroom stalls are areas where employees have a reasonable expectation of privacy. Monitoring their activities with video or still-camera equipment there would be prohibited. However, video camera surveillance of the work area where an employee can observe the equipment negates any reasonable expectation of privacy, Vega-Rodriguez v. Puerto Rican Telephone Co., 110 F. 3d 174 (1997).

Monitoring E-Mail and the Employee Workstation Conduct

Employers' monitoring of e-mail used to be the $64,000 question. The matter is best addressed in the context that employers are liable for the conduct of their employees, even when employees are using the organization's equipment after business hours. Employees sending and receiving racist, sexist, and sexually explicit e-mail leave a trail that exposes an employer to liabilities based on claims of hostile work environment and negligence.

The courts have decided that it is the responsibility of employers to monitor the activities of their employees, and failing to do so can result in substantial settlements in the defendant's favor. In the matter of Blakey v. Continental Airlines, Inc., June 1, 2000, the New Jersey Supreme Court unanimously decided that certain postings made to a work-related electronic bulletin board constituted a hostile work environment for which the employer could be held liable. The court decided that if the employer had noticed that its employees were posting messages to the bulletin board that were defamatory and harassing, the employer had a duty and responsibility to remedy that harassment.

Productivity and liability are issues that drive employers to monitor employee use of e-mail systems in the workplace. Failing to take appropriate levels of discipline often result in defendant's prevailing in civil suits. Presently, the courts have been inclined to side with the employer's position in the debate over employee's electronic privacy.

In Smyth v. The Pillsbury Co., 914 F. Supp. 97 (Eastern District of Pa., 1996), the District Court decided that the employee did not have a reasonable expectation of privacy by his use of the internal e-mail system to communicate with his supervisor. The company had previously stated that e-mail communications would remain confidential. The court found that it was lawful for the company to intercept the employee's e-mail and terminate him for transmitting inappropriate communications using the company's e-mail. In this case, the court ruled that no employee had a reasonable expectation of privacy using e-mail sent over the company's e-mail network.

In the matter of McLaren v. Microsoft Corp., No.05-97-00824-CV, 1999 Texas App. Texas Ct. App., May 28, 1999, the employee filed e-mail messages in "personal folders" on his office computer with password protection. The court ruled the employee did not have a reasonable expectation of privacy preventing the company from viewing these files. In their decision, the court determined the employee's e-mail messages were not his personal property, rather they were part of the employer's office environment. Accordingly, the employer's need to prevent inappropriate use of its e-mail system outweighed the employee's privacy, and the company had a legitimate right to access data stored in the employee's "personal folders."

Decisions made in the California State court system ruled that employees do not have cause of action for wrongful termination when they were fired because of their objections to their employers' e-mail monitoring activities. The relevant cases are Bourke v. Nissan Motor Corp., No. B068705 (Cal. Ct. App. July 26, 1993); and Shoars v. Epson America, Inc., No. B 073243 (Cal. Ct. App., rev. dec., No. S040065, 1994 Cal. LEXIS 3670, June 29, 1994, no published decision).

In 1986, the Electronic Communications Privacy Act (ECPA), 18 U.S. Code 2700 et seq. became federal law prohibiting the interception and unlawful use of intercepted electronic communications. Although the specific term of e-mail is not mentioned in the statute, the legislative history and current case law indicate that e-mail falls within its coverage. For the purposes of employers monitoring e-mail activities of their employees, there are three major exceptions:

1. Provider exception to monitoring electronic communications. The employer is the provider of the e-mail system and has the right to monitor its use preventing prohibited or unlawful behavior.

2. Prior consent exception. This exception is drawn on the conclusion that the employee has given her prior consent to having her electronic communications monitored.

3. Business use exception. This exception is based on the organization's policy that only proper official business may be conducted using the e-mail system.

Employee Legal Defense

With recent and past legal decisions regarding employees' privacy rights in the electronic workplace, there are some things that should be considered:

• Do not look to the Fourth Amendment to the Constitution for privacy protection as it only applies to the citizen's relationship with government and law enforcement agencies. Depending on an organization's policies and procedures, if an employer searches an employee's workstation where there is a reasonable expectation of privacy, then the employer may be held liable. If an employer searches an employee's workstation at the direction of law enforcement agents and it is determined there is a reasonable expectation of privacy, it is likely any evidence will be excluded from criminal proceedings under the doctrine of "fruits of a poisonous tree."

• For an invasion of an employee's privacy, an employee must have an expectation of privacy that society considers reasonable (Medical Laboratory Management Consultants v. ABC, Inc., 30 F. Supp. 2d 1182, 1998). For an intrusion to be actionable in civil proceedings, it must violate the solitude or seclusion of another or her private affairs or concerns is subject to liability to the other for invasion of her privacy if the intrusion is highly offensive to a reasonable person. In determining whether the employees' privacy expectation is reasonable, the workplace should include areas and artifacts related to work that are under control of the employer even if employees bring personal items to work. Not everything brought into the workplace can be considered part of the workplace, e.g., pocketbooks, handbags, briefcases, etc. In the case, O'Connor v. Ortega, 480 U.S. 709 (1987), the court upheld the expectation of privacy as reasonable given that the employer had not discouraged employees from bringing personal items to their workplace neither had they established any privacy policies.

• Lack of formal official use policy. Even in today's world, some employers fail to institute policies governing official use only of business resources. Employees might be able to use the lack of enforced official use policy as grounds for wrongful termination in the event of objectionable behavior. (United States v. Slanina, No. 00-20926 5th Cir. Feb. 21, 2002)

• Hard drive cleansing. There are super cleansing programs available for download offering differing levels of assurance that discarded data have been erased. Regrettably, as many have experienced, there are often records of e-mail and Internet browsing stored in other locations of the organization's network.

• Employees often deny they were viewing objectionable material and that the material in question was received from unsolicited sources. The viability of this argument will depend on the amount, type, and characteristics of the material. If material is discovered in the form of sexually explicit banner advertisements with a few thumbnail images, there might be some merit to the employee's argument. However, if there is a sizeable cache of full-size material that has been stored on the employee's workstation covering a lengthy period of time, then this argument is not persuasive.

Employee Monitoring Best Practices

The best philosophy for employee monitoring is to "get it out in the open." Do not hide the fact that employees are going to be monitored. If employers attempt to conceal employee-monitoring activities, it could result in employees having a reasonable expectation of privacy in their behavior at work. Employers choosing to engage in some type of employee monitoring should consider the following:

• Senior managers should formally identify the business purpose of employee monitoring and confine their monitoring to that purpose alone. It is a matter of legal business practices and continuing profitability. If employee monitoring is based in any other purpose, then prepare for endless litigation.

• Employers should have plainly written policies and procedures describing the nature, extent, and uses of monitoring. Wise employers will clarify that monitoring employee conduct is a matter of protecting the bottom line. Do not be afraid to reward good employee behavior that is discovered as a result of monitoring.

• Employers should selectively monitor electronic and oral communications unless there is a very strong reason to do otherwise.

• Advise employees, on all levels, that the organization has formal policies and procedures for monitoring. Identify what types of monitoring is going to be conducted such as e-mail, Internet browsing, telephone calls, voice mail, workstation files, server logs, router logs, video surveillance, etc.

• Advise employees and have them formally acknowledge that all equipment and resources belonging to the organization are for official use only and there is not any reasonable expectation of privacy for any employee, including senior managers. Employees should know that placing a password to protect a file does not ensure privacy. Organizations should determine if they are going to allow employees to use encryption and thereby evade monitoring. Rest assured if encryption is permitted, its use may be corrupted and the organization's intellectual property can be transmitted outside the company with little chance of detection.

• Should telephone calls between employees and outsiders be recorded, organizations should consider using a intercessory recording announcing that telephone conversations are being recorded for quality assurance or other purposes.

• Organizations must have designated procedures addressing the manner in which captured communications and recorded behavior will be reviewed for compliance. It is imperative that vigorous controls are in place relating to the dissemination of information obtained through employee monitoring.

Employee Polygraphs

This is a touchy topic and generally only employed by government agencies screening prospective and active employees who will have access to sensitive or classified information. The following are the conditions under which polygraphs are usually administered:

• Generally, employers cannot use polygraph testing to screen employees, except in cases of national defense or security concerns.

• Generally, employers can use polygraphs to screen employees who have direct access to controlled substances in the course of their employment.

• Generally, employers may screen employees who are security guards with access to sensitive areas.

Under the provisions of the federal Employee Polygraph Protection Act, Title 29 United States Code Section 2001-2007, testing employees must fall within the following investigation scope:

• There must be an ongoing investigation involving an actual economic loss.

• The employee that is going to be tested must have had access to items that resulted in the loss.

• There must be a reasonable suspicion that the employee was involved.

• Employees must be provided with a statement concerning the reasons why the test is to be performed. Employers must provide a statement containing the above listed information at least 48 hours before testing, it must be written so the employee can understand it, and an agency representative must sign it.

During polygraph testing the employee has the following rights:

• Polygraphs may not be used for random testing or for investigations of unspecified events.

• Employees may terminate the examination at any time.

• Employees cannot be asked intrusive or degrading questions.

• Employees cannot be asked questions concerning religious beliefs, racial opinions, political beliefs, sexual preferences, or beliefs about labor organizations.

• Employees cannot be tested if a qualified physician has advised, in writing, against testing on mental, physical, or medical grounds.