Employee Privacy & Monitoring Technologies November 16, 2006 TBTLA Andy Swenson Len Chiacchia Chris Favaloro Mark Wright

Agenda

• Employee Privacy
• Is Monitoring ethical and legal?
• Why Monitor?
• Monitoring Technologies
• Maintaining
• Implementing

Employee Privacy

Privacy Defined:

“The right to be left alone - the most comprehensive of rights, and the right most valued by a free people” - Justice Louis Brandeis (1928)

Ethical

Is Monitoring Ethical?
• Depends on the View
• Employee View
  • Want their Freedom
  • Monitoring may feel like Big Brother
  • May affect productivity or employee loyalty
• Company View
  • Responsible for Protecting the Stakeholders
  • Labeling
  • Branding
  • Trademarks
  • Copyrights

Legal

Is Monitoring Legal?
Federal Law

The Electronic Communications Privacy Act of 1986 (ECPA)

Allows companies to monitor employees' emails and track usage if one of three stated provisions is adequately met.
• Employee has given consent
• Legitimate business reason
• Company needs to protect itself

Legal

Is Monitoring Legal?
State Law

The 2006 Florida Statutes – Chapter 934.03

Allows companies to monitor employees as long as All Parties Consent

Why Monitor

Required
Financial

Securities and Exchange Commission's Code of Federal Regulations (CFR) 17a-3 and 17a-4
• 3 – 6 years or longer depending on the data
• Must be readily accessible for first 2 years

Sarbanes-Oxley
• Auditing Firms – All Communications – 7 years

GAAP – Generally Accepted Accounting Principles
GAPP – Generally Accepted Privacy Principles

Why Monitor

Required
Medical

HIPAA (Health Insurance Portability and Accountability Act of 1996)

“the clinical record retention rules for a given jurisdiction would govern as to the length of time the record must be preserved”
- American Psychiatric Association Council on Psychiatry and Law

Why Monitor

Required
ISPs - Internet Service Providers

1986 ECPA (Electronic Communications Privacy Act)

Currently
• Requested to keep data for 90 days

Proposed
• Dept of Justice and FBI want data kept for 2 years

~USA Today; June 2006~

Why Monitor

Protection/Liability

Email
IM – Instant Messaging
Chat Room
Discussion Databases
• Financial – (Non-Company Chat/Discussion Boards) Can be considered Public Appearances by NASD

Survey

According to a 2005 Survey by the American Management Association (Privacy Rights Clearinghouse, 2006):

75% of employers monitor their employees' web site

65% use software to block connections to web sites

50% review and retain electronic mail messages.

80% of employers disclose their monitoring practices to employees

84% of employers have established policies governing e-mail use

81% have established policies governing personal Internet use

Survey

According to a recent report from Business Performance Management Forum and AXS-One Inc:

Senior Executives and subject matter Experts Interviewed
• NO Technologies or Policies in place to Handle a Legal Discovery Order
• NO Corporate Policy To Cover Electronic Records Mgmt
• Didn’t Know If They Had A Policy

Enterprise Storage Forum, 2006

Applications

Applications currently can record:
• Emails Sent and Received
• Instant Messages
• Key logging – Recording of keystrokes
• P2P file transactions
• Websites visited

Applications

Secure Computing (A.K.A. CipherTrust)
• Offers Numerous Software Packages
  • Web Gateway
  • Messaging Gateway
  • Network Gateway
  • Identity and Access Management

Applications

Akonix
• Five Different Appliance Technologies for Protection
  • L7 Enterprise
  • L7 Enforcer
  • L7 Skype Manager
  • L7 Remote Security Manager
  • L7 Builder

Applications

Websense
• Web Security
  • Spyware and Keylogging
  • Malicious Mobile Code
  • Phishing and Pharming
  • Secure IM Attachments
• Web Filtering
  • Employee Productivity
  • Bandwidth Management
  • Legal Liability

Applications

Websense
• Endpoint Security
  • Internal Attack Prevention
  • Application Content Control
  • External Threat Mitigation
  • Removable Media Management
  • Remote Endpoint Protection

Maintaining

All of these systems require additional costs
• Central Server (Refer to software requirements)
• Administrator to monitor system and make sure data is secure
• Policy implemented and in place before using the software
• Policy should be annually instated and reviewed by employees.

Implementation

Define the Scope
• Monitoring (Too Much, Too Little)

The Right People
• Fit the Person to the Job
• Personally Screen
• Remember “Loose Lips Sink Ships”

Trained – Technical Forensics
• Privacy Administrator
• Chief Privacy Officer
• CISSP Certified
  Certified Information Systems Security Professional
• IAPO Certified
  International Association of Privacy Officers

Implementation

Written Policy
• Handbook
• Signed Agreement
• Internal Web Site

Training
• Employees
• Management

Legally Sufficient
"One of the biggest problems is the ambiguity with which these regulations are drafted,"
Peter Gerr - Analyst with Enterprise Storage Group

Implementation

Data Storage/Retrieval

• Security of the Data
• Retrieving the Data
• Tamperproof Metadata

Litigation

Effective December 1, 2006

New Civil Laws

http://www.uscourts.gov/rules/newrules6.html

“regarding a company's duty to preserve and produce electronically stored information (ESI) in the face of litigation or pending litigation”

Civil Rules 16, 26, 33, 34 and 37

Above ALL

Get Corporate Counsel

Thank You

WWW.TB-TLA.ORG

Andy Swenson, Len Chiacchia, Chris Favaloro, Mark Wright