Why would you want to monitor your employees? Have you had a theft
or data breach? Do you think you have a malicious trusted insider?
There are numerous reasons you might consider monitoring employees,
including some based on regulatory requirements.
There are various tools available today that enable CIOs to
automatically track and monitor just about every computer-based
action of employees. Some of these tools are very sophisticated and
can automatically alert you when an email message (to a competitor)
contains a résumé or an important piece of confidential data in an
attachment. But what's really fair when it comes to employee
monitoring, and are employers wasting too much time and resources
on monitoring tools and systems?
Here are eight questions and answers to help you understand why
companies monitor employees, how they're doing it, and what's fair
and legal.
What's the norm?
The American Management Association (AMA) performed a survey on
employer monitoring of employees and found that 75% of those
surveyed already monitor employee Web site surfing. A majority of
this group also uses content proxy systems to block inappropriate
surfing. In the survey, more than 50% review and retain emails,
while approximately 30% track keystrokes. And more than 80% of the
employers surveyed disclose their monitoring policies and practices
to their employees.
Is it legal to listen in to phone conversations?
[In the US] it is legal to monitor employees in your organisation.
However, you have to do it properly, with forethought and purpose.
IT organisations planning to monitor their employees should first
create a framework with their human resources team to ensure that
new hires are aware of the well-documented monitoring policy and
are given proper disclosure.
For example, your sales team might wish to monitor calls that the
inside sales team is making with customers for quality control
purposes. However, it's best to inform both the employee and the
customer that the call may be monitored for quality control
purposes. In fact, in California you have to do this -- it's part
of California Utilities Commission General Order 107-B. US federal
law, on the other hand, does allow unannounced monitoring on all
business-related -- not personal -- calls that are interstate or
international.
When is it illegal to do so?
Although US federal law allows you to monitor calls unannounced,
it's still best practice to create a written policy about call
monitoring and to share this information with your employees and
customers. Also, if you accidentally monitor a call that is made
for personal purposes and not for business, you are breaking US
law. This is an important exception to recognise. You might create
a policy that no personal calls may be made using company
resources. You could recommend a payphone, designate an unmonitored
phone, or allow the use of cell phones for personal calls.
Remember, it's still your responsibility not to monitor a personal
call.
What about email?
There have been numerous cases in court about workplace privacy,
including your rights as a CIO to store, track and monitor email.
The good news for CIOs is that all of these cases ruled in the
employers' favour. However, you probably don't want to be the next
CIO called into court to test US case law.
To avoid this happening to you, the most important lesson is to
ensure your employees are aware of your monitoring policies. You
could force them to accept a special message at login to their
computer or your corporate network that states "all emails will be
monitored for business purposes and no personal emails are allowed
to be created, edited, received or transmitted using corporate
resources." You can also perform a Google search for "single
sign-on" if you don't have a system that allows you to do this.
There are numerous solutions available that will improve your
corporate security, including password management, while also
helping you to enforce your monitoring policies.
Can you monitor your employees' computer and internet usage?
There are various tools available that you can purchase to
monitor employee computer and Internet use. You can track
everything an employee does on a computer resource that your
corporation provides. If you intend to do this, I strongly
recommend against allowing employees the luxury of using personal
laptops that they own to do their work for the company.
If you have employees whose job is typing or translating text, you
could monitor their performance with software that counts their
keystrokes per minute. This helps you to determine who is
performing and who isn't in this particular role in your
organisation. However, if you and the CFO decide you want all the
slow performers to increase their pace and help increase
profitability, you might be placing a talented employee in jeopardy
of various health problems such as chronic back pain, neck and hand
injury or, even worse, carpal tunnel syndrome. Consider these issues
and their impact when trying to balance monitoring with
performance.
When is it illegal to monitor?
If you want to avoid being the CIO who gets called into court to
help make US case law, be careful about peeking in on an employee's
personal laptop or external hard drive without their express
written consent. If you are using consultants or union labour, you
should review the consulting agreement or union contract to ensure
this issue is clearly spelled out.
What is fair to both parties?
As an employer, the best thing your corporation can do is to
create an Acceptable Usage Policy and an employee monitoring
policy. In the first policy, you define what is appropriate and
what is inappropriate for your employees to do when using your
corporate resources, including but not limited to all
telecommunications and computer and networking systems. In this
document, you will clearly spell out to the employees what they can
do using company equipment and resources.
By providing an employee monitoring policy to your staff members,
you'll let them know exactly where and when you block inappropriate
Internet access and when you monitor telephone, computer and
Internet usage. No one will ever be surprised that you are doing
it, and you won't be doing it in a way that could put you at risk
of breaching US workplace privacy rights law.
Keep an eye on Workplace Fairness and the American Civil Liberties
Union so you'll be aware of recent US case law and what these
organisations are recommending as employee rights in regard to
workplace privacy. Then you can build and tune your policies around
what's the least risky to your organisation in regard to a
workplace privacy lawsuit.
Will employee monitoring be counterproductive for employees?
Just remember that you need to find a balance between ethics,
best practices in monitoring and keeping your employees happy and
productive. The best way to do it is to approach the concept of
employee monitoring as something that needs to be well thought out
in advance and agreed upon by the board and the executives of your
organisation. You should seriously consider documentation and
disclosure in an 'open book' model so employees understand the
risks and rewards in how they use corporate resources to do their
job and excel knowing that your acceptable use and monitoring
policies are in the best interests of the corporation, which should
ultimately be a shared purpose and understanding.
Gary Miliefsky is a CISSP, founding member of the U.S.
Department of Homeland Security, and a member of the board of
directors of the New England Information Security Group. He is also
the founder and CTO of NetClarity in Bedford, Mass., and can be
reached at searchCIO@netclarity.net.
This article originally appeared on SearchCIO.com.