
Why you should use monitoring technology and how to implement it

In the digital age, companies face considerable risk of harm. This is why some employee monitoring is necessary.

Employers and employees have a mutual interest in the success of their business. Salary cuts, layoffs, and bankruptcies hit everyone involved hard. So you would expect employees to sit up and take notice when they learn that one third of all U.S. corporate bankruptcies are directly caused by employee theft, while in 2008, the cost of employee fraud rose to nearly $1 trillion.

Yet, for many reasons, employees are often surprised to learn that their employer is monitoring the use of computers and networks in an attempt to prevent abuse or, at the very least, to mitigate its effects. This is why it's important to clearly communicate to employees the whys and hows of the monitoring technology deployment.

Expectations of privacy

Privacy issues arise for a variety of reasons. The Internet has, arguably, been the dominant force in the erosion of a boundary between work and personal life. Many people are never out of reach of cell phone calls, text messages, or e-mails and are on call for work at all hours, wherever they are.

The other side of the coin is that people are able to use those same tools to conduct aspects of their personal lives from work and feel justified in doing so. Some employees may fear (or are even told) that use of their employer's computers for personal business may be held against them. But in fact, it's arguably often in the employer's own interests to allow an employee to take care of such business -- in appropriate measure -- online, rather than taking the time away from the office to run errands in person.

Another issue is concern on the part of employees that they may be accused of goofing off. In truth, there are few employers who would begrudge a conscientious employee a few minutes to take a breath during the course of the day. And if the employee's preferred way of doing that is to indulge in some harmless online pursuit for a few minutes (Farmville, anyone?), then few would consider it an inappropriate use of time. In truth, unless an employee is guilty of some very serious goofing off, it's rarely worth the effort on the part of the employer to detect and prevent every instance of such behavior.

Finally, even in the course of legitimate business communication, an employee may include comments that she does not want anyone to see, apart from the original recipient. These may be essential commentary such as "Paul really botched this -- can you please redo it?" or some less essential editorializing, perhaps about some task the employee's manager has assigned, such as "Sorry to waste your time with this, but my boss seems to think we have nothing better to do this week." Many employees have a natural anxiety that comments like this will surface to haunt them if a monitoring system is deployed, especially if they feel there's any possibility of it being applied retrospectively to unguarded comments made in the past.

Some of the expectations around privacy stem from what we call privacy nostalgia -- the notion that a former sense of privacy has been lost. But, in reality, before the advent of the personal computer and the cell phone, there were few illusions about privacy in the office. Employees knew that coworkers could overhear their conversations, office mail circulated in envelopes secured with no more than a loosely tied piece of string, and carbon paper retained physical imprints of written communications.

Today most white-collar employees spend the bulk of their time at their desks, communicating via e-mail, text, instant messaging, and an assortment of social media tools. And, perhaps because of the resultant physical isolation, they often have an expectation that what they do out of the sight or earshot of others should be accorded total privacy. One big difference is that anything committed to the electronic record can live to haunt the creator -- and her employer -- for years to come.

Company liability for employee actions

Companies have a duty to ensure that employees are not creating liability. There are some big examples of employee-created liability (see below) as well as smaller, less widely heralded, versions of the same story that are acted out every day.

Examples of major liability:
  • Nick Leeson, Chief Trader with Barings Bank in Singapore, practiced fraudulent activities that resulted, in 1995, in a $1.4-billion loss and the failure of the 233-year-old bank.
  • In 2009, Bear Stearns hedge fund managers Ralph Cioffi and Matthew Tannin were acquitted of charges that they lied to investors when they made optimistic noises externally about their funds, while privately exchanging e-mails that spoke of the market as being "ugly" and "toast," for example. The prosecution's case was, of course, based on the trail of electronic footprints left by the pair.
  • Also in 2009, Swiss Bank UBS was required to pledge $35 million when a court found "probable cause" in a fraud case brought against it. In a notably worded statement, the judge ruled that "The court takes UBS employees at their word when they referenced their notes, these purported investment grade securities which they sold, as 'crap' and 'vomit,' for UBS alone possessed the knowledge of what their product was truly worth." Again, those pesky e-mails!

What you don't know can hurt you

Clearly, in the face of such examples and statistics, it's not a responsible approach to run an organization on the basis of blind faith that every single employee can be trusted not to cause this kind of damage. Implicit trust is a recipe for disaster, and it's not surprising that many corporate executives deploy some kind of transaction-monitoring system to mitigate some of the consequences that ill-judged or malicious employee actions can visit upon the welfare of their organization.

Some organizations are extending the scope of their monitoring. According to one survey, for example:

  • 66% of employers monitor employees' Internet usage
  • 43% monitor e-mail
  • 45% track content, keystrokes, and time spent at the keyboard
  • 40% of employers that monitor e-mail do so by assigning an individual to read others' e-mail

Another survey of 800 compliance and ethics professionals found that 24% of respondents' companies had disciplined an employee for activities on a social networking website. At the same time, only 34% of companies had a general policy governing employee activity, and just 10% had a policy that specifically addressed use of social networking sites.

Modern communications leave a broad trail of electronic footprints, and employers are wise to bear in mind the maxim "What you don't know can hurt you." Unless the employer pays particular attention to the issue, it's very easy to overlook the existence -- and the implications -- of potentially harmful data. But the fact that it's out of sight does not mean it's any less of a ticking time bomb.

The damage that can result when the bomb goes off can be the result of employee misbehavior, such as discrimination or harassment. When an investigation or lawsuit ensues, all that electronic data is fair game for the "other side" to review. Not only is it an expensive and time-consuming process to retrieve and hand over all the relevant data, but also the more there is, the more likely it is to contain something that is, at the very least, embarrassing. In the worst event, it could be damning to your case.

Advanced monitoring and employee privacy

While there are many emotional arguments that make the case against the perceived invasion of privacy entailed in electronic monitoring, the reality is that employers in the U.S. have the legal right to monitor nearly every aspect of employees' workplace communications. If the activity takes place on company equipment on its network, employees lose any entitlement to privacy.

Organizations have a duty to ensure that their systems are not being abused. Since most communications are now digital, so must be the monitoring that is essential to avoid problems that have the potential to cripple the organization. Simply put, different times call for different measures.

Solutions

You should cast the net widely to cover not just core transaction systems, but all the communication channels that are used in your organization. If there is one place that danger is more likely to lurk than anywhere else, it's in the unexamined corners of the system.

The solution you choose should, in essence, be smarter than the people being monitored. For that, it's not enough to have a set of simple "thou shalt not" rules. These just provide a simple obstacle course for the would-be transgressor to navigate. A more viable approach is holistic compliance, which monitors the overall behavior patterns of an organization and the individuals in it, looking for anomalies that might be indicators of trouble.

The holistic approach is more effective than one based on static rules. It can be set up to look for significant anomalies rather than trivial infractions. This ensures that monitoring resources are focused on important issues, rather than wasted on trivia.

It's nevertheless important to acknowledge that monitoring systems can scoop up private information that the employer does not really need to know. This is a risk the employee takes when she entrusts personal information to a system that is owned and run by someone else. But the employer can ensure that any sensitive information -- whether it belongs to the employer or to an employee -- is appropriately handled. You should closely protect the results of monitoring. Only authorized personnel should have access to it, and the use to which it is put should be monitored at least as carefully as the original data.

Finally, however good the technology, it's never the complete solution. Be sure to create and enforce policies that make it clear to employees what their duties are, what the employer's obligations are, and how they each affect the other. Not the least of these is to be very open about what monitoring is being deployed and why. A little education can go a very long way to overcoming the distrust that arises when employers try a stealth approach to this very sensitive issue.

Elizabeth Charnock is the CEO of Cataphora, a leading provider of software and services for the analysis of organizational behavior in Redwood City, CA.

6 comments
LocoLobo

Let's start with the last two examples of major liability cited. Isn't a large part of the problem here the insistence of CXOs that their people put lipstick on a pig and "Sale" it? Trying to put a gag on your employees doesn't fix the real problems. Neither does burying your head in a cubicle and pretending the problem isn't there. Wouldn't it have been better in both cases to get an honest opinion from your employees? Next point, "The solution you choose should, in essence, be smarter than the people being monitored." Really? Isn't any system no smarter than the people who design and/or operate it? Are you saying you should only hire dumb employees so they can't outthink your system? Perhaps we could listen to our people. I'm not saying to follow every suggestion given. Nor to let the janitors set corporate policy on finances. But if you really want "holistic compliance", try asking both your customers and employees about opportunities and problems. Then listen!

renodogs

I appreciate your article, thank you. I'm not sure why anyone would use the company's gear for personal business- be it answering personal emails or simply surfing the net. Anyone with a brain knows that every single data byte is being logged, whether you're on break or not. With the advent of iPads and such, I think the incident rate of corporate espionage will increase, as well as employee distraction from their main task at hand. I don't see the corporate world doing anything except clamping down even further on personal gear at the workplace. I do, however, think that the corporate world has extended itself a bit too far into our personal lives with their incessant requirement of being on-call 24-7. If they want to essentially own you as a human being, then people can and will take license to do exactly what the corporate world doesn't like, that is to have some sort of life because in fact, the nature of the job has created a corporate slave. I've been appalled (like many) over the work and personal life being co-mingled- and for no other reason than the company you work for is too damned cheap to hire enough people to actually do the job/service they offer to their customers. How sad to see a completely decent outfit go down the tubes because of employee job burnout. A building is nothing more than that- a building. That doesn't make a business. It's the people, their talents, and the structure of how they are assembled. Psychologically speaking, the advertising they employ touting their wholesome nature and how they help this or that cause is pure rubbish out of Orwell's '1984'. Nonetheless, if you're going to work at a place that monitors your every move, then please, only make plans to stay for a few years and then move on. Making a career at anyplace in the corporate world is pure nonsense. That said, load up your 401k to the max allowed while working there, invest conservatively, and take care of number 1.
Surviving the 'grind' isn't easy, but you can do it if you keep one thing in mind... There's life outside the big city, the office, the tech room. Go experience it. If they won't let you because you're on call all of the time, then do something else. You really only have one life- and it's short my friend. You'd better get busy living it. That's not being cynical, that's just smart.

rwczen

Great article, but the title led me to believe that there was a guide on 'how to implement it'. I was expecting at the very least some suggestions on software or hardware that could be used. I always see articles like this that say they're going to tell you how to do something and they never actually provide any steps or direction. Why mislead people?

seanferd

If you are looking for a product installation guide or a list of products, you are looking at the wrong article. It's about IT Leadership implementation of a general concept. The idea would be to use the offered concepts and guidelines in choosing your solution. Specific implementation would depend on the specific product, and the products vary widely. Steps and directions can be found in the product documentation, and should be part of the research you do to see if it is a product that fits your needs in the first place. If you want something more specific to a single product, look for articles containing such product names in the title. I don't see how it is misleading at all. You have to decide what "it" is before you go anywhere near implementation, and the author can't possibly know what solutions you would choose. ;)

rwczen

I understand that there are many platforms and solutions out there and that there is no way the author could provide details of all of them. I suppose I could even live with some concepts and guidelines if any were provided. In a nutshell all the article really said was to 'monitor everything including those monitoring'. The problem is the title has 2 little words: "How To". That implies that the reader will be given some sort of instruction which was not the case. The title "Why you should use monitoring technology" would have been perfect. Assume that I am new to the IT world, that I am reading the article to gain insight and learn why and how I could implement this technology in my company. I have just read the article, but now what? Where do I go from here? Where do I begin? You suggest I figure out what "it" is and find a solution from there, the problem with that is that I don't know what any of the options are, I have no starting point. Simple things such as 'if you are using Exchange a product like X will archive all email in and out of your company' would at least give readers a starting point. Good article, but drop the "and how to implement it" from the title or at least change to 'implementation considerations'

toni.bowers

The "how to" was in reference to the political ramifications of the rollout--how to roll it out so that it's accepted by the end-users.